Over the last decade, the MITRE ATT&CK knowledge base has been widely adopted by thousands of security defenders, ultimately forming a strong community for ATT&CK users. Security teams have leveraged ATT&CK to experiment in enterprises, build and release open-source tools, as well as incorporate it into commercial products and services. More importantly, ATT&CK has become a common language that addresses a long-standing cybersecurity challenge: the industry’s focus on the vulnerability-centric approach.

Unfortunately, this approach has not allowed cyber defenders to get ahead of threats and vulnerabilities that persist. The industry still has a constant struggle of finding, fixing, and patching vulnerabilities to prevent exploitation or zero-days. The industry needs a different approach – one in which cyber defenders can really understand the underlying behaviors that adversaries use to achieve their objectives and use that understanding to assess, shape, and test their defenses rather than chasing endless vulnerabilities.

Chasing vulnerabilities vs. understanding adversaries

Vulnerabilities and adversary techniques are very different. The sheer volume and velocity of new vulnerabilities all but assure that even the largest and best-resourced organizations will find it difficult to keep all their systems fully patched. In contrast, the relatively small number and modest growth rate of adversary techniques and sub-techniques in ATT&CK make them a far more practical and sustainable means of organizing one’s defenses.

ATT&CK goes beyond vulnerabilities; most of the publicly reported adversary behaviors in ATT&CK would work on systems that are 100% patched against all known CVEs. Once they have achieved initial access, adversaries become users, albeit unauthorized ones, of the very same systems legitimate workers are using. At this point they begin to “live off the land,” using the tools, resources and connections that exist to support the operations of the enterprise, but turning those same resources toward their own malign objectives.

Put a lens on what’s important

While it’s essential to understand vulnerabilities, companies also need to take a threat-informed defense approach to assess, organize, and optimize defenses. By systematically applying a deep understanding of adversary tradecraft and technology, and by viewing the enterprise through the lens of an adversary, a security team gains critical insights into how to prioritize its security operations and investments. That shift in perspective helps the team see more clearly how a skilled adversary would use the enterprise’s resources against the company.

The ATT&CK knowledge base serves as a critical element of threat-informed defense, providing the common language to describe those behaviors, but it’s only the start. Much of the value of threat-informed defense comes from relating adversary behaviors in ATT&CK with the rest of an enterprise’s security context. That context can range from the specific threat groups that target similar organizations, to defenses currently in place, to the efficacy of those defenses based on testing and even includes specific vulnerabilities that enable adversary behaviors. This makes it essential to bridge between relevant adversary behaviors and the defenses in place to stop (or at least detect) them.

Mind the gaps

Leveraging threat-informed defense can unlock important insights into the current security posture of the enterprise. By basing analysis on known adversary behaviors, the process of identifying meaningful gaps in enterprise defenses becomes far more tractable than conventional compliance approaches alone. The relatively small number of adversary behaviors makes it possible to map them to the team’s set of mitigating controls in frameworks such as NIST 800-53, CIS, or CMMC, as well as to the protection, detection and response capabilities provided by the cybersecurity tools the team has deployed.

Moreover, a threat-informed approach provides clear benchmarks for evaluating existing controls and capabilities. With greater transparency into specific adversary behaviors, the team now has a roadmap for how to begin evaluating the ability of its fielded defenses to protect against, detect or respond to those behaviors. Ideally, the team can implement a continuous testing program to automatically verify that company defenses continue to operate as expected.
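As an added illustration of the mapping and evaluation described above (example code, not from the article or from Tidal Cyber), the following script ranks coverage gaps from constructed threat-group, control and test data: the technique IDs are real ATT&CK identifiers, but every group-to-technique list, control mapping and test result is an assumption made up for the example.

```python
from collections import Counter

# Constructed sample data, not from the article: techniques reported for threat
# groups that target organizations like ours (ATT&CK technique IDs).
THREAT_GROUPS = {
    "GroupA": ["T1566", "T1059", "T1003", "T1021"],
    "GroupB": ["T1566", "T1078", "T1003", "T1055"],
    "GroupC": ["T1059", "T1003", "T1021"],
}
# Constructed mapping of techniques to fielded mitigating controls (labels in
# NIST 800-53 style) and to the detection analytics the SOC has deployed.
MITIGATIONS = {"T1566": ["SI-8"], "T1059": ["CM-7"], "T1078": ["AC-2"], "T1021": ["AC-17"]}
DETECTIONS = {"T1059": ["cmdline_analytic"], "T1003": ["lsass_access"], "T1078": ["anomalous_login"]}
# Constructed results of the continuous testing program: True means the
# analytic fired when the behavior was emulated in the last test run.
TEST_RESULTS = {"cmdline_analytic": True, "lsass_access": False, "anomalous_login": True}


def coverage_score(technique, mitigations, detections, test_results):
    """Score 0..3: +1 mitigated, +1 a detection exists, +1 that detection passed a test."""
    score = 1 if mitigations.get(technique) else 0
    analytics = detections.get(technique, [])
    if analytics:
        score += 1
        # An untested or failing analytic is not evidence of real coverage.
        if any(test_results.get(a, False) for a in analytics):
            score += 1
    return score


def prioritized_gaps(groups, mitigations, detections, test_results):
    """Rank techniques: weakest coverage among the most widely used behaviors first."""
    prevalence = Counter(t for techs in groups.values() for t in set(techs))
    rows = []
    for technique, groups_using in prevalence.items():
        score = coverage_score(technique, mitigations, detections, test_results)
        rows.append({"technique": technique, "groups": groups_using,
                     "coverage": score, "priority": groups_using * (3 - score)})
    return sorted(rows, key=lambda r: (-r["priority"], -r["groups"], r["technique"]))


if __name__ == "__main__":
    for r in prioritized_gaps(THREAT_GROUPS, MITIGATIONS, DETECTIONS, TEST_RESULTS):
        print(f"{r['technique']}: used by {r['groups']} group(s), "
              f"coverage {r['coverage']}/3, priority {r['priority']}")
```

With this data the top gap is credential dumping (T1003): every sampled group uses it and its only analytic failed its last test, so it outranks behaviors that are merely unmitigated.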

While threat-informed defense can deliver significant improvements in an enterprise’s security posture relative to the resources invested, it’s not a substitute for good cyber hygiene. Organizations still need to identify their assets, manage their configurations and patch exploitable vulnerabilities in their systems. Threat-informed defense doesn’t obviate the need for those foundational activities, but it does offer a critically important means to assess, prioritize, and measure their effectiveness. Threat-informed defense, when applied systematically within an enterprise, can significantly increase visibility into the effectiveness of the currently deployed defenses and delivers a clear roadmap for improving those defenses over time.

Richard Struse, co-founder and CTO, Tidal Cyber