MITRE ATT&CK, VERIS frameworks integrate for better incident insights

Incident responders work much like police detectives or journalists, in search of the who, what, when, why and how of incidents before they can take steps to address problems. One tool that helps responders address incidents after they occur and position organizations for better defense in the future is the widely used MITRE ATT&CK framework (with ATT&CK standing for Adversarial Tactics, Techniques, and Common Knowledge).

The ATT&CK framework is deployed as a cyber intelligence tool during or after an incident to identify the relevant adversary and reveal appropriate mitigation steps. One recent example comes from McAfee, which used ATT&CK in a case that initially started as an investigation into a suspected malware infection but ended up as a surprise discovery of a long-term cyberattack by two Chinese threat groups, APT27 and APT4.

MITRE ATT&CK relies on a detailed knowledge base of adversary tactics and techniques based on real-world observations. In essence, the ATT&CK framework deals in a granular way with the who, what, and why of the attack.

Another framework used by incident responders is the Vocabulary for Event Recording and Incident Sharing (VERIS), a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. It is used, among other things, to classify the incidents and breaches appearing in the widely read annual Verizon Data Breach Investigations Report (DBIR).

VERIS is a broader, higher-level framework than ATT&CK that relies on an open and free repository of publicly reported security incidents. It offers incident responders the when and how of attacks.

Last month, Verizon and The Center for Threat-Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity, an R&D foundation founded by MITRE, announced a “mapping and translation layer between VERIS and ATT&CK that allows for the usage of ATT&CK to describe the adversary behaviors that were observed in an incident coded in VERIS.”

Bi-directional mapping is the goal

The two organizations intend for this connectivity between ATT&CK and VERIS to give a “bi-directional mapping” that links the behaviors that adversaries use to attack systems with demographics and metadata in the hopes of giving organizations better defenses aligned with the latest threats. “Even though VERIS is relatively popular and it’s fairly useful, it doesn’t have the kind of high-level visibility that something like ATT&CK provides,” Alex Pinto, senior manager, Verizon DBIR team, tells CSO. Nevertheless, VERIS functions as a useful strategy tool, and security leaders often use it to communicate to the board, he says.

“But [VERIS] doesn’t help the defender with the nitty-gritty. ATT&CK is good on the practical side, but it doesn’t have the coverage VERIS has. VERIS is not just concerned with the actual ‘cyberattacks,’ like all the hacking and the malware. We’re also concerned about misuse and theft of devices.”

So, MITRE Engenuity and Verizon decided to link them to make them work together more effectively. “We believe this would be a huge win for the information security community,” Pinto says.

ATT&CK/VERIS collaboration available on GitHub

The goal is to allow defenders to create a more detailed picture of cyber incidents, encompassing the threat actor, technical behavior, targeted assets, and impact. The mapping created by this collaboration is available on GitHub for all defenders and incident responders to use.

“We decided to make it as frictionless as possible,” Richard Struse, director, Center for Threat-Informed Defense at MITRE Engenuity, tells CSO. “We released this on the center’s website, and there’s a corresponding GitHub repository. We don’t try to track or control who uses this.”

“This is a building block. This is a bridge that allows two communities that each are doing valuable work to now connect the work they’re doing in an impactful way and a really efficient way,” Struse says. “What we’re hoping to do is inform the community that this resource is out there and that it’s freely available. They can pick it up and use it today to either add more technical detail to their VERIS-centric view of the world or take it and add some more of that more strategic-level information if they’re sort of ATT&CK-centric.”

Lingua franca for security incident communications

Although it’s not yet clear how the integration between the two frameworks would provide practical benefits to defenders or incident responders, Pinto thinks one key benefit would be to provide a lingua franca to communicate about incidents. “It becomes way easier to understand the end-to-end, the flow of the kind of the contextualization. I should be doing ‘this’ to be protected against ‘that’ becomes so much simpler,” he says.

Fundamentally, both frameworks, and the integration of the two frameworks, formalize what incident responders and defenders do all the time anyway. These models provide a more logical, systematic approach to this kind of work, Pinto says. “This is something that everybody has to do anyway. You’re always trying to figure out. ‘Okay, am I spending my money or my time in security on the things I should be doing?’ This is something that everybody has to do in a way. You try to guess most of the time if what you’re defending against aligns with what you should be defending against.”

The VERIS-ATT&CK mapping “is the dictionary,” Pinto says. “It’s your translation dictionary. So, you really don’t have to think about it.”