SecurityWeek

Incident Response

Level the Security Operations Playing Field With MITRE ATT&CK

Playing defense is always more difficult than being on the attack, because defense is always reactive on some level. This concept is especially true in cybersecurity, where adversaries can take as many shots as they want at an organization, while the poor security team has to be perfect every time to prevent a successful attack. 

Because of this natural disadvantage, security teams should always be on the lookout for ways to become more proactive by predicting and anticipating their adversaries’ next moves. Using a kill chain framework helps security teams get inside the heads of their adversaries and understand their intent. The variation of this concept that I have found to be the most valuable is the MITRE ATT&CK matrix, because of its rich database of real-world cyber attack data.

The Kill Chain

The kill chain originated as a military concept to describe the stages of an attack and was adapted into the intrusion kill chain (or “cyber kill chain”) by Lockheed Martin in 2011 to describe attacks against computer networks. In its original form, the cyber kill chain has seven phases that outline an attack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objective

These phases are like a hypothetical playbook for adversaries, which security teams can use to anticipate and contextualize attacks. Many organizations now use a kill chain framework in some way, and while it is valuable as a high-level concept, it does not include any detail on exactly how attackers achieve the goals of each phase, which leaves lots of room for security researchers to elaborate on its basic structure.

What Makes ATT&CK Different

Between 2013 and 2015, the not-for-profit security corporation MITRE developed their own version of a cyber kill chain, which they call ATT&CK (adversarial tactics, techniques & common knowledge). ATT&CK focuses on post-compromise detection, as opposed to the cyber kill chain, which begins with the adversary conducting reconnaissance on their target. 

Instead of phases, ATT&CK breaks down incidents into 12 “tactics” (what the adversary is trying to do), each accompanied by numerous “techniques” (how the adversary is doing it). Tactics include Execution, Defense Evasion, and Lateral Movement. Techniques are more specific, such as PowerShell, Modify Registry, and Remote Desktop Protocol. The result is a massive matrix of adversary behavior, based on MITRE’s study of real-world cybersecurity incidents.

The Value of Using the ATT&CK Matrix in Security Operations

Successful cyber attacks need time to unfold, but organizations generally take a long time to detect an attack and recognize what is happening. The good news is that if the organization can detect and disrupt the attack at any phase, it will be unsuccessful, even if the network has already been compromised. For example, an adversary’s goal will not be just to escalate privileges within a target’s systems, but rather to use those privileges for the end goal of exfiltrating data.

Using the ATT&CK framework in your analysis of cybersecurity incidents allows you to make connections between different tactics and techniques. This helps security teams identify ongoing attacks before they are completed and gives the security team a good idea of what the adversary has already done and what they are likely to do next.

The ATT&CK framework is particularly valuable for detecting attacks because it is a behavior-based model, not a signature-based model. Because ATT&CK predicts common behaviors, it isn’t fooled by zero-day attacks, indicators of compromise that are modified by adversaries to avoid detection, or other weaknesses of signature-based systems. 

ATT&CK’s “techniques” are also set apart from conventional IOCs because a technique might be a legitimate action that is done for malicious purposes. In other words, once an adversary has compromised a system and gained privileges, they might not need to do anything else that would trip the alarms of conventional security tools. ATT&CK techniques describe the actions that the adversary might take next, even though they might look like normal activity.
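As an added illustration of the two points above (that ATT&CK detection is behavior-based rather than signature-based, and that mapping events to techniques lets you connect tactics into a progression and see what has not been observed yet), here is a small Python script. It is example code written for this page, not code from the article or from MITRE. The technique IDs T1059.001 (PowerShell), T1112 (Modify Registry) and T1021.001 (Remote Desktop Protocol) are the real ATT&CK identifiers for the three techniques named earlier; the log format, detection patterns, file hashes, hash blocklist and sample events are constructed assumptions.

```python
"""Behavior-based ATT&CK mapping over constructed endpoint events.

Added example: not code from the article or from MITRE. Technique and tactic
names/IDs are real ATT&CK identifiers; the log format, detection patterns,
hashes and the hash blocklist are constructed for illustration.
"""
import re
from collections import defaultdict

# ATT&CK Enterprise tactics in the order the matrix lays them out. Real intrusions
# do not walk this strictly left to right; the order is used only to phrase
# "what has been observed" against "what has not been observed yet".
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Behavior rules: (technique ID, technique name, tactic, pattern over the raw event).
# IDs are the real ATT&CK IDs for the techniques the article names; the regexes
# are deliberately simple, constructed detection logic.
BEHAVIOR_RULES = [
    ("T1059.001", "PowerShell", "Execution",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\s", re.I)),
    ("T1112", "Modify Registry", "Defense Evasion",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("T1021.001", "Remote Desktop Protocol", "Lateral Movement",
     re.compile(r"\bevent=4624\b.*\blogon_type=10\b", re.I)),
]

# Stand-in for a signature-based control: a file-hash blocklist (constructed).
KNOWN_BAD_SHA256 = {"deadbeef"}

# Constructed events (hashes shortened, encoded payload is a dummy string).
# User "alice" chains three techniques across three tactics using only built-in
# Windows tools, so no hash is ever "bad"; the other lines are benign noise.
SAMPLE_EVENTS = [
    '2023-01-20T09:58:00Z host=WS01 user=bob proc=powershell.exe sha256=0a1b2c3d '
    'cmd="powershell.exe Get-ChildItem C:\\Temp"',
    '2023-01-20T10:01:02Z host=WS01 user=alice proc=powershell.exe sha256=0a1b2c3d '
    'cmd="powershell.exe -nop -w hidden -enc QUFBQUFBQUFB"',
    '2023-01-20T10:03:10Z host=WS01 user=alice proc=reg.exe sha256=4e5f6a7b '
    'cmd="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\alice\\upd.exe"',
    '2023-01-20T10:05:30Z host=WS03 user=dave event=4624 logon_type=2 src_ip=127.0.0.1',
    '2023-01-20T10:15:44Z host=SRV02 user=alice event=4624 logon_type=10 src_ip=10.0.0.5',
    '2023-01-20T10:20:00Z host=WS03 user=carol proc=notepad.exe sha256=8c9d0e1f '
    'cmd="notepad.exe notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Split 'timestamp key=value key="quoted value"' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, raw in FIELD_RE.findall(rest):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def signature_hits(lines):
    """Signature-style check: flags only events whose file hash is blocklisted."""
    return [parse_event(ln)["ts"] for ln in lines
            if parse_event(ln).get("sha256") in KNOWN_BAD_SHA256]


def behavior_hits(lines):
    """Map each event to the ATT&CK technique(s) whose behavior rule it matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for tid, name, tactic, pattern in BEHAVIOR_RULES:
            if pattern.search(line):
                hits.append({"ts": ev["ts"], "host": ev.get("host"), "user": ev.get("user"),
                             "technique": tid, "name": name, "tactic": tactic})
    return hits


def attack_progression(hits, key="user"):
    """Group technique hits per actor and order them into a tactic chain."""
    by_actor = defaultdict(list)
    for hit in sorted(hits, key=lambda h: h["ts"]):
        by_actor[hit[key]].append(hit)
    summary = {}
    for actor, seq in by_actor.items():
        seen = [h["tactic"] for h in seq]
        furthest = max(TACTIC_ORDER.index(t) for t in seen)
        summary[actor] = {
            "chain": [(h["tactic"], h["technique"]) for h in seq],
            "hosts": sorted({h["host"] for h in seq}),
            # Later tactics not yet observed for this actor: a hunting prompt, not a prediction.
            "unseen_later_tactics": TACTIC_ORDER[furthest + 1:],
            "multi_tactic": len(set(seen)) > 1,
        }
    return summary


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_EVENTS))
    for actor, info in attack_progression(behavior_hits(SAMPLE_EVENTS)).items():
        print(actor, info["hosts"], "->", info["chain"])
        print("  not yet observed:", info["unseen_later_tactics"])
```

Run as a script, the hash blocklist flags nothing, because every binary involved is a legitimate Windows tool, while the behavior rules tie alice's three events to Execution, Defense Evasion and Lateral Movement across two hosts and list the later tactics (Collection onward) that have not been seen yet. In a real deployment the rules would come from a maintained detection library and the grouping key would usually be a session or host rather than a bare username.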

MITRE’s extension of the cyber kill chain concept takes the conceptual value of breaking incidents into phases and combines it with behavior-based research that rivals the best threat intelligence sources. Whether it is built into your detection and response tools, or just a way to standardize how your security team talks about advanced persistent threats, the MITRE ATT&CK matrix should find a place in your security operations.
