A CISO's Guide to the MITRE ATT&CK Framework

The majority of businesses today consider cyber security to be a routine activity. Cyberattacks no longer elicit the same shock and terror that they once did. They are now just part of the job. Despite this natural progression, the volume and severity of cyber attacks continue to grow, necessitating additional cyber security.

MITRE ATT&CK Framework | However, cyberattacks do not only target businesses. For example, 60% of North American homes have experienced at least one cyber attack. In addition, nefarious cyber criminals have victimized 75% of small businesses.

The global cyber security market was worth $156.24 billion in 2020. In 2021, it was worth $217.87 billion. As a result, company executives are becoming increasingly concerned about cyber vulnerabilities linked to their employees’ activities.

This article describes the MITRE ATT&CK framework, which has become one of the most effective cybercrime defence frameworks today.

What is the MITRE ATT&CK framework?

MITRE Corporation, a US-government-funded research organization, based in Bedford, MA, and McLean, VA, introduced a framework to improve internet cybersecurity in 2015. The company was founded in 1958 by the Massachusetts Institute of Technology (MIT). It worked on several business projects for various organizations, including developing the AWACS airborne radar system. MITRE, on the other hand, is not an acronym and has nothing to do with MIT. James McCormack, an early board member of the organization, came up with the name because he thought it had gravitas.

The framework was dubbed the MITRE ATT&CK, a combination of the initial letters of Adversarial Tactics, Techniques, and Common Knowledge. Its goal was to identify, describe, and categorize the ever-expanding list of cyberattacks and enterprise network intrusions. It is a cybersecurity knowledge base of cyberattack tactics and techniques drawn from events worldwide. Its goal is to standardize cyber security terminology while fortifying defences against future cyber attacks.

The letter “CK” in ATT&CK stands for “Common Knowledge.” referring to the documented list of cybercriminals’ tactics and techniques. Additionally, the term CK refers to the framework’s list of procedures. “Tactics, Techniques, and Procedures,” or TTP, is a similar cyber security term. However, the letters CK were chosen to complete the acronym for apparent reasons.

Company executives are becoming increasingly aware of the need to educate their employees about the potential risks of cyberattacks.

ATT&CK covers a wide range of computer platforms and technologies, including Windows and macOS, as well as on-premise and cloud networks, such as Infrastructure as a Service (IaaS) and Software as a Service (SaaS) (SaaS). In addition, the framework includes references to Office 365, Azure’s Active Directory, Google Workspace, and Android and iOS mobile devices.

Techniques, Sub-techniques, and Procedures for MITRE ATT&CK.

The MITRE ATT&CK framework is made up of several cyberattack matrices, including:

• Pre-ATT&CK Matrix: Identifies the reconnaissance and weaponization phases of a cyberattack.
• Enterprise Matrix: Extends the scope of a cyberattack beyond the * detection stage.
• Mobile: This is similar to the Enterprise Matrix but for mobile devices.
• ICS: Refers to the methods used by cybercriminals to gain access to networks containing Industrial Control System (ICS) mechanisms.

ATT&CK divides its analysis into Tactics, Techniques, and Procedures after these initial stages.

• Tactics: ATT&CK defines the objectives of a specific cyberattack at this stage. The tactics in the Pre-attack matrix differ significantly from those in the Enterprise, Mobile, and ICS matrices because they focus on a different stage of the cyberattack life cycle.
• Procedures, Sub-techniques, and Techniques: Additional levels of cyberattack analysis:
• Techniques: Define the method used by the cybercriminal to accomplish a specific goal.
• Sub-technique: A technique that may be subdivided into sub-elements on occasion.

Specific tools used in a cyberattack, such as malware and threat actors, are referred to as procedures.

How does the MITRE ATT&CK matrix work?

The MITRE ATT&CK matrix is a collection of procedures used by cybercriminals to gain access to and compromise corporate computer networks. In the matrix, each procedure is defined as a distinct “tactic.”

The paths are aligned from reconnaissance to identification and, finally, exfiltration. This is a sample section of the matrix:

Visit the MITRE ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/

The MITRE ATT&CK Matrix helps businesses strengthen their cyber security efforts in various ways. These are some examples:

• The platform enables an enterprise to simulate attacks on its cyber defences from both the attack (red) and defence (blue) perspectives.
• ATT&CK analytics tools provide collated and compiled data representing cyber vulnerabilities in an enterprise’s defences.
• Gap Analysis: A thorough examination of areas of defensive weakness in an enterprise’s security protection.
• Load data on adversaries into the platform to simulate specific attacks on an enterprise network.
• Enhancement of Cyberthreat Defense: An enterprise can use various techniques to determine its lines of defence against cyberattacks from Advanced Persistent Threats (ATPs).
• SOC Assessment: An evaluation of an enterprise’s Security Operations Center’s (SOC) effectiveness in managing cybersecurity threats and breaches. For more information on how to improve your SOC capabilities, click here.

There are currently 191 techniques and 385 sub-techniques in the Enterprise ATT&CK matrix. Each method is assigned a four-digit code, such as “T002” for “Bypass User Account Control.”

These methods demonstrate how cybercriminals act, such as the data they target and the hacking software they employ.

The framework also identifies which technologies cyber intruders use and the types of activities they engage in regularly.

In its ATT&CK for Cloud Matrix, the MITRE ATT&CK matrix can also be used for cloud networks. The matrix incorporates elements from the larger enterprise matrix. Because on-premise networks differ qualitatively from cloud-hosted networks, each matrix manages its environment. Local cyberattacks typically target software and infrastructure on the target organization’s premises. Cloud attacks will target servers hosted by cloud service providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Office 365.

What is the difference between MITRE ATT&CK and Lockheed Martin’s Cyber Kill Chain?

Lockheed Martin’s Cyber Kill Chain platform competes with the MITRE ATT&CK platform. While they may appear to be similar in structure, Cyber Kill Chain follows a seven-step procedure that includes the following steps:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Actions on objectives

While the Enterprise ATT&CK matrix includes the 14 tactics listed below:

1. Reconnaissance
2. Resource Development
3. Initial Access
4. Execution
5. Persistence
6. Privilege Escalation
7. Defence Evasion
8. Credential Access
9. Discovery
10. Lateral Movement
11. Command & Control
12. Collection
13. Exfiltration
14. Impact

While each system focuses on the same overall process, the MITRE ATT&CK framework delves deeper into the identified tactics. The Lockheed platform does not specify the techniques used in each tactic, whereas ATT&CK does.

Effective cyber awareness training raises awareness of cybersecurity threats and attack vectors.

With each new cyberattack that makes headlines, cybercriminals appear to have the upper hand. However, recent technologies present them with obstacles that they will inevitably overcome.

The reality is that change is taking place. Home computer users are now aware of the dangers of clicking on unusual links or responding to unusual emails. With the dramatic increase in cybercrime, there has also been an increase in awareness among individuals and businesses. As a result, the fight against cybercrime is on, and criminals can be defeated.

MITRE ATT&CK provides a strong defence against cybercrime. Criminals are fleeing due to the rapid pace of employee anti-cybercrime training. Traditional routes they have used in the past no longer provide the same rewards.