The threat landscape has never been as diverse, and the bad news is that it’s continuously expanding and evolving. SecOps and CISOs are increasingly feeling the crunch of trying to identify, respond to, and harden defenses against a growing array of attacks. In response, the IT problem-solving expert MITRE came up with two free, publicly available frameworks: MITRE ATT&CK and MITRE SHIELD.
The need for working smarter, not harder has never been greater. Read on to find out how you can use these two MITRE frameworks to your advantage.
What is the MITRE ATT&CK framework?
As we’ve just explained, there is an unprecedented need for the ability to make intelligent SecOps decisions. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that helps security professionals do just that. It’s a behavior-based threat model used to build, test, and refine behavioral-based detection capabilities over time.
MITRE ATT&CK framework is used by our penetration testers in orchestrating their attacks to find weaknesses in your infrastructure, exploit them, and report their findings.
It contains matrices that map out the common tactics, techniques, and procedures (TTPs) used by cyber attackers gained from years of research. The framework provides a vast source of freely available information on the behavior of the majority of known threats. It also provides SecOps professionals with a standardized way to discuss threats.
For example, here are some tactic categories:
- Defense evasion – Techniques to avoid detection
- Abuse Elevation Control Mechanisms
- Access Token Manipulation
- BITS Job
- Lateral movement – Techniques to spread through your infrastructure, such as:
- Remote Session Highjacking
- Internal Spearphishing
- Exploitation of Remote Services
- Exfiltration – Techniques to steal data, such as:
- Traffic Duplication
- Automated Exfiltration
- Transfer Data to Cloud Account
With each of these techniques having multiple sub-categories and techniques, you can begin to understand just how thorough it is.
Once an IoC has occurred, the ATT&CK framework can help answer questions like:
- How did they get in?
- How did they through the network?
- How did they evade detection?
- What was their objective?
- What specific methods did they use?
What is MITRE Shield?
If MITRE ATT&CK helps us understand our adversaries’ TTPs and objectives, the MITRE Shield framework tells us how to respond. It’s an actively developing knowledge base that catalogs information about active defense and adversary engagement.
The structured part of this body of information is a mapped table that corresponds directly to the ATT&CK framework. For example, you will also see Defense Evasion listed, identified by the same code, with the same techniques and sub-techniques.
Looking at a specific technique, such as Abuse Elevation Control Mechanisms, you will then find mitigation suggestions. For example:
- Audit: Check for common UAC access bypass weaknesses
- Privileged Account Management: Remove users from local administrator groups
- Execution Prevention: Implement policies that block running programs from non-trusted sources
MITRE Shield also describes opportunities for putting up defenses against or responding to particular techniques as well as use cases.
How can the MITRE ATT&CK and Shield Frameworks be Applied in the Real-World?
Most of the literature on the threat landscape focuses on best security practices or ways to avoid/prevent an attack. In contrast, MITRE takes us into the mind of the adversary by laying out prevalent TTPs.
Using this information, security personnel can put together threat models to assess current security readiness or to prepare for future incidents. Once an IoC has occurred, the framework can also be used to speed up detection and remediation. That’s because it allows users to cross-reference tactics commonly used together, the objectives of certain malicious techniques, etc.
For example, you may use the detection technique described under Additional Cloud Credentials to monitor Azure Activity Logs or other APIs for suspicious activity.
As threats become more sophisticated, multiple tactics are being utilized in an IoC, making this type of approach even more effective.
Next, SecOps can cross-reference the ATT&CK TTP with the SHIELD framework. Here, they’ll find a number of mitigations to help remediate the situation as well as defend against future attempts.
For example, one technique is to set up a Decoy System as an attack target. This allows you to safely monitor actual attacks and better prepare for them in the future. It may also absorb attacks meant for your business-critical systems.
Many businesses fail at early infiltration detection and deploying swift remedial action. This is not the fault of security personnel, but an indicator of how overwhelming the threat landscape has become. The MITRE ATT&CK and Shield frameworks help SecOps make faster, better, and more effective decisions. For organizations, this will show a direct decline in damages suffered as a result.