MITRE ATT&CK Framework—How Is It Useful?

<p><a href="" target="_blank">MITRE</a> introduced <a href="" target="_blank">ATT&CK</a> (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via <a href="">STIX/TAXII</a>.</p>


MITRE ATT&CK is becoming widely adopted in enterprise and industry.

It's seen as a real benefit to all organizations to be able to map out common techniques and tactics are being used by adversaries.

It's a way of telling a story.

So it takes very technical information and tells the story of how a threat actor is going to progress through their mission, and what steps they're going to take, or what steps are possible for them.

Currently, there are 12 tactics and over 300 techniques.

And typically this is used for mapping out potential vectors of attack.

It does two things.

One, it gives you all the possibilities.

The second piece is they're collecting the data specifically on well-known threat actors, and they're mapping that to their framework.

MITRE originated ATT&CK in 2013 through their constant effort and the effort of the community at large.

It's constantly being updated, and reviewed, and made applicable for enterprise.

It sources from information from security blogs, research, threat intelligence communities.

MITRE ATT&CK is broken up into three categories.

There's mobile attack, there's pre-attack, and then there's enterprise attack.

So mobile attack, we'll kind of push that off to the side for a moment, because really it's just about how the adversary attacks mobile devices.

So really where threat intelligence comes into play is in pre-attack and in attack.

The point of a threat intelligence program is to identify the threats before they actually hit you.

It's taking your hand and sticking it on the wire outside of your enclave, feeling the noise, feeling the chatter, and to identify anything that's coming at you.

So that's really kind of where pre-attack comes into play.

It outlines a framework of tactics and techniques that the adversary will utilize to attack you.

By understanding the tactics and techniques being used, they can then bring that internally and see where the gaps are or what needs to be optimized to stop potential breaches and exposures.

Once an adversary gets in, so for example, let's take a phishing email as a use case.

We get that email address, we put that into a threat intelligence platform, grab that information, that data, process it, and we can overlay that tactic and technique, in addition to any others that we've observed, on the MITRE ATT&CK framework.

So therefore, you can then take that information and do predictive analysis based on historical data of what well-known adversaries are going to do next.

Normally through the threat research are creating mappings to attack from every output we produce.

It normally incorporates the old matrices of MITRE ATT&CK.

We have mappings between our actor profiles and their group IDs.

Also, the entire MITRE ATT&CK matrices, like all matrices frameworks, are available in the Anomali platform.

The future of MITRE ATT&CK is going to be taking that 30,000 foot view of information and making it more tactical, being able to quickly identify those tactics and techniques that are being executed, and eventually map those to the different threat actors, either they're known or unknown, and progress from there.

Because it will give you the visibility of what the next potential execution is going to be, or how are they going to move laterally in the network? How are they going to gain information? And you can do that based on the historical data that is mapped to that framework.