MITRE ATT&CK: A Guidebook for the Cyber Jungle

February 5, 2025

https://profero.io/blog/mitre-att-ck-a-guidebook-for-the-cyber-jungle

Some people go out into nature with a plant guide or a bird handbook to better understand what they see in front of them. Such a guide includes a catalogue organized by family (raptors, waterfowl, etc.), beak or wing shape, what the bird feeds on, whether it is an early bird or nocturnal, and where it is likely to be seen.

The cyber field is one big jungle teeming with various attack groups, tactics, tools, and motivations. This jungle also has its own "guide": MITRE ATT&CK. This non-profit initiative, founded in 2013, aims to be a continuously updated and accessible knowledge base of cyber threats, built on field observations of attacks and attack groups. All major cybersecurity companies contribute their most current information to it, creating a uniform language for the world of information security.

Since its inception, MITRE ATT&CK has gradually become an essential daily tool for cyber defenders. It is used by three main groups:

1. Threat Intelligence Analysts: The MITRE ATT&CK framework allows analysts to identify the characteristics of an attack, which aids attribution to a specific group. Unlike traditional identifiers such as file signatures or IP addresses, which an attacker can change easily, the tactics and tools an attacker uses identify them far more consistently.

2. Chief Information Security Officers (CISOs): CISOs use MITRE ATT&CK to map gaps and prioritize tasks. For example, imagine the CISO of a large gaming company. The number of attacks they deal with daily is huge and the potential threats are infinite.

Where to start? What to prioritize? One approach is to go to the MITRE ATT&CK repository and search for something like "Gaming". The repository will show them which attack groups "favor" gaming companies, and what tactics (the adversary's objective, such as initial access), techniques (how that objective is achieved, such as phishing), and tools these groups have used against similar companies. This allows them to better prioritize projects.

3. Red Teams (Pen Testers): People who perform penetration testing for an organization can use the MITRE ATT&CK framework to simulate relevant attacks based on the organization's size, geography, and the vertical in which it operates. There are also open-source tools that do this automatically based on the repository.

Quantifying security
An additional key contribution of the MITRE ATT&CK framework to the cyber world is the creation of a uniform language that facilitates communication between teams within an organization, between different companies, and with external vendors. For example, as an external IR company, we are required to communicate continuously and clearly with the attacked organization. MITRE ATT&CK helps us explain clearly the nature of the attack and how to deal with it.

A valuable use of the MITRE ATT&CK Framework is for understanding a given organization's protection status. Here's a common case: A CEO of a company turns to their CISO and asks: "How protected are we?" This is a complex question that's not always easy to quantify, but MITRE ATT&CK allows for an assessment by analyzing all relevant attack techniques and rating the readiness level for each technique (often using color-coding, for example). From there, it's easier to present a numerical assessment of the organization's cyber protection.

In addition to all this, the MITRE ATT&CK repository also offers the means to deal with known techniques. The repository lists mitigation methods for many techniques, and where there is no easy mitigation for a technique, it may instead list detection guidance and data sources, which allow for better monitoring and visibility of that attack.
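As an added illustration of the readiness rating described above, the following script is example code written for this page; it is not a Profero tool and not part of the MITRE ATT&CK framework. It takes a small, constructed inventory of techniques, each rated for readiness (0 = no coverage, 1 = partial, 2 = detected, 3 = prevented) and flagged as to whether ATT&CK lists a mitigation for it, then computes an overall readiness percentage, a per-tactic breakdown, a prioritized list of weak techniques (split into "mitigate" and "detect" work), and a colour-coded layer in the ATT&CK Navigator format. The technique IDs are real ATT&CK identifiers, but the readiness values are invented sample data, and the Navigator layer field names are assumed from the public layer schema rather than taken from this post.

```python
"""Readiness scoring over a constructed ATT&CK technique inventory.

Example code for this blog post (not a Profero or MITRE tool).
Readiness scale: 0 = no coverage, 1 = partial, 2 = detected, 3 = prevented.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

MAX_READINESS = 3

# Colours for the Navigator layer: red (none) through green (prevented).
COLORS = {0: "#d9534f", 1: "#f0ad4e", 2: "#ffd966", 3: "#5cb85c"}


@dataclass(frozen=True)
class TechniqueStatus:
    technique_id: str     # ATT&CK technique ID, e.g. "T1566"
    name: str             # technique name as listed in ATT&CK
    tactic: str           # ATT&CK tactic shortname the rating applies to
    readiness: int        # 0..MAX_READINESS
    has_mitigation: bool  # whether the ATT&CK page lists a mitigation


# Constructed sample inventory: real technique IDs, invented readiness values.
INVENTORY = [
    TechniqueStatus("T1566", "Phishing", "initial-access", 3, True),
    TechniqueStatus("T1078", "Valid Accounts", "defense-evasion", 1, True),
    TechniqueStatus("T1059", "Command and Scripting Interpreter", "execution", 2, True),
    TechniqueStatus("T1021", "Remote Services", "lateral-movement", 0, True),
    TechniqueStatus("T1486", "Data Encrypted for Impact", "impact", 1, False),
]


def readiness_score(inventory: list[TechniqueStatus]) -> float:
    """Overall readiness as a percentage of the maximum possible, one decimal."""
    if not inventory:
        return 0.0
    total = sum(t.readiness for t in inventory)
    return round(100 * total / (MAX_READINESS * len(inventory)), 1)


def readiness_by_tactic(inventory: list[TechniqueStatus]) -> dict[str, float]:
    """Same percentage, broken down per tactic so weak phases stand out."""
    grouped: dict[str, list[int]] = {}
    for t in inventory:
        grouped.setdefault(t.tactic, []).append(t.readiness)
    return {
        tactic: round(100 * sum(levels) / (MAX_READINESS * len(levels)), 1)
        for tactic, levels in grouped.items()
    }


def priorities(inventory: list[TechniqueStatus], threshold: int = 1) -> list[tuple[str, str]]:
    """Techniques at or below the threshold, weakest first.

    Each entry is (technique ID, kind of work): "mitigate" when ATT&CK lists a
    mitigation, otherwise "detect", since monitoring is the remaining option.
    """
    weak = [t for t in inventory if t.readiness <= threshold]
    weak.sort(key=lambda t: (t.readiness, t.technique_id))
    return [
        (t.technique_id, "mitigate" if t.has_mitigation else "detect")
        for t in weak
    ]


def navigator_layer(inventory: list[TechniqueStatus], name: str = "Readiness") -> dict:
    """Build a dict in the ATT&CK Navigator layer format (field names assumed
    from the public layer schema) so the rating renders as a coloured matrix."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": [
            {
                "techniqueID": t.technique_id,
                "tactic": t.tactic,
                "score": t.readiness,
                "color": COLORS[t.readiness],
                "comment": f"{t.name}: readiness {t.readiness}/{MAX_READINESS}",
            }
            for t in inventory
        ],
    }


if __name__ == "__main__":
    print(f"Overall readiness: {readiness_score(INVENTORY)}%")
    print("By tactic:", readiness_by_tactic(INVENTORY))
    print("Priorities:", priorities(INVENTORY))
    print(json.dumps(navigator_layer(INVENTORY), indent=2))
```

The overall number is what answers the CEO's "How protected are we?"; the per-tactic breakdown and the priority list are what the CISO needs to decide where to spend next, and the layer file can be loaded into the Navigator to get the colour-coded view the post mentions.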

Finally, the MITRE organization publishes what are called Evaluations once a year, which, as the website explains, are "a resource that will allow you to understand how well a particular security product might protect your unique needs against known threats."

These evaluations test the performance of various security tools (Check Point, Palo Alto Networks, Microsoft, etc.) against common threats for that year. The 2024 results, which were recently published, are becoming a popular tool for cybersecurity companies to flaunt their detection and prevention capabilities.

In this case, we would suggest healthy skepticism since these rankings are based on specific sets of scenarios that might change in different environments. Therefore, it's important to consider the rankings just as part of a broader set of considerations when choosing security products, rather than relying on them alone.
