The MITRE ATT&CK framework is a global curated knowledge base of adversary tactics and techniques. This post delves into the history of the ATT&CK framework and provides insights into why every SOC team can benefit from using it to develop threat models and methodologies to protect their organization.
A Bit of History
The MITRE Corporation, a not-for-profit organization that manages research-and-development centers funded by the U.S. government, developed ATT&CK in 2013. MITRE built ATT&CK to investigate endpoint telemetry data and analytics related to post-compromise detection. The objective was to document common tactics, techniques and procedures (TTP) used by threat actors. It based the framework on real-world observations and provides it to cybersecurity practitioners at no cost.
Who Uses ATT&CK, and Why?
Tracking, identifying and stopping cyberthreats before they cause damage is a big job. That’s why security teams in both the government and private sectors use ATT&CK. It provides a common language to communicate about the TTPs used by adversaries. It also provides perspective from the attacker’s point of view, which helps SOC teams get inside the heads of the bad guys. ATT&CK also provides SOCs with a framework to map their existing security controls and detections, which delivers an organized view into risks and threats specific to the organization.
ATT&CK Metrics and Use Cases
Because the framework helps security teams focus on the TTPs of adversaries, ATT&CK delivers clear value for SOC analysts by making it harder for adversaries to avoid detection.
For example, in the case of Mimikatz, a post-exploitation tool that dumps passwords and other info from memory, most of the classic intrusion detection platforms will look for a known hash (or hashes). Once an adversary suspects their hash is no longer effective, they can quickly modify the hash to avoid detection those security tools that solely focus on hashes. But for users of the ATT&CK framework, the focus is shifted toward the TTP, which is broader and not as easily modified by attackers. The result is that the adversary’s attack is less successful than if it had been launched against an organization that only used classic detection methods.
ATT&CK Benefits for Analysts
Given the challenges of hiring and training junior analysts, ATT&CK is very useful in bridging training gaps. For instance, it provides an extensible framework for detecting the modern attacks favored by the most dangerous adversaries, making it easier for less experienced analysts to be successful. Another ATT&CK benefit is that it enables a common language to be used within and between organizations, which enhances the effectiveness of information sharing.
Of course, not all organizations use ATT&CK. Analysts in those organizations tend to rely more on classic detection techniques, which are easier for adversaries to avoid, as in the Mimikatz example above. Analysts without access to ATT&CK often struggle to develop a deep understanding into their organization’s defense limitations and risks. This results in increased false positive rates, ineffective correlation across investigations, and reduced productivity and effectiveness.
How ATT&CK Empowers Analyst Workflow
SOC analyst workflows in organizations that use ATT&CK typically achieve quicker mean time to detect (MTTD) and mean time to respond (MTTR). That’s because ATT&CK eliminates many false positives, which enables analysts to focus their detection efforts on defense gaps and risks that are specific to their organization.
SOC analysts also can map their organization’s defenses and risks to the ATT&CK framework. This enables them to prioritize and focus their detection and response work on what’s most important to their business. Analysts can develop detection and response tools and workflows to zero in on and address these concerns.
How to Incorporate ATT&CK into Your SOC
ATT&CK is free for any organization to use. However, it is complex and, initially, it could overwhelm analysts, especially junior members of a team. While it’s possible to deploy ATT&CK with existing security solutions, SOC teams committed to using ATT&CK should consider deploying a next-gen SIEM that has ATT&CK built in. For example, ATT&CK is a standard component of Devo Security Operations, our next-gen cloud SIEM. So, organizations that deploy Devo can eliminate much of the complexity of ATT&CK while also receiving its many benefits, including using the common language mentioned above.
SOC teams can incorporate existing playbooks into the ATT&CK Framework with just minor modifications. ATT&CK will enhance the playbooks for detection and response by adding an adversarial viewpoint, which can be quite beneficial.
What’s the ATT&CK Learning Curve?
You’re probably wondering how easy—or difficult—it is for analysts to learn the MITRE ATT&CK Framework. As discussed, it can be overwhelming at first for junior analysts. While it does provide a common language and framework to operate, there are hundreds of techniques to learn and master. That’s another case where deploying a SOC solution that includes ATT&CK is usually the most effective way to take advantage of the many benefits of the framework while minimizing the learning curve.
But even with that learning curve, SOC teams that deploy ATT&CK soon will realize significant improvements in the effectiveness of their threat detection, hunting, and mitigation efforts compared to using traditional detection techniques that adversaries can avoid more easily. The full view into your defenses and risks is well worth the time it takes to master ATT&CK.
Are there Alternatives to ATT&CK?
The MITRE ATT&CK Framework is not the only game in town, but there’s a reason why it is so popular. MITRE designed ATT&CK to work with most other frameworks and models on the market. Some security professionals consider cybersecurity frameworks such as the Diamond Model, Cyber Kill Chain, and NIST CSF to be competitors to ATT&CK. MITRE considers the framework to be complementary to other offerings.