The history of cyberattacks dates back to the 1970s, when a self-replicating program called Creeper was identified and the first antivirus software, Reaper, was written to remove it. Since then, adversaries and defenders have been playing a cat-and-mouse game. As technological advancement accelerates the development of cyberattacks, threat detection mechanisms must evolve at the same pace.
In the early days, threat detection focused on identifying infections on user machines. Discovering viruses, worms and other malware was the top priority for defenders, and it revolved around matching known signatures. The threat landscape has changed immensely in recent years, however, and so has the detection approach it demands. Adversaries today aren’t working alone: they are organized, work in teams and have a clear motive for the desired outcome of their attacks. Stopping breaches requires a good understanding of the adversaries, including their motivations, their techniques and how they intend to target your organization. One way to obtain adversary information is through tactical and strategic threat intelligence.
Tactical threat intelligence provides indicators of compromise, while strategic threat intelligence helps you understand both the cybersecurity picture and the nuances of the world’s geopolitical situation. Even though these threat intelligence data points build an understanding of adversaries, a more unified approach is required. Organizations today are implementing a variety of frameworks to mature their security programs. MITRE ATT&CK is one such framework; it helps organizations comprehend the who, what and why of an adversary.
MITRE ATT&CK framework
The MITRE ATT&CK framework is a living, evolving knowledge base of common tactics, techniques and procedures used by adversaries. MITRE has defined three technology domains: Enterprise (traditional enterprise networks and cloud technologies), Mobile (mobile communication devices) and ICS (industrial control systems). An extract of the Enterprise ATT&CK matrix is illustrated below in Figure 1. The entire matrix is a collection of 227 techniques and can be accessed at Matrix – Enterprise | MITRE ATT&CK®.
Figure 1 MITRE ATT&CK Enterprise Matrix
ATT&CK catalogs adversary tactics, techniques and procedures, collectively known as TTPs. The model does not limit itself to the attack process itself; it also describes the software used by the adversary and the mitigation actions defenders can take to contain an attack.
Figure 2 MITRE ATT&CK Objects
The ATT&CK model comprises the following components, each describing an aspect of adversary behavior:
Tactics: These describe an adversary’s tactical goal, the “why” behind a technique or sub-technique.
Techniques / Sub-techniques: These define “how” an adversary achieves a tactical objective. Sub-techniques break the behavior described by a technique down into more specific descriptions.
Procedures: These are the specific implementations used by the adversaries for techniques or sub-techniques.
Groups: Groups are designated intrusion sets, threat groups, actor groups or campaigns that typically represent targeted, persistent threat activity.
Software: Adversaries use different kinds of software (malware and tools) during an intrusion. A piece of software can be an instantiation of a technique or sub-technique.
Detections: These are high-level analytical strategies related to processes, sensors and data used to find a (sub-)technique used by an adversary.
Mitigations: These are security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
Applications of ATT&CK
The use of the ATT&CK framework can be divided into three stages, as illustrated in Figure 3. Each stage is intended to raise the maturity of threat detection.
Figure 3 Three Stage ATT&CK Application
- Enrichment of cyber threat intelligence (CTI)
ATT&CK documents behavior profiles of adversary groups, which can be used to gather intelligence on the techniques a group employs. An incident report usually describes a single incident, whereas the ATT&CK model provides an in-depth overview of the techniques used across many incidents and by diverse adversary groups.
Defenders can start by gathering intelligence on the techniques that are commonly used by an adversary group on their radar. This exercise can be extended to involve other adversaries in the future. Through this approach, defenders can create a customized knowledge base that is relevant to their organization.
- Defense evaluation
ATT&CK can be used to create adversary emulation scenarios to evaluate and verify defenses against common adversary techniques. Defenders and hunting teams can use the profiles of the adversary groups that were shortlisted in the earlier step to align and improve defensive measures. MITRE CALDERA is a tool with a collection of ATT&CK TTPs that can be used for autonomous adversary emulation.
- Defensive gap assessment
ATT&CK can be used as a common, behavior-focused adversary model to assess the tools, monitoring and mitigations that make up an organization’s existing defenses. The outcome of the earlier evaluation activity should expose the gaps in those defenses, and the identified gaps can then be used to prioritize investments in the security program. Additionally, the maturity of the processes the defenders and hunting team use to detect, understand and respond to changing threats to their network can be assessed over time.
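The object model and the first and third application stages above can be worked through in code. MITRE distributes ATT&CK as STIX 2 JSON, in which techniques are `attack-pattern` objects, groups are `intrusion-set` objects, mitigations are `course-of-action` objects and `relationship` objects link them with `uses` and `mitigates`. The example below is added here and is not part of the original article or of MITRE's tooling; its bundle is a constructed miniature that mirrors that layout (the group name and its STIX ids are made up, the technique and mitigation IDs are real ATT&CK identifiers). It performs CTI enrichment (which techniques a group uses, grouped by tactic) and a gap assessment (which of those techniques have no detection, with ATT&CK's suggested mitigations for each).

```python
"""Map a small ATT&CK-style STIX 2 bundle onto the ATT&CK object model."""
import json

# Constructed sample bundle (not the real ATT&CK data set); mirrors the STIX 2 layout.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--sample-1", "name": "Spearphishing Attachment",
     "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--sample-2", "name": "PowerShell",
     "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "intrusion-set", "id": "intrusion-set--sample", "name": "Example Group"},  # constructed
    {"type": "course-of-action", "id": "course-of-action--sample", "name": "User Training",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--sample", "target_ref": "attack-pattern--sample-1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--sample", "target_ref": "attack-pattern--sample-2"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--sample", "target_ref": "attack-pattern--sample-1"},
]})


def attack_id(obj):
    """Return the ATT&CK external ID (T..., M...) of a STIX object, or None."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def load_bundle(text):
    """Split a bundle into an id->object index and a list of relationships."""
    objects = json.loads(text)["objects"]
    return ({o["id"]: o for o in objects if o["type"] != "relationship"},
            [o for o in objects if o["type"] == "relationship"])


def group_techniques(objs, rels, group_name):
    """CTI enrichment: technique IDs the named group 'uses', keyed by tactic (kill-chain phase)."""
    gid = next(i for i, o in objs.items() if o["type"] == "intrusion-set" and o["name"] == group_name)
    used = {}
    for r in rels:
        if r["relationship_type"] == "uses" and r["source_ref"] == gid:
            tech = objs[r["target_ref"]]
            for phase in tech["kill_chain_phases"]:
                used.setdefault(phase["phase_name"], set()).add(attack_id(tech))
    return used


def coverage_gaps(objs, rels, group_name, detected_ids):
    """Gap assessment: techniques the group uses that no detection covers, with ATT&CK's mitigations."""
    used = {t for ts in group_techniques(objs, rels, group_name).values() for t in ts}
    return {tid: sorted(objs[r["source_ref"]]["name"] for r in rels
                        if r["relationship_type"] == "mitigates" and attack_id(objs[r["target_ref"]]) == tid)
            for tid in sorted(used - set(detected_ids))}
```

Feeding the real `enterprise-attack.json` bundle into `load_bundle` instead of the sample works the same way, with the organization's list of implemented detections standing in for `detected_ids`.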
Moreover, ATT&CK can be used to build and test behavioral analytics that detect adversary behavior within an environment. The Cyber Analytics Repository (CAR) is one example of a set of ATT&CK-based analytics that an organization can use as a starting point for developing its own.
MITRE ATT&CK and similar industry-standard frameworks offer security personnel a tool to enhance their threat detection capability in a methodical manner.
There is no doubt that better-resourced adversaries are increasing the sophistication of attacks, but the overall share of unknown attacks, such as zero-days, remains relatively low.
I second the thought that an organization’s primary focus should be on tuning its security to detect known threats first, and then gradually heading towards the goal of protecting against sophisticated attacks.
In summary, defenders must prioritize enriching their knowledge of adversaries and their campaigns. Threat intelligence becomes actionable when it is used to evaluate one’s security program periodically.
About the author
Yamal Sharma is Senior Manager, MDR.
As a Senior Manager and evangelist of MDR solutions and services, Yamal helps meet the security monitoring needs of customers. He has more than 12 years of experience in security operations and has worn multiple hats during his tenure, as a SOC analyst, security consultant and incident handler. He is a certified internal trainer and holds Cloud Practitioner and Ethical Hacking certifications. Yamal has a keen interest in innovations and technological developments in the cyber security domain.