We recently released our exclusive Ebook MITRE ATT&CK For Dummies. It’s a definitive resource about why ATT&CK is so valuable and how to use it in your security operations. The topic is of great interest to us at D3 because of how deeply embedded ATT&CK is in our SOAR platform. In this blog post, we’ve adapted the final chapter of MITRE ATT&CK For Dummies, in which we quickly list 10 reasons to use ATT&CK, and how to get started.
At its most basic level, ATT&CK brings value by providing a tangible and consistent framework for assessing and discussing security in a way that reflects real-world adversary behaviors. To put this into action, establish ATT&CK as your internal framework for evaluating security coverage and threats. Taking this step helps security teams communicate what they’re doing — and what they need — to stakeholders that may not be well versed in security.
ATT&CK isn’t just a standardized way to talk internally about security. It also gives you the benefits of sharing a standard framework with other security teams, researchers, and vendors around the world. This means there are numerous open-source projects that support the implementation of ATT&CK through scripts for detections, tools for adversary emulation, and more.
Take advantage by leveraging a few free resources:
ATT&CK is more than just a matrix of tactics, techniques, and procedures (TTPs). MITRE has also studied the known behaviors of prominent adversary groups, which you can map onto the matrix to model threats. Security teams can use these maps, create their own, or copy open-source models and drop them into ATT&CK Navigator. Get started by mapping the techniques used by the most prominent advanced persistent threat (APT) group in your industry.
In a mature SOC, you may be proactively analyzing threat intelligence (TI) reports that are relevant to your organization. Even for security pros, these reports can be an overwhelming deluge of granular information. Using ATT&CK as your model for dissecting TI can focus your efforts on the indicators that represent high-risk TTPs. Start by uploading a TI report to TRAM and mapping the detected techniques in Navigator.
Using ATT&CK TTPs to describe what happened in an incident makes for a clear, actionable, and repeatable postmortem process. Start by selecting one past incident. Go through the data collected in security tools — for example, security information and event management (SIEM) or security orchestration, automation, and response (SOAR) — and interview the rest of the security team to determine the techniques used by the adversary. Then map those techniques to the ATT&CK matrix to visualize what the adversary did, and what it tried to do.
ATT&CK provides a framework for implementing behavior-based security by giving you the tools to search for the actions adversaries are known to take, even when those actions aren’t obviously malicious on their own. Put this into action by implementing a detection analytic for a behavior that may slip past signature-based systems.
Like the cyber kill chain, ATT&CK tactics are ordered in the sequence that an adversary is likely to follow. However, ATT&CK is a more actionable model than the kill chain because it provides granular information about each behavior. Leverage the kill chain model by mapping the techniques used in a past incident to ATT&CK. This helps you visualize the path of the adversary, where it was successful, and where you may disrupt a similar attack in the future.
MITRE provides detailed technical information about each technique, which you can turn into effective actions. Get started by picking an important technique and creating a rule in your SIEM to detect it.
Whether or not you have a dedicated red team, ATT&CK provides a great playbook for adversary emulation exercises. Run a simple exercise by picking one of the APT group profiles included in ATT&CK and use Atomic Red Team’s prebuilt scripts to replicate that group’s methods of attack.
Because ATT&CK is free, it’s accessible to organizations of any size, and it can help improve the effectiveness of SOCs of different maturity levels. In advanced SOC, you could start by building a detailed map of your coverage across the matrix. In a less mature SOC, you could start by implementing open-source analytics to detect the most frequently used techniques in your industry.
If you want to learn more about any of these 10 reasons, click here to get the entire MITRE ATT&CK For Dummies Ebook, exclusively available through D3 Security.