
How MITRE’s ATT&CK framework helps security teams map adversary behavior

Today’s columnist, Deborah Watson of Proofpoint, offers insights on how the MITRE ATT&CK framework helps security teams better understand adversary behaviors. (Credit: The MITRE Corporation)

The MITRE ATT&CK knowledge base provides a solid foundation of adversary tactics and techniques that have been observed and documented. The latest update, MITRE ATT&CK version 9, published in April 2021, introduces 16 new Groups and 67 new pieces of software, along with updates to 36 Groups and 51 software entries.

The MITRE ATT&CK framework originated from MITRE's Fort Meade eXperiment (FMX), research that investigated using endpoint telemetry to improve post-compromise detection. It’s helpful to explore MITRE ATT&CK framework use cases, common pitfalls, and recommendations for use.

ATT&CK Use Cases:

Red Teaming: Apply an adversarial mindset to create red team plans and organize attacks to avoid defensive measures.

Behavioral Analytics Development: Organizations can develop options to look past existing indicators of compromise (IoCs) to detect adversarial behavior within an environment.

Defensive Gap Assessment: Determine gaps in technical capabilities for mitigation and detection in relation to ATT&CK tactics, techniques, and procedures (TTPs).

SOC Maturity Assessment: A defensive gap assessment focuses on technical capabilities, and MITRE differentiates the maturity assessment by measuring SOC processes.

Cyber Threat Intelligence Enrichment: ATT&CK provides documentation of adversarial group profiles in relation to common behaviors to support defense mapping.

ATT&CK Navigator

There are many ATT&CK resources, including STIX, Excel, Workbench, Python Utilities, and Navigator. The web-based ATT&CK Navigator tool allows the development of visual representations of defense coverage, which organizations can use for red/blue team planning, gap analysis, and tracking ATT&CK technique frequency. Security teams commonly use ATT&CK Navigator to develop heat maps of cybersecurity product defense coverage.

Common Pitfalls

The MITRE ATT&CK framework can benefit organizations performing gap assessments, provided they understand how security teams would actually use it. Many organizations attempt to replace their existing risk assessment frameworks with MITRE ATT&CK. ATT&CK is not a risk framework and was never intended to replace common cybersecurity frameworks traditionally used to improve defenses and manage risk, such as NIST Cybersecurity Framework, CIS CSC, and COBIT.

Many other organizations also use ATT&CK Navigator to develop a map of their current product coverage. It’s not uncommon for organizations to ask their vendors to provide mappings for their products to MITRE ATT&CK. At the outset, this may seem like a logical exercise to complete, as a heat map provides useful visual information when security teams understand the context well. However, mapping vendor products raises a myriad of questions.

If a vendor maps their product to an enterprise technique, does this mean all sub-techniques are defended? Are all platforms protected? Does the product provide mitigation or detection? Did we implement the feature that provides mitigation or detection? How should I prioritize the gaps?

These are just a few of the questions that organizations must ask themselves once they map their cybersecurity products. The answers are not found within the MITRE ATT&CK framework because MITRE did not intend to address these factors. Companies are expected to already have existing processes in place.

Use MITRE ATT&CK the ‘Right Way’
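One way to keep those questions attached to a vendor mapping instead of losing them in a heat map, as an added example that is not from the column or from MITRE's tooling: it scores each tracked sub-technique from exact, deployed claims only, per platform, and emits an ATT&CK Navigator layer. The product names, claims, scoring rule and helper names are constructed assumptions.

```python
import json

# Constructed sample data, not real vendor mappings.
IN_SCOPE = ["T1566.001", "T1566.002", "T1566.003", "T1598.003"]  # IDs the team tracks
ORG_PLATFORMS = {"Windows", "macOS"}                             # platforms in use
CLAIMS = [
    {"product": "mail-gw", "id": "T1566", "platforms": ["Windows", "macOS"],
     "kind": "detect", "deployed": True},      # parent-level claim only
    {"product": "mail-gw", "id": "T1566.001", "platforms": ["Windows"],
     "kind": "mitigate", "deployed": True},
    {"product": "edr", "id": "T1566.002", "platforms": ["Windows", "macOS"],
     "kind": "detect", "deployed": False},     # licensed, feature not switched on
]

def assess(tid, claims, org_platforms):
    """Return (score 0-100, comment) for one technique ID (hypothetical scoring rule)."""
    exact = [c for c in claims if c["id"] == tid]
    live = [c for c in exact if c["deployed"]]
    covered = set().union(*(c["platforms"] for c in live)) & org_platforms
    notes = []
    parent = tid.split(".")[0]
    # A claim against the parent technique is not evidence for a sub-technique.
    if not exact and tid != parent and any(c["id"] == parent for c in claims):
        notes.append("parent-level claim only, sub-technique not verified")
    notes += [f"{c['product']}: {c['kind']} feature not deployed"
              for c in exact if not c["deployed"]]
    if live and org_platforms - covered:
        notes.append("no coverage on " + ", ".join(sorted(org_platforms - covered)))
    if live:  # record whether the coverage is detection, mitigation, or both
        notes.append("provides: " + "+".join(sorted({c["kind"] for c in live})))
    score = round(100 * len(covered) / len(org_platforms))
    return score, "; ".join(notes) or "no claim"

def build_layer(name, in_scope, claims, org_platforms):
    """Build a dict using ATT&CK Navigator layer field names."""
    techniques = []
    for tid in in_scope:
        score, comment = assess(tid, claims, org_platforms)
        techniques.append({"techniqueID": tid, "score": score, "comment": comment})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Scored per sub-technique from deployed features only",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 100},
    }

if __name__ == "__main__":
    print(json.dumps(build_layer("coverage-demo", IN_SCOPE, CLAIMS, ORG_PLATFORMS), indent=2))
```

The comments travel with each cell of the layer, so the reason behind a low score stays visible next to the colour.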

MITRE ATT&CK and ATT&CK Navigator are beneficial when an organization has processes to support their use. First and foremost, MITRE ATT&CK was not intended to replace NIST CSF and other risk frameworks, nor was it intended to replace NIST 800-53 and other control frameworks used to assess cybersecurity maturity and capability state. Instead, the information from ATT&CK should supplement the use of existing risk frameworks and controls. Using the frameworks together lets organizations determine if their capabilities can defend against common behaviors.

MITRE notes that Phishing for Information operates differently from phishing in that the bad actors want to gather data from the victim rather than execute malicious code. Mitigations for this technique include M1054 Software Configuration and M1017 User Training. The description of M1054 points to anti-spoofing and authentication to mitigate phishing for information. These are foundational mitigations; however, today's adversaries are evolving. There is no reference to advanced phishing defenses.

By design, there’s a significant gap in the framework's preventive techniques. MITRE ATT&CK deprecated PRE-ATT&CK, the pre-compromise adversary behavior matrix, due to lack of adoption and contributions. While MITRE did integrate some pre-compromise techniques into ATT&CK, the matrices are now wholly focused on post-compromise behavior on enterprise systems.

MITRE's recent beta release of D3FEND promises to answer feedback calling for a model that can precisely specify cybersecurity countermeasure components and capabilities. Further advancements are still needed, but the MITRE team hopes that additional development will drive more use of D3FEND to perform cybersecurity solution mapping. Until then, ATT&CK has emerged as the best solution for mapping adversary behavior, provided that organizations recognize its scope and limitations.

Deborah Watson, Resident CISO, Proofpoint
