Why should you care about the MITRE ATT&CK® Framework?
In this article we'll discuss how your organization can get the most value out of MITRE's ATT&CK® Framework and give some insights into how we use MITRE internally at WithSecure.
This article will tell you:
- What the MITRE ATT&CK® Framework is and why it is important in cyber security
- How the MITRE ATT&CK® Framework helps you defend your organization against commonly used techniques
What is MITRE?
MITRE is a US-based not-for-profit company that has been providing engineering and technical guidance for over sixty years. Originally only serving the US government (as it is federally funded), it now provides “cutting-edge solutions to the globe’s most urgent problems.” This includes cyber security.
The MITRE ATT&CK® Framework
MITRE ATT&CK® is a globally-accessible, continually updated knowledge base of known state-sponsored and criminal groups, and the tactics, techniques, and procedures that they use. It enables organizations – whether public or private – to prioritize detection around the most persistent threats and threat groups. We at WithSecure use this in our own EDR and MDR solutions to provide a standard vocabulary and descriptions.
How defense teams can use the MITRE ATT&CK® Framework
Defensive teams – whether tactical, strategic or operational – can use this information both hands-on, for example to create prevention and detection rules, and to guide the architectural and policy decisions that protect your organization.
One of the biggest challenges with the framework in its current form is the sheer number of different techniques, making it potentially difficult for defensive teams to know which techniques to focus on first. The table below is just a snapshot of the hundreds of techniques listed:
Figure 1 – With so many techniques it can be challenging to know where to start.
To get the most value out of MITRE ATT&CK® it’s important to focus on the items that give your team the best possible chance of detecting real-world attacks. The WithSecure team tackles this problem by analyzing each technique along several dimensions:
Real world usage
In the majority of real-world attacks we see attackers repeatedly using only a subset of the MITRE techniques. For example, the framework contains 59 different persistence techniques – yet most attacks encountered by WithSecure involve just seven of these. In an ideal world security teams would cover all techniques. However, with limited resources it’s important to prioritize the most commonly used techniques to increase your detection rates and overall effectiveness. Analysis of public breach reports can be a great way to learn more about which techniques attackers commonly use.
Signal to noise
As many of the MITRE techniques closely match legitimate real-world activity, they can be prone to false positives. For example, Rundll32 usage is common across many organizations, which usually makes it too noisy for anyone to monitor manually, whereas Mshta is used less often, making it easier to spot. But that noise can be valuable; handled correctly, it adds fidelity.
This is a prime example of where machine learning and the broader context of the monitored activity can pick meaningful signals out of the noise and compute a risk score, raising an alert only when multiple related activities are detected in an unusual context. Your team’s efficiency improves significantly when analysts focus on the high-risk detections with their broader context and leave machine learning to sift the higher-volume activity that would otherwise stay hidden in the noise.
Figure 2 – Broader context of an attack
Ease of collection and analysis
Each technique relies on capturing and analyzing different datasets. For some techniques it’s not possible to collect data at all, because of technical or performance limitations. Confirming whether you already have the telemetry is a quick way to include or exclude MITRE techniques. Also don’t forget the storage and analysis costs associated with each set of telemetry, as these may be prohibitive. To give an example, process data is one of the most useful datasets as it shows you what an attacker has executed on a system; firewall logs, on the other hand, while useful, can be significantly higher in volume and provide only marginal value.
Quality not quantity across the killchain
When using MITRE ATT&CK® and testing techniques, teams often focus on whether they “pass” or “fail” at detecting individual TTPs and forget that real-world attacks span multiple phases and activities. For real-world defensive teams, detecting just one part of a multi-step killchain is enough to kick off an investigation and uncover all related activity. For example, you might miss an attacker using a brand-new browser exploit but then spot the service they drop for persistence, alerting your team and triggering further investigation. Detection therefore becomes more effective if you select the most commonly used, high-fidelity attacker activities across the killchain and ensure your team can confidently triage and respond when they occur.
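The "signal to noise" and killchain points above can be made concrete with a small risk-scoring routine over process telemetry. This is an added illustration, not WithSecure's detection logic: the sample events, the per-binary weights, the list of unusual parent processes, the time window and the alert threshold are all constructed for the example. A single noisy binary such as Rundll32 never scores high enough on its own; a host only alerts when several distinct, related activities occur within one window, so detecting one step of a chain is enough to surface the rest.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (time, host, parent image, image)
EVENTS = [
    ("2024-03-01T09:00:00", "ws01", "explorer.exe", "rundll32.exe"),
    ("2024-03-01T09:01:00", "ws02", "explorer.exe", "rundll32.exe"),
    ("2024-03-01T09:02:00", "ws03", "explorer.exe", "rundll32.exe"),
    ("2024-03-01T09:03:00", "ws04", "explorer.exe", "rundll32.exe"),
    ("2024-03-01T10:00:00", "ws04", "winword.exe", "mshta.exe"),
    ("2024-03-01T10:00:30", "ws04", "mshta.exe", "powershell.exe"),
    ("2024-03-01T10:01:00", "ws04", "powershell.exe", "sc.exe"),
]

# Constructed weights: common, noisy binaries score low on their own, rarer
# ones higher; an unusual parent (Office app or script host) adds context.
BASE = {"rundll32.exe": 1, "powershell.exe": 2, "regsvr32.exe": 2,
        "mshta.exe": 3, "sc.exe": 3}
UNUSUAL_PARENT = {"winword.exe", "excel.exe", "outlook.exe",
                  "mshta.exe", "powershell.exe", "wscript.exe"}
WINDOW = timedelta(minutes=10)   # how close related activity must be
THRESHOLD = 8                    # constructed alert threshold


def score_event(parent, image):
    """Score one process start: base weight plus a context bonus."""
    score = BASE.get(image, 0)
    if parent in UNUSUAL_PARENT:
        score += 3
    return score


def host_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {host: (score, images)} for hosts where two or more distinct
    techniques inside one window together exceed the threshold."""
    by_host = defaultdict(list)
    for ts, host, parent, image in events:
        by_host[host].append((datetime.fromisoformat(ts), parent, image))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - t0 <= window]
            total = sum(score_event(p, img) for _, p, img in cluster)
            images = tuple(sorted({img for _, _, img in cluster}))
            # keep the highest-scoring window per host
            if total >= threshold and len(images) > 1 and total > alerts.get(host, (0,))[0]:
                alerts[host] = (total, images)
    return alerts


if __name__ == "__main__":
    print(host_alerts(EVENTS))  # only ws04 alerts; ws01-ws03 stay quiet
```

Running it shows the three hosts with plain Rundll32 activity never alert, while ws04 alerts because an Office-spawned Mshta, a PowerShell child and a service creation fall inside one window.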
Use-cases to focus on
Based on the above, some of the highest-value use-cases we’d recommend focusing on are:
- Reviewing user login activity, especially admin activity
- Hunting for suspicious process usage (Rundll32, PowerShell, Mshta, Regsvr32)
- Aggregating persistence data (Services, Registry, Scheduled Tasks) to find anomalies
- Memory anomalies, such as process injection
- Known bad software flagged through antivirus or ML equivalents
The next logical question you might ask is:
What tooling do I need to enable my team to detect these MITRE ATT&CK® techniques?
We will cover that in our next post, where we’ll discuss MITRE ATT&CK® Evaluation.