What is the MITRE ATT&CK Framework?
MITRE ATT&CK is a framework that organizes and categorizes the tactics, techniques and procedures that threat actors use against digital environments, helping organizations identify gaps in their cyber defenses. The basis for MITRE ATT&CK came from Lockheed Martin’s Cyber Kill Chain.
The framework aims to compile a detailed catalog of documented adversary tactics and techniques that have been observed in real cyberattacks. Because it is freely accessible to educational, government and commercial organizations, it can accumulate a large and thorough record of attack stages and sequences.
All of the data gathered regarding attacks is organized into matrices such as mobile, enterprise and pre-attack matrices. Each matrix is broken down into a number of different tactics. Every tactic is subdivided into techniques that correspond to the different types of attacks. The following tactics are included in the Enterprise Matrix, for example:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
What are some of the different ways a business might use the MITRE ATT&CK?
- Adversary Emulation – MITRE ATT&CK can be used to build adversary emulation plans that test and validate defenses against commonly observed adversary tactics and techniques
- Red Teaming – MITRE ATT&CK can be used to build red team plans and coordinate operations that exercise whatever defensive measures are in place within a network
- Behavioral Analytics Development – the framework helps to develop and test behavioral analytics that detect adversarial activity within the enterprise
- Defensive Gap Assessment – MITRE ATT&CK can serve as a common, behavior-focused adversary model for assessing the tools, monitoring and mitigations that make up an organization’s existing enterprise defenses
- SOC Maturity Assessment – how effectively the SOC detects, analyzes and responds to intrusions can be measured using MITRE ATT&CK
- Cyber Threat Intelligence Enrichment – the framework is useful for building and tracking attacker group profiles from a behavioral perspective, based on the techniques each group uses
What are the advantages of employing MITRE ATT&CK?
The two most significant advantages of MITRE ATT&CK are that it helps you truly understand attackers and their behavior, and that it shows the steps they will take to gain access to your network and complete whatever mission they have set for themselves. Not only can you gain a better understanding of defense, but the MITRE ATT&CK tactics and techniques will also help you understand offense. How does the attacker operate? What are they thinking? What steps must they take to achieve their goals? Knowing this will allow you to defend your network more effectively.
The MITRE ATT&CK framework is also particularly beneficial to junior security analysts who lack experience, and it can help organizations overcome some of their emerging cyber skills training challenges. It gives analysts a knowledge base and a reference to consult and say, “OK, here is what I’m seeing. Here’s what the industry says I should be on the lookout for, and how to protect myself.”
How to achieve compliance?
When performing a cybersecurity risk assessment, most organizations will first need to truly understand their own operations and business drivers. They will then need to prioritize their assets by importance and identify the internal systems that drive the business forward, as well as their intellectual property (IP). It is also critical to understand the implications of an attack on the organization’s business processes, systems, assets and data. In addition, organizations should identify what an attacker would want to gain if they were able to access the company.
Once organizations have identified the assets that are most valuable to them and most likely to be pursued by attackers, they move on to selecting the MITRE ATT&CK techniques that an attacker is likely to use to reach those key assets, taking into account the organization’s industry.
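As an added illustration of the assessment steps above (this is not Centraleyes code or the official ATT&CK data set), the following Python computes per-tactic detection coverage over a small matrix slice and lists the likely-but-undetected techniques, highest likelihood first. The technique IDs and names are real Enterprise ATT&CK entries; the likelihood ratings and the detection inventory are constructed sample input.

```python
# Added illustration, not Centraleyes code or the official ATT&CK data set.
# Technique IDs/names are real Enterprise ATT&CK entries; ratings and the
# detection inventory are constructed sample input.

# Constructed slice of the Enterprise matrix: tactic -> {technique ID: name}.
MATRIX = {
    "Initial Access":       {"T1566": "Phishing", "T1078": "Valid Accounts"},
    "Privilege Escalation": {"T1068": "Exploitation for Privilege Escalation"},
    "Defense Evasion":      {"T1027": "Obfuscated Files or Information"},
    "Credential Access":    {"T1003": "OS Credential Dumping"},
    "Lateral Movement":     {"T1021": "Remote Services"},
    "Command and Control":  {"T1071": "Application Layer Protocol"},
}
# Risk-assessment output: techniques judged likely against the key assets.
LIKELY = {"T1566": "high", "T1078": "high", "T1003": "high",
          "T1021": "medium", "T1071": "medium", "T1027": "low"}
# What the SOC can already detect, each mapped to technique IDs.
DETECTIONS = [
    {"name": "Mail gateway URL sandboxing", "techniques": ["T1566"]},
    {"name": "EDR alert on LSASS memory access", "techniques": ["T1003"]},
    {"name": "Proxy log beaconing analytic", "techniques": ["T1071"]},
]
RANK = {"high": 0, "medium": 1, "low": 2}

def covered_techniques(detections):
    """Technique IDs that at least one detection claims to cover."""
    return {tid for d in detections for tid in d["techniques"]}

def coverage_by_tactic(matrix, detections):
    """Per tactic: (techniques covered, techniques in the matrix slice)."""
    covered = covered_techniques(detections)
    return {tactic: (sum(tid in covered for tid in techs), len(techs))
            for tactic, techs in matrix.items()}

def prioritized_gaps(matrix, detections, likely):
    """Likely techniques with no detection, highest likelihood first."""
    covered = covered_techniques(detections)
    gaps = [(RANK[likely[tid]], tid, name, tactic, likely[tid])
            for tactic, techs in matrix.items()
            for tid, name in techs.items()
            if tid in likely and tid not in covered]
    return [g[1:] for g in sorted(gaps)]

if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(MATRIX, DETECTIONS).items():
        print(f"{tactic:<22} {hit}/{total} covered")
    for tid, name, tactic, prio in prioritized_gaps(MATRIX, DETECTIONS, LIKELY):
        print(f"GAP [{prio}] {tid} {name} ({tactic})")
```

A real assessment would load the full matrix and the organization’s detection inventory instead of the constructed slices, but the coverage and prioritization logic stays the same.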
As previously mentioned, the MITRE ATT&CK framework can be used for a variety of purposes. Centraleyes has adapted the framework as a Defensive Gap Assessment tool.
The platform provides a built-in questionnaire based on MITRE ATT&CK, containing about 300 questions, with integrated mapping to the NIST CSF framework. It gives organizations a simple, automated workflow for answering the questions, receiving real-time personalized scoring and generating automated reports that show where they are protected and where gaps remain.
Using the Centraleyes risk management platform allows organizations to manage their security and risk assessments while streamlining and simplifying the process during all stages of implementation.
Organizations that deploy Centraleyes save time and resources, and increase their cyber resilience in a world of ever-evolving risks. It is truly cyber risk management reimagined.