Discover all the ways MITRE ATT&CK can help defend your organization. Make the most of this important framework to build your security strategy and policy.
What is the MITRE ATT&CK Framework?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that catalogs the tactics, techniques, and procedures (TTPs) used in cyberattacks. Created by the nonprofit MITRE Corporation, the framework provides security professionals with the insight and context they need to understand, identify, and mitigate cyberthreats effectively.
Techniques and tactics within the framework are organized into a dynamic matrix. This facilitates navigation and provides a comprehensive view of the full range of adversary behavior. As a result, the framework is more pragmatic and easier to use than static lists.
The MITRE ATT&CK framework can be found here: https://attack.mitre.org/
Note: MITRE ATT&CK Framework Bias
“The knowledge provided in the MITRE ATT&CK framework is based on real-world evidence of attacker behavior, and is therefore susceptible to certain biases that security professionals should be aware of. It’s important to understand,” said Etay Maor, Senior Director of Security Strategy at Cato Networks.
- Novelty bias – New or interesting techniques and actors get reported, while techniques that have been used many times before do not.
- Visibility bias – Intel report publishers have a visibility bias rooted in how their data is collected, giving visibility into some methodologies and not others. Additionally, techniques are viewed differently during an incident than after it.
- Producer bias – Reports published by some organizations may not reflect the broader industry or the world at large.
- Victim bias – Some victim groups are more likely to report, or to be reported on, than others.
- Availability bias – Report authors often include the techniques that immediately come to mind.
Usage examples of MITRE ATT&CK for defenders
The MITRE ATT&CK framework helps security professionals investigate and analyze a wide range of attacks and procedures. It supports threat intelligence, detection and analysis, adversary emulation, assessment, and engineering. The MITRE ATT&CK Navigator is a useful tool for exploring and visualizing the matrix, and it improves the analysis of defensive coverage, security plans, technique frequency, and more.
Etay Maor added, “The framework can be as deep as you want, or as high-level as you want. It can be used as a tool to show the mapping and tell us if we’re good or bad. It can be understood in certain areas, but it can extend to very specific steps or even understanding the lines of code used in a particular attack.”
Here are some examples of how to use the framework and the Navigator.
Threat actor analysis
Security professionals can leverage MITRE ATT&CK to investigate specific threat actors. For example, you can drill down into the matrix to find out which techniques various attackers use, how they perform them, which tools they rely on, and so on. This information is useful when investigating a specific attack. It also broadens researchers’ knowledge and thinking by introducing them to additional modes of operation that attackers can employ.
At a higher level, the framework can be used to answer C-level questions about breaches and threat actors. For example, if asked, “We believe we may be targeted by Iranian nation-state threat actors,” the framework lets you drill down into Iranian threat actors such as APT33 and view the techniques they use, their attack IDs, and more.
Analysis of multiple threat actors
The MITRE ATT&CK framework can be used not only to investigate a specific attacker but also to analyze multiple attackers at once. For example, suppose the concern is: “Recent political and military events in Iran will likely result in retaliation in the form of cyberattacks. What are the common attack tactics of Iranian threat actors?” In this case, the framework can be used to identify the tactics shared by many nation-state actors.
In the Navigator, a multi-attacker analysis is visualized in color: red and yellow mark techniques used by different attackers, and green marks the techniques they have in common.
Gap analysis
The MITRE ATT&CK framework also helps analyze existing gaps in defenses. It lets defenders identify, visualize, and categorize what the organization does not yet cover.
Color is then used to prioritize which gaps to address first.
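The multi-actor overlap analysis and the gap analysis above both come down to the same operation: intersecting technique sets and coloring the result. The following added example (not code from the article, from Cato Networks, or from MITRE) builds an ATT&CK Navigator layer that does exactly that. The two actors, their technique sets and the detection-coverage list are constructed sample data, not real threat intelligence; the Navigator version strings in the layer header are assumptions to be matched to your own Navigator instance.

```python
# Added example (not from the article or from MITRE): build an ATT&CK Navigator
# layer that colours techniques by actor overlap and by defensive coverage.
# Actor technique sets and the coverage list below are constructed sample data,
# not real threat intelligence; the Navigator version strings are assumptions.
import json

# Constructed: techniques attributed to two hypothetical actors (real ATT&CK IDs).
ACTOR_TECHNIQUES = {
    "Actor-A": {"T1566", "T1059", "T1078", "T1003", "T1021"},
    "Actor-B": {"T1566", "T1059", "T1486", "T1003", "T1190"},
}
# Constructed: techniques for which the organisation has a validated detection.
DETECTION_COVERAGE = {"T1566", "T1059", "T1190"}

# Colours follow the article's scheme: shared techniques vs. single-actor
# techniques, with green reserved for what defences already cover.
RED, YELLOW, GREEN = "#e60d0d", "#ffe766", "#31a354"


def shared_techniques(actors):
    """Techniques that every actor in the set uses (the 'duplication' set)."""
    return set.intersection(*actors.values())


def classify(technique, actors, coverage):
    """Return the colour for a technique and the list of actors using it."""
    users = sorted(name for name, techs in actors.items() if technique in techs)
    if technique in coverage:
        colour = GREEN      # already detected: lowest priority
    elif technique in shared_techniques(actors):
        colour = RED        # used by all actors and undetected: top priority
    else:
        colour = YELLOW     # used by one actor and undetected
    return colour, users


def build_layer(actors, coverage, name="Actor overlap vs. detection coverage"):
    """Assemble a Navigator layer dict using the layer-file keys Navigator exports."""
    entries = []
    for tech in sorted(set().union(*actors.values())):
        colour, users = classify(tech, actors, coverage)
        entries.append({
            "techniqueID": tech,
            "score": len(users),    # heat-map weight: how many actors use it
            "color": colour,
            "comment": f"used by {', '.join(users)}; covered={tech in coverage}",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed version strings; set them to match your Navigator instance.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "techniques": entries,
        "legendItems": [
            {"label": "shared, undetected", "color": RED},
            {"label": "single actor, undetected", "color": YELLOW},
            {"label": "detected", "color": GREEN},
        ],
    }


def gap_report(actors, coverage):
    """Prioritised list of uncovered techniques, those shared by all actors first."""
    shared = shared_techniques(actors)
    everything = set().union(*actors.values())
    return {
        "shared_uncovered": sorted(shared - coverage),
        "other_uncovered": sorted((everything - shared) - coverage),
    }


if __name__ == "__main__":
    layer = build_layer(ACTOR_TECHNIQUES, DETECTION_COVERAGE)
    print(json.dumps(layer, indent=2))   # save as .json and open it in Navigator
    print(gap_report(ACTOR_TECHNIQUES, DETECTION_COVERAGE))
```

The `score` field drives Navigator's heat-map gradient while `color` overrides it, so the same layer shows both how many actors use a technique and whether a detection exists; the `gap_report` output is the prioritized list a detection-engineering backlog would start from.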
Atomic tests
Lastly, Atomic Red Team is an open source library of tests mapped to the MITRE ATT&CK framework. These tests exercise infrastructure and systems against the framework's techniques and help identify and close coverage gaps.
MITRE CTID (Center for Threat-Informed Defense)
The MITRE Center for Threat-Informed Defense (CTID) is a privately funded research and development center that works with both private and non-profit organizations. Its aim is to change the way defenders approach adversaries by pooling resources and focusing on proactive defense rather than reactive incident response. The mission is driven by the John Lambert-inspired belief that defenders must move from thinking in lists to thinking in graphs if they want to overcome the attacker’s advantage.
Etay Maor commented, “This is very important. We need to foster cooperation between defenders across different levels. We are very passionate about this.”
A key effort in this context is the “Attack Flow” project. Attack Flow tackles a challenge defenders face: they tend to focus on the individual, atomic actions of attackers. Instead, Attack Flow provides a language and tooling for describing the flow of ATT&CK techniques, combining them into behavioral patterns. This gives defenders and leaders a deeper understanding of how their adversaries behave, so they can refine their strategies accordingly.
You can see what an attack flow looks like here.
These attack flows allow defenders to answer questions such as:
- What have the adversaries been doing?
- How are the adversaries changing?
The answers help us understand, share, and analyze attack patterns.
Then you will be able to answer the most important questions:
- What are they most likely to do next?
- What have we missed?
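"Thinking in graphs" and the two questions above can be made concrete with a small transition graph built from attack flows. The following added example (not code from the article, from Cato Networks, from MITRE, or from the Attack Flow project) represents each flow as an ordered list of techniques, counts the observed transitions, and then answers "what comes next" with empirical probabilities and "what have we missed" by looking for steps that usually sit between two observations. The four flows are constructed sample sequences, not real incident data, and the plain list-of-IDs representation is a simplification of the project's STIX-based format.

```python
# Added example (not from the article, MITRE or the Attack Flow project):
# represent attack flows as a technique-transition graph and query it for
# "what comes next" and "what did we miss". The flows below are constructed
# sample sequences, not real incident data.
from collections import Counter, defaultdict

# Constructed: each flow is the ordered list of ATT&CK techniques seen in one
# hypothetical incident, from initial access through to impact.
FLOWS = [
    ["T1566", "T1059", "T1003", "T1021", "T1486"],
    ["T1566", "T1059", "T1003", "T1021", "T1048"],
    ["T1190", "T1059", "T1078", "T1021", "T1486"],
    ["T1566", "T1204", "T1059", "T1003", "T1486"],
]


def build_graph(flows):
    """Directed graph: graph[a][b] = number of flows that moved from technique a to b."""
    graph = defaultdict(Counter)
    for flow in flows:
        for current, following in zip(flow, flow[1:]):
            graph[current][following] += 1
    return graph


def next_techniques(graph, technique, top=3):
    """Most likely next techniques after `technique`, with empirical probabilities."""
    counts = graph.get(technique)          # .get() does not create a new node
    if not counts:
        return []
    total = sum(counts.values())
    return [(nxt, n / total) for nxt, n in counts.most_common(top)]


def missed_steps(graph, observed):
    """For each consecutive pair of observed techniques that never appear adjacent
    in past flows, list the single intermediate techniques that would bridge them:
    candidates for steps the investigation has not found yet."""
    gaps = []
    for a, c in zip(observed, observed[1:]):
        if c in graph.get(a, {}):
            continue                        # seen directly; nothing is missing here
        bridges = sorted(b for b in graph.get(a, {}) if c in graph.get(b, {}))
        gaps.append((a, c, bridges))
    return gaps


def to_dot(graph):
    """Graphviz DOT rendering of the transition graph; edge labels are counts."""
    lines = ["digraph attack_flow {"]
    for a, counts in sorted(graph.items()):
        for b, n in sorted(counts.items()):
            lines.append(f'  "{a}" -> "{b}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(FLOWS)
    print("after T1003:", next_techniques(g, "T1003"))
    print("gaps:", missed_steps(g, ["T1566", "T1003", "T1486"]))
    print(to_dot(g))
```

With the constructed flows, credential dumping (T1003) is followed by lateral movement (T1021) two times out of three, and an investigation that has only found phishing and credential dumping is told that command-and-script execution (T1059) is the step it most likely missed in between. Replacing the sample flows with an organization's own incident history turns the same functions into a first-order answer to both questions.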
CTID welcomes the community to participate in its activities and contribute to its knowledge base. You can contact them on LinkedIn.
For more information about the MITRE ATT&CK framework, watch the full masterclass here.