Five Steps to Improve Defenses with MITRE ATT&CK

MITRE Adversarial Tactics, Techniques and Common Knowledge (MITRE ATT&CK) is a model and knowledge base of adversary behavior. Designed to look at attacks from the attacker’s perspective, it catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations. 

ATT&CK is not a static framework and is updated with new adversaries, tactics, techniques, and other information supplied by security vendors and organizations around the world. Since its public release, MITRE ATT&CK has become a gold standard in the endpoint security space. 

Why Organizations Should Map to the MITRE ATT&CK Framework

MITRE ATT&CK helps defenders understand security from the eyes of the adversary. It provides a unique perspective to design better security programs, tools, and processes. The framework also serves as a common language and shared repository for security professionals to continuously provide feedback and inputs to improve security.

MITRE ATT&CK can improve efficiency by empowering analysts of all levels to understand what is happening during an attack and what will happen next. It breaks the attack down into 14 tactics with associated techniques that are most commonly used by attackers.

From reconnaissance to gaining initial access, to persistence, and finally, exfiltration and impact, the MITRE ATT&CK Framework walks you through step by step how an attack unfolds. 

How to leverage the MITRE ATT&CK Framework to improve security

MITRE-ATTACKDownload your 2-page datasheet on How to Leverage the MITRE ATT&CK Framework to Improve Security.

Step 1. Establish Inputs

Identify what inputs are available to you. Consider incorporating threat intelligence into your security processes, consider indicators of compromise, look at behavior indicators, and leverage data mining from your own resources like Splunk and Hadoop to power your security process improvement.

Step 2. Create an Adversary Emulation Plan

Take the time to create an Adversary Emulation Plan (AEP). The AEP will guide your security team in safely testing itself against the latest threats while also identifying opportunities for security improvements. AEPs are composed of several sections, including an overview of the plan, an overview of the adversary group, a detailed listing of the emulation phases, and a biography of sources. 

Step 3. Run an Attack Simulation

When running the attack simulation, your red team must ensure their exercises simulate the actual attack resources the adversary uses. This includes resources and activities like an external command and control server, the proper infiltration and exploitation techniques, and the completion of data exfiltration. If your team skips or fails to execute certain steps, you will inevitably miss important activities that take place in an actual attack.

Step 4. Alert, Hunt and Report

At a minimum, your red team should use adversary emulation plans and tactics, techniques, and procedures (TTPs) for execution and should actively report on the success of their activities. Be sure to document all resources your red team uses and maintain constant communication with them throughout the simulation. If your existing tooling is unable to detect parts of the attack simulation, your team should conduct threat hunting to uncover more aspects of the attack. 

Step 5. Plan For Process & Technology Improvements 

Develop a process and technology improvement plan based on the results of the attack simulation and the final report. Incorporate the results of several different adversary group simulations, as changes per simulation can significantly influence technology decisions.

Cybereason Posts Best Results in History of MITRE ATT&CK Evaluations

This year, Cybereason achieved the best results in the history of the MITRE ATT&CK evaluations. The evaluation took the technology from 30 participating vendors and pitted it against real-world simulations of two notorious ransomware and data destruction gangs, Wizard Spider and Sandworm. The results speak for themselves.

Cybereason Posts Best Results in History of MITRE ATT&CK Evaluations

Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud, and across the entire enterprise ecosystem. Only the AI-driven Cybereason Defense Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Dan Verton
About the Author

Dan Verton

Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.

All Posts by Dan Verton