We've previously discussed MITRE and how Avertium uses its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework as an important component of our comprehensive 24x7x365 managed security services.
We feel so strongly about the value of this reputable open-source framework that we're circling back around for Cybersecurity Awareness Month to discuss the basics. Here's a look at three ways to use ATT&CK daily to protect your environment against the most advanced and recent adversarial tactics, techniques, and procedures (TTPs).
1. Using MITRE ATT&CK for Threat Hunting
MITRE's ATT&CK defines itself as a “curated knowledge base and model for cyber adversary behavior,” which provides some insight into why it's so useful for gauging an environment's level of visibility against targeted attacks, using a combination of the perimeter- and endpoint-deployed security tools. Our security assessments use the full range of team-style deployments:
Red Teaming
Red team operations involve continuous, campaign-based assessments that emulate realistic behavior and techniques of real-world adversaries and threats. They provide an attack-based frame of reference that reveals deeply relevant insights into system visibility and vulnerabilities.
Blue Teaming
Blue team operations are conducted from the inside, and they play a defensive role of constant vigilance against attacks. They detect attacks, identify security flaws and vulnerabilities, validate controls, and initiate appropriate response and recovery processes.
Purple Teaming
Purple team operations blend red and blue, to create an agile and responsive context for evaluating detection controls and overall security: threats and vulnerabilities emerging from red operations are integrated with controls and tactics from blue operations, to create a holistic security narrative. Ideally, purple is not a separate team, but a convergence of dynamics between red and blue.
Deploying our teams with ATT&CK as a framework allows Avertium to perform security assessments precisely calibrated to deliver extremely relevant results. With its catalog of prior threats and malware sample references, it delineates exactly where to focus our detection efforts.
Related Reading: How Multi-Cloud Environments Expand Your Attack Surface and How to Manage and Reduce the Risk
2. Using MITRE ATT&CK for Incident Response
ATT&CK is an outstanding reference tool for incident response (IR) teams to use as part of their security mission. IR teams can use the ATT&CK knowledge base and the definitions it provides to determine the precise nature of threats faced, as well as common methods to mitigate those threats. ATT&CK matrices provide a blueprint for an incident response that is efficiently organized, well researched, and comprehensive in nature.
Within an incident response context, ATT&CK is all about asking questions; the answers are designed to deliver relevant insights into adversarial TTPs, which is the foundation of mitigation decision making. ATT&CK's common taxonomy facilitates communications, sharing, and collaboration between security teams, which adds another layer of open source enhancement for improved testing, faster development, and better prioritization of detection and response mechanisms.
There are currently 291 techniques in the MITRE ATT&CK framework, and that number is expected to swell as new technologies deploy. Maintaining a comprehensive understanding of adversarial TTPs is a critical element in ATT&CK's usefulness as an IR tool.
Webinar On-Demand: 5 Steps to Creating a Relevant Incident Response (IR) Plan
3. Using MITRE ATT&CK for Heat Mapping
ATT&CK is very useful for creating “heat maps” of frequently used adversarial tactics, techniques, and procedures. MITRE'S cyber analytics repository (CAR) provides dozens of analytic categories, e.g. User Login Activity Monitoring, Remote PowerShell Sessions, Remote Registry, etc., with associated techniques, implementations, and applicable platform information that supports attack detection and identification. A heat map populates and color-codes a chart that can be used to assess systems for the frequency of detected TTPs.
ATT&CK Navigator is a support tool that facilitates navigating and reporting for ATT&CK matrices and heat maps. This allows advanced auditing and analysis of defensive coverage, red/blue/purple team planning, frequency of detected TTPs, and much more. It's one of the ATT&CK tools we use most frequently, and there are hundreds of others we use to help us get the most value from the framework.
Heat mapping can be applied to efficiently analyze systems, tools, controls, policies... well, the applications are virtually endless, and they all support a process that delivers unrivaled visibility into and control over subject IT environments, regardless of scale or complexity.
Avertium Uses MITRE's ATT&CK to Protect Our Customers
Implemented within our managed security services, ATT&CK, along with adherence to the NIST CSF and other compliance standards, creates a strategic framework that enables Avertium to apply more rigor, more relevance, and more responsiveness to our customers' security environments across all industries. This combination empowers Avertium to take a risk-based approach on behalf of our customers to prevent and detect attacks, with applications for threat intelligence, detection and analytics, adversary emulation and red teaming, and assessment and engineering.
Contact us to learn more about how ATT&CK can be a vital part of your security posture and protect you from evolving threats.
Learn why much of modern security ops function at a strategic level for threat-based security and how to apply this to your SecOps.