Managing Security with MITRE ATT&CK

Optiv has been using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to help clients manage cybersecurity strategically. The same approach lets us support clients tactically and proactively, lowering their risk over time.


What is ATT&CK?
The MITRE ATT&CK framework is a knowledge base of adversary behavior compiled from real-world observations reported by the global security community. ATT&CK is organized around these core objects today:


  • Matrices
  • Tactics
  • Techniques
  • Groups
  • Software
  • Resources


The matrices cover Enterprise (Windows, macOS, and Linux) and Mobile, with every technique tied back to a kill chain model. For example, the “Brute Force” technique falls under the kill chain category (tactic) of “Credential Access.” MITRE documents each technique and gives it a unique identifier; Brute Force is T1110. Note that a single technique can appear under more than one tactic when it serves more than one adversary goal (Scheduled Task, for instance, sits under Execution, Persistence, and Privilege Escalation), so per-column technique counts will count such techniques more than once.


The following kill chain categories are mapped within ATT&CK:


  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact


Alongside MITRE ATT&CK is PRE-ATT&CK, which covers the reconnaissance and staging work an adversary does before initial access. While it was not mapped into the ATT&CK matrices at the time of writing, it is available under both the Tactics and Techniques menus of the MITRE website. (MITRE has since retired PRE-ATT&CK and folded its content into the Enterprise matrix as the Reconnaissance and Resource Development tactics, in October 2020, so current matrices list 14 tactics rather than the 12 above.)


Groups provide a common reference point for named adversaries, such as APT1. Each group receives a unique “G” identifier, for example G0006 for APT1, and its entry carries a short description, the associated names (aliases) other vendors use for the same activity, and the techniques and software attributed to it. This is a practical way for clients to gain extra visibility into a particular threat group: the group’s attributed techniques can be laid over the client’s current defensive security plan, tactic by tactic, to show where an attack by that group would go unseen. This lets a client proactively close the gaps that matter for the adversaries most relevant to it. One caveat: a group’s technique list reflects what has been publicly reported, so the absence of a technique from a group’s page is not evidence that the group does not use it.


Software is the ATT&CK term for the malware and tools adversaries use, such as the AutoIt backdoor. Each software entry receives an “S” identifier and documents the techniques it implements, the groups known to use it, and references, which makes it easy to contextualize the threat and the response required for an organization seeking to mitigate its risk.


How to Leverage ATT&CK in SecOps
Bringing ATT&CK into security operations is what turns it from a reference into something actionable. Optiv has adopted the MITRE ATT&CK framework as both a methodology and a shared vocabulary for helping clients manage cybersecurity. Our customized reporting is built on the ATT&CK matrices and their kill chain structure: data from a client environment is correlated to the matrix, giving the organization a visible, structured picture of its cyber risk.


Colors in the matrix indicate risk on a red, yellow, and green traffic-light scale (a risk rating, not to be confused with FIRST’s Traffic Light Protocol, TLP, which governs how widely shared information may be redistributed). For clients in an MSSP service we manage and monitor this data continuously, using the matrix to identify areas of opportunity. Adding log sources, such as IDS and IPS, remote access, and web proxy, changes the overall risk landscape as visualized in the ATT&CK matrices, provided that detection content is actually built against the new source; a feed that is collected but never queried does not change the risk. The graph below shows ATT&CK matrix counts for the areas of opportunity identified for one client:


[Figure: ATT&CK matrix counts by tactic for the areas of opportunity identified for a client]


We present this data visually in an ATT&CK matrix and mapping solution (not shown here because it is proprietary). Color coding each kill chain category with the client’s own data, for instance a TTP in the Persistence category shaded red, makes the areas of opportunity obvious at a glance. That opens a dialogue with the client about how changes to the security defense plan (configuration and tooling, people, and process) would change the risk profile and turn more squares green where the cybersecurity program needs it.
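The two analyses described above, pulling a group’s attributed techniques out of ATT&CK (the Groups section) and then coloring each kill chain category by whether the client’s log sources give visibility into those techniques (this section), can be scripted directly against MITRE’s STIX data. The Python below is an added example written for this edit; it is not Optiv’s mapping solution and not code from MITRE. It builds a small bundle in the shape of the enterprise-attack STIX 2.0 JSON rather than downloading it, so it runs offline. The technique and group names and their T and G identifiers are real, but the STIX object ids, the software identifier (S0000), the group-to-technique links, the log source names (edr, windows-eventlog, web-proxy, ids-ips, auth-logs) and the VISIBILITY mapping are constructed for illustration and are not ATT&CK data.

```python
"""Map a threat group's ATT&CK techniques onto a client's log coverage.

Added example for this post, not Optiv's tooling and not MITRE's dataset. The
bundle mimics the shape of MITRE's enterprise-attack STIX 2.0 JSON; technique
and group names/ids are real, while the STIX object ids, the software id, the
group-to-technique links, the log source names and VISIBILITY are constructed.
"""
from collections import defaultdict

def technique(uid, ext_id, name, *tactics):
    """Minimal attack-pattern object in ATT&CK's STIX 2.0 layout."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}

def uses(src, dst):
    """'uses' relationship: group -> technique, group -> software, software -> technique."""
    return {"type": "relationship", "relationship_type": "uses", "source_ref": src, "target_ref": dst}

BUNDLE = {"type": "bundle", "objects": [  # constructed sample, see module docstring
    technique("0001", "T1110", "Brute Force", "credential-access"),
    technique("0002", "T1003", "OS Credential Dumping", "credential-access"),
    technique("0003", "T1053", "Scheduled Task/Job", "execution", "persistence", "privilege-escalation"),
    technique("0004", "T1021", "Remote Services", "lateral-movement"),
    technique("0005", "T1071", "Application Layer Protocol", "command-and-control"),
    technique("0006", "T1041", "Exfiltration Over C2 Channel", "exfiltration"),
    {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "APT1",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0006"}]},
    {"type": "malware", "id": "malware--0001", "name": "AutoIt backdoor",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0000"}]},  # placeholder id
    uses("intrusion-set--0001", "attack-pattern--0001"),
    uses("intrusion-set--0001", "attack-pattern--0002"),
    uses("intrusion-set--0001", "attack-pattern--0003"),
    uses("intrusion-set--0001", "attack-pattern--0004"),
    uses("intrusion-set--0001", "malware--0001"),
    uses("malware--0001", "attack-pattern--0005"),
    uses("malware--0001", "attack-pattern--0006"),
]}

# Constructed: which client log sources give visibility into each technique.
VISIBILITY = {"T1110": {"auth-logs", "ids-ips"}, "T1003": {"edr"},
              "T1053": {"edr", "windows-eventlog"}, "T1021": {"auth-logs", "windows-eventlog"},
              "T1071": {"web-proxy", "ids-ips"}, "T1041": {"web-proxy"}}

def attack_id(obj):
    """ATT&CK external id (T####, G####, S####) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None

def index_bundle(bundle):
    """Objects keyed by STIX id, plus {technique id: [tactic phase names]}."""
    by_stix = {o["id"]: o for o in bundle["objects"] if "id" in o}
    techniques = {attack_id(o): [p["phase_name"] for p in o["kill_chain_phases"]
                                 if p["kill_chain_name"] == "mitre-attack"]
                  for o in by_stix.values() if o["type"] == "attack-pattern"}
    return by_stix, techniques

def techniques_used_by(bundle, ext_id):
    """Technique ids reachable from a group or software via 'uses' edges; the walk
    is transitive (G0006 -> AutoIt backdoor -> T1041 in the sample bundle)."""
    by_stix, _ = index_bundle(bundle)
    start = next(o["id"] for o in by_stix.values() if attack_id(o) == ext_id)
    edges = defaultdict(list)
    for o in bundle["objects"]:
        if o.get("relationship_type") == "uses":
            edges[o["source_ref"]].append(o["target_ref"])
    seen, stack, found = set(), [start], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if by_stix[node]["type"] == "attack-pattern":
            found.add(attack_id(by_stix[node]))
        stack.extend(edges[node])
    return found

def tactic_heatmap(bundle, technique_ids, log_sources):
    """Per tactic: (techniques fed by some log source, techniques in scope, color).
    A technique counts under every tactic it belongs to (T1053 under three)."""
    _, techniques = index_bundle(bundle)
    counts = defaultdict(lambda: [0, 0])
    for tid in technique_ids:
        covered = bool(VISIBILITY.get(tid, set()) & set(log_sources))
        for tactic in techniques[tid]:
            counts[tactic][1] += 1
            counts[tactic][0] += covered
    return {t: (c, n, "green" if c == n else "yellow" if c else "red")
            for t, (c, n) in sorted(counts.items())}

if __name__ == "__main__":
    apt1 = techniques_used_by(BUNDLE, "G0006")
    before = tactic_heatmap(BUNDLE, apt1, {"edr", "windows-eventlog"})
    after = tactic_heatmap(BUNDLE, apt1, {"edr", "windows-eventlog", "web-proxy", "ids-ips"})
    for tactic in before:  # adding proxy and IDS/IPS feeds turns the red cells green
        print(f"{tactic:22} {before[tactic]} -> {after[tactic]}")
```

Running it prints each tactic’s (covered, total, color) before and after the web proxy and IDS/IPS feeds are added: Credential Access moves from yellow (1 of 2) to green, and Command and Control and Exfiltration move from red to green. Against the real dataset, read the bundle with json.load and keep the same object types and the same “uses” walk. Two caveats apply in production: a log source being collected is not the same as a detection existing for it, so VISIBILITY should be keyed on deployed analytics rather than on feeds; and because a technique appears under every tactic it belongs to, one technique such as T1053 moves three columns at once, which is correct but can surprise stakeholders who read only the colors.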


Closing Comments
MITRE ATT&CK provides a common body of knowledge and reference points, together with granular detail on tactics and techniques linked to the groups and software that use them. Including threat-focused metrics and visibility in our strategic responses lets us mature clients’ security programs further. ATT&CK is a major asset when planning counterintelligence and the hardening of defenses against a specific actor, group, or piece of software. Just as important, it helps technical practitioners communicate visually with less technical stakeholders: a change in the color of a cell shows the effect of a change to the infrastructure without getting lost in the technical details of the tactics and techniques.

Ken Dunham
Senior Director, Technical Cyber Threat Intelligence
Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.