“MITRE ATT&CK for Dummies” Notes
MITRE ATT&CK for Dummies is a decent introduction to the MITRE ATT&CK framework. It introduces the framework and explains how to use it in an organization’s infosec efforts. It’s not as technical or detailed as I expected, but that’s probably because it seems to be written for executives rather than infosec pros.
You can get a free copy from AttackIQ.
My notes follow.
Introduction
Resources
- https://academy.attackiq.com: free training in how to operationalize ATT&CK
- https://attack.mitre.org: info on full ATT&CK framework
- https://ctid.mitre-engenuity.org: resources for deploying effective threat-informed defense
- https://attack.mitre.org/mitigations/... defensive tools
Understanding MITRE ATT&CK and Cybersecurity
TTPs
- Tactics: adversary’s technical goals
- Techniques: how goals are achieved
- Procedures: specific implementations of techniques
The MITRE Corporation … built the ATT&CK framework to help defenders all over the world to pivot away from a passive defense and to focus on the threats and threat behaviors that mattered most. Launched in 2015, ATT&CK provides a clear framework for defenders to use cyberthreat intelligence (CTI) about known actors, to deploy adversary behaviors against their defenses to test and validate their effectiveness, and to make changes to fix misconfigurations or fill defensive gaps. ATT&CK is a globally available, free, open framework of known adversary tactics, techniques, and procedures (TTPs). ATT&CK helps the public focus on known TTPs to better defend their data.
ATT&CK is a framework outlining the probable tactics that adversaries use to deploy against your enterprise. To use threat intelligence and MITRE ATT&CK, you must first understand the adversary by studying its behaviors. After that, you focus on which adversaries target your sectors and the TTPs they use. From there, you can build threat intelligence to prepare your defenses against adversary TTPs. After you understand how to use CTI, you begin the process of integrating analytics. Within your enterprise, you have event logs, scripts, and cybersecurity capabilities that track adversary behavior. You can collect the information about adversary TTPs into your security information and event management (SIEM) tool to then run analysis about adversary tactics and assess results about the adversary’s behavior. This process requires that you write detections, revise to filter out false positives, and ensure search detections. It takes work, but, step by step, you build your analysis and detection capabilities.
Using Threat Intelligence and Threat-Informed Defense
Ways to benefit from threat intelligence and MITRE ATT&CK
- Identify key hostile actors using a globally vetted framework
- Gain insight into adversaries’ operational behavior to analyze how that impacts your defenses
- Deepen your approach by comparing your results to other analysts’
- Strengthen your defense teams by focusing on countering known hostile actors.
Developing Assessments and Engineering
Malware Archaeology’s Windows ATT&CK Logging Cheat Sheet helps analyze Windows event logs.
Looking at a Use Case: Leveraging MITRE ATT&CK in the Financial Sector
The principal value is that the ATT&CK framework codifies adversary capabilities into one simple and easy-to-use tool for security teams to access. It makes threat intelligence useful through its expanded view of the adversary and its capabilities. … Moving far beyond signatures, the ATT&CK framework gives defenders a comprehensive view of the threat landscape; it allows defenders to see the attacker move along every step in the attack ladder. With years of threat research behind it, the framework provides unbiased, third-party analysis.
ATT&CK provides the … security team with a clear process through which to understand threats and build intelligence about adversary behavior. It gives chief information security officers a way to think about risk effectively at the strategic and management level. … sees ATT&CK as a modern, adversary-focused approach and a valuable tool for security leaders.
Ten Ways to Apply the MITRE ATT&CK Framework
- Cyberthreat Intelligence
- Automated Testing and Auditing
- Security Risk Management and Strategy
- Regulatory and Compliance Mapping
- Security Control Rationalization
- Analyst Training and Exercises
- Threat Hunting
- Commercial Security Solutions Evaluations
- Security Pipeline Validation
- Business Enablement
