In October, I was privileged to attend the two-day MITRE ATT&CK™ conference, where participants and attendees voiced their support for the ATT&CK framework. The event, sponsored by McAfee, served as a forum for sharing insights and best practices for using ATT&CK as a way to describe and demystify the complexities of today’s cyberattacks. MITRE is well known for its threat-based research in cybersecurity, including highly adopted standards and tools like STIX/TAXII and Common Vulnerability Exposure (CVE).
What is the MITRE ATT&CK framework? Why is it so important to the security community?
ATT&CK is a publicly accessible knowledgebase of adversary tactics and techniques based on real-world observations. For the first time ever, the vendor-agnostic ATT&CK framework enables us to standardize the threat intelligence-sharing process and describe how adversaries prepare for, launch, and execute their attacks. Armed with this knowledge, both security vendors and customers can work toward improving their detection and prevention methods.
What makes ATT&CK so robust is the large community of contributors. By making ATT&CK content available to every practitioner worldwide, MITRE has created a growing community that is fostering innovation in open source tools, products, and services based on the framework.
Best of all, ATT&CK provides a common, easy-to-understand language that can be consumed in bite-size chunks. It enables practitioners to explain complex concepts to management and customers by relating the security risks to business.
How are organizations using the ATT&CK framework?
Speakers representing a wide spectrum of organizations—from the government, private sector, and security arena—shared ways in which they are benefitting from ATT&CK:
- Building industry-specific threat profiles and doing adversary emulation through red teaming: By acting like real-life adversaries, red teams perform penetration testing using threat-specific techniques to detect network and system vulnerabilities and to test the efficacy of security tools. This enables organizations to answer questions that are critical for their security operations team:
- Is my organization a target, and what kinds of groups are targeting us?
- How do these adversarial groups operate?
- Have we seen the adversary before?
- What is their motivation? What is the potential impact to my organization?
By using ATT&CK, red teams, who are doing the attacking, can easily communicate with and share their findings with blue teams, who are doing the defending.
- Red team automation at the unit, or atomic test, level: Recently, several assessment tools have emerged that automate testing of detection and prevention on a granular level against a wide range of adversarial techniques identified by ATT&CK. Gartner expects that these tools will gain ground in security operations and may supplant traditional penetration testing.1
- Operationalization of intelligence at a tactical level: Large companies with mature security operations organizations are using ATT&CK as a framework to drive their ongoing security operations center (SOC) activities. Specifically, they are using ATT&CK in the following ways:
- Improving their detection capabilities by engineering new content to feed into their security information and event management (SIEM) solution, intrusion detection system (IDS), and intrusion prevention system (IPS)
- Creating hypotheses for hunting adversaries on the network
- Tracking adversary groups using tactics, techniques, and procedures (TTPs) for SOC processes, such as network security management, forensics, and others
- Combining ATT&CK with vulnerability management and configuration management to drive overall risk management initiatives, such as prioritizing security architecture and control gaps
What is our role in driving ATT&CK forward?
McAfee is collaborating closely with MITRE in extending their ATT&CK techniques and aligning our products to show coverage and context based on this framework. Both participants and attendees at the conference agreed that ATT&CK is a necessary component for a viable enterprise security strategy.
At our booth, we demonstrated how we have incorporated ATT&CK into McAfee MVISION Endpoint Detection and Response (MVISION EDR), which is scheduled for Q1 2019 availability. Visitors were impressed with how detection is based on and mapped to the ATT&CK framework, allowing a faster, more consistent process to determine the phases of a threat, assess associated risk, and prioritize response.
With our expanded expertise in EDR, threat intelligence, threat hunting, and the cloud, we have identified multiple opportunities to further our collaboration with MITRE.
We also plan on becoming even more involved with the MITRE ATT&CK community through active participation in practitioners’ forums and events like this conference. We are launching new initiatives to enable us to contribute to the ATT&CK knowledgebase by publishing and sharing our research and learnings about new adversarial techniques, incident response methodologies, and red teaming processes.
If you were unable to attend, you can view videos of the ATT&CK conference sessions on YouTube.
To learn more about MITRE ATT&CK, check out resources that we have published on this topic:
- Blog: “Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses”
- Expert Investigation Guides
- McAfee Labs Threats Report, September 2017
1 Gartner, 2018. “BAS and Red Teams Will Kill the Pentest.” https://blogs.gartner.com/augusto-barros/2018/02/14/bas-and-red-teams-will-kill-the-pentest/.