There is an abundance of hype when it comes to approaches for the detection of Advanced Persistent Threats. It is common to hear about specific attack methods and how these techniques can evade the usual defenses employed by organizations. But the tools actually required to detect, investigate and respond to targeted attacks require a holistic view of the attack lifecycle and a real-world understanding of the attacker's intent.
This is where the MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework really shines. MITRE ATT&CK is a model developed from years of actual observations of how adversary groups operate. Think of a law enforcement investigator carefully documenting the methods of operation of a criminal syndicate: the resulting profile is not only a historical record of past behavior but also a powerful tool for identifying and predicting how that syndicate will behave in the future. This is exactly what MITRE ATT&CK enables an enterprise to do with the adversary groups that have it in their crosshairs.
Signal and Noise
One key aspect of MITRE ATT&CK is that any specific technique detected also needs to be understood in the context of the larger attack pattern and the environment in which the detection occurred. For example, observing PowerShell usage might be less meaningful in an organization where PowerShell is used for system administration. Large volumes of alerts on detections that lack context simply drain the resources of the SOC team. But a PowerShell detection delivered in the context of a script attempting to launch a suspicious process is far more valuable. Analysts need tools that deliver detections with the contextual details that help them prioritize their investigations.
MITRE ATT&CK not only enumerates the techniques that need to be detected but also maps these techniques into matrices covering the phases of an attack for specific operating systems. This helps security teams assess the effectiveness of their defenses and target the areas that need proactive threat hunting.
MITRE Cyber Analytics Repository
MITRE does not stop with the ATT&CK framework. They have also defined the Cyber Analytics Repository (CAR), a list of best practices for investigators that combines tactics and techniques into specific procedures analysts should conduct. Each analytic is defined to help analysts detect adversary behavior. Tools that automate these procedures give analysts a productivity boost and ensure that even entry-level investigators can easily collect and analyze the data required to identify adversary behaviors.
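To make the "Signal and Noise" point and the idea of a CAR-style analytic concrete, here is an added example in Python. It is not Symantec's or MITRE's code: the event format, the sample telemetry, the admin baseline and the scoring rules are all assumptions constructed for this illustration. It scores PowerShell launches by their surrounding context (parent process, command-line features, whether the host or user is an admin context) and links a suspicious child process back to the PowerShell launch that preceded it on the same host, so the analyst receives one contextualized finding rather than a bare "PowerShell seen" alert.

```python
"""Context-aware PowerShell analytic over constructed process-creation events.

Added example (not Symantec's or MITRE's code). Event layout, baseline sets
and scoring weights are assumptions made for this illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample telemetry, one process-creation record per tuple:
# (host, user, parent image, image, command line).
SAMPLE_EVENTS = [
    ("admin-ws01", "CORP\\jsmith-adm", "explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\scripts\\rotate-logs.ps1"),
    ("admin-ws01", "CORP\\jsmith-adm", "powershell.exe", "robocopy.exe",
     "robocopy.exe D:\\logs \\\\fs01\\archive /MIR"),
    ("hr-pc17", "CORP\\ajones", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ("hr-pc17", "CORP\\ajones", "powershell.exe", "rundll32.exe",
     "rundll32.exe C:\\Users\\ajones\\AppData\\Local\\Temp\\x.dll,Start"),
]

# Assumed organizational baseline: where PowerShell is routine admin tooling.
ADMIN_HOSTS = {"admin-ws01"}
ADMIN_USERS = {"CORP\\jsmith-adm"}
# Assumed: children of PowerShell that admins in this environment never need.
UNEXPECTED_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
# Assumed: parents from which a PowerShell launch is unusual for any user.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: Event
    tactic: str
    technique: str
    score: int
    context: List[str] = field(default_factory=list)


def parse_events(rows) -> List[Event]:
    return [Event(*r) for r in rows]


def is_admin_context(ev: Event) -> bool:
    return ev.host in ADMIN_HOSTS or ev.user in ADMIN_USERS


def evaluate(events: List[Event]) -> List[Finding]:
    """Run the analytic over the stream, keeping per-host PowerShell context."""
    findings: List[Finding] = []
    last_ps: Dict[str, Event] = {}  # most recent PowerShell launch per host
    for ev in events:
        if ev.image.lower() == "powershell.exe":
            last_ps[ev.host] = ev
            score, ctx = 1, []
            if ev.parent.lower() in OFFICE_PARENTS:
                score += 3
                ctx.append(f"launched by {ev.parent}")
            low = ev.cmdline.lower()
            if "-enc" in low or "hidden" in low:
                score += 2
                ctx.append("encoded or hidden command line")
            if is_admin_context(ev):
                score -= 1  # routine admin usage: same technique, less signal
                ctx.append("admin host/user: PowerShell is routine here")
            if score >= 3:  # assumed alerting threshold
                findings.append(Finding(ev, "Execution", "PowerShell", score, ctx))
        elif ev.parent.lower() == "powershell.exe" and ev.image.lower() in UNEXPECTED_CHILDREN:
            score, ctx = 4, [f"PowerShell spawned {ev.image}"]
            origin = last_ps.get(ev.host)
            if origin is not None:  # attach the launch that produced this child
                score += 2
                ctx.append(f"parent PowerShell came from {origin.parent}: {origin.cmdline}")
            findings.append(Finding(ev, "Execution", "PowerShell child process", score, ctx))
    return findings


def prioritize(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Hosts ordered by total finding score, the queue an analyst works from."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.event.host] = totals.get(f.event.host, 0) + f.score
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.score}] {f.event.host} {f.tactic}/{f.technique}: {'; '.join(f.context)}")
    print(prioritize(evaluate(parse_events(SAMPLE_EVENTS))))
```

Run against the constructed events, the admin workstation's scripted PowerShell and its robocopy child produce nothing, while the HR workstation yields two findings that carry the Office parent, the hidden/encoded command line and the rundll32 child in one place, which is the context the analyst needs to rank that host first.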
Lastly, MITRE has made ATT&CK and CAR collaborative projects for the entire cyber security community. This open approach ensures that new attack methods and mechanisms to detect them are widely shared.
The MITRE ATT&CK framework is so powerful because it describes tactics, the things an attacker must do to achieve their goals, as well as techniques, specific things the attacker can do to achieve those goals. The framework gives us a common language to talk about these tactics and techniques. It is equally effective at describing all attacks from the relatively mundane breach to an attack by a motivated, well-funded nation state actor.
Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Learn how Symantec Endpoint Protection & Response (EDR) and the MITRE ATT&CK framework can expose and thwart persistent adversaries like APT28 otherwise known as Fancy Bear.