MITRE is a non-profit organisation that “works in the public interest across federal, state and local governments, as well as industry and academia”. One of the fields that has benefited from their pioneering research and efforts is cyber threat sharing.
It was their innovative work in this area that led to the development of the MITRE ATT&CK® framework. The ATT&CK acronym stands for Adversarial Tactics, Techniques and Common Knowledge. It represents a freely and globally accessible framework of known adversarial methods, built from historical attack data and updated every quarter by MITRE researchers and industry contributors. The framework’s primary focus is to promote coherency and standardisation within the cyber security industry, “by bringing communities together to develop more effective cybersecurity”.
MITRE ATT&CK’s Enterprise Matrix is a near-comprehensive list of historically known adversary behaviour. These are the Tactics and Techniques that an adversary can adopt in order to compromise and operate within an enterprise network.
Tactics describe what an adversary is trying to achieve. There are twelve high-level categories:
Initial Access | Execution | Persistence |
Privilege Escalation | Defense Evasion | Credential Access |
Discovery | Lateral Movement | Collection |
Command and Control | Exfiltration | Impact |
Techniques (and in some cases, Sub-techniques) describe how an adversary might achieve a Tactic. There are many Techniques for a given Tactic, and one Technique might map to several Tactics. This can be represented as a matrix.
See the SOC.OS blog for more information on MITRE ATT&CK.
You are tasked with defending a castle. Knowing an attacker intends to scale the castle walls (Tactic) by using grappling hooks (Technique) puts you in a far better defensive position.
A structured breakdown of adversarial Tactics and Techniques is helpful for enterprises of all shapes and sizes:
We've seen an attacker carry out Process Injection on an endpoint. They could be attempting Privilege Escalation or Defense Evasion. We should review user permissions and scan for malware on that endpoint.
In the last quarter, our firewalls blocked the majority of Command & Control incidents. However, we saw an increase in Initial Access incidents - in particular, successful Phishing attempts. We should invest in a better email security solution now, and upgrade the firewall appliances next quarter.
We've seen a 46% increase in successful Credential Stuffing attacks reported by our security tools in the last month. We should let our CISO know we are prioritising Brute Force incidents. The CISO can report on the increase in Credential Access incidents at the next board meeting to justify the rollout of a company-wide Multi-Factor Authentication policy.
The five stages of the NIST Cybersecurity Framework are Identify, Protect, Detect, Respond, Recover. Applying the MITRE ATT&CK® framework can help an organisation improve maturity across all stages.
MITRE offer several resources to help organisations get started with ATT&CK.
The ATT&CK® Navigator is most frequently used by organisations and cyber security consultancies. The aim is to map how well each of your security tools can identify/prevent/respond to techniques. Each tool is added to the framework in Layers. Overlaying all of these layers highlights strengths and weaknesses in your cyber security posture.
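The layer overlay described above, as an added example (not MITRE's or SOC.OS's code): each tool's layer is trimmed to the Navigator layer fields `name`, `techniques`, `techniqueID` and `score`, the layers are merged, and any Tactic left with a weakly covered Technique is reported. The tool names, the scores, the 0-100 scoring convention and the threshold of 50 are constructed assumptions.

```python
from collections import defaultdict

# Constructed subset of ATT&CK techniques and the tactics each one serves.
TECHNIQUE_TACTICS = {
    "T1566": ["Initial Access"],                           # Phishing
    "T1055": ["Privilege Escalation", "Defense Evasion"],  # Process Injection
    "T1110": ["Credential Access"],                        # Brute Force
    "T1071": ["Command and Control"],                      # Application Layer Protocol
    "T1021": ["Lateral Movement"],                         # Remote Services
}

# Constructed layers, one per tool. Scores (0-100) are an assumed convention
# for how well the tool detects or blocks the technique.
LAYERS = [
    {"name": "firewall", "techniques": [
        {"techniqueID": "T1071", "score": 80},
        {"techniqueID": "T1021", "score": 40}]},
    {"name": "edr", "techniques": [
        {"techniqueID": "T1055", "score": 70},
        {"techniqueID": "T1021", "score": 60}]},
    {"name": "email-gateway", "techniques": [
        {"techniqueID": "T1566", "score": 30}]},
]

def overlay(layers):
    """Merge layers: best score per technique and the tool that provides it."""
    best = {}
    for layer in layers:
        for entry in layer["techniques"]:
            tid, score = entry["techniqueID"], entry["score"]
            if tid not in TECHNIQUE_TACTICS:
                raise ValueError(f"{layer['name']}: unknown technique {tid}")
            if tid not in best or score > best[tid][0]:
                best[tid] = (score, layer["name"])
    return best

def gaps_by_tactic(layers, threshold=50):
    """Tactics with techniques whose best combined score is below threshold."""
    best = overlay(layers)
    gaps = defaultdict(list)
    for tid, tactics in TECHNIQUE_TACTICS.items():
        score = best[tid][0] if tid in best else 0  # no tool covers it at all
        if score < threshold:
            for tactic in tactics:  # one weak technique exposes every tactic it maps to
                gaps[tactic].append(tid)
    return dict(gaps)

if __name__ == "__main__":
    for tactic, techniques in gaps_by_tactic(LAYERS).items():
        print(f"{tactic}: weak or missing coverage for {', '.join(techniques)}")
```

With these sample layers the overlay flags Initial Access (Phishing scored only 30) and Credential Access (no tool covers Brute Force), while Lateral Movement passes because the EDR layer compensates for the firewall's weaker score.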
The challenge of using ATT&CK is accurately mapping the capability of security tooling into the framework. The SOC.OS blog contains a guide to mapping alerts to the MITRE ATT&CK® framework. However, when done manually this is a time-consuming and labour-intensive task, requiring a deep level of cyber knowledge to complete accurately. This can distract already stretched security teams from the primary task of preventing and responding to incidents. Additionally, the cyber landscape can change so rapidly that the mapping exercise can be out-of-date by the time it is complete. This requires teams to constantly refresh and reassess the situation.
SOC.OS natively and continuously maps the output of security tools to the MITRE ATT&CK framework, allowing security teams to gain the benefits without any extra effort.
Take a look at the demo video, product sheet and release notes for examples.
MITRE ATT&CK® is natively incorporated into SOC.OS and is the backbone of the correlation engine. As SOC.OS processes alerts, it automatically classifies the alert message and translates this to the MITRE ATT&CK framework.
SOC.OS correlates alerts into clusters depending on their corresponding MITRE ATT&CK® threat types. This ensures that alerts targeting the same part of a network with similar threat types are more likely to appear in the same cluster. These relevant alert groupings mean analysts can investigate and remediate accurately and efficiently.
SOC.OS users can use the custom enrichment tagging feature to highlight clusters in their workbench which contain certain threat types. This feature can also be used to automatically score these clusters higher to prioritise them for investigation. This allows organisations to respond quickly to threats of the highest concern.
When presented with a cluster, the analyst can view the MITRE ATT&CK® threat types in both the:
SOC.OS provides customers with a monthly report highlighting alert and triage statistics, alongside MITRE ATT&CK® threat coverage - effectively automating the arduous mapping task described above.
Coverage over tactic report example:
Coverage by source report example:
Establish your current MITRE ATT&CK® threat coverage automatically with a free trial of SOC.OS.