In October we were privileged to attend the two-day MITRE ATT&CK conference, where participants and attendees voiced their support for the ATT&CK framework. The event, sponsored by McAfee, served as a forum for sharing best practices and insights on using ATT&CK to demystify and describe the complexities of today’s cyber attacks. MITRE is well known for its threat-based cybersecurity research, including widely adopted standards and tools such as STIX/TAXII and Common Vulnerabilities and Exposures (CVE). For more information about McAfee, visit McAfee.com/Activate.
What is the MITRE ATT&CK framework, and why is it so important to the security community?
ATT&CK is a publicly accessible knowledge base of adversary tactics and techniques based on real-world observations. For the first time, the vendor-agnostic ATT&CK framework lets us standardize threat intelligence sharing across the complete process and describe how adversaries prepare for, launch, and finally execute their attacks. Armed with this knowledge, customers and security vendors alike can work toward improving their detection and prevention methods.
What makes the ATT&CK framework so robust is its large community of contributors. By making the ATT&CK content freely available to every practitioner worldwide, MITRE has created a continuously growing community that fosters innovation in open-source tools, services, and products built on the framework.
Best of all, the ATT&CK framework provides a common, easy-to-understand language that can be consumed in bite-size chunks. It lets practitioners explain complex concepts to customers and management by relating security risks to the business.
How are organizations using the ATT&CK framework?
Speakers representing a wide spectrum of organizations from government, the private sector, and the security industry shared ways in which they are benefiting from the ATT&CK framework:
- Building industry-specific threat profiles and doing adversary emulation through red teaming: By acting like real-life adversaries, red teams perform penetration testing using threat-specific techniques to find system and network vulnerabilities and to test the efficacy of security tools. This lets organizations answer several questions that are critical for their security operations team:
  - Is our organization a target, and what kinds of groups are targeting us?
  - How do these adversary groups generally operate?
  - Have we seen this adversary before?
  - What is their motivation? What is the potential impact to our organization?
  By using the ATT&CK framework, red teams (who do the attacking) can easily communicate and share their findings with blue teams (who do the defending).
- Red team automation at the unit, or atomic test, level: Recently, assessment tools have emerged that automate prevention and detection testing at a granular level against many of the adversary techniques identified in the ATT&CK framework. Gartner expects these tools to gain ground in security operations and possibly supplant traditional penetration testing.
- Operationalizing intelligence at the tactical level: Large companies with mature security operations organizations are using ATT&CK as a framework to drive their ongoing security operations center (SOC) activities. Specifically, they use the ATT&CK framework in the following ways:
  - Improving detection capabilities by engineering new content to feed into their security information and event management (SIEM) solution, intrusion prevention system (IPS), and intrusion detection system (IDS).
  - Creating hypotheses for hunting adversaries on the network.
  - Tracking adversary groups by their tactics, techniques, and procedures (TTPs) to support SOC processes such as network security management, forensics, and others.
  - Combining the ATT&CK framework with configuration management and vulnerability management to drive overall risk-management initiatives, such as prioritizing security architecture and control gaps.
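As an added illustration of the last two points (tracking groups by their TTPs and using ATT&CK to prioritize control gaps), the script below is example code written for this post, not a MITRE or McAfee tool. The group names and the mapping of groups to technique IDs are constructed sample data, not real attribution; the detection names are hypothetical, and only the technique IDs are real ATT&CK identifiers.

```python
from collections import Counter

# Constructed sample data: techniques each tracked adversary group has been
# observed using. Group names are hypothetical; the mapping is NOT real attribution.
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1566", "T1059", "T1003", "T1021"},  # phishing, scripting, cred dump, remote svc
    "GROUP-B": {"T1566", "T1078", "T1071"},           # phishing, valid accounts, C2 over app proto
    "GROUP-C": {"T1059", "T1003", "T1486"},           # scripting, cred dump, data encrypted for impact
}

# Constructed sample data: detection content already deployed (SIEM/IDS rules),
# each tagged with the single ATT&CK technique it is engineered to catch.
DETECTIONS = {
    "sigma-powershell-encoded-cmd": "T1059",
    "ids-phishing-attachment": "T1566",
}


def technique_priority(group_techniques):
    """Count how many tracked groups use each technique: the more groups that
    rely on a technique, the more value a detection for it gives the SOC."""
    return Counter(t for techs in group_techniques.values() for t in techs)


def coverage_gaps(group_techniques, detections):
    """Return technique IDs no deployed detection covers, ordered so the SOC works
    on the technique shared by the most groups first (ties broken by ID)."""
    covered = set(detections.values())
    prio = technique_priority(group_techniques)
    return sorted((t for t in prio if t not in covered),
                  key=lambda t: (-prio[t], t))


def group_coverage(group_techniques, detections):
    """Fraction of each group's known techniques that at least one detection covers;
    a low score flags a group the current SIEM/IDS content would largely miss."""
    covered = set(detections.values())
    return {g: len(techs & covered) / len(techs) for g, techs in group_techniques.items()}


def groups_using(group_techniques, technique):
    """Which tracked groups use a technique, for justifying a new rule to management."""
    return sorted(g for g, techs in group_techniques.items() if technique in techs)


if __name__ == "__main__":
    for tech in coverage_gaps(GROUP_TECHNIQUES, DETECTIONS):
        print(f"gap {tech}: used by {', '.join(groups_using(GROUP_TECHNIQUES, tech))}")
    for group, score in group_coverage(GROUP_TECHNIQUES, DETECTIONS).items():
        print(f"{group}: {score:.0%} of known techniques covered")
```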
Robert Williams is a self-professed security expert who has been raising awareness of security threats. His passion is writing about cybersecurity, malware, social engineering, games, the internet, and new media. He writes for McAfee products at www.mcafee.com/activate.