Integrating the MITRE ATT&CK framework for cyber resilience

Quickly transform threat analysis and investigations into effective defenses.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity.

– The Mitre Corporation

Break down the complexity of CTI for enhanced threat analysis and quicker investigations

Security operations teams spend a lot of time combing through alerts to identify threats. Unfortunately, malicious activity can slip through unrecognized, despite best efforts. The harsh reality is that most environments are being penetrated by attackers without being detected.

Organizations need to look beyond IOCs to enable more effective threat detection and response to improve their security posture. The MITRE ATT&CK framework is one of the methods leading the way towards a more threat-informed defense.

The History of MITRE ATT&CK

MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors, based on real-world observations, in order to close gaps in visibility. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of the behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.

The Key Benefits of MITRE ATT&CK

MITRE ATT&CK provides a better understanding of adversaries by quantifying and categorizing their behaviors. A universal nomenclature and taxonomy of specific tactics, techniques, and procedures enables a shared understanding of threat actors. Recognizing these advantages, Anomali has integrated this framework into our platform.

There are four main issues that MITRE ATT&CK is designed to address:

  • Adversary Behaviors – Tactics, techniques, and procedures (TTPs) are tracked, which are more durable than indicators of compromise (IOCs).
  • Improved Lifecycle Model – MITRE ATT&CK makes it possible to map specific behaviors back to an organization’s defenses to understand how each behavior relates to that specific environment.
  • Real-World Applicability – TTPs are based on observed incidents.
  • Common Taxonomy – TTPs are described with the same terminology so that they are comparable across adversary groups. This enables the comparison of adversaries from different nation-states and other origins.

MITRE ATT&CK’s Approach

MITRE ATT&CK’s approach uses behavioral methodology guided by five principles:

  1. Include Post-compromise Detection – This is necessary for when threats bypass established defenses or use new means to enter a network.
  2. Focus on Behavior – Signatures become unreliable, as they change frequently. Behaviors tend to remain more stable, enabling better profiling of adversaries.
  3. Use a Threat-based Model – An accurate and well-scoped threat model that captures adversaries’ tools and how they overlap with each other enables preventative actions.
  4. Iterate by Design – Constant, iterative evolution and refinement of security models, techniques, and tools keeps the framework improving as adversary behavior changes.
  5. Develop and test in a Realistic Environment – Detection capabilities are tested by emulation of adversary behavior within a specific environment. This enables a better response to an attack or preemptive actions, when possible.

How does MITRE ATT&CK help?

The MITRE ATT&CK framework serves as a global knowledge base for understanding threats across their entire lifecycle — spanning tactics, techniques and procedures (TTPs). By characterizing threats and their TTPs in a standardized way, disparate security functions can easily detect and prioritize threats to take more sweeping, strategic actions to mitigate them.

Anomali is committed to helping organizations understand how cyber threat intelligence integrated with the MITRE ATT&CK framework can speed up the detection and response process.

MITRE ATT&CK Inside Anomali

Anomali understands the value of using the MITRE ATT&CK Framework and has integrated threat intelligence capabilities into our solutions that map to the MITRE ATT&CK Framework. These capabilities help break down the complexity of CTI, so that threat analysis and investigations can be easily translated to inform effective defensive actions.

Anomali’s commitment to empowering security professionals to better identify and disrupt malicious activity has led to the integration of ATT&CK into the Anomali platform. Its focus on mapping techniques to actual events is key to getting ahead of the adversary lifecycle.

Anomali prioritizes the quick identification of adversary techniques from online research such as blogs, forums, and other sources through the use of Anomali Lens™, a unique technology that integrates the ATT&CK framework automatically. Lens is the first natural language processing (NLP) based web content parser that highlights all cyber threat information for further investigation. Lens scans a security report or blog, for instance, and highlights entities of interest, such as malware families, based on ThreatStream instances and data sources. From the resulting data, techniques shared by different malware families can be identified to prioritize the building of security controls.

ThreatStream®, an Anomali technology that also works with ATT&CK to unite research, analysis, and publishing tools, speeds the detection of threats and delivers operationalized threat intelligence directly into security controls. This automation provides tremendous productivity for security analysts and enables proactive defense measures.

Using relevant threat information to understand adversarial techniques and how they are leveraged against a specific environment is another advantage of Anomali’s integration of ATT&CK. For example, if a bank sees that another financial institution has been attacked by a particular threat actor or malware family, and the security team is able to identify the attack techniques, it will improve the bank’s ability to emulate that adversary in red and blue team scenarios. Another way the Anomali platform uses ATT&CK is to build visual representations of the attack techniques. Being able to visualize threat actors and their malware and map them to the appropriate techniques is a powerful tool. Effective visuals can communicate the threats that are being encountered or tracked up the chain of command to those with less technical skills, so the organization can better take action.

Anomali integrates the world’s largest intelligence repository with an organization’s security telemetry to deliver extended detection and response capabilities that quickly uncover covert activity to stop attackers and help prevent breaches.

Improve your detection and response capabilities

Organizations rely on Anomali to harness the power of threat intelligence to deliver effective extended detection and response (XDR) capabilities.