How to Implement the MITRE ATT&CK Compliance Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) model was created in 2013 from MITRE's Fort Meade Experiment where researchers studied adversary and defender behavior to try and improve post-compromise detection of threats. MITRE ATT&CK is used throughout the world and across multiple disciplines including threat hunting, security engineering, intrusion detection, risk management, and threat intelligence. Learn how the compliance framework can work for your business.

Here's What You Need to Know About the MITRE ATT&CK Framework:

What is the MITRE ATT&CK Model 

This framework provides a knowledge base of adversarial techniques, classified by tactics (short term tactical attack goals) and techniques (how cybercriminals achieved specific tactics). Rather than focusing on abstract kill chains and tools, the MITRE framework focuses on how cybercriminals interact with systems during a security event. MITRE ATT&CK is structured this way for a few reasons:

1. Insight into Adversary Behavior - standard indicators of compromise (domains, IP addresses, file hashes, registry keys, etc.) provided point-in-time detection, but do not map how cybercriminals interact with systems over time. MITRE ATT&CK changed this by looking at system interaction.
2. Mapping of Lifecycle Models - many existing lifecycle and cyber kill chain concepts relied on abstraction, rather than concrete tactics, techniques, and procedures (TTPs). This was insufficient to address current and emerging security needs. 
3. Widespread Applicability - adversarial TTPs are based on real world examples and observed incidents.
4. Common Taxonomy - there was not a common terminology to describe TTPs across adversary groups. The MITRE ATT&CK framework provides one. 

MITRE ATT&CK leverages endpoint telemetry data and analytics to improve post-compromise detection of adversaries within a corporate network. The framework can be applied to Windows, macOS, Linux, Network infrastructure devices, container technologies; cloud systems covering IaaS, SaaS, Office 365, Azure AD, and Google Workspace; mobile devices covering Android and iOS.

How to Use the MITRE ATT&CK Framework

There are many ways to utilize the information within MITRE ATT&CK - by tactic, technique, and environment. ATT&CK for Enterprises focuses on adversarial behavior in Linux, Windows, Mac, and cloud environments. ATT&CK for Mobile targets adversarial behavior on Android and iOS operating systems. The final category, Pre-ATT&CK, focuses on pre-exploit adversarial behavior, and is couched within the ATT&CK for Enterprise matrix:

When looking at the matrix, tactics are organized into 14 columns, with specific techniques outlined below. The tactics provide high-level notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data. The techniques represent the means of achieving a specific tactic, what an adversary stands to gain, and the type of information they're targeting. The tactics include:

1. Reconnaissance - collecting information for future adversary operations
2. Resource Development - setting up resources to support operations 
3. Initial Access - trying to gain access to your network 
4. Execution - trying to run malicious code
5. Persistence - trying to gain a foothold 
6. Privilege Escalation - trying to access higher-level permissions
7. Defense Evasion - trying to avoid detection 
8. Credential Access - stealing passwords and account names 
9. Discovery - doing their best to figure out your environment 
10. Lateral Movement - moving through your environment 
11. Collection - getting important data to the adversary goal 
12. Command and Control - trying to control compromised systems by communicating with them 
13. Exfiltration - stealing data 
14. Impact - destroying, manipulating, or interrupting data
    
    
    

How MITRE ATT&CK Supports and Secures Your Businesses 

The goal of this platform is to protect your business from breaches and cybercriminals. There are multiple steps for a cybercriminal to hack into a network system and ATT&CK uses tactics at every stage to prevent them from succeeding in a breach. ATT&CK can help businesses in multiple ways including: 

1. Adversary Emulation - ATT&CK can be used to create adversary emulation scenarios to verify and test defenses
2. Red Teaming - your IT team acts as an adversary to show the impact of a potential breach
3. Behavioral Analytics Development - links suspicious activity together to monitor adversary activity
4. Defensive Gap Assessment - identify where your business lacks visibility and defenses
5. SOC Maturity Assessment - ATT&CK can be used to determine how effective a SOC is at analyzing, detecting, and responding to breaches
   
   

Implementing MITRE ATT&CK often involves manual mapping or some integration with security tools which typically include Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), or a Cloud Access Security Broker (CASB). If you want to learn more about cybersecurity and compliance frameworks, contact iCorps for a free IT consultation.