Skip to Main Content
August 25, 2020

Two Simple Ways to Start Using the MITRE ATT&CK Framework

Written by Rick Yocum
Attack Path Effectiveness Review Security Program Assessment

While there is a wealth of free information intended to help larger organizations use the MITRE ATT&CKTM Framework, these resources often assume that the reader has dedicated security teams, deep technical skills, and/or a catalog of supporting security tools.

But what if small organizations, compliance teams, or risk management professionals want to leverage ATT&CK? Never fear! There are a couple of fast and practical ways to make that happen.

But first, a bit of information on the scope of the MITRE ATT&CKTM Framework.

There’s A Lot in ATT&CK

The breadth ATT&CK and the detailed information within it can make for complicated beginnings.

Consider:

  • ATT&CK actually represents four frameworks. We recommend starting with the ‘Enterprise’ framework, but you should be aware that the ‘PRE-ATT&CK’, ‘Mobile’, and ‘ICS’ frameworks exist.
  • The Enterprise Framework has over 425 Techniques, each representing a specific thing an attacker might attempt on target systems.
  • Each Technique has a set of 58 Data Sources. Data Sources represent the things an organization can watch to detect when an attacker is attempting to perform a Technique.

With multiple frameworks, tons of techniques, and several dozen data sources, it can be tough to know where to begin.

(Just a quick caveat - these methods have intentionally been significantly simplified to allow time-constrained and/or less technical individuals get started utilizing ATT&CK with minimal investments of time and effort. While some fidelity has been sacrificed, the resulting techniques are simple and powerful ways to get started.)

#1 – Leveraging Tactics

Each Technique is assigned to one or more of 12 Enterprise Tactics. These Tactics represent the high-level goals associated with each Technique. Because each organization has a different set of assets and business processes, the specific risks associated with each Tactic are unique to each organization.

Thinking about the risks posed by each of the 12 Enterprise Tactics can be a quick and effective way to prioritize defenses.

For instance:

  • Risks associated with the Exfiltration Tactic are much higher for organizations with lots of intellectual property and sensitive data.
  • Risks associated with the Impact Tactic are much higher for organizations that require 100% uptime, like healthcare, and for organizations that are politically or socially controversial.

Because attacks often require the use of multiple tactics, it’s usually better to implement strong protections against several tactics than it is to apply weak protections against all tactics. This concept can be especially useful when protections against some tactics are clearly more expensive than others.

While basic defenses should be in place for each tactic, additional investments should generally be focused on the riskiest and the most cost-effective tactics based on organizational assets and operations.

#2 – Consolidating Data Sources

In addition to considering security priorities by tactic, organizations can think about the coverage of their security tools by using high-level categories of data sources.

In the same way that Tactics can be thought of as groups of Techniques, Data Sources (the activities defenders can monitor) can ‘roll-up’ into several high-level categories that broadly describe the key areas to monitor and defend.

For instance, as part of a recent engagement, I grouped the 58 ATT&CK data sources into the following 16 high-level categories:

  • Device Inventories
  • Network Activity
  • *aaS Activity
  • End-User Web Activity
  • Email Activity
  • Domain Activity
  • Device Component Inventories
  • Firmware and Pre-Boot Activity
  • Operating System Activity
  • Anti-Virus Activity
  • Command-Line and Script Activity
  • System Software Inventories
  • Application Activity
  • System Services Activity
  • System Processes Activity
  • File and Certificate Activity

These categories represent the key attack surfaces defined in the MITRE ATT&CKTM Framework and can be used to strategically prioritize defenses.

The categories give a fairly clear view of the types of detective and protective tools organizations should consider when investing in their defenses. However, like Tactics, the specific risks associated with each of these Data Source Categories will be unique to each organization, and organizations should focus investments in the areas with the highest levels of risk.

Want to learn more about what goes into these Data Source Categories? Stay tuned, because we’ll be discussing them more in a subsequent blog

Final Thoughts

Because the MITRE ATT&CKTM Framework is built on real-world knowledge of attacker activities, it provides a different and important perspective on the controls and defenses that can help organizations defend against malicious activities.

However, the size and technical nature of the framework can make it difficult to fully digest. Using Tactics and Data Source Categories to distill key framework concepts can provide an easy and effective starting point for using ATT&CK to strategically assess risk and prioritize investments.

Want to learn more about how TrustedSec is using the MITRE ATT&CKTM Framework to help organizations evolve beyond threats? Check out the resources below or contact us today!