¶ What is MITRE ATT&CK?
MITRE is a non-profit organisation that, “works in the public interest across federal, state and local governments, as well as industry and academia”. One of the fields which has benefited from their pioneering research and efforts is cyber threat sharing.
It was their innovative work in this area that led to the development of the MITRE ATT&CK® framework. The ATT&CK acronym stands for Adversarial Tactics, Techniques and Common Knowledge. It represents a freely and globally accessible framework of known adversarial methods, built from historical attack data and updated every quarter by MITRE researchers and industry contributors. The framework’s primary focus is to promote the coherency and standardisation within the cyber security industry, “by bringing communities together to develop more effective cybersecurity”.
¶ MITRE ATT&CK Enterprise Matrix
MITRE ATT&CK’s Enterprise Matrix is a near comprehensive list of historically known adversary behaviour. These are the Tactics and Techniques that an adversary can adopt in order to compromise and operate within an enterprise network.
Tactics describe what an adversary is trying to achieve. It consists of twelve high-level categories:
| Initial Access | Execution | Persistence |
| Privilege Escalation | Defence Evasion | Credential Access |
| Discovery | Lateral Movement | Collection |
| Command and Control | Exfiltration | Impact |
Techniques (and in some cases, Sub-techniques) describe how an adversary might achieve a Tactic. There are many Techniques for a given Tactic, and one Technique might map to several Tactics. This can be represented as a matrix:
See the SOC.OS blog for more information on MITRE ATT&CK.
You are tasked with defending a castle. Knowing an attacker intends to scale the castle walls (Tactic) by using grappling hooks (Technique) puts you in a far better defensive position.
¶ How is MITRE ATT&CK beneficial?
A structured breakdown of adversarial Tactics and Techniques is helpful for enterprises of all shapes and sizes:
- Contextual Understanding - It forces security teams to consider all levels of technical detail and granularity. Describing an attacker’s goal, and the specific steps they can take to achieve it, gives teams a fuller picture. This can also help identify low-level long-term attacks and Advanced Persistent Threats (APTs).
We've seen an attacker carry out Process Injection on an endpoint. They could be attempting Privilege Escalation or Defense Evasion. We should review user permissions and scan for malware on that endpoint.
- Strategic Planning - It forces organisations to consider their security defences in a structured way and consider these through the lens of an attacker. This allows them to identify areas of under- or over-spending and allocate resources accordingly.
In the last quarter, our firewalls blocked the majority of Command & Control incidents. However, we saw an increase in Initial Access incidents - in particular, successful Phishing attempts. We should invest in a better email security solution now, and upgrade the firewall appliances next quarter.
- Common Language - Security Analysts communicate in low-level, technical language (Techniques). Managers/Executives communicate in a high-level, strategic language (Tactics). The framework can be used to promote accurate reporting and meaningful conversations between the two. This common language can also be applied across security tools, which may be alerting on the same thing, but using different languages.
We've seen a 46% increase in successful Credential Stuffing attacks reported by our security tools in the last month. We should let our CISO know we are prioritising Brute Force incidents. The CISO can report on the increase in Credential Access incidents at the next board meeting to justify the rollout of a company-wide Multi-Factor Authentication policy.
The five stages of the stages of the NIST Cybersecurity Framework are Identify, Protect, Detect, Respond, Recover. Applying the MITRE ATT&CK® framework can help an organisation improve maturity across all stages.
¶ How do I start using MITRE ATT&CK?
MITRE offer several resources to help organisations get started with ATT&CK.
The ATT&CK® Navigator is most frequently used by organisations and cyber security consultancies. The aim is to map how well each of your security tools can identify/prevent/respond to techniques. Each tool is added to the framework in Layers. Overlaying all of these layers highlights strengths and weaknesses in your cyber security posture.
The challenge of using ATT&CK is accurately mapping the capbility of security tooling into the framework. The SOC.OS blog contains a guide to mapping alerts to the MITRE ATT&CK® framework. However, when done manually this is a time-consuming and labour-intensive task, requiring a deep level of cyber knowledge to complete accurately. This can distract already stretched security teams from the primary task of preventing and responding to incidents. Additionally, the cyber landscape can change so rapidly that the mapping exercise can be out-of-date by the time it is complete. This requires teams to constantly refresh and reassess the situation.
SOC.OS natively and continuously maps the output of security tools to the MITRE ATT&CK framework, allowing security teams to gain the benefits without any extra effort.
¶ How does SOC.OS use MITRE ATT&CK?
Take a look at the demo video, product sheet and release notes for examples.
¶ Correlation
MITRE ATT&CK® is natively incorporated into SOC.OS and is the backbone of the correlation engine. As SOC.OS processes alerts, it automatically classifies the alert message and translates this to the MITRE ATT&CK framework.
SOC.OS correlates alerts into clusters depending on their corresponding MITRE ATT&CK® threat types. This ensures that alerts targeting the same part of a network with similar threat types are more likely to appear in the same cluster. These relevant alert groupings mean analysts can investigate and remediate accurately and efficiently.
¶ Prioritisation
SOC.OS users can use the custom enrichment tagging feature to highlight clusters in their workbench which contain certain threat types.This feature can also be used to automatically score these clusters higher to prioritse them for investigation. This allows organisations to respond quickly to threats of the highest concern.
¶ Investigation
When presented with a cluster, the analyst can view the MITRE ATT&CK® threat types in both the:
- Visualisation - To understand when each threat was seen in the context of the incident
- Sidebar - Summarises the threats present in this cluster. Also provides a full description and links to the corresponding MITRE ATT&CK page to facilitate training.
¶ Reporting
SOC.OS provides customers with a monthly report highlighting alert and triage statistics, alongside MITRE ATT&CK® threat coverage - effectively automating the arduous mapping task described above.
Coverage over tactic report example:
Coverage by source report example:
Establish your current MITRE ATT&CK® threat coverage automatically with a free trial of SOC.OS.