In this week’s bulletin, Charlie explains what MITRE ATT&CK is and the importance of familiarising yourself with its framework.
First, the question of why you should familiarise yourself with the framework may not apply to you if you are a "techie" involved in preparing your organisation for a cyberattack: you should already know the framework and use it when developing your organisation's cybersecurity preparation. However, if you are a "Human-Centric Cybersecurity Professional", i.e., not a techie but someone with an interest in cyber crisis management and business continuity, you might be wondering why you should take an interest in it.
What is MITRE ATT&CK?
MITRE ATT&CK is a directory and knowledge base that documents and classifies the various methods used by cyber threat actors. It provides detailed information about these methods, making it easier for security professionals to understand, prepare for, and defend against cyber threats. Developed by the MITRE Corporation, a non-profit organisation that operates federally funded research and development centres in the United States, this framework is freely available to anyone and is continuously updated by the cybersecurity community.
It contains information on the following:
1. Coverage: threats to enterprises, mobile devices, and industrial control systems (ICS), each with its own matrix.
2. Tactics and techniques: tactics describe what an attacker is trying to achieve, while techniques (and sub-techniques) detail how that objective might be carried out.
3. The matrix: it lays out the different types of attack as a sequence of 14 steps, from reconnaissance through to impact.
4. Data sources: the subjects or topics of information that sensors and logs can collect, and which defenders can use to detect a technique.
5. Enterprise mitigations: the security concepts and classes of technology that can be used to prevent a technique or sub-technique from being executed successfully, in other words, how to prevent an attack.
6. Groups: a list of known threat actor groups and the techniques commonly associated with each of them.
7. Software: the tools and malware that attackers use.
8. Campaigns: groups of related intrusions, with details of the techniques and software observed in each.
A few months ago, I wrote a bulletin on the importance of threat intelligence when responding to a cyber event and how we should use all available information sources to understand our attackers. The more we understand the motivation behind an attack, the better we can respond to it. At first sight the MITRE ATT&CK framework may appear quite technical, and it is most useful to those forensically responding to an attack, who use it to piece together how the attack was carried out or to detect and stop an attack that is still in progress. For those involved in crisis response during an incident, the value of the framework lies first in knowing that it exists as a significant technical resource that the technical responders will be working from. It can also help you gather further information to understand who is attacking and potentially why they are targeting your organisation. Spending some time reading the framework now will make its contents familiar when you need them.