Leveraging MITRE ATT&CK: How Your Team Can Adopt This Essential Framework

What if there were a free, globally accessible, and open framework that could help your team map attacks, visualize strengths and weaknesses in your environment, and understand where you can strengthen controls to protect critical assets against attackers? That would be a tremendous boon for your security team, right? Here’s some great news: that tool already exists. In fact, it has been available since 2013.

The invaluable tool you’re probably not maximizing  

Here’s the not-so-great news: while many teams are aware of the existence of this tool, too few have mastered the use of it, and still fewer have made it a core component of their security workflow. That’s a big problem, especially in today’s threat environment. 

Widely known, but underutilized, the tool is called the MITRE ATT&CK framework, and it’s absolutely essential for translating  dynamic global intelligence into a predictive view of an attacker’s motivation. Think of the MITRE framework as a map of a potential attack, including all the points within your environment that can be breached—and how. MITRE ATT&CK shows you the impact a successful attack can have on your valuable assets. Often called the cyber Rosetta stone, the MITRE framework gives analysts a way to translate a cyberattack into business impact, allowing everyone in the organization to understand what the attacker has done and intends to do next.

The danger of not understanding attacks : Security evasion

Wondering why your controls aren’t stopping attacks? Let me give you an example of what we’re seeing across security teams of all shapes and sizes.

An organization in the critical infrastructure sector recently came to us because they were at a loss for what they could do to stop the same ransomware attack from happening over and over.

The organization has a fairly large security team, with a few dozen analysts in their security operations center (SOC) and a handful of threat intelligence analysts. The team was focused on using threat intelligence to harden their environment by improving security controls after every attack and making use of detection and response tools, perimeter security, cloud security, and other measures.

Yet, they were still seeing the same types of attacks successfully evade their security measures. They wanted to understand why this was happening and what they could do differently.  

Giving you a way to translate intelligence into relevant actions

It was clear this organization needed the MITRE ATT&CK framework to better understand their intelligence and derive insights into the impact on their critical assets. Without it, they didn’t have a way to translate their intelligence into the right actions. They couldn’t synthesize all their data and intelligence to answer critical questions such as:

• Where is the attacker located?
• What is the attacker’s motivation?
• What else should we be looking for? 

The security team could use the framework for any defensive activities that reference attackers and their behaviors, taking advantage of its common lexicon for describing adversarial behaviors in a standard way. We showed their analysts how they could use MITRE ATT&CK to:

• Map their defensive controls
• Hunt for threats
• Improve threat detection and streamline investigations
• Understand and reference specific actors
• Share intelligence and information
• Improve penetration testing

How teams can adopt the MITRE ATT&CK framework

Once you understand what ATT&CK can do, it’s easy to see why it’s so important for outmaneuvering adversaries.

After adopting the MITRE ATT&CK as their common language and model for describing attacks and attackers, the critical infrastructure organization’s security team can now translate between operational aspects of security and the potential impact of a successful attack. This helps the security team gain executive alignment and prioritize their activities. Using the MITRE ATT&CK framework, the security team can connect up and down the attack flow to understand and get ahead of attackers—before they can disrupt operations or impact any critical infrastructure. 

So why isn’t every security team on the planet already using it? Most often, it’s because of the challenges of operationalizing this necessarily complex model. But the advantages truly far outweigh the effort required.

To learn more about how your organization can use the MITRE framework, listen to the podcast “Building a Secure Framework with XDR and MITRE ATT&CK.”

Mark Alba

_{Chief Product Officer at Anomali}

^{Mark Alba is Chief Product Officer at Anomali, joining the company in April 2020. Mark has over 20 years of experience building, managing and marketing disruptive products and services. Throughout his career, Mark has been on the front lines of innovation, leading product efforts in both start-up and large enterprise organizations including Check Point Technologies, Security Focus, Symantec and Hewlett Packard Enterprise. His proven track record includes bringing to market the security industry’s first fully integrated appliance firewall, leading the integration of global threat intelligence into perimeter security technologies and introducing advanced analytics in support of cyber security operations.}