Getting Value with the MITRE ATT&CK Framework

In 2013, researchers at MITRE Corporation published the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This framework describes how attackers operate within an organization and offers a common language for describing these attacks. The framework describes both adversaries’ behaviors and their attempts to compromise systems and provides a set of indicators for measuring the effectiveness of security measures.

Recent ESG Research found that the MITRE ATT&CK framework has grown in popularity to the point that nearly nine in ten organizations use it today. As SOC managers look into the future, they see even greater MITRE utilization. 97% of security professionals believe that MITRE ATT&CK (and derivative projects) will be critically important to their organization’s security operations strategy.

If you missed our recent webinar, here’s an excerpt on how to explain Mitre ATT&CK to executives: 

Or check out our “What is the Mitre ATT&CK Framework” resource for an in-depth overview.

Seeing the Big Picture with the Mitre ATT&CK Framework

Breaches are inevitable. Anyone who tells you otherwise probably has a bridge for sale as well.

The reality is that breaches happen—and often multiple times. Our Cybersecurity Insights report showed that no industry is safe as even with increased investment, most businesses (87%) have fallen victim to successful cyberattacks in the past three years that resulted in damage, disruption, or a breach to their businesses.

As an organization’s attack surface grows, it provides more opportunities and vulnerabilities for attackers to exploit. Adversaries continuously improve their stealth and TTPs to bypass existing security controls, a reality that is forcing organizations to change how they approach threat detection and response.

MITRE ATT&CK helps organizations understand the bigger picture by shifting their focus away from just looking at IP addresses and domains to one that illuminates the threat within the context of an organization’s overall cybersecurity posture.

With MITRE ATTACK, organizations are creating more secure futures by detecting incoming attacks and identifying and mitigating them before they cause damage.

The ATT&CK framework helps security professionals with their daily technical analyses, making them better at what they do. When used to its full potential, MITRE ATT&CK can help security executives gain better value from existing technologies, including threat intelligence platforms (TIPs), SIEMs, and other security analytics tools.

Using ATT&CK to Understand Gaps

ATT&CK helps organizations establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. 

By using the MITRE ATT&CK framework to apply contextualization to security postures and controls, organizations can quickly identify weaknesses within their security ecosystems. 

Security leaders should use the ATT&CK framework with threat intelligence to validate their security tools and programs and determine the most prevalent threats in their environment. By understanding where their most significant risks lie, organizations can prioritize their threat mitigation efforts, assess the effectiveness of their current cybersecurity measures, and identify opportunities for cost savings. This leads to greater efficiencies, increased productivity, and better defense capabilities.

Applying Cyber Threat Intelligence with MITRE ATT&CK

ATT&CK and threat intelligence can be a powerful combination, as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&CK that they have been known to utilize. This allows defenders to apply insights against operational controls to see their strengths and weaknesses against certain threat actors.

By leveraging threat intel to enrich existing knowledge about threat actors by connecting their attacks, behavior, and tactics from specific threat actor campaigns, you’ll gain a richer understanding of attacker capabilities and intentions.

The intelligence creation process can also benefit from using the common vocabulary of ATT&CK. As mentioned, this can apply to actors and groups and observed behaviors as seen from the SOC or incident response activities. Malware can also be referred to in terms of behaviors via ATT&CK. Tools supporting ATT&CK can help make this process straightforward and consistent.

Standardizing on ATT&CK references can dramatically improve efficiency and ensure shared understanding. This makes disseminating intelligence to operations or management much more manageable when all parties speak the same language around adversarial behaviors. 

Using ATT&CK to Better Understand Adversaries

The ATT&CK framework is one of the most widely adopted frameworks for analyzing malicious behavior and helping security professionals understand how attackers operate.

While blocking or detecting attacks based on the techniques used is essential, it is equally important to understand what the technique does and how it works. By doing this, you can identify potential weaknesses in your environment and take appropriate measures to strengthen them.

It’s equally important to understand both the techniques themselves and how attackers use them. If an attacker has pivoted to another target using stolen credentials, you must figure out why he did so. Is it because they don’t have access to the necessary tools to exploit a web server application’s remote code execution vulnerability? Or do they prefer to leverage credentials over exploits because it gives them greater flexibility and stealthiness?

Understanding why attackers behave the way they do helps you identify the risks associated with their actions and what mitigation measures need to be taken to reduce the likelihood of successful attacks.

The ATT&CK framework provides an in-depth knowledge base of attack intelligence – making it more straightforward to apply these to investigations. Organizations can form conclusions based on verified data and structure to improve prioritization and remediation strategies based on observations from real-world activity.

Understanding Your Relevant Threat Landscape

In addition to providing a detailed view of attacker behavior, the ATT&CK framework helps organizations build a complete picture of their threat landscape by identifying the tactics, techniques, and procedures used by different threat actors and mapping out their relationships with each other.

This enables organizations to correlate events from different data streams, including emails, social network posts, and even malware, to understand the threats they face and their potential impact.

For example. An organization wants to know where a specific threat group is attacking its targets. You could use the ATT&CK framework to look up “targeting.” Once the tactics are identified, an analyst could drill down further to identify the specific techniques used by each technique. In this case, the TTPs may include phishing emails, spearphishing emails, watering hole attacks, etc. After reviewing the specific tactics, techniques, and procedures (TTPs) used by the threat group, an analyst can decide if they fit the profile of the attack and take action against the threats posed by that group.

By leveraging ATT&CK, organizations identify the specific threat groups targeting them. They can look at the TTPs used by those groups and use the insights to look at specific TTPs that specific threat actors use. This allows security teams to prioritize and plan remediation efforts based on observed attacks.

Anomali and MITRE 

In 2021, Anomali joined MITRE Engenuity’s Center for Threat-Informed Defense to collaborate on the Attack Flow Project to better understand adversary behavior and improve defensive capabilities. This partnership culminated with the public release of the project in March 2022.

The Attack Flow project will provide context around adversary behavior and help security teams expertly profile the adversary and visualize attack patterns. It will also enable them to protect the organization against potential threats better before an attack, detect it in real-time, and respond post-attack.

Why Analysts Should Use Threat Frameworks

Understand Context:

A framework helps an organization better identify the context of a cyber attack and determine whether they’re at risk. With the latest vulnerability or breach making its way around, risk management frameworks can help organizations assess their current level of exposure and quickly respond to the question everyone wants to ask: “Are we impacted?”

Improve Efficiencies:

A further reason for adopting an agile approach is to improve organizational efficiency by allowing all teams to benefit from successful projects immediately. Security teams are already stretched thin, making it difficult to defend against every threat. Frameworks are scalable for all organizations, from small security operations centers to large enterprises with dedicated threat hunting teams, incident response teams, red teaming teams, and blue teams.

Visualize the Threat Landscape

Finally, by visualizing the threats in real-time, analysts can map them to their footprints on the framework to reduce their scope of the investigation to only what is relevant to their organization’s security posture and vulnerability profile.

ESG Research Findings

ESG Research found that MITRE ATT&CK has become instrumental in various security operations processes to defend against advanced threats. Of those organizations embracing the MITRE ATT&CK framework,  35% use MITRE to better understand cyber adversaries’ tactics, techniques, and procedures.

Using the ATT&CK framework, organizations can quickly identify weaknesses within their security ecosystems to increase defensive activities against potential attacks.

Download the ESG research to learn more.

Learn more about MITRE ATT&CK.