Engineering often boils down to creating meaning from chaos. The cybersecurity industry is constantly organizing and developing ways to ingest the overwhelming amount of data available to us to make it actionable. Whether it’s prioritized data about vulnerabilities, building control frameworks to guide other engineers about best practices, or cataloging every type of known cyberattack and their related tactics into a matrix, we crave curating data about observed security event characteristics to make acting on them easier and more effective.
MITRE is a not-for-profit think tank working in the public interest across federal, state, and local governments as well as industry and academia to bring new and innovative ideas to life. The organization developed the ATT&CK model as a “knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle.” It has been embraced by the security industry as a model for understanding attack behavior and for developing programs to defend against them.
In this Knowledge Guide we’ll look at what ATT&CK is and how it can be utilized by an organization to continually mature its security program to defend against the myriad techniques and phases of cyberattack.
What exactly is ATT&CK and how should a security practitioner use it?
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a framework consisting of a list of identified and defined techniques that an adversary would use to accomplish a defined tactic. The framework also includes ways of defending against each categorized adversary action, or tactic. Examples of such tactics include reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, etc. Techniques for the persistence tactic include browser extensions, account manipulation, pre-OS boot, traffic signaling, etc.
A not-for-profit organization, MITRE began developing the framework in 2013 and released it in 2015 with the goal of documenting and classifying adversary behaviors better. The community-driven knowledge base has kept the framework relevant and useful.
The MITRE ATT&CK framework should be used to anticipate and emulate adversary scenarios, to link and analyze patterns of suspicious, malicious activity, and to assess the efficacy of a SOC or a threat operations team to defend against specific adversary tactics and behaviors.
Is ATT&CK a framework similar to CIS, NIST, or HITRUST?
The ATT&CK framework is not the same kind of framework as the popular CIS, NIST, or HITRUST frameworks. While the MITRE framework is structured information meant to help clarify and organize attack techniques, it is not a framework that an organization can use as a checklist or to-do list in order to achieve better posture.
CIS, NIST, and HITRUST, among others, have specific industry-oriented controls and specifications for best practices and preventative measures that can be implemented. These frameworks are prescriptive in nature and can almost be applied like a checklist.
The ATT&CK matrix organizes and defines a taxonomy of attack techniques by type, target, and several other qualifiers, but it is not something that can act as a prescriptive tool by itself. According to McAfee, it “typically involves either manual mapping or integration with cybersecurity tools,” such as a SIEM, EDR, or CASB.
Utilizing ATT&CK data and schema in security tooling
Using MITRE ATT&CK with any security tool usually requires manual mapping. With a SIEM, that means mapping techniques from the framework to the aggregated log data; the resulting changes are then made in other security tools such as EDR or CASB. However, MITRE has developed some tools that make the ATT&CK model easier to use.
Cyber Analytics Repository (CAR), developed by MITRE, is a separate project that is more of a guide on actions to take against the tactics and techniques categorized in ATT&CK. This knowledge base can be implemented with tools like Splunk and EQL. According to MITRE’s own website, CAR analytics include:
- a hypothesis, or the idea of the analytic
- the information domain the analytic operates within
- ATT&CK techniques and tactics references
- a glossary
- a pseudocode description of implementation
- a unit test that can trigger the analytic
Another tool MITRE developed, ATT&CK Navigator, allows for annotation and exploration of ATT&CK matrices. It is a simple visualization tool to help with defense planning and with identification of frequently used techniques. Navigator lets users define custom views, or layers, of a matrix; a layer can be built by hand in the interface or generated by code, and MITRE provides sample code that produces already built-out layers.
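To show how the CAR pieces listed above (hypothesis, information domain, ATT&CK references, implementation, unit test) fit together, and how the results feed a Navigator layer, here is an added Python example. It is not MITRE, CAR or Navigator code: the analytic ids (EX-001, EX-002), the hypotheses, the detection logic and the sample events are all constructed for illustration, and the layer version numbers are assumed. Only the technique ids (T1098 Account Manipulation, T1176 Browser Extensions) come from the public ATT&CK catalog.

```python
"""Added example: a CAR-style analytic mapped to ATT&CK techniques, run over
constructed endpoint events, and summarised as an ATT&CK Navigator layer.
Not MITRE code; analytic ids and log records are made up for illustration."""
import json
from dataclasses import dataclass
from typing import Callable

Event = dict


@dataclass
class Analytic:
    """The parts of a CAR entry the guide lists: hypothesis, information
    domain, ATT&CK references, the implementation (CAR gives pseudocode; here
    it is a Python callable) and a unit-test record that must trigger it."""
    analytic_id: str            # hypothetical id, not a real CAR id
    hypothesis: str
    domain: str                 # e.g. "host" or "network"
    tactic: str
    techniques: list[str]       # ATT&CK technique ids from the public catalog
    detect: Callable[[Event], bool]
    unit_test: Event


def local_group_member_added(ev: Event) -> bool:
    """Account Manipulation (T1098): a process adds a member to a local group."""
    cmd = ev.get("cmdline", "").lower()
    return ev.get("event") == "process" and "localgroup" in cmd and "/add" in cmd


def browser_extension_registry_write(ev: Event) -> bool:
    """Browser Extensions (T1176): a registry write under a browser extension
    path. The substring match is a deliberate simplification."""
    key = ev.get("key", "").lower()
    return ev.get("event") == "registry" and "\\chrome\\extensions\\" in key


ANALYTICS = [
    Analytic(
        analytic_id="EX-001",
        hypothesis="Adversaries add accounts to privileged local groups to persist.",
        domain="host",
        tactic="persistence",
        techniques=["T1098"],
        detect=local_group_member_added,
        unit_test={"event": "process",
                   "cmdline": "net localgroup administrators svc_test /add"},
    ),
    Analytic(
        analytic_id="EX-002",
        hypothesis="Adversaries persist by registering browser extensions via the registry.",
        domain="host",
        tactic="persistence",
        techniques=["T1176"],
        detect=browser_extension_registry_write,
        unit_test={"event": "registry",
                   "key": "HKLM\\Software\\Google\\Chrome\\Extensions\\abc"},
    ),
]

# Constructed sample events in the normalised shape a SIEM might hold.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process", "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "ws01", "event": "process", "cmdline": "net localgroup administrators"},
    {"host": "ws02", "event": "registry", "key": "HKLM\\Software\\Google\\Chrome\\Extensions\\fakeid"},
    {"host": "ws03", "event": "process", "cmdline": "whoami"},
]


def self_test(analytics: list) -> bool:
    """Every analytic must fire on its own unit-test record, as CAR intends."""
    return all(a.detect(a.unit_test) for a in analytics)


def run_analytics(events, analytics) -> dict:
    """Map analytic id -> the events that triggered it."""
    hits = {a.analytic_id: [] for a in analytics}
    for ev in events:
        for a in analytics:
            if a.detect(ev):
                hits[a.analytic_id].append(ev)
    return hits


def technique_scores(hits, analytics) -> dict:
    """Count fired events per ATT&CK technique; this is what a layer scores."""
    scores = {}
    for a in analytics:
        for t in a.techniques:
            scores[t] = scores.get(t, 0) + len(hits[a.analytic_id])
    return scores


def to_navigator_layer(scores, name) -> dict:
    """Build a dict in the Navigator JSON layer shape. The version numbers are
    assumed; match them to the Navigator build the layer is loaded into."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Technique score = number of events that fired a mapped analytic.",
        "techniques": [{"techniqueID": t, "score": s, "comment": f"{s} event(s)"}
                       for t, s in sorted(scores.items())],
    }


if __name__ == "__main__":
    assert self_test(ANALYTICS)
    hits = run_analytics(SAMPLE_EVENTS, ANALYTICS)
    layer = to_navigator_layer(technique_scores(hits, ANALYTICS), "constructed coverage")
    print(json.dumps(layer, indent=2))
```

The self-test is the CAR idea of a unit test that can trigger the analytic: a detection that fails its own test is never deployed. Writing the layer as JSON and loading it into Navigator gives the frequency view of techniques that the guide describes, with the score per technique driven by the SIEM events rather than entered by hand.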
MITRE ATT&CK training
In 2021, MITRE Engenuity created a training and certification program called MITRE ATT&CK Defender (MAD). Based on a comprehensive survey, while 82% of security professionals were familiar with ATT&CK, only 8% used it regularly, even though proficiency in it is widely desired by employers.
Because ATT&CK is constantly updated by the industry, the MAD certifications require recertification to confirm continued proficiency in the framework. Thus far, two MAD certifications are available: ATT&CK Cyber Threat Intelligence and ATT&CK Security Operations Center Assessment.