Defending your castle with MITRE ATT&CK® 

  • October 19, 2020
  • Dave Mareels
Image shows a castle in a snowy landscape

A knowledge gap is the discrepancy between what is known and what should be known. What is known is:

The widely held preconception that the MITRE ATT&CK® framework is reserved only for large, extremely sophisticated and cyber mature organisations.

At SOC.OS we believe that the framework can be put to good use in organisations of all shapes and sizes, and that there are in fact loads of benefits to be had by adopting the framework at the very onset of an organisation’s cyber maturity journey.

Consider the following thought experiment 

If I gave you a limited set of resources, and tasked you with the vague challenge of, “defending a castle”, it’s hard to know where to begin, and even more so how to effectively allocate your resources. If I told you, however, that the adversary wishes to scale the castle walls (their objective, or Tactic), and that they plan to do this by using a grappling hook (their how, or Technique), you are now in a far better defensive position; you have a better idea how to allocate your resources to maximise your defence effectiveness. What if, I then handed you a cheat-sheet of all historical and successful attacks, neatly segmented into objectives and techniques, made against similar castles?  

Now, just swap out this physical castle and cheat sheet with an organisation’s digital estate and MITRE ATT&CK, respectively, and there you have an analogy of the benefits that MITRE ATT&CK can offer to any organisation.  

Makes sense (I hope), but what actually is MITRE ATT&CK? 

MITRE is a non-profit organisation that, “works in the public interest across federal, state and local governments, as well as industry and academia”. One of the fields which has benefited from their pioneering research and efforts is, “cyber threat sharing”. It was their innovative work in this area that led to the development of the ATT&CK framework, which was first created in 2013 and released to the public in 2015. The ATT&CK acronym stands for Adversarial Tactics, Techniques and Common Knowledge. It represents a freely and globally accessible framework of known adversarial methods, built from historical attack data and updated every quarter by MITRE researchers and industry contributors. The framework’s raison d’être is to promote the coherency and standardisation within the cyber security industry, “by bringing communities together to develop more effective cybersecurity”.  

Back to the cheat sheet 

The cheat sheet in our thought experiment is in fact referencing MITRE ATT&CK’s Enterprise Matrix, which is a near comprehensive list of historically known Tactics and Techniques that an adversary can adopt in order to compromise, and operate within, an enterprise network. It consists of twelve, high-level adversarial tactic categories:  

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defence Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Command and Control
  11. Exfiltration
  12. Impact  

These 12 Tactics are what an adversary is trying to achieve, and are broken down even further into lower level Techniques (and in some cases, sub-Techniques). If the Tactic is the attacker’s objective, the Technique is a description of how the attacker will go about achieving it. Think scaling the castle walls (Tactic) by using grappling hooks (Technique).  

As you can imagine, there are many techniques for a given tactic, just like there are many ways in which you can scale the castle walls (using ladders, siege towers or stealth ninjas for example).  

A snippet of the Enterprise Matrix cheat sheet: 

MITRE ATT&CK Enterprise Matrix Framework Sample Tactics

This structured, standardised and coherent breakdown of adversarial Tactics and Techniques is hugely beneficial for enterprises of all shapes and sizes. It introduces a standardised way of understanding at all levels of technical detail and granularity – describing not only an attacker’s objective, but also the specific steps they can take to achieve that objective. 

Why is that so beneficial? 

Well, it forces you to think and communicate about your security defences in a methodical and structured way and more importantly, to consider these through the lens of an attacker. Applying this structure in fact can help enhance your overall maturity across all stages of the NIST’s cybersecurity framework; Identify, Protect, Detect, Respond, Recover.   

Another benefit of having this matrix freely available to all digital estates is that it allows security analysts (with their day-to-day communications rooted in the language of “Techniques”) to communicate with high-level execs (who understand and speak in “Tactics”-centric language day-to-day). As you can see, the Matrix clearly highlights how the low-level techniques are mapped to the high level tactics, and thus acts as the ultimate security translation tool, facilitating effective communication and understanding between top level executives and technical security personnel, and everyone in between.

E.g. without the ATT&CK language, security team member Shaz would tell Sarah the CISO – “we have seen 34% more attacks of type High DGA Low DNS TTL”. It’s tough for Sarah to fully appreciate what’s going on here, which in turn makes her job of translating this to the board and responding most effectively, a rather challenging one. 

Instead, if Shaz was to adopt and speak in ATT&CK language, she’d be able to tell Sarah “they’re seeing 34% more attacks with a Technique of type T1483 – Domain Generation Algorithmsand therefore the attacker is attempting to carry out more TA0011 – Command and Control Tactics on their estate”. Sarah is in a better position to comprehend, translate this to business risk (the language of the board) and respond more effectively. 

Levelling the playing field  

Andrew Stock (Chief Engineer, BAE Systems Applied Intelligence) further validates this, saying it “levels the playing field for smaller enterprises. By providing a globally accessible and consistent knowledge base to organisations that typically weren’t afforded the luxury of developing their own cyber specific threat library or language in house, it gives a much-needed leg up to enterprises who struggle with knowing how best to  allocate resources to protect their business, data and customers. Thanks to MITRE, they now have the exciting opportunity to adopt a common language from the onset of their cyber maturity journey, potentially saving a world of confusion, time, effort and money later down the line as their cyber programme matures and their business grows”

Thanks to MITRE, organisations of all shapes and sizes finally have a toolset at their disposal which enables them to approach security in a methodical and structured way and by using this new language, helps them effectively communicate the security agenda across all levels of the organisation.  

Additional benefits of adopting this new common language (spoiler alert: themes of upcoming blogs) 

Organisations stand to reap a multitude of additional benefits as a result of weaving this standardised language into the fabric of their business: 

  • enhancing the value of threat intelligence 
  • enhancing understanding of threat profile 
  • enhancing risk and incident management policies/procedures  
  • increasing effectiveness of cyber awareness training programmes 
  • enhancing overall maturity across all stages of the NIST’s cybersecurity framework; Identify, Protect, Detect, Respond, Recover.   

As Karl Albrecht puts it, “change your language and you change your thoughts”, in turn changing actions and behaviours (or more apt perhaps, your own Tactics and Techniques). 

We look forward to sharing more business benefits and practicalities as a result of learning and adopting the MITRE ATT&CK language.

We’d also love to hear about your own success stories, or challenges, so please share these with us directly at info@socos.io, or at the very least, amongst your peers in the wider infosec community. 

Thanks for reading.  

About the author

Dave Mareels

Dave Mareels

CEO

Following a Masters in Mechanical Engineering, Dave joined BAE Systems’ engineering leadership programme working across military aircraft, maritime and cyber domains, before taking on SOC.OS in 2018. When not working, he enjoys travelling, basketball, BBQs and private tutoring.

Back to blog