In today’s fast-paced digital world, information security has never been more important. With cyber threats becoming more sophisticated by the day, it is critical for organizations to stay ahead of the curve by understanding the tactics and strategies adversaries can use to compromise their systems. This is where the Mitre ATT&CK Matrix comes in.
The Mitre ATT&CK Framework takes its name from the MITRE Corporation, which maintains it, and the acronym ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is publicly available and serves as a knowledge base of techniques used by cyber adversaries to target corporate IT systems.
Mitre ATT&CK is not just a tool; it is a true cybersecurity roadmap. It is an interactive and constantly updated resource that provides detailed descriptions of the tactics, techniques, and procedures (TTPs) used by cybercriminals in their attacks. Mastering and applying Mitre ATT&CK can give organizations an invaluable advantage in the fight against cyber threats.
But how do you turn this valuable roadmap into a tangible and effective security strategy? This is where this guide comes in. Throughout this material, you will learn how to integrate ATT&CK into your organization, identify security gaps, prioritize and implement security controls, provide effective training, and establish a continuous monitoring and review process.
With Mitre ATT&CK as your ally, you will be better equipped to anticipate, prevent and respond to cyber-attacks and protect your valuable digital assets.
Are you ready to embark on the journey to more robust and efficient information security?
1. Contextualization
The first step is to ensure that everyone in the company, from managers to the technical team, understands what Mitre ATT&CK is and the value it brings. Conduct presentations or workshops to introduce the concept. Simplify the explanation by comparing ATT&CK to a “security checklist” that catalogs the known ways an adversary can attempt to infiltrate the organization’s systems.
It’s important to remember that contextualization is an ongoing process. As the ATT&CK matrix is updated and new techniques are added, it’s necessary to revisit this step to ensure that everyone in the organization continues to understand the matrix and its relevance.
1.1. Explaining the Concept:
Before discussing Mitre ATT&CK with your team, it’s essential that you can explain the concept in a clear and concise manner. You should fully understand what ATT&CK is, how it works, and its importance. Prepare a simple yet informative presentation that addresses these points.
1.2. Identifying Stakeholders:
Stakeholders may vary depending on the organization, but they usually include the IT team, the security team, the risk management team, and top-level executives. Each stakeholder group requires different information, so tailor your communication to each group.
1.3. Conducting Awareness Meetings:
For the technical team, such as IT and security, provide details on how the ATT&CK matrix works and how it will be applied. Also, emphasize the importance of each individual’s role in effectively using the matrix. For the management team and executives, focus on the relevance of ATT&CK for overall company security, how it can help prevent attacks, and how it can impact the business in terms of risk reduction and compliance.
1.4. Organizing Training Workshops:
For the technical team, arrange more in-depth training workshops to familiarize them with the matrix. Use practical examples and case studies to demonstrate how attack techniques are used in real life and how the ATT&CK matrix can help detect and prevent such attacks.
1.5. Establishing an Open Communication Channel:
Create an open communication channel for questions and discussions regarding the ATT&CK matrix. This could be a dedicated chat channel, regular Q&A sessions, or a dedicated email address. This channel will allow people to ask questions and discuss issues as they begin working with the matrix.
2. Study of the ATT&CK Matrix
The ATT&CK matrix is a visual resource that displays all the listed tactics and techniques in the framework. The tactics represent the high-level objectives an adversary may have, such as Initial Access or Lateral Movement, while the techniques are the specific methods that can be used to achieve these objectives.
Devote yourself to studying this matrix to understand the meaning of each tactic and technique.
2.1. Exploring the Matrix:
The ATT&CK matrix is available online on the Mitre website. Start by navigating the matrix to familiarize yourself with its structure. Note that the matrix is divided into several categories of tactics, such as Initial Access, Execution, Persistence, Defense Evasion, among others. Each of these categories has multiple associated techniques.
2.2. Understanding the Tactics and Techniques:
In the matrix, click on each tactic and technique to obtain more information. The tactics represent the objectives an adversary may have during an attack, while the techniques are the specific methods that can be used to achieve those objectives.
For example, the Initial Access tactic describes the ways in which an adversary can gain entry into a network or system. A technique under this tactic could be Spearphishing Link, which describes a specific way an attacker could gain initial access.
All the techniques described in the framework have been used by real-world adversaries, from intrusion groups to criminal organizations, to infiltrate targeted organizations’ networks and steal their data. At the time of writing this article, the framework contains information on 227 different techniques.
According to Mitre ATT&CK, there are 14 tactics, that is, 14 high-level objectives an attacker pursues during an attack:
- Reconnaissance: gathering information about the target organization in preparation for future hostile activities. Currently lists 10 techniques.
- Resource Development: acquiring infrastructure and resources to support adversarial activities against the target organization. Currently lists 8 techniques.
- Initial Access: gaining an initial foothold in the target network. Currently lists 9 techniques.
- Execution: running malicious code on the network, usually to exploit systems or steal data. Currently lists 14 techniques.
- Persistence: maintaining access to the target network over time, surviving measures such as credential changes or restarts that could otherwise cut off access. Currently lists 19 techniques.
- Privilege Escalation: obtaining administrator permissions or other high-level permissions within the target network. Currently lists 13 techniques.
- Defense Evasion: avoiding detection by security software and IT security teams. Currently lists 42 techniques.
- Credential Access: stealing account names and passwords, allowing the attacker to bypass security measures by accessing the network with legitimate credentials. Currently lists 17 techniques.
- Discovery: exploring the network and collecting information such as running applications and services, existing accounts, available resources, etc. Currently lists 31 techniques.
- Lateral Movement: accessing and controlling remote systems and services within the target network.
- Collection: aggregating data of interest from various sources within the target network. Currently lists 9 techniques.
- Command and Control: communicating with compromised systems inside the target network from adversary-controlled infrastructure. Currently lists 16 techniques.
- Exfiltration: stealing data from the target network and transferring it to an adversary-controlled external server. Currently lists 9 techniques.
- Impact: destroying data or disrupting the availability of applications, services, or the target network itself. Currently lists 13 techniques.
2.3. Analyzing Technique Details:
Each technique in the ATT&CK matrix is accompanied by a detailed description, including a summary of the technique, examples of how it has been used in real-world attacks, detection suggestions, and possible mitigation measures.
For each technique, the framework includes:
- A description of the technique;
- A list of sub-techniques related to the technique;
- A list of known mitigation methods for the technique;
- A list of known detection methods for the technique;
- Some metadata related to the technique;
- References and additional resources related to the technique.
The techniques in the Mitre ATT&CK framework are categorized into 14 tactics that cover the entire lifecycle of a cyber attack, from initial information gathering to data exfiltration and further attack impact.
When cybercriminals target an organization’s IT environment, we know their ultimate goal is data exfiltration.
I recommend spending some time studying these details for each technique, as it will undoubtedly provide a deeper understanding of how real attacks occur and how to protect against them.
2.4. How do criminals obtain data from corporate systems?
In general terms, we can anticipate the adversary’s behavior:
- Gain network access and avoid detection;
- Explore the network to discover valuable data assets;
- Secure the necessary permissions to enable data exfiltration;
- Steal organizational data and damage network systems.
The 14 tactics described in the Mitre ATT&CK framework are an extension of this general pattern of action, covering all of the short-term goals and objectives that attackers attempt to achieve on their way to successfully stealing data from organizations. Techniques are the specific methods used to achieve these tactical objectives, which is why each technique is listed under its corresponding tactic.
The Mitre ATT&CK Framework also provides information on known threat actor groups worldwide. For each known threat actor group, the framework describes the types of organizations they target, the techniques they have used in previous attacks, and the software they have used to attack target networks.
In addition, the framework includes a database of software programs that have been used in malicious cyber attacks.
2.5. Relating Techniques to Your Environment:
Consider how each technique applies to your own IT environment. For example, if you use a particular type of software or hardware, are there specific techniques an adversary could use against it? Or, if you have a specific policy, such as allowing remote access, what techniques could be used to exploit it? Performing this analysis will help you tailor the ATT&CK matrix to your specific situation.
2.6. Common Use Cases:
The ATT&CK framework can be used and adapted for many scenarios, such as the examples below:
- Detection and Analysis: It can assist in cybersecurity defense by developing analytics that detect the techniques used by an adversary.
- Threat Intelligence: It provides security professionals with a common language to structure, compare, and analyze threat intelligence.
- Adversary Emulation and Red Teaming: It provides a common language and framework that red teams can use to emulate specific threats and plan their operations.
- Assessment and Engineering: It can be used to assess your organization’s resources and make technical decisions, such as which tools or configurations to implement.
To work with these use cases using ATT&CK, you can rely on some of the infrastructure resources provided by ATT&CK, which are presented below:
- Interfaces for Working with ATT&CK: a page on the ATT&CK site that describes how to access ATT&CK content programmatically via STIX/TAXII and as Excel spreadsheets.
- ATT&CK Navigator: the ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices. You can use the Navigator to visualize defensive coverage, plan blue and red team activities, or anything else you would like to do with ATT&CK. If you want to get started right away, MITRE publishes a hosted instance (mitre-attack.github.io/attack-navigator).
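To make the STIX interface concrete, here is an added example (not code from the article or from MITRE) that parses a small constructed bundle laid out like the ATT&CK STIX data into a tactic-to-technique map, skipping revoked and deprecated entries. The technique IDs T1566, T1566.002, T1078 and T1021 are real ATT&CK IDs; the STIX object ids, the revoked entry T9999 and the bundle itself are constructed placeholders.

```python
"""Parse ATT&CK-style STIX 2.1 attack-pattern objects into a tactic -> technique map.
Added example, not code from the article or from MITRE. The bundle is constructed but
follows the real ATT&CK STIX layout: technique ID in external_references (source_name
"mitre-attack"), tactics in kill_chain_phases, retired objects flagged "revoked" or
"x_mitre_deprecated" (these must be skipped before counting anything)."""
import json
from collections import defaultdict

def _attack_pattern(ext_id, name, tactics, sub=False, **extra):
    """Build a constructed attack-pattern object; the STIX id is a placeholder."""
    obj = {"type": "attack-pattern", "id": "attack-pattern--constructed-" + ext_id.lower(),
           "name": name, "x_mitre_is_subtechnique": sub,
           "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                 for t in tactics],
           "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}
    obj.update(extra)
    return obj

# Constructed sample bundle; in practice this comes from the ATT&CK STIX/TAXII feed.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    _attack_pattern("T1566", "Phishing", ["initial-access"]),
    _attack_pattern("T1566.002", "Spearphishing Link", ["initial-access"], sub=True),
    # Valid Accounts is a single technique listed under four tactics.
    _attack_pattern("T1078", "Valid Accounts", ["defense-evasion", "persistence",
                                               "privilege-escalation", "initial-access"]),
    _attack_pattern("T1021", "Remote Services", ["lateral-movement"]),
    # Constructed revoked entry: keeping it would inflate the Execution count.
    _attack_pattern("T9999", "Constructed Revoked Example", ["execution"], revoked=True),
    # Other STIX types (tactics, groups, software) live in the same bundle.
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--constructed", "name": "Execution"},
]})

def parse_techniques(bundle_json):
    """Return {technique_id: info} for live (non-revoked, non-deprecated) techniques."""
    techniques = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        tactics = sorted(p["phase_name"] for p in obj.get("kill_chain_phases", [])
                         if p.get("kill_chain_name") == "mitre-attack")
        techniques[ext_id] = {"name": obj["name"], "tactics": tactics,
                              "is_subtechnique": bool(obj.get("x_mitre_is_subtechnique")),
                              "parent": ext_id.split(".")[0]}
    return techniques

def techniques_by_tactic(techniques):
    """Group IDs under each tactic. A multi-tactic technique appears under every tactic
    it belongs to, so per-tactic counts add up to more than the number of techniques."""
    grouped = defaultdict(list)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            grouped[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in grouped.items()}
```

The same two functions work unchanged on the real enterprise-attack bundle, which is where the revoked/deprecated filter matters most.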
3. Discovering and Addressing Security Gaps
By using the ATT&CK matrix, you can understand the vulnerabilities in your environment and identify the focus of your security efforts. For each technique in the matrix, consider whether there are security strategies in place to detect or thwart that approach. Note the areas where protection is lacking – these are the security “gaps”.
Remember that gap analysis is an ongoing task. As your environment changes and new techniques are added to the ATT&CK matrix, you must continually update your gap analysis.
Now let’s look at how to perform a gap analysis:
3.1. Master Your Environment:
The first step is to have a comprehensive understanding of your IT environment, including all systems, applications, networks, and security controls in place. If you haven’t already done so, create a detailed inventory.
3.2. Mapping Your Current and Active Controls:
For each technique listed in the ATT&CK matrix, determine whether you have security controls in place that can detect, block, or mitigate the technique. Consider everything from firewalls, intrusion detection systems, and anti-virus software to security policies and training.
3.3. Detecting the Gaps:
Next, identify the areas where there is no coverage. These are your security “gaps”: the points where you lack the ability to detect, prevent, or mitigate a particular technique. List these gaps.
3.4. Evaluating the Risk:
For each gap, assess the associated risk, which can vary based on several factors, including the likelihood of an attacker using the technique, the sensitivity of the systems or data affected, and your organization’s ability to respond to an incident involving the technique.
3.5. Documenting Your Analysis:
Document your gap analysis in a format that is easy to understand and share with others in your organization. The documentation can be a simple document such as a spreadsheet with a row for each technique, columns to describe existing controls and associated risks, and a column for identified gaps.
4. Prioritization
Not everything can be done at once, right? That is why prioritization is a critical step after gap analysis.
Based on the gap analysis, decide which gaps need to be addressed first. Some techniques may pose more risk to your organization than others, depending on your specific situation. Use your knowledge of your environment and likely threats to help you prioritize.
Keep in mind that prioritization is an ongoing process. As your environment changes and new techniques are added to the ATT&CK matrix, you will need to review and update your priorities.
Now let’s explore how to prioritize your security measures based on the results of your gap analysis:
4.1. Evaluating the Risk:
Review the gaps identified in your analysis and the risk associated with each gap. In general, gaps that pose a higher risk should be addressed first. Risk considerations may include the likelihood of an attacker using a technique, the sensitivity of the systems or data affected, and the organization’s ability to respond to an incident.
4.2. Considering Feasibility:
Not all security measures will be equally practical to implement. Some may require significant investment in new technology, while others may be achievable with existing resources. Consider feasibility when prioritizing actions.
4.3. Thinking Strategically:
Some security measures can provide broader benefits to your organization than mitigating a single attack technique. For example, promoting security awareness training for employees may help prevent multiple attack techniques. Try to identify and prioritize these “high-return” actions.
4.4. Developing an Action Plan:
Develop an action plan based on your risk assessment, feasibility, and strategic benefits. This plan should list the security measures you plan to implement in order of priority and establish a timeline for each action.
4.5. Communicating the Plan:
Share your action plan with relevant stakeholders in your organization, including the IT team, security team, risk management team, and executives. Ensure that everyone understands the rationale for the prioritization and what is expected of them in implementing the plan.
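Carrying the gap analysis of section 3 and the prioritization of section 4 into working code, as an added example that is not part of the article: a constructed gap register in the layout of the section 3.5 spreadsheet, an assumed risk formula likelihood * sensitivity * (6 - response), a ranking of candidate controls by risk closed per unit of effort, and an ATT&CK Navigator layer that colors gaps red. The register rows, candidate controls, effort values and the layer version string are all assumptions; the technique IDs are real ATT&CK IDs.

```python
"""Gap register, risk-based prioritization and ATT&CK Navigator export.
Added example, not from the article. All rows, candidate controls and the scoring
rule are constructed assumptions: risk = likelihood * sensitivity * (6 - response),
each factor 1..5, following the three risk factors named in sections 3.4 and 4.1."""
import json

# Constructed gap register: one row per technique, the spreadsheet of section 3.5.
# "controls" lists what is in place today; an empty list marks a gap.
REGISTER = [
    {"id": "T1566.002", "name": "Spearphishing Link", "tactic": "initial-access",
     "controls": ["email-gateway", "awareness-training"],
     "likelihood": 5, "sensitivity": 4, "response": 4},
    {"id": "T1078", "name": "Valid Accounts", "tactic": "initial-access",
     "controls": [], "likelihood": 4, "sensitivity": 5, "response": 2},
    {"id": "T1021", "name": "Remote Services", "tactic": "lateral-movement",
     "controls": [], "likelihood": 3, "sensitivity": 4, "response": 2},
    {"id": "T1003", "name": "OS Credential Dumping", "tactic": "credential-access",
     "controls": ["edr"], "likelihood": 4, "sensitivity": 5, "response": 3},
]

# Candidate controls and the gap techniques each would close (constructed). Effort is
# 1..5; a control covering several gaps is a "high-return" action (section 4.3).
CANDIDATE_CONTROLS = {
    "mfa-everywhere": {"covers": {"T1078", "T1021"}, "effort": 3},
    "network-segmentation": {"covers": {"T1021"}, "effort": 5},
    "privileged-account-monitoring": {"covers": {"T1078"}, "effort": 2},
}

def risk_score(row):
    """Higher likelihood, more sensitive assets and weaker response all raise risk."""
    return row["likelihood"] * row["sensitivity"] * (6 - row["response"])

def find_gaps(register):
    return [row for row in register if not row["controls"]]

def prioritize_gaps(register):
    """Gaps ordered highest risk first (section 4.1)."""
    return sorted(find_gaps(register), key=risk_score, reverse=True)

def rank_candidate_controls(register, candidates):
    """Rank candidate controls by risk closed per unit of effort (sections 4.2, 4.3).
    Returns (name, total_risk_closed, risk_per_effort) tuples, best first."""
    gap_risk = {row["id"]: risk_score(row) for row in find_gaps(register)}
    ranked = []
    for name, ctl in candidates.items():
        closed = sum(gap_risk.get(tid, 0) for tid in ctl["covers"])
        ranked.append((name, closed, round(closed / ctl["effort"], 2)))
    return sorted(ranked, key=lambda item: item[2], reverse=True)

def navigator_layer(register, name="Gap analysis"):
    """Build an ATT&CK Navigator layer dict: gaps red, covered techniques green,
    score = risk so the Navigator heat map orders the register visually."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},  # assumed Navigator layer-format version
        "techniques": [
            {"techniqueID": row["id"], "tactic": row["tactic"], "score": risk_score(row),
             "color": "#ff6666" if not row["controls"] else "#8ec843",
             "comment": "GAP" if not row["controls"]
                        else "controls: " + ", ".join(row["controls"])}
            for row in register],
    }

def write_layer(register, path="gap-analysis-layer.json"):
    """Write the layer as JSON so it can be opened in the Navigator."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(register), fh, indent=2)
    return path
```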
5. Implementation of Security Controls
Initiate the implementation of security controls to address the identified gaps. Security controls are the measures you take to protect your organization from the threats described in the ATT&CK matrix.
Remember that security is an ongoing process, not something that can be set up and forgotten. Therefore, as the environment changes and new threats emerge, it is necessary to review and possibly update your security controls.
Now let’s explore the details of implementing controls:
5.1. Developing an Implementation Plan:
Create a detailed plan for each security control you plan to implement. This plan should include what needs to be done, who is responsible, what resources are needed, and a realistic timeline.
5.2. Gathering Resources:
Before beginning the implementation, gather all necessary resources, which may include hardware, software, team time, training, and any other required resources.
5.3. Implementing Security Controls:
Start implementing the security controls according to your plan. Make sure that each control is implemented correctly and works as expected.
5.4. Training:
Ensure that your team is adequately trained to use and maintain the new security controls. Training is important for technical controls, such as new software or hardware, but also for process controls, such as new security policies or procedures.
5.5. Documentation:
Document any new security controls and any changes made to your systems or processes. This documentation will be useful for future security analyses and audits, and will help the team understand what was done and why.
5.6. Monitoring and Adjustments:
After implementing controls, continue to monitor them to ensure their ongoing effectiveness. This may include reviewing logs, conducting periodic security tests, and soliciting feedback from the team. Based on this monitoring, make any necessary adjustments.
6. Training
Training is essential to ensure that everyone in the organization understands and can effectively implement security strategies, including the Mitre ATT&CK Matrix. Your team should be prepared to recognize and respond to each technique described in the ATT&CK matrix.
The goal of training is not only to impart information, but also to create a security culture within your organization where everyone understands the importance of security and their role in maintaining it.
Let’s explore how to approach this training:
6.1. Identifying Training Requirements:
Determine the skills or knowledge your team needs to implement and maintain the security controls you have implemented, which may vary depending on the type of control. For example, new security software may require technical training, while a new security policy may require awareness training.
6.2. Developing a Training Plan:
Create a plan that outlines what the training will cover, who needs to attend, who will deliver the training, and when and where it will take place. Depending on your organization’s needs, you may want to conduct the training in-house or hire an outside vendor.
6.3. Conducting the Training:
Conduct the training as planned. Make sure the training is as interactive and engaging as possible to keep participants interested. Use practical examples to illustrate key points and allow participants to apply what they have learned.
6.4. Assessing Effectiveness:
After conducting the training, evaluate its effectiveness through testing, participant feedback, or observation of changes in behavior or security practices following the training.
6.5. Updating and Refreshing:
Information security training is not a one-time event. As the ATT&CK matrix is updated and new security controls are implemented, you will need to provide update or refresher training to your team. Schedule this training on a regular basis.
7. Monitoring and Ongoing Review
Finally, maintain an ongoing process of monitoring and review. As new techniques are added to the ATT&CK matrix, repeat the gap analysis and implementation process for these new techniques. In addition, periodically review existing controls to ensure their continued effectiveness.
The goal of monitoring and ongoing review is to ensure that your security strategy remains effective in the face of an evolving threat landscape. It is an ongoing process that requires commitment and constant vigilance.
Let’s analyze how to approach monitoring and continuous review:
7.1. Establishing Metrics:
To effectively monitor your security controls, you need to establish clear metrics. These metrics can include the number of attack attempts detected, incident response time, security policy compliance, and more.
7.2. Setting Up Monitoring:
Configure monitoring systems to automatically track the defined metrics. This may include the use of security information and event management (SIEM) tools, intrusion detection/prevention systems (IDS/IPS), or other security technologies.
7.3. Regular Reviews:
Periodically review the data collected by your monitoring system. The goal is to identify trends, detect new threats, and evaluate the effectiveness of your current security controls.
7.4. Incident Response:
When a security incident is detected, the response should be prompt and effective, which may include investigating the incident, mitigating the threat, restoring affected systems, and communicating with stakeholders.
7.5. Learning from Incidents:
After a security incident is resolved, conduct a post-incident analysis to understand what happened, why it happened, and how it can be prevented in the future.
7.6. Updating the Matrix:
Stay current with ATT&CK matrix updates, and regularly review and update your own mapping of the matrix (your gap register and Navigator layers) to reflect new attack techniques and tactics.
7.7. Adjusting Security Controls:
Based on the information gathered through monitoring and testing, it may be necessary to adjust your security controls. This may involve strengthening existing controls, implementing new controls, or eliminating controls that are no longer effective.
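An added example (not from the article) that computes the section 7.1 metrics from a constructed SIEM alert export tagged with ATT&CK technique IDs, and adds the check that sections 7.3 and 7.7 call for: controls the gap register credits with detection that never fired during the period. The alert lines and their field names are assumptions; the technique IDs are real ATT&CK IDs.

```python
"""Monitoring metrics for ATT&CK-mapped detections (sections 7.1 to 7.3 and 7.7).
Added example, not from the article. The alert export below is constructed JSON
lines in the shape a SIEM might produce; field names are assumptions. Each alert
carries the technique ID its detection rule is mapped to."""
import json
from collections import Counter
from datetime import datetime

# Constructed alert export, one JSON object per line; responded_at is null while open.
SAMPLE_ALERTS = """\
{"detected_at": "2024-05-01T08:00:00Z", "technique": "T1566.002", "tactic": "initial-access", "responded_at": "2024-05-01T08:25:00Z"}
{"detected_at": "2024-05-01T09:10:00Z", "technique": "T1078", "tactic": "initial-access", "responded_at": "2024-05-01T10:10:00Z"}
{"detected_at": "2024-05-02T11:00:00Z", "technique": "T1021", "tactic": "lateral-movement", "responded_at": null}
{"detected_at": "2024-05-03T13:30:00Z", "technique": "T1566.002", "tactic": "initial-access", "responded_at": "2024-05-03T13:45:00Z"}
"""

# Techniques the gap register claims existing controls can detect (constructed).
CLAIMED_DETECTION = {"T1566.002", "T1078", "T1021", "T1003"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None

def parse_alerts(text):
    """Parse JSON-lines alerts, converting timestamps to datetime objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        alert["detected_at"] = _ts(alert["detected_at"])
        alert["responded_at"] = _ts(alert.get("responded_at"))
        alerts.append(alert)
    return alerts

def detections_per_tactic(alerts):
    """Metric 7.1: number of attack attempts detected, broken down by tactic."""
    return dict(Counter(a["tactic"] for a in alerts))

def mean_response_minutes(alerts):
    """Metric 7.1: mean time from detection to response over closed alerts."""
    closed = [a for a in alerts if a["responded_at"]]
    if not closed:
        return None
    total = sum((a["responded_at"] - a["detected_at"]).total_seconds() for a in closed)
    return round(total / 60 / len(closed), 2)

def open_incidents(alerts):
    """Alerts still without a response: the backlog for section 7.4."""
    return [a["technique"] for a in alerts if a["responded_at"] is None]

def silent_controls(alerts, claimed=CLAIMED_DETECTION):
    """Techniques we claim to detect but that never fired in the period. A silent
    control is not proof the technique was absent; it is a control to re-test
    (sections 7.3 and 7.7) before the gap register keeps counting it as coverage."""
    return sorted(claimed - {a["technique"] for a in alerts})
```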
8. Additional Resources and Useful Links
For more details about ATT&CK, as well as additional links to help you get started, understand use cases, and learn about Mitre’s motivation for creating it, please see the links below:
- Official Mitre ATT&CK Getting Started page
- Paper: ATT&CK Design and Philosophy
- Paper: ATT&CK for ICS extension
- Paper: Finding Cyber Threats with ATT&CK-Based Analytics
- ATT&CK Sightings
- Adversary Emulation Plans
- ATT&CK Evaluations
- ATT&CK Update Log
- Interfaces for Working with ATT&CK
- Graphic: MITRE ATT&CK Roadmap
- Graphic: MITRE ATT&CK Matrix Poster
9. Final Considerations
Implementing Mitre ATT&CK can be a significant project, but it is a valuable investment in your organization’s security. The ATT&CK framework provides a systematic way of thinking about security, ensuring that you cover all possible attack vectors.
Studying the ATT&CK matrix is an ongoing process, as new techniques are regularly added to the matrix as new attacks are discovered. Therefore, it is important to revisit the matrix regularly to stay current with the latest threats.
* * * * *