Good cyber threat intelligence requires organisations to know what their adversaries are actually doing and to turn that knowledge into better decisions about how to protect their systems.
For this reason, MITRE has developed the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.
What is MITRE ATT&CK?
The MITRE ATT&CK framework is a curated knowledge base of adversary tactics and techniques drawn from real-world observation. It gives defenders a structured view of their adversaries: the goals they pursue at each stage of an intrusion, the techniques they use to reach those goals, and the tools they commonly employ.
Importantly, each ATT&CK technique is indexed and broken down into granular detail (sub-techniques, procedure examples, affected platforms), so a security team can see the concrete behaviours an attacker could use against a given platform rather than an abstract description of a threat.
ATT&CK also incorporates cyber threat intelligence in the form of group profiles: documented threat groups, criminal and state-sponsored alike, are mapped to the techniques and software they have been observed using. This makes it easier to compare the behaviour seen in a new intrusion against known group profiles. Because many groups share common techniques, such a match supports attribution rather than settling it on its own.
It is easy to see why this knowledge base forms an excellent basis for developing specific threat models and methodologies in the public and private sectors, as well as across the cyber security community of vendors and practitioners.
The creation of ATT&CK was undoubtedly a step in the right direction in bringing the cyber security community closer together to develop more effective tools and solutions. ATT&CK is published openly and is free for any individual or company to use.
However, many organisations struggle to apply the framework effectively to their own environment. An organisation with one or two analysts that wants to start using the framework for threat intelligence can begin by selecting a single group that is of concern or interest and examining its behaviours as ATT&CK structures them.
The framework's matrix looks much like a periodic table. Each column heading is a tactic, the adversary's goal at one phase of the attack chain, running from reconnaissance and initial access all the way to the final outcome. Listed under each tactic are the techniques used to achieve it. Users can drill into any technique to see which tactics it serves, which platforms it applies to, procedure examples of how specific groups have used it, and the associated mitigation and detection guidance.
The framework is an excellent resource for teams that need a better understanding of where to focus their resources and detection efforts, since it is impossible to protect equally against every possible attack vector. It can help teams prioritise detections early in the attack chain, before the adversary reaches their objective, or prioritise detections for the techniques favoured by the groups that are particularly prevalent in their industry.
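The prioritisation described above can be made mechanical once the group-to-technique mapping is in hand. The following Python is an added illustration, not code from the original article or from MITRE: it takes a mapping of groups of concern to the techniques they use, removes the techniques the organisation already detects, and ranks what remains by how many tracked groups share each technique, breaking ties in favour of techniques that appear earlier in the attack chain. The group names and their technique lists are constructed for the example; the technique and tactic identifiers are real ATT&CK IDs. In practice the mapping would be loaded from MITRE's published ATT&CK STIX data rather than typed in by hand.

```python
"""Rank uncovered ATT&CK techniques by how many groups of concern use them.

Added illustration, not part of the original article. The group names and
their technique lists below are CONSTRUCTED for this example. The technique
and tactic identifiers are real ATT&CK IDs; in practice the group-to-technique
mapping would be loaded from MITRE's published ATT&CK STIX data instead.
"""
from collections import defaultdict

# Enterprise tactics in matrix (attack-chain) order; list index = phase position.
TACTIC_ORDER = ["TA0043", "TA0042", "TA0001", "TA0002", "TA0003", "TA0004",
                "TA0005", "TA0006", "TA0007", "TA0008", "TA0009", "TA0011",
                "TA0010", "TA0040"]
TACTIC_NAME = {"TA0043": "Reconnaissance", "TA0042": "Resource Development",
               "TA0001": "Initial Access", "TA0002": "Execution",
               "TA0003": "Persistence", "TA0004": "Privilege Escalation",
               "TA0005": "Defense Evasion", "TA0006": "Credential Access",
               "TA0007": "Discovery", "TA0008": "Lateral Movement",
               "TA0009": "Collection", "TA0011": "Command and Control",
               "TA0010": "Exfiltration", "TA0040": "Impact"}

# Technique -> (name, tactics it belongs to). A technique can sit under several
# tactics; the ranking uses the earliest one in the chain.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1053": ("Scheduled Task/Job", ["TA0002", "TA0003", "TA0004"]),
    "T1027": ("Obfuscated Files or Information", ["TA0005"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1071": ("Application Layer Protocol", ["TA0011"]),
    "T1105": ("Ingress Tool Transfer", ["TA0011"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040"]),
}

# CONSTRUCTED: hypothetical groups an organisation has decided to track.
GROUPS_OF_CONCERN = {
    "Group A": ["T1566", "T1059", "T1053", "T1003", "T1021", "T1071"],
    "Group B": ["T1566", "T1078", "T1059", "T1027", "T1105", "T1486"],
    "Group C": ["T1078", "T1059", "T1003", "T1021", "T1105", "T1486"],
}
# CONSTRUCTED: techniques the organisation already has detections for.
COVERED = {"T1566", "T1486"}


def earliest_phase(tid):
    """Attack-chain position of the earliest tactic a technique maps to."""
    _, tactics = TECHNIQUES[tid]
    return min(TACTIC_ORDER.index(t) for t in tactics)


def prioritise(groups, covered):
    """Uncovered techniques, most widely shared first; ties go to the earliest phase.

    Raises KeyError for technique IDs missing from TECHNIQUES so that a typo in
    a mapping does not silently drop a technique from the ranking.
    """
    users = defaultdict(set)
    for group, techs in groups.items():
        for tid in techs:
            if tid not in TECHNIQUES:
                raise KeyError(f"{group}: unknown technique {tid}")
            users[tid].add(group)
    ranked = sorted(
        (tid for tid in users if tid not in covered),
        key=lambda tid: (-len(users[tid]), earliest_phase(tid), tid),
    )
    return [
        {"technique": tid, "name": TECHNIQUES[tid][0],
         "phase": TACTIC_NAME[TACTIC_ORDER[earliest_phase(tid)]],
         "groups": sorted(users[tid])}
        for tid in ranked
    ]


def coverage_by_group(groups, covered):
    """(covered, total) technique counts per group: which adversary we see least of."""
    return {g: (sum(1 for t in set(techs) if t in covered), len(set(techs)))
            for g, techs in groups.items()}


if __name__ == "__main__":
    for row in prioritise(GROUPS_OF_CONCERN, COVERED):
        print(f"{row['technique']} {row['name']:<35} {row['phase']:<20} "
              f"used by {len(row['groups'])}: {', '.join(row['groups'])}")
    for g, (c, n) in coverage_by_group(GROUPS_OF_CONCERN, COVERED).items():
        print(f"{g}: {c}/{n} techniques covered")
```

With the constructed data, T1059 (used by all three groups) comes out on top, followed by the techniques shared by two groups in attack-chain order, so a team with limited analyst time knows which detection to build first. Swapping the constructed mapping for the groups actually prevalent in your industry, and the constructed `COVERED` set for your real detection inventory, is the only change needed to apply it.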
Many organisations will want to keep a closer eye on the behaviours of specific threat groups they know to be of particular concern to their type of business. The framework isn't static; it evolves alongside the threats, which makes it an invaluable source of information for understanding our adversaries and anticipating what they might do next.