Cybercriminals around the world constantly try new strategies to target and attack organizations. Fortunately, there is a way to observe these strategies and turn that knowledge against them. Developed by MITRE, a non-profit funded by the U.S. government, the ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. It is useful across many areas of cybersecurity, helping organizations improve their threat intelligence and strengthen their defenses against attacks.
The ATT&CK framework is a common way to classify adversary behavior. Its advantage is that it is backed by a community-driven knowledge base of observed adversary techniques. A shared vocabulary lets security professionals communicate more clearly and share information more efficiently, which ultimately raises the level of security globally.
Tactics are the core of the ATT&CK framework and represent the "why" of a technique: the adversary's tactical objective, the reason for performing an action. Tactics group the methods attackers use by goal, for example Persistence, Discovery, Lateral Movement, Execution, and Exfiltration. At the time of writing, the Enterprise ATT&CK matrix consists of 12 tactics; later releases added Reconnaissance and Resource Development, bringing the count to 14, so check the current matrix rather than relying on a fixed number.
ATT&CK techniques are grouped by tactic and describe the concrete actions adversaries take to accomplish those objectives. A technique can sit under more than one tactic when the same action serves several goals (Valid Accounts, T1078, is one such case).
Each technique in ATT&CK has been observed in use by malware or threat actor groups attempting to compromise enterprise networks. Techniques are effectively a "how to" that lets defenders prepare for an attack: How are attackers getting into the network? How do they avoid detection? How do they move through the environment?
The techniques library is constantly evolving and, at the time of writing, consists of more than 150 techniques and 270 sub-techniques divided among the 12 tactics above. Sub-techniques carry the parent ID plus a suffix (T1059.001 is a sub-technique of T1059), which matters when rolling detections up to technique level.
SIEM vendors continually look for ways to extract more insight from their data to detect and respond to attacks. The ATT&CK framework lets analysts understand the specifics of an attack and communicate them to team members in shared terms, which shortens detection and response time.
The ATT&CK framework is beneficial throughout an organization. It is a useful tool for communicating with senior leadership and security managers, because it makes it much easier to produce an accurate overview of incidents. Auditors and CISOs often require dashboards and reports, and a consistent ATT&CK mapping makes it possible to automate their creation.
Logpoint has mapped all of its analytics to the ATT&CK framework, which bridges the gap between why an alert is firing and what it means. When an alert corresponds to an ATT&CK technique, analysts can more quickly see how it relates to a larger attack and take the necessary steps to protect the business. Analysts can also use the ATT&CK visualizations in Logpoint to track the stages of an attack and assess detection coverage.
When it is time to document the value of the SIEM and how many alerts are coming in, analysts can pull a report from Logpoint that includes the ATT&CK IDs. The framework is steadily becoming an industry standard, which makes it easier to map security coverage and risks because alerts and defenses share the same ATT&CK taxonomy. One caveat: a technique marked as covered means at least one rule exists for it, not that every variant of the technique would be detected, so coverage maps should be read as "some detection exists" rather than "fully covered".
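To make the mapping concrete, the following is an added example (not Logpoint's code and not part of the original article) showing the mechanics the preceding sections describe: sub-technique IDs rolled up to their parent technique, per-tactic coverage computed from rules tagged with ATT&CK IDs, alerts ordered along the tactic sequence to show the stages of an attack, and a Navigator-style layer for reporting. The technique table is a constructed six-entry subset of the Enterprise matrix (IDs and tactic assignments follow the public matrix, but a real deployment would load the full matrix), the rules, alerts and field names are hypothetical, and the `versions` values in the layer are assumed and should be matched to the Navigator you actually run.

```python
import json
import re
from collections import defaultdict

# Constructed subset of the Enterprise ATT&CK matrix: technique ID -> (name, tactics).
# IDs and tactic assignments follow the public matrix; load the full matrix for real use.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence",
                                 "privilege-escalation", "initial-access"]),
    "T1087": ("Account Discovery", ["discovery"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
}

# The 12 Enterprise tactics in matrix (roughly kill-chain) order.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

TECH_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def parent_technique(tech_id):
    """Roll a sub-technique ID (T1059.001) up to its parent technique (T1059)."""
    if not TECH_ID.match(tech_id):
        raise ValueError(f"not an ATT&CK technique ID: {tech_id!r}")
    return tech_id.split(".")[0]


# Constructed detection rules; rule names and the "attack" tag field are hypothetical.
RULES = [
    {"name": "Office app spawns PowerShell", "attack": ["T1566.001", "T1059.001"]},
    {"name": "RDP logon from new source", "attack": ["T1021.001", "T1078"]},
    {"name": "Domain account enumeration", "attack": ["T1087.002"]},
]


def coverage(rules, techniques=TECHNIQUES, order=TACTIC_ORDER):
    """Per tactic: how many loaded techniques have at least one rule.

    A technique like T1078 belongs to several tactics, so one rule can raise
    coverage in more than one column. Tactics with no loaded techniques are omitted.
    """
    total, covered = defaultdict(set), defaultdict(set)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            total[tactic].add(tid)
    for rule in rules:
        for tag in rule["attack"]:
            parent = parent_technique(tag)
            for tactic in techniques.get(parent, ("", []))[1]:
                covered[tactic].add(parent)
    return {t: {"covered": len(covered[t]), "total": len(total[t])}
            for t in order if t in total}


# Constructed alerts; timestamps, hosts and field names are hypothetical.
ALERTS = [
    {"ts": "2023-05-02T09:14:03Z", "host": "ws-042", "rule": "Domain account enumeration",
     "attack": ["T1087.002"]},
    {"ts": "2023-05-02T09:02:11Z", "host": "ws-042", "rule": "Office app spawns PowerShell",
     "attack": ["T1566.001", "T1059.001"]},
    {"ts": "2023-05-02T09:31:55Z", "host": "srv-db1", "rule": "RDP logon from new source",
     "attack": ["T1021.001", "T1078"]},
]


def attack_timeline(alerts, techniques=TECHNIQUES, order=TACTIC_ORDER):
    """Sort alerts by time and label each with its tactics in matrix order,
    so an analyst can see how far along the attack each alert sits."""
    rank = {t: i for i, t in enumerate(order)}
    rows = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        tactics = set()
        for tag in alert["attack"]:
            tactics.update(techniques.get(parent_technique(tag), ("", []))[1])
        rows.append((alert["ts"], alert["host"], alert["rule"],
                     sorted(tactics, key=rank.__getitem__)))
    return rows


def navigator_layer(rules, name="Detection coverage"):
    """Emit an ATT&CK Navigator-style layer scoring each technique by rule count.
    The "versions" values are assumed; set them to match the Navigator you run."""
    hits = defaultdict(int)
    for rule in rules:
        for tag in rule["attack"]:
            hits[parent_technique(tag)] += 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
        "techniques": [{"techniqueID": tid, "score": n, "comment": f"{n} rule(s)"}
                       for tid, n in sorted(hits.items())],
    }


if __name__ == "__main__":
    for tactic, c in coverage(RULES).items():
        print(f"{tactic:22} {c['covered']}/{c['total']}")
    for row in attack_timeline(ALERTS):
        print(row)
    print(json.dumps(navigator_layer(RULES), indent=2))
```

Running it shows Exfiltration at 0/1 even though three rules exist, which is the point of a coverage view: the gaps are in the columns nobody tagged, not in the alert volume. The timeline puts the PowerShell alert (Initial Access, Execution) before the account enumeration (Discovery) and the RDP logon (Lateral Movement), which is how the tactic order helps an analyst read a sequence of alerts as stages of one intrusion.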