The changing role of the MITRE ATT&CK framework

Since its creation in 2013, the MITRE ATT&CK framework has been of interest to security operations professionals. In the early years, the security operations center (SOC) team used MITRE as a reference architecture, comparing alerts and threat intelligence nuggets with the taxonomy’s breakdown of adversary tactics and techniques. Based on ESG research, MITRE ATT&CK usage has reached an inflection point. Security teams not only recognize its value as a security operations foundation but also want to build upon this foundation with more use cases and greater benefits.

After nine years, MITRE ATT&CK and its use cases have evolved well beyond a reference architecture. In many ways, MITRE ATT&CK has become a “lingua franca” of security operations. According to ESG research, 48% of organizations say they use the MITRE ATT&CK framework “extensively” for security operations while another 41% use it on a limited basis. When asked how important MITRE ATT&CK is for their future security operations strategy, the results were even more impressive. Nineteen percent claim that MITRE ATT&CK is critical, 62% say it’s very important, and 15% believe MITRE ATT&CK is an important component of their security operations strategy.

New MITRE ATT&CK use cases

Why are so many organizations embracing MITRE ATT&CK? In a holiday spirit, MITRE ATT&CK is a gift that keeps on giving. ESG research reveals that organizations are using MITRE ATT&CK for several use cases. For example:

• Thirty-eight percent of organizations use MITRE ATT&CK to help them apply threat intelligence into their alert triage and investigations processes. This is a basic use case, but it can really help SOC teams enrich alerts and gives them a blueprint for what else to look for.
• Thirty-Seven percent of organizations use MITRE ATT&CK as a guideline for security engineering. Engineers use the framework to map out targeted adversary campaigns and then implement the right security controls, detection rules, and countermeasures in the right places.
• Thirty-five percent of organizations use MITRE ATT&CK to better understand the tactics, techniques, and procedures (TTPS) of adversaries. If you work in the SOC team of a western government agency, you should be concerned about nation state threats like APT 29. The MITRE ATT&CK navigator can be used to isolate and present the TTPs used in specific cyber-attacks like this. SOC teams can then assess their controls and data sources, identify blind spots and weaknesses, and use these insights to reinforce defenses.
• Thirty-four percent of organizations use MITRE ATT&CK to understand the full extent of cyber-attacks. Armed with the framework, analysts can map individual alerts to what happened in the past and what may happen in the future. This is the difference between individual alert triage and full-blown threat forensics and investigations.
• Thirty-three percent of organizations use MITRE ATT&CK to supplement the threat intelligence provided by their security technology vendors. Endpoint detection and response (EDR), network detection and response (NDR), DNS services, and email gateways all integrate threat intelligence for alerting and blocking suspicious activities, but they do so on a siloed technology basis. MITRE ATT&CK can help weave these individual pixels into a much more detailed threat picture.

The future of MITRE ATT&CK usage

So, where does MITRE usage go next? Allow me to prognosticate a bit:

• MITRE ATT&CK use will drive more continuous security testing. MITRE ATT&CK already raised the value of threat intelligence by helping companies map atomic indicators and alerts to extended kill chains. Similarly, I believe MITRE ATT&CK will also drive the mainstreaming of continuous security testing. There is already alignment in these two areas with open-source tools like Red Canary’s Atomic Red team. I believe increased MITRE ATT&CK knowledge and use cases will also drive more adoption of commercial continuous testing tools like those from AttackIQ, Cymulate, IBM (Randori), Mandiant (Verodin), and SafeBeach.
• Startups will focus on helping organizations operationalize MITRE ATT&CK. While many organizations want to operationalize MITRE ATT&CK, they may not have the skills or integrated software stack to maximize this effort. Given the ubiquity of MITRE ATT&CK, it’s likely that a bevy of startups will appear, aimed at bridging this gap. Some already exist like Tidal Cyber, a company founded by ex-MITRE employees for this very purpose.
• Organizations will look more intently at other MITRE projects. Based on the success of MITRE ATT&CK, CISOs and SOC teams will be more open to looking at other MITRE projects like MITRE D3fend (A knowledge graph of cybersecurity countermeasures) and MITRE Engage (a framework for planning and discussing adversary engagement and operations). MITRE Engage may also act as a catalyst for jumpstarting the dormant deception technology market.