Improving Cybersecurity With MITRE ATT&CK Framework

In my previous blog posts, I’ve talked about the NIST CSF and another framework from the nonprofit Center for Internet Security (CIS), which has a smaller set of controls to help companies and organizations secure their environments.

Now, I want to talk about the MITRE ATT&CK framework. But let’s start at the beginning: First, who is MITRE and what does ATT&CK mean?

MITRE is a nonprofit organization that manages federally funded research and development centers that develop computer-related tools. They research issues for various U.S. agencies that deal with aviation, health care, homeland security (DHS) and others.

ATT&CK is a framework that helps cybersecurity teams—both red and blue—figure out how threat actors gain access to computers and systems and what they do when they gain that access.

ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge.

Think of it as a playbook that an adversary uses to break into your mobile phone, tablet, computer or computer system. The ATT&CK framework is like having your opponent’s playbook in a football game. Every organization has limited resources, and knowing where to focus your attention helps you use those resources more effectively.  The framework is free and was first published in 2015, so it is well known in cybersecurity circles.

Here is an example of how to use it:

Imagine you are a nonprofit that supports human rights. Because of what you do, you will be targeted by certain threat actors. As a nonprofit, you have few resources to devote to cybersecurity, so you search ATT&CK for malicious actors who target organizations like yours and see what techniques they tend to use. The ATT&CK index identifies malicious actors and who they tend to attack. In your search of the ATT&CK site, you see that a group known as APT18 targets human rights groups and tends to focus on external remote services, like a VPN or a Citrix server, rather than phishing emails to gain access to computer systems.

As you review one of the techniques APT18 uses, you learn about Technique T1133; attackers often use valid credentials they acquired using pharming or by breaching the network through an external-facing remote service. Then, you read the ways to mitigate that threat.

You can now focus your limited resources on mitigation techniques for remote services to help block that threat actor.

If you look at APT18, you’ll see that they tend to use eleven techniques to gain access. ATT&CK has identified those techniques as well as how to mitigate those threats. The framework is useful for beginner, intermediate and advanced security teams because it has the technical depth to grow and mature your security posture.

If you are just starting your cybersecurity journey, you will quickly discover that you need to log what is happening on your network, on your computers and systems to know what to look for and where. Are you looking for malicious network traffic or unusual activity on your mobile devices and Windows and Mac computers? Are you checking your firewall logs, your antivirus logs and your system event logs for suspicious activity?

If you are not logging that information in a central server, you will have a hard time finding the threats to your network—or those that are already present!

In my next blog post, I’ll talk about getting all those log files together so you can go searching for malicious activity.

Headshot

John Bruggeman

I am a veteran technologist, former CTO and CISO, with nearly 30 years of experience building and running enterprise IT. I have developed and supported information security programs, helping them mature and succeed by using industry standards like ISO27K and NIST CSF.

I am very familiar with regulatory compliance requirements from PCI-DSS, HIPAA, FERPA, A133 to privacy related requirements like GDPR and CCPA. I earned several GIAC certifications (GSEC, GCIH and GCWN) and I am active in the local information security community, through groups like Infragard and the Higher Education Security Council for EDUCAUSE.

Connect on LinkedIn

Visit CBTS Security website

john-bruggeman has 6 posts and counting.See all posts by john-bruggeman