A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. The MITRE ATT&CK framework is rapidly gaining adoption as a valuable way for security teams to categorize, predict, and disrupt adversaries’ actions. That’s why D3 has embedded the entire framework into its security orchestration platform to identify even the subtlest traces of past and ongoing attacks. In his new article, Stan describes how MITRE built upon the cyber kill chain concept to create ATT&CK, and how the framework enables a more proactive security posture.
In this excerpt, Stan explains why the MITRE ATT&CK framework is an especially effective tool for identifying and disrupting cybersecurity incidents:
Successful cyber attacks need time to unfold, but organizations generally take a long time to detect an attack and recognize what is happening. The good news is that if the organization can detect and disrupt the attack at any phase, it will be unsuccessful, even if the network has already been compromised. For example, an adversary’s goal will not be just to escalate privileges within a target’s systems, but rather to use those privileges for the end goal of exfiltrating data.
Using the ATT&CK framework in your analysis of cybersecurity incidents allows you to make connections between different tactics and techniques. This helps security teams identify ongoing attacks before they are completed and gives the security team a good idea of what the adversary has already done and what they are likely to do next.
The ATT&CK framework is particularly valuable for detecting attacks because it is a behavior-based model, not a signature-based model. Because ATT&CK predicts common behaviors, it isn’t fooled by zero-day attacks, indicators of compromise that are modified by adversaries to avoid detection, or other weaknesses of signature-based systems.
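To make the "connections between tactics and techniques" idea concrete, here is a small added example (not code from Stan's article, SecurityWeek or D3) that tags constructed host events with MITRE ATT&CK technique IDs, orders the tactics they belong to along the kill chain, and flags a host whose observed behaviour already spans several phases while the later phases (such as exfiltration) have not yet been seen. The technique-to-tactic table is an assumed, abbreviated slice of the matrix covering only the IDs used here, and the threshold of three phases is an assumption.

```python
"""Correlate ATT&CK technique sightings into per-host tactic progression."""

# Assumed, abbreviated slice of the ATT&CK matrix: technique ID -> tactic.
TECHNIQUE_TACTIC = {
    "T1078": "Initial Access",        # Valid Accounts
    "T1059": "Execution",             # Command and Scripting Interpreter
    "T1068": "Privilege Escalation",  # Exploitation for Privilege Escalation
    "T1003": "Credential Access",     # OS Credential Dumping
    "T1021": "Lateral Movement",      # Remote Services
    "T1041": "Exfiltration",          # Exfiltration Over C2 Channel
}

# Kill-chain ordering of the tactics above, earliest phase to latest.
TACTIC_ORDER = ["Initial Access", "Execution", "Privilege Escalation",
                "Credential Access", "Lateral Movement", "Exfiltration"]

# Constructed sample telemetry (not real data): (timestamp, host, technique).
SAMPLE_EVENTS = [
    ("09:01", "ws-17", "T1078"),
    ("09:04", "ws-17", "T1059"),
    ("09:09", "ws-17", "T1068"),
    ("09:12", "ws-17", "T1003"),
    ("09:30", "ws-42", "T1059"),  # a lone execution event, no chain
]


def tactic_chain(events, host):
    """Distinct tactics observed on `host`, sorted into kill-chain order."""
    seen = {TECHNIQUE_TACTIC[t] for _, h, t in events if h == host}
    return [t for t in TACTIC_ORDER if t in seen]


def assess(events, host, min_phases=3):
    """Flag `host` as an attack in progress when its observed tactics span
    `min_phases` or more phases (assumed threshold), and list the later
    phases not yet seen: those are where the attack can still be disrupted."""
    chain = tactic_chain(events, host)
    if len(chain) < min_phases:
        return {"host": host, "in_progress": False,
                "observed": chain, "not_yet_seen": []}
    last_idx = TACTIC_ORDER.index(chain[-1])
    return {"host": host, "in_progress": True,
            "observed": chain, "not_yet_seen": TACTIC_ORDER[last_idx + 1:]}


if __name__ == "__main__":
    for host in ("ws-17", "ws-42"):
        print(assess(SAMPLE_EVENTS, host))
```

Because the correlation keys on technique behaviour rather than on any specific indicator, the same logic flags the chain on ws-17 regardless of which tool or hash produced each event.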
This article can be found in its entirety on SecurityWeek.
To learn more about how D3 has embedded the entire MITRE ATT&CK matrix into its SOAR platform, read our whitepaper.