Utilizing the MITRE ATT&CK Matrix
What Organizations Need to Know and How to Utilize Vital Information Sharing to Reduce an Environment’s ATT&CK Surface
What is MITRE?
The MITRE Corporation is a not-for-profit organization that operates multiple federally funded research and development centers (FFRDCs) across the United States. Its mission is to help solve problems that challenge the nation's security and overall stability. For roughly 60 years, MITRE has worked on complex problems for key government sponsors such as the Department of Homeland Security, in areas including cyber security and counterintelligence. Much of its work in the cyber security sector has produced solutions whose usefulness stretches far beyond their original government application.
What is the ATT&CK Matrix?
One of these solutions is MITRE's ATT&CK Matrix. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a carefully curated knowledge base that describes how adversaries gain a foothold in a network, escalate privileges, move laterally across it, and often evade an organization's defenses for extended periods of time.
The ATT&CK Matrix looks at these actions from the adversary's perspective: the goals they are trying to achieve (tactics) and the methods they use to achieve them (techniques). The content is organized around tactics, techniques, and procedures (TTPs) observed in real-world intrusions and in MITRE's own research, penetration testing, and red team engagements. The result is a common model that network defenders can use to categorize and understand post-exploitation activity.
The way TTPs are organized within the ATT&CK Matrix will look familiar to many readers, because the tactics line up with the later, post-compromise stages of the Lockheed Martin Cyber Kill Chain.
Why is the ATT&CK Matrix Important?
Cybersecurity is a "game of inches," and every inch gained has been no small feat for network defenders. As adversaries evolve their tactics and techniques, the security community works to evolve its detection and remediation methods in turn, bringing organizations and the community one step closer to closing the gap against these elusive actors.
One detection and remediation method that has gained a lot of momentum is Cyber Threat Intelligence (CTI). Since its inception, some of the mystique surrounding its definition and practical use has begun to lift. However, as with any new school of thought, there is still a lot of knowledge to be gained and work to be done.
The traditional approach to CTI has proven cumbersome. Threat intelligence is usually delivered as long-form reports, which leaves analysts scrambling to extract the meaningful information and then to apply it in a way that actually improves the organization's defenses.
Another obstacle organizations face is the overwhelming number of indicators these reports produce. More often than not, these indicators come with little context and must be vetted before they can be consumed. That vetting is a daunting process, and if it is not done correctly it can contaminate an organization's intelligence data, driving the false-positive rate even higher than it already is. To make matters worse, even when these obstacles are overcome, indicators such as hashes, IP addresses, and domains are constantly changing, leaving stale data in their wake that must be continuously reviewed and re-prioritized.
Now that we have stated some of the obvious issues, what can be done about them? That is where the ATT&CK Matrix comes in. ATT&CK provides structure to this chaos by letting analysts and network defenders gather context around adversary groups: which TTPs each group uses, and how one group's TTPs compare with another's. Because a group's techniques change far more slowly than its infrastructure or malware hashes, this context lets organizations start getting real value from their threat intelligence while remaining sane in the process.
How to Utilize the ATT&CK Matrix
While researching how to best utilize ATT&CK, I came across a well-written article by Katie Nickels, a lead cybersecurity engineer with the MITRE Corporation. In her two-part article she describes how best to use the ATT&CK Matrix, how it came about, and who contributes to its success. She also references a concept from David Bianco called the Pyramid of Pain. The original article was published in 2013 but still holds true today. In it, David outlines the relative value and priority of the different threat indicators organizations will encounter, from hashes and IP addresses at the bottom of the pyramid up to tools and TTPs at the top. He describes how indicators near the top can be used to disrupt or completely dismantle an adversary's TTPs, finally giving security teams and network defenders the upper hand.
If you are one of the many network defenders struggling to make your threat intelligence data work for you, or if you are not familiar with ATT&CK and the work MITRE is providing to the community, I highly recommend spending some time reading Katie's article and exploring how ATT&CK can help close the gap and reduce your ATT&CK surface.
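To make the two ideas above concrete, the following is an added example, not code from the original article, from MITRE, or from the Pyramid of Pain post. It takes a small, constructed intelligence feed (the group names GroupA/GroupB/GroupC are hypothetical; the technique IDs are real ATT&CK Enterprise IDs used only for illustration), ranks each indicator by its Pyramid of Pain level so the most durable ones are handled first, and then compares the groups by the ATT&CK techniques they share. The last function answers the question the text raises about "how they compare to other groups": which techniques are common to the most groups and therefore give the widest return on a single detection.

```python
"""Triage a threat-intel feed by Pyramid of Pain level and compare adversary
groups by ATT&CK technique overlap.

Added example. The feed below is constructed sample data, not real intelligence,
and the group names are hypothetical. Technique IDs are real ATT&CK IDs.
"""
import csv
import io
from itertools import combinations

# Pyramid of Pain (Bianco, 2013), bottom to top. The higher the index, the more it
# costs the adversary to change the indicator, so the longer a detection built on
# it stays useful. Network and host artifacts share one level in the pyramid.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Constructed feed (not real intelligence). Columns: group, indicator type, value.
# 203.0.113.0/24 and example.net are reserved documentation ranges/names.
FEED = """\
group,type,value
GroupA,hash,d41d8cd98f00b204e9800998ecf8427e
GroupA,ip,203.0.113.10
GroupA,ttp,T1566
GroupA,ttp,T1059
GroupA,ttp,T1078
GroupB,domain,update.example.net
GroupB,ttp,T1059
GroupB,ttp,T1003
GroupB,ttp,T1021
GroupC,tool,mimikatz
GroupC,ttp,T1059
GroupC,ttp,T1003
GroupC,ttp,T1078
"""


def parse_feed(text):
    """Parse the CSV feed and reject indicator types the pyramid does not know."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["type"] not in PYRAMID:
            raise ValueError(f"unknown indicator type {row['type']!r}")
    return rows


def pain_level(indicator_type):
    """0 for a hash (cheap for the adversary to change) up to 5 for a TTP."""
    return PYRAMID.index(indicator_type)


def prioritize(rows):
    """Most painful indicators first; feed order is kept within a level."""
    return sorted(rows, key=lambda r: pain_level(r["type"]), reverse=True)


def techniques_by_group(rows):
    """Map each group to the set of ATT&CK technique IDs attributed to it."""
    out = {}
    for row in rows:
        if row["type"] == "ttp":
            out.setdefault(row["group"], set()).add(row["value"])
    return out


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical technique sets."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def compare_groups(tech):
    """Pairwise technique similarity between every pair of tracked groups."""
    return {
        (g1, g2): jaccard(tech[g1], tech[g2])
        for g1, g2 in combinations(sorted(tech), 2)
    }


def detection_priority(tech):
    """Techniques ranked by how many groups use them (ties broken by ID).

    A detection for a technique near the top of this list covers the most
    tracked adversaries at once.
    """
    counts = {}
    for techniques in tech.values():
        for t in techniques:
            counts[t] = counts.get(t, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    rows = parse_feed(FEED)
    for row in prioritize(rows):
        print(f"{pain_level(row['type'])} {row['type']:<8} {row['group']:<7} {row['value']}")
    tech = techniques_by_group(rows)
    for pair, score in compare_groups(tech).items():
        print(f"{pair[0]} vs {pair[1]}: {score:.2f}")
    print(detection_priority(tech))
```

In practice the feed would be the group-to-technique relationships exported from ATT&CK's STIX data or from your own intrusion reports, and the pairwise scores would flag a newly observed cluster that looks like a known group. The ordering from `prioritize` is the operational point of the pyramid: spend analyst time on tools and TTPs before chasing hashes that will be rotated by next week.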