Today we start a multi-part blog series on the MITRE ATT&CK framework and how it relates to vulnerability management. In this first part, we give an overview of MITRE ATT&CK.
According to MITRE, ATT&CK “is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” The key thing to note is that it is designed to cover adversary tactics and techniques, and those encompass a wide variety of activities. For example, ATT&CK technique T1200, Hardware Additions, covers an adversary introducing “computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access”, which has clear physical-world implications, while T1068 deals with the use of software exploits for privilege escalation, which in general does not involve the physical world. There are over 500 techniques, and each is associated with one or more of 14 tactics, which correspond to the different phases of an adversary's attack.
Screenshot of the MITRE ATT&CK framework, listing out the techniques used and associated tactics (in columns).
Today, MITRE ATT&CK is typically used by cyber threat intelligence analysts within the SOC. ATT&CK techniques are often aligned with behaviors observed in system logs and network traffic, which lets analysts study whether a given pattern corresponds to a common behavior or even to a specific threat group. For example, an analyst can map network data from a SIEM to ATT&CK techniques and in turn produce a chart showing which threat actors commonly use those techniques. This can give a decision-maker insight into which threat actors may be conducting initial reconnaissance against the enterprise.
For more information, check out the MITRE ATT&CK site here: https://attack.mitre.org/
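The mapping described above (SIEM detections tagged with technique IDs, rolled up to tactics and then compared against the techniques each threat group is known to use) as an added example; this is not code from the original post or from MITRE. The knowledge base is a constructed subset: the T1200 and T1068 tactic assignments match ATT&CK (T1595, Active Scanning, is also a real technique), but the group names and SIEM alerts are placeholders built for the example.

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed subset of the ATT&CK knowledge base, not the real STIX export.
# The technique/tactic pairs from the post (T1200 -> Initial Access,
# T1068 -> Privilege Escalation) are real; T1595 (Active Scanning) is also a
# real ATT&CK technique. Group names are constructed placeholders.
TECHNIQUES: Dict[str, dict] = {
    "T1595": {"name": "Active Scanning", "tactics": ["reconnaissance"]},
    "T1200": {"name": "Hardware Additions", "tactics": ["initial-access"]},
    "T1068": {"name": "Exploitation for Privilege Escalation",
              "tactics": ["privilege-escalation"]},
}

GROUPS: Dict[str, Set[str]] = {
    "GROUP-A (placeholder)": {"T1595", "T1068"},
    "GROUP-B (placeholder)": {"T1200"},
    "GROUP-C (placeholder)": {"T1595", "T1200", "T1068"},
}

# Constructed SIEM detections; each alert carries the ATT&CK ID that the
# firing detection rule was tagged with.
SIEM_ALERTS: List[dict] = [
    {"host": "fw-edge-1", "rule": "port sweep from single source", "technique": "T1595"},
    {"host": "ws-042", "rule": "new USB network adapter enumerated", "technique": "T1200"},
    {"host": "ws-042", "rule": "integrity level jump after crash", "technique": "T1068"},
    {"host": "fw-edge-1", "rule": "port sweep from single source", "technique": "T1595"},
]

def observed_techniques(alerts: List[dict]) -> Set[str]:
    """Collect the distinct ATT&CK technique IDs seen in the alert stream."""
    return {a["technique"] for a in alerts if a["technique"] in TECHNIQUES}

def tactic_coverage(techniques: Set[str]) -> Counter:
    """Count how many observed techniques fall under each tactic (attack phase)."""
    return Counter(t for tid in techniques for t in TECHNIQUES[tid]["tactics"])

def rank_groups(techniques: Set[str]) -> List[tuple]:
    """Score each group by how many of the observed techniques it is known to use."""
    scores = [(g, len(techs & techniques)) for g, techs in GROUPS.items()]
    return sorted(scores, key=lambda s: (-s[1], s[0]))

if __name__ == "__main__":
    seen = observed_techniques(SIEM_ALERTS)
    print("Observed:", sorted(seen))
    print("Tactic coverage:", dict(tactic_coverage(seen)))
    for group, hits in rank_groups(seen):
        print(f"{group}: {hits}/{len(GROUPS[group])} known techniques observed")
```

Overlap counts alone do not attribute activity to a group; they are a starting point for an analyst, and the real knowledge base should be loaded from MITRE's published STIX data rather than hand-typed.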