In cybersecurity, a key part of defense is understanding the nature of the attacks. But without a common way of describing the methods and techniques used by threat actors in the real world, it’s difficult to develop effective strategies to protect systems and data. In a recent white paper, the experts at the cybersecurity solutions firm BlackBerry Cylance looked at a framework for doing just that: a comprehensive knowledge base from MITRE called ATT&CK. Essentially, this globally accessible repository captures the tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs) to support the development of new defense capabilities. But while ATT&CK can be a useful foundation for the creation of security models and methods, it’s important to understand what it isn’t.
ATT&CK, an acronym for Adversarial Tactics, Techniques, and Common Knowledge, breaks out details of 11 tactics and hundreds of related techniques used by threat actors. The framework links to real-world information used to identify issues and exploits that have been used against enterprises. In addition, it includes sections on Detection and Mitigation, to provide guidance on what to monitor in the computing environment and how to monitor it.
For federal security teams, especially in defense environments, this repository is more than a reference site; it’s a platform for creating plans and methodologies to combat cyber threats. BlackBerry Cylance points out five key areas that the ATT&CK framework can support:
- Threat Modeling and Controls Gap Identification – to identify where the greatest risks can be found within the enterprise.
- As a Common Language / Reference for Meaningful Conversations – to get everyone on the same page when trying to set security goals for the organization.
- As a Frame of Reference During Incident Response – to keep security response teams focused on the issue at hand until the incident is resolved, rather than on who may be behind the attack.
- As a Framework To Reference During APT-Replay Red Teaming Exercises – to add realism to the exercise, keeping in mind that attack groups will modify and improve their techniques over time; the next attack may look very different from the current one.
- As a Bridge Between Red and Blue During Purple Team Exercises – to ensure that the lessons learned by the red team get translated into action by the blue team, by providing specifics about how defenses were breached (as opposed to simply identifying the point where the attack made its way into the network).
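The first item above, controls gap identification, is the most mechanical of the five, and a short script makes the idea concrete. The example below is added here; it is not code from the BlackBerry Cylance white paper or from MITRE. It assumes two inputs a security team would already have: a threat profile (the technique IDs seen in a past incident or attributed to an adversary of interest) and a detection inventory in which each rule is tagged with the ATT&CK technique(s) it is meant to catch. The technique IDs and names are real ATT&CK entries, but the technique table is an abbreviated constructed subset, and the threat profile and rule names are hypothetical samples; in practice the table would be loaded from MITRE's published ATT&CK data and the inventory from a SIEM or detection-as-code repository.

```python
"""
ATT&CK detection coverage gap analysis (added example, not from the white paper).

Given a threat profile (technique IDs) and a detection inventory tagged with
technique IDs, report which profile techniques have no detection at all and
group those gaps by tactic so an uncovered attack phase stands out.
"""
from collections import defaultdict

# Constructed subset of ATT&CK techniques: real IDs and names, but far from
# the full catalog. Real use would load this from MITRE's ATT&CK data.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1195": ("Supply Chain Compromise", "Initial Access"),
    "T1078": ("Valid Accounts", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1053": ("Scheduled Task/Job", "Persistence"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
}

# Hypothetical threat profile: techniques observed in a prior incident or
# associated with an adversary of interest (constructed, not a real group).
THREAT_PROFILE = ["T1566", "T1059", "T1053", "T1003", "T1021", "T1041"]

# Hypothetical detection inventory. Tagging each rule with technique IDs is
# the "common language" that makes this comparison possible.
DETECTIONS = [
    {"name": "Mail gateway attachment sandboxing", "techniques": ["T1566"]},
    {"name": "PowerShell script block logging alert", "techniques": ["T1059"]},
    {"name": "LSASS memory access alert", "techniques": ["T1003"]},
    {"name": "New scheduled task audit (event 4698)", "techniques": ["T1053"]},
]


def covered_techniques(detections):
    """Map technique ID -> list of rule names that claim to cover it."""
    covered = defaultdict(list)
    for rule in detections:
        for tid in rule["techniques"]:
            covered[tid].append(rule["name"])
    return covered


def coverage_gaps(threat_profile, detections, techniques=TECHNIQUES):
    """Return {technique_id: (name, tactic)} for profile techniques with no rule."""
    covered = covered_techniques(detections)
    return {
        tid: techniques[tid]
        for tid in threat_profile
        if tid in techniques and tid not in covered
    }


def gaps_by_tactic(threat_profile, detections, techniques=TECHNIQUES):
    """Group uncovered techniques by tactic; a whole phase with no coverage is the headline."""
    by_tactic = defaultdict(list)
    for tid, (name, tactic) in coverage_gaps(threat_profile, detections, techniques).items():
        by_tactic[tactic].append(f"{tid} {name}")
    return dict(by_tactic)


def coverage_ratio(threat_profile, detections, techniques=TECHNIQUES):
    """Fraction of profile techniques (known to the table) with at least one rule."""
    relevant = [tid for tid in threat_profile if tid in techniques]
    if not relevant:
        return 0.0
    gaps = coverage_gaps(threat_profile, detections, techniques)
    return (len(relevant) - len(gaps)) / len(relevant)


if __name__ == "__main__":
    print(f"coverage: {coverage_ratio(THREAT_PROFILE, DETECTIONS):.0%}")
    for tactic, items in gaps_by_tactic(THREAT_PROFILE, DETECTIONS).items():
        print(f"{tactic}: no detection for {', '.join(items)}")
```

The output is a prioritized list, not a verdict: a technique appearing under "no detection" means no rule claims it, which is where a team would look first, while a rule tag only says that coverage is intended, so the tagged rules still need to be tested (the purple-team item above) before they count as real coverage.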
While this centralized, common reference tool can speed up or amplify security capabilities by making it easier to find crucial information, there are limitations. For one, ATT&CK can’t predict what form future threats may take; it is a repository of information about past attacks. Also, the information it contains isn’t meant to be a security strategy in and of itself—it’s meant to inform the decision-making functions of a CISO or SecDevOps leader, to help them develop the appropriate measures for their agency or organization. The context needs to come from those security teams’ experience and tolerance for risk.
As the BlackBerry Cylance white paper points out, before ATT&CK existed, there was no single catalog of both the obvious and the nuanced differences between attacker TTPs. One real benefit has been shifting the focus from static signatures “towards a different type of detection: the behavior of a known adversary.”
What ATT&CK can do is provide clear, coherent facts about how adversaries interact with systems and data, and what approaches others have used to deal with those assaults. So, whether it’s spearphishing, supply-chain compromise or insider threat, those charged with securing the enterprise have a starting point that can help them move faster and more precisely to prevent and respond to cyberattacks.