MITRE ATT&CK: A Guidebook for the Cyber Jungle
Some people go out into nature with a plant guide or a bird handbook to better understand what they see in front of them. Such a guide includes a catalogue organized by families (raptors, waterfowl, etc.), beak or wing shape, what the bird feeds on, whether it is an early bird or nocturnal, and where it is likely to be seen.
The cyber field is one big jungle teeming with various attack groups, tactics, tools, and motivations. This jungle also has its own "guide": MITRE ATT&CK. This non-profit initiative, founded in 2013, aims to be a continuously updated and accessible knowledge base of cyber threats, built on field observations of attacks and attack groups. All major cybersecurity companies contribute their most current information to it, creating a uniform language in the world of information security.
Since its inception, MITRE ATT&CK has gradually become an essential daily tool for cyber defenders. It is used by three main groups:
1. Threat Intelligence Analysts: The MITRE ATT&CK framework allows analysts to identify attack characteristics, thus aiding in attribution to a specific group. Unlike traditional identification methods such as file signatures or IP addresses, which can be easily changed, attack tactics and tools identify attackers much more consistently.
2. Chief Information Security Officers (CISOs): CISOs use MITRE ATT&CK to map gaps and prioritize tasks. For example, imagine a CISO of a large gaming company. The number of attacks they deal with daily is huge and the potential threats are infinite.
Where to start? What to prioritize? One approach is to go to the MITRE ATT&CK repository and type something like this: Gaming. The repository will show them which attack groups "favor" gaming companies, and what tactics, techniques (there's a difference), and tools these groups have used against similar companies. This allows them to better prioritize projects.
3. Red Teams (Pen Testers): People involved in penetration testing for an organization can use the MITRE ATT&CK framework to simulate relevant attacks based on the organization's size, geography, and the vertical in which it operates. There are also open-source tools that do this automatically based on the repository.
Quantifying security
An additional key contribution of the MITRE ATT&CK framework to the cyber world is the creation of a uniform language that facilitates communication between teams within the organization, between different companies, and with external vendors. For example, as an external IR company, we are required to communicate continuously and clearly with the attacked organization. MITRE ATT&CK assists us in clearly explaining the nature of the attack and how to deal with it.
A valuable use of the MITRE ATT&CK Framework is for understanding a given organization's protection status. Here's a common case: A CEO of a company turns to their CISO and asks: "How protected are we?" This is a complex question that's not always easy to quantify, but MITRE ATT&CK allows for an assessment by analyzing all relevant attack techniques and rating the readiness level for each technique (often with color-coding). From there, it's easier to present a numerical assessment of the organization's cyber protection.
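To make the readiness assessment above concrete, here is an added example (not code from the article, and not a MITRE tool) that turns a per-technique readiness rating into per-tactic scores, a single overall number, and a prioritized gap list, tying in the sector-based prioritization described earlier. The technique IDs and tactic names are real ATT&CK identifiers drawn from general knowledge rather than from the article; the readiness levels, the numeric weights for each color, and the group-to-technique mapping are constructed sample data for a hypothetical organization.

```python
"""Readiness scoring over ATT&CK techniques (added example, constructed data)."""
from collections import Counter, defaultdict

# Readiness scale behind the color-coded matrix. The numeric weights are an
# assumption of this example, not an ATT&CK convention.
READINESS = {
    "none": 0.0,     # red: no detection or mitigation in place
    "partial": 0.5,  # amber: some coverage, known gaps remain
    "full": 1.0,     # green: detection and mitigation validated
}

# Constructed assessment: technique ID -> (name, tactics, readiness level).
# The IDs and tactic memberships are real ATT&CK data; the levels are made up.
# A technique may belong to several tactics, as T1078 does.
ASSESSMENT = {
    "T1566": ("Phishing", ["initial-access"], "partial"),
    "T1059": ("Command and Scripting Interpreter", ["execution"], "full"),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence",
                                 "privilege-escalation", "initial-access"], "partial"),
    "T1003": ("OS Credential Dumping", ["credential-access"], "none"),
    "T1071": ("Application Layer Protocol", ["command-and-control"], "full"),
    "T1486": ("Data Encrypted for Impact", ["impact"], "none"),
}

# Constructed threat-intel input: groups observed against the organization's
# sector and the techniques attributed to them. Group names are placeholders.
SECTOR_GROUPS = {
    "HYPOTHETICAL-GROUP-1": ["T1566", "T1078", "T1003", "T1486"],
    "HYPOTHETICAL-GROUP-2": ["T1059", "T1071", "T1486"],
}


def validate(assessment):
    """Reject unknown readiness levels or techniques with no tactic."""
    for tid, (_name, tactics, level) in assessment.items():
        if level not in READINESS:
            raise ValueError(f"{tid}: unknown readiness level {level!r}")
        if not tactics:
            raise ValueError(f"{tid}: technique has no tactic")


def readiness_by_tactic(assessment):
    """Mean readiness per tactic, in [0, 1]; one row of the heat map each."""
    validate(assessment)
    per_tactic = defaultdict(list)
    for _tid, (_name, tactics, level) in assessment.items():
        for tactic in tactics:
            per_tactic[tactic].append(READINESS[level])
    return {t: round(sum(v) / len(v), 2) for t, v in sorted(per_tactic.items())}


def overall_score(assessment):
    """The single number for the CEO: mean readiness as a 0-100 percentage."""
    validate(assessment)
    levels = [READINESS[level] for _n, _t, level in assessment.values()]
    return round(100 * sum(levels) / len(levels))


def gaps(assessment, threshold="partial"):
    """Technique IDs rated below the threshold, sorted by ID."""
    validate(assessment)
    cutoff = READINESS[threshold]
    return sorted(tid for tid, (_n, _t, level) in assessment.items()
                  if READINESS[level] < cutoff)


def prioritized_gaps(assessment, groups, threshold="partial"):
    """Gaps ranked by how many sector-relevant groups use the technique."""
    usage = Counter(t for techs in groups.values() for t in techs)
    return sorted(gaps(assessment, threshold), key=lambda tid: (-usage[tid], tid))


if __name__ == "__main__":
    for tactic, score in readiness_by_tactic(ASSESSMENT).items():
        print(f"{tactic:<22} {score:.2f}")
    print("overall:", overall_score(ASSESSMENT))
    print("gaps to fix first:", prioritized_gaps(ASSESSMENT, SECTOR_GROUPS))
```

With the sample data, T1486 ranks ahead of T1003 because two of the relevant groups use it, even though both are rated "none"; that ordering is the prioritization benefit of combining the readiness matrix with sector-specific group data rather than reading either alone.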
In addition to all this, the MITRE ATT&CK repository also offers the means to deal with known techniques. The repository displays mitigation methods for some attack types, and when there's no easy mitigation for a technique, the repository might offer indicators and identifiers, which allow for better monitoring and visibility of that attack.
Finally, the MITRE organization publishes what are called Evaluations once a year, which, as the website explains, "is a resource that will allow you to understand how well a particular security product might protect your unique needs against known threats."
The index evaluates the performance of various security tools (Check Point, Palo Alto Networks, Microsoft, etc.) against common threats for that year. The 2024 ranking, which was recently published, is becoming a popular tool for cybersecurity companies to flaunt their detection and prevention capabilities.
In this case, we would suggest healthy skepticism since these rankings are based on specific sets of scenarios that might change in different environments. Therefore, it's important to consider the rankings just as part of a broader set of considerations when choosing security products, rather than relying on them alone.