Ensuring cyber security is like plugging a leaky boat with your fingers. Just when you’ve stopped one gap, another bursts open and the water comes flooding in. It’s a frustrating problem, compounded by so many different factors – a lot of which aren’t even in your control.
Knowledge really is power when it comes to security. Knowledge of your network, your people, your industry, but also knowledge of what attackers are doing, who they’re targeting, what they want. With knowledge, you can figure out where those leaks might come from next – and put a patch over them before they burst.
That’s where MITRE ATT&CK comes in.
What is MITRE ATT&CK?
What is MITRE?
MITRE is a not-for-profit research and development organization dedicated to safety and security in a number of areas. Our main focus today is the group’s ATT&CK database and its purpose in modern business. However, MITRE is behind a number of innovations not just in security, but in defense, aviation and healthcare as well.
Learn more: MITRE’s website
What does ATT&CK stand for?
Adversarial Tactics, Techniques and Common Knowledge.
What is the point of ATT&CK?
ATT&CK is a database, built in 2013 by MITRE, to be a globally accessible knowledge base of cyber attacker behaviors and techniques. It categorizes which attack groups are active, what they’re doing, and how they’ve been spotted doing it.
It can also be used as a taxonomy of common terminologies in the cyber security space. This has helped standardize the industry a bit better, ensuring that security experts from across companies, disciplines and sectors speak the same shared language.
ATT&CK is so successful because it’s community-driven
Businesses have proven to be highly willing to work with MITRE, as its not-for-profit status means that it gains no commercial benefit from its work. Companies can be honest about even sensitive information, giving ATT&CK access to critical details that other companies could never hope to acquire.
What this means is that the ATT&CK database is a huge, community-led tool based on real-world intelligence gathered by the world’s global security community. This isn’t an academic thing built by people who don’t know what they’re talking about – it’s cutting edge, and evolves constantly as new threats emerge and old threats evolve.
What can a business use MITRE ATT&CK for?
- Threat detection
- Threat hunting
- Intelligence gathering
- Risk management
How does MITRE ATT&CK help security operations?
The short of it is that the ATT&CK database gives defense teams the knowledge they need to better protect their organizations.
The MITRE ATT&CK website is a significant repository of attack groups, commonly targeted countries and industries, known attacker goals and identified attack techniques. This database is further grouped into different Matrices (see below) for navigability, and also holds information on data sources and mitigations.
With this database in hand, security teams can identify:
- Who is most likely to attack me?
- What are they looking to steal, spy on or harm?
- What tools and techniques are they likely to use?
- How do I detect their activities?
- How do I customize my defense to try and keep them out?
Meet the MITRE ATT&CK Matrices
ATT&CK’s Matrices are tools you can use to better navigate the wealth of information found in the database. They come in four forms:
- Enterprise: This is the most popular Matrix, and focuses on threats to common desktop and server operating systems and cloud environments.
- Mobile: The Mobile Matrix covers tactics and techniques involving Android and iOS devices.
- ICS: Industrial Control Systems. This Matrix is specific to attacks focusing on ICS networks.
- PRE-ATT&CK: When you need to know what someone might do before they attempt to exploit your system, you need this Matrix.
Tactics and techniques in ATT&CK
Generally, within each Matrix, MITRE splits up information into two categories:
- Tactics: These refer to what someone would want to accomplish within your network. For example, credential access, lateral movement, exfiltration of data.
- Techniques: These refer to specific methods for accomplishing tactics. For example, account manipulation, application deployment software, automated exfiltration.
So if you wanted to know more about, say, exfiltration in particular, you could navigate to that column within the relevant Matrix and find a list of applicable attack techniques.
Data sources in ATT&CK
The next major component within ATT&CK is its list of data sources. MITRE defines data sources in this context as the various types of information that can be collected by sensors or logs.
Good data sources are critical to threat detection. Using this aspect of the database, you can identify which data sources are available to your organization and which are applicable to the types of threats you’re trying to detect. Or in other words, you’ll find what you need to be looking out for to spot a threat, and how to acquire that particular data.
You may find that you don’t have the right detection capabilities!
Mitigations in ATT&CK
Finally, we have mitigations. At this point in our use of ATT&CK, we know what attackers want, the techniques they will likely use to achieve their goals, and the types of data sources we require to detect when these attacks occur.
The next thing we need to know is how to mitigate these threats. This is where the mitigations aspect of ATT&CK comes in useful. Mitigations are security services that you can use to prevent one of the named techniques from being successful.
For every threat identified within ATT&CK, there are corresponding mitigations. These will help you understand what services you must prioritize, and what may be missing from your current arsenal.
Meet MITRE ATT&CK Navigator
So how do you use ATT&CK in a way that is streamlined and convenient? That’s where Navigator comes in.
MITRE ATT&CK Navigator is a web-based tool for exploring and annotating ATT&CK Matrices, which you can use to contextualize threats and techniques to your own particular needs. Additionally, as you highlight threats or filter by attack groups and sectors, you will also spot which data sources and mitigations are most applicable to your unique context, as described above.
More on how to actually use this tool below – we have a webinar on the subject!
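To make the data-source, mitigation and Navigator sections above concrete, here is an added example (not code from the original article, and not MITRE's own tooling). It models a hand-constructed subset of the Enterprise matrix, checks which of a hypothetical group's techniques your existing telemetry can observe, ranks the mitigations that address the gaps, and emits a Navigator layer that colours covered techniques green and gaps red. The technique IDs, tactic names, data-source and mitigation names are real ATT&CK terms, but each technique's lists are trimmed for illustration, the group profile is invented, and the layer version numbers are assumptions you should align with the Navigator release you import into.

```python
"""Hypothetical ATT&CK detection-coverage check and Navigator layer builder.

Added example, not part of the original article or of MITRE's tooling.
Technique IDs and names are real ATT&CK Enterprise entries; the data-source
and mitigation lists are trimmed subsets, and the threat group is invented.
"""
import json

# Constructed subset of the Enterprise matrix: technique -> tactic, data sources, mitigations.
TECHNIQUES = {
    "T1098": {"name": "Account Manipulation", "tactic": "persistence",
              "data_sources": ["User Account", "Active Directory"],
              "mitigations": ["Multi-factor Authentication", "Privileged Account Management"]},
    "T1003": {"name": "OS Credential Dumping", "tactic": "credential-access",
              "data_sources": ["Process", "Command"],
              "mitigations": ["Credential Access Protection", "Privileged Process Integrity"]},
    "T1021": {"name": "Remote Services", "tactic": "lateral-movement",
              "data_sources": ["Logon Session", "Network Traffic"],
              "mitigations": ["Multi-factor Authentication", "Network Segmentation"]},
    "T1020": {"name": "Automated Exfiltration", "tactic": "exfiltration",
              "data_sources": ["Network Traffic", "File", "Command"],
              "mitigations": ["Network Intrusion Prevention", "Data Loss Prevention"]},
}

# Invented threat-actor profile, as a CTI report might summarize it: techniques observed in use.
HYPOTHETICAL_GROUP = ["T1098", "T1003", "T1021", "T1020"]


def detection_coverage(group_techniques, available_sources, catalog=TECHNIQUES):
    """Split a group's techniques into those we can observe and those we cannot.

    A technique counts as covered when at least one of its ATT&CK data
    sources is among the sources our sensors and logs actually produce.
    Returns (covered, gaps); each maps technique ID -> {"have": [...], "missing": [...]}.
    """
    covered, gaps = {}, {}
    for tid in group_techniques:
        needed = set(catalog[tid]["data_sources"])
        have = sorted(needed & set(available_sources))
        missing = sorted(needed - set(available_sources))
        (covered if have else gaps)[tid] = {"have": have, "missing": missing}
    return covered, gaps


def prioritized_mitigations(gaps, catalog=TECHNIQUES):
    """Rank mitigations by how many uncovered techniques each one addresses."""
    counts = {}
    for tid in gaps:
        for m in catalog[tid]["mitigations"]:
            counts[m] = counts.get(m, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def navigator_layer(name, covered, gaps, catalog=TECHNIQUES):
    """Build an ATT&CK Navigator layer dict: green = detectable, red = gap.

    Field names follow the Navigator layer JSON format; the version numbers
    below are assumptions and should match the Navigator release you use.
    """
    techniques = []
    for tid, info in covered.items():
        techniques.append({"techniqueID": tid, "tactic": catalog[tid]["tactic"],
                           "score": 1, "color": "#8ec843",
                           "comment": "detectable via " + ", ".join(info["have"])})
    for tid, info in gaps.items():
        techniques.append({"techniqueID": tid, "tactic": catalog[tid]["tactic"],
                           "score": 0, "color": "#ff6666",
                           "comment": "no sensor for " + ", ".join(info["missing"])})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},  # assumed
            "description": "Detection coverage against a hypothetical group",
            "techniques": techniques}


if __name__ == "__main__":
    # Constructed inventory of what our telemetry can see today.
    our_sources = ["Process", "Command", "User Account"]
    covered, gaps = detection_coverage(HYPOTHETICAL_GROUP, our_sources)
    print("covered:", sorted(covered))
    print("gaps:", sorted(gaps))
    print("mitigations to prioritize:", prioritized_mitigations(gaps))
    print(json.dumps(navigator_layer("Hypothetical group coverage", covered, gaps), indent=2))
```

With the constructed inventory, Remote Services (T1021) comes out as the one gap, because neither Logon Session nor Network Traffic telemetry is available; the printed JSON can be saved and opened in Navigator's "Open Existing Layer" dialog to visualize the result against the full matrix.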
How does MITRE ATT&CK help cyber threat intelligence?
We’ve thus far focused a lot on security defense teams – now it’s time to focus on intelligence teams.
Using ATT&CK can help cyber intelligence experts in two key ways:
1. Standardizing language
The standardization of language and massive database of threat actors/techniques allows CTI operatives to talk to each other about relevant threats in that shared language we mentioned earlier.
When sharing information between parties, within the business or without, utilizing this taxonomy will keep your naming and describing of threats consistent. If you see particular activity occurring in your sector, you can call it a particular name within your intelligence report, and everyone who reads it should know precisely what you mean (and what actions they must take).
2. Track threats over time
Instead of waiting for the next tech outlet to report major changes within known threat groups, you can use ATT&CK to keep tabs on the biggest threats to your business. Who are they, what do they do, and what techniques are they using? How have those changed over time? Can you see a trend? Is the risk increasing, or decreasing?
Use Navigator to keep tabs on specific threats, and watch how they change.
How to use MITRE ATT&CK
This article has covered, broadly, everything you need to know to understand MITRE ATT&CK and how it might apply to your business.
Now it’s time to put that knowledge into practice. Contact us today.