The framework also describe the different ways that attackers will attempt to achieve these tactics or goals. We call them ‘techniques’ and using the online matrix tool, you can drill into each technique by double-clicking it. This gives you:
A more detailed explanation of the technique
How it can be mitigated
Malware commonly associated with the use of it.
An ID number - which is useful when communicating problems with others
The MITRE Framework also shows how an attacker will 'pivot' from one tactic to another in order to increase their hold over the target network. For those familiar with the 'Kill Chain', this sounds suspiciously similar - and as such - is a very powerful tool for anticipating what an attacker will do next.
Finally, Mitre ATT&CK also includes something called ‘Groups’. There are 91 groups at present and these represents high profile attackers whose modus operandi are known. These attackers often go by different aliases, but MITRE lists most of them.
PUTTING IT ALTOGETHER
To make use of Mitre ATT&CK, you can start by selecting the security controls used in your organisation and then mapping them back to the framework. From here, it is possible to immediately identify gaps, assess risk and then implement administrative or technical controls to mitigate them.
Vendor products also vary widely in their effectiveness but the framework provides security teams with the ability to compare and contrast offerings to see how they address the risks that the organization faces.
For Red and Blue Teams, it is also possible to model real-world attacks by using the techniques shown and deploying them in well known sequences, using the software tools adopted by cybercriminals. Ultimately, this gives a clear, objective way to explain to senior management what the security strategy needs to be, outlining:
Which threats we should be most concerned about.
What security controls we need to acquire.
Which security controls provide the necessary protection.
Whether we should be concerned about what was read in the papers!
Knowing how a cyberattack will play out is gold dust. For starters, it means you can:
Identify your weaknesses and shore up your defences:
By putting in place security controls that address specific threats and attack vectors. Some of these controls will be:
Administrative in nature. This includes polices and procedures that mandate who should do what, by when and how. Examples of administrative controls include hiring practices, background checks, data classifications and labelling, acceptable use of the network, security awareness training, change management; business continuity, disaster recovery and incident response planning.
Controls can also be:
Technical in nature. This includes the hardware or software mechanisms used to manage access and to provide protection for resources and systems - encryption, constrained interfaces, access controls lists, protocols, firewalls, intrusion detection systems . . all fall under this category.
Either way, administrative and technical controls ensure that the anticipated attack will either be:
Less likely to materialise, or
Mitigated so that the impact is manageable.
If you know how a cyber attack will play out, you can also:
Allocate time, effort and money into controls:
That will provide the most bang for buck. You can even compare security products and services from different vendors and pick those that will address the specific risks you face.
Give definitive answers:
When senior managers ask whether the organisation is vulnerable to such and such an attack that they have just read about in the news.
Stop an Attack:
Before destructive behaviour occurs or there is a data breach.
The Mitre ATT&CK (Adversarial Tactics, Techniques, & Common Knowledge) framework is a free resource which will help you do some of these things.
The framework identifies 12 goals (or tactics) which an attacker is trying to achieve: