What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a knowledge base of adversary behaviour, built from publicly reported intrusions. It breaks offensive activity down into discrete, classified actions.

Every intrusion proceeds through a sequence of steps. ATT&CK organizes these steps into tactics and techniques, which supplies both the detail of each step and the context in which it occurs. Red teams can use this information to understand how techniques are used in practice; defenders can use the same information to understand the context of an action and the artifacts it leaves behind.

Tactics

Consider tactics the “why” part of the ATT&CK equation: a tactic describes the adversary’s objective in performing an action. Tactics therefore serve as the contextual categories into which individual attack techniques are grouped.

The Enterprise ATT&CK framework describes 14 tactics:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

MITRE also maintains an ATT&CK matrix for Mobile, and a separate matrix for ICS (industrial control systems).

Techniques

Techniques describe “how” an adversary achieves a tactical objective. For each tactic there are multiple techniques that reach the same objective, and many techniques are further split into sub-techniques (for example, T1059 Command and Scripting Interpreter has the sub-technique T1059.001 PowerShell). Adversaries must either employ these known techniques or expend considerable resources developing novel ones.

Why is it important?

The ATT&CK framework can improve capabilities in several domains. Most importantly, because the information in the framework is public, defenders can evaluate their current detection capabilities against it. To uncover weak spots, adversary emulation or a red team engagement can test specific techniques. Cyber threat intelligence complements both by identifying emerging adversaries and the techniques they use.

Evaluate current defenses

To detect suspicious behaviour you need to be able to monitor your systems, and the ATT&CK framework can guide where that monitoring is needed. Each technique lists the data sources that can provide visibility into it: a data source describes the information that identifies the action being performed, the sequence of actions, or the results of those actions.

With an established baseline, the next step is to run test cases. An easy way to do that is an open source project such as Atomic Red Team, which provides small test cases aligned with ATT&CK techniques.

To establish measurable defence capabilities, the ATT&CK Navigator can be used to map out coverage technique by technique. Once coverage is mapped, improvements can be prioritized, ideally driven by feedback from threat intelligence.

Improve detection capabilities

Threat intelligence is about knowing your adversaries: you want to stay ahead of emerging threats and techniques.

Mapping known incidents to the ATT&CK framework is a good start. Combine this with a map of your organization’s detection capabilities; the resulting overlay highlights the techniques that should be prioritized for improvement.

Adversary emulation

Adversary emulation mimics a known threat to an organization. Ideally, threat intelligence is used to define which actions and behaviours to replicate. Mapping such a campaign to the ATT&CK framework provides a few benefits.

First of all, the steps can be clearly communicated before the test. After the test the map can be updated with which techniques were run successfully and which ones were not.

Working together with threat intelligence can further improve the results. Taking attacks from real-world adversaries can turn threat intel into effective adversary emulation tests.
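As an added example (not code from the original article or from MITRE), the following Python script ties the three preceding sections together: it takes a constructed mapping of detection rules to technique IDs (the coverage baseline), a constructed set of past incidents mapped to techniques (the threat-intelligence overlay), and the results of a constructed adversary-emulation run, then ranks the gaps and emits an ATT&CK Navigator layer that colours each technique by status. The technique IDs and names are real Enterprise ATT&CK identifiers; the rule names, incident IDs, emulation results and the version strings written into the layer are assumptions.

```python
import json

# Technique IDs/names are real Enterprise ATT&CK identifiers; everything else
# in this file (rule names, incidents, emulation results) is constructed.
TECHNIQUES = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1082": "System Information Discovery",
    "T1567.002": "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
}

# Detection rules the SOC claims to have, mapped to the techniques they cover.
DETECTIONS = {
    "ps-scriptblock-suspicious": ["T1059.001"],
    "lsass-handle-access": ["T1003.001"],
    "schtasks-created-by-office": ["T1053.005"],
}

# Past incidents (threat intelligence) mapped to the techniques observed.
INCIDENTS = {
    "INC-2023-07": ["T1059.001", "T1003.001", "T1021.002"],
    "INC-2023-11": ["T1059.001", "T1082", "T1567.002"],
}

# Adversary-emulation run: technique -> did any detection fire? (absent = not run)
EMULATION = {
    "T1059.001": True,
    "T1003.001": False,  # rule exists but stayed silent: claimed coverage is wrong
    "T1021.002": False,
    "T1082": False,
}


def claimed_coverage(detections):
    """Invert rule->techniques into technique->rules."""
    cov = {}
    for rule, tids in detections.items():
        for tid in tids:
            cov.setdefault(tid, []).append(rule)
    return cov


def observed_frequency(incidents):
    """Count in how many incidents each technique was seen."""
    freq = {}
    for tids in incidents.values():
        for tid in set(tids):
            freq[tid] = freq.get(tid, 0) + 1
    return freq


def classify(tid, coverage, freq, emulation):
    """Status of one technique derived from the three inputs."""
    claimed = tid in coverage
    if tid in emulation:
        if emulation[tid]:
            return "verified"        # a detection fired during emulation
        return "claimed-failed" if claimed else "gap"
    if freq.get(tid, 0) and not claimed:
        return "gap"                 # adversaries use it, nothing maps to it
    return "claimed" if claimed else "unobserved"  # claimed = mapped but untested


RANK = {"claimed-failed": 3, "gap": 2, "claimed": 1, "unobserved": 0, "verified": -1}


def prioritize(techniques, detections, incidents, emulation):
    """Rank techniques: confirmed failures first, then untested gaps, each
    ordered by how often threat intel has seen the technique."""
    cov, freq = claimed_coverage(detections), observed_frequency(incidents)
    rows = [(t, classify(t, cov, freq, emulation), freq.get(t, 0)) for t in techniques]
    rows.sort(key=lambda r: (RANK[r[1]], r[2]), reverse=True)
    return rows


STATUS_COLOR = {
    "verified": "#31a354", "claimed": "#a1d99b", "claimed-failed": "#de2d26",
    "gap": "#fd8d3c", "unobserved": "#f0f0f0",
}


def navigator_layer(rows, name="Detection coverage vs. observed adversaries"):
    """Build an ATT&CK Navigator layer (Enterprise domain) that colours each
    technique by status and scores it by incident count. Field names follow
    the Navigator layer file format; the version strings are assumptions to
    be adjusted to the Navigator and ATT&CK release in use."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example: colour = detection status, score = incidents",
        "techniques": [
            {"techniqueID": t, "score": seen, "color": STATUS_COLOR[status],
             "comment": f"{status}; seen in {seen} incident(s)", "enabled": True}
            for t, status, seen in rows
        ],
        "legendItems": [{"label": s, "color": c} for s, c in STATUS_COLOR.items()],
    }


if __name__ == "__main__":
    ranked = prioritize(TECHNIQUES, DETECTIONS, INCIDENTS, EMULATION)
    for t, status, seen in ranked:
        print(f"{t:<10} {status:<15} incidents={seen}  {TECHNIQUES[t]}")
    print(json.dumps(navigator_layer(ranked), indent=2))  # save and open in the Navigator
```

Run it as a script and redirect the JSON into a file to open it in the Navigator. The ranking puts a technique whose rule existed but never fired during emulation (T1003.001 here) above techniques with no rule at all, because a false sense of coverage is the more dangerous state; techniques that are mapped but were never exercised stay marked as merely "claimed" until an emulation run confirms them.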

Summary

The MITRE ATT&CK framework provides a knowledge database of attacker behaviour. The strength lies in the different teams working together under this common terminology.

Furthermore, sharing information stands at the core of the ATT&CK framework. Without the public exchange of past incidents, the knowledge database would look quite slim.
