
MITRE ATT&CK Part 2

Understanding the MITRE ATT&CK Framework Part 2

The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework is an open-source framework that provides a comprehensive and constantly evolving knowledge base of adversary techniques used by cyber criminals. It is built collaboratively from publicly available information, insights, feedback, and citable contributions from the global community.

The Benefits of the Framework

One of the key benefits of the MITRE ATT&CK framework is that it creates a common language. This gives us the ability to speak to less technical people such as business executives, military leaders, or those without a cyber background. It can also aid us in a response capacity by allowing us to ask the organization for specific types of data.

Additionally, the framework aids in signature creation and supports effective purple-team exercises. It highlights visibility gaps, recommends fixes, and helps implement detections.

Another useful feature of the MITRE ATT&CK framework is the Quantitative Scorecard. This helps organizations highlight the techniques that matter most and the ones that need more visibility. It can guide engineers, analysts, and business leaders on how to prioritize funding.

Creating Visualizations with ATT&CK Navigator

Visualizations can also be created with the MITRE ATT&CK Navigator. This can be done programmatically with JSON and shared with others. The saved custom views are known as layers. The web app for the Navigator can be accessed at https://mitre-attack.github.io/attack-navigator/.
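The two ideas above, a scorecard of how well each technique is covered and a Navigator layer built programmatically from JSON, fit together naturally. The following Python is an added example written for this post (it is not code from the original post or from the MITRE ATT&CK project): it takes a constructed per-technique coverage scorecard, lists the visibility gaps, and emits a Navigator layer whose colour gradient highlights them. The technique IDs are real ATT&CK IDs, the scores are made-up sample data, and the `versions` strings are assumptions that should be set to match the Navigator instance in use.

```python
"""Build an ATT&CK Navigator layer from a detection-coverage scorecard.

Added example, not part of the original post or of the ATT&CK project.
The coverage scores are constructed sample data; the layer fields follow
the Navigator layer format, and the version strings are assumptions.
"""
import json
from typing import Dict, List

# Constructed sample scorecard: how well each technique is covered by
# detections (0 = no visibility, 1 = partial, 2 = good). The technique IDs
# are real ATT&CK IDs; the scores are made up for the example.
COVERAGE: Dict[str, int] = {
    "T1059": 0,      # Command and Scripting Interpreter
    "T1059.001": 1,  # PowerShell (sub-technique of T1059)
    "T1003": 2,      # OS Credential Dumping
    "T1566": 1,      # Phishing
}

MIN_SCORE, MAX_SCORE = 0, 2


def visibility_gaps(coverage: Dict[str, int]) -> List[str]:
    """Return technique IDs with no detection coverage, sorted for stable output."""
    return sorted(tid for tid, score in coverage.items() if score == MIN_SCORE)


def build_layer(name: str, coverage: Dict[str, int], description: str = "") -> dict:
    """Turn a {technique_id: score} scorecard into a Navigator layer dict.

    Low scores render red and high scores green through the gradient, so the
    layer visually highlights the visibility gaps the scorecard exposes.
    """
    for tid, score in coverage.items():
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"score for {tid} out of range: {score}")

    techniques = [
        {
            "techniqueID": tid,
            "score": score,
            "comment": "no visibility" if score == MIN_SCORE else f"coverage level {score}",
            "enabled": True,
        }
        for tid, score in sorted(coverage.items())
    ]
    return {
        "name": name,
        # Assumed versions; set these to match the Navigator instance in use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "gradient": {
            "colors": ["#ff6666", "#ffe766", "#8ec843"],  # red -> yellow -> green
            "minValue": MIN_SCORE,
            "maxValue": MAX_SCORE,
        },
        "legendItems": [
            {"label": "no visibility", "color": "#ff6666"},
            {"label": "partial", "color": "#ffe766"},
            {"label": "good", "color": "#8ec843"},
        ],
    }


def layer_json(name: str, coverage: Dict[str, int]) -> str:
    """Serialize the layer so it can be opened in the Navigator web app."""
    return json.dumps(build_layer(name, coverage), indent=2)


if __name__ == "__main__":
    print("Visibility gaps:", visibility_gaps(COVERAGE))
    print(layer_json("Detection coverage review", COVERAGE))
```

Save the printed JSON to a file and open it in the Navigator with "Open Existing Layer"; the comment on each technique carries the coverage level so that whoever the layer is shared with sees the reasoning behind the colour, and the range check on scores keeps a typo in the scorecard from silently producing a misleading picture.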

MITRE ATT&CK Basics

The MITRE ATT&CK framework is based on several key concepts. These include tactics, techniques, sub-techniques, mitigations, data sources, detections, procedures, groups, and software.

Tactics

Tactics are the adversary's goals during an attack. It is important to understand why an adversary performs each action.

Techniques

Techniques describe the actions an adversary takes to achieve a tactical goal. It is important to understand how an adversary performs each action. Techniques are identified by T####.

Sub-Techniques

Sub-techniques are a more specific description of a technique. They are identified by T####.### and always belong to a parent technique.

Mitigations

Mitigations are configurations, tools, or processes that can prevent a technique from working. It is important to understand how to stop an adversary technique from succeeding. Mitigations are found at the bottom of a technique page and are identified by M####.

Data Sources

Data sources are sources of information collected by a sensor or logging system. It is important to understand where to collect data. Data sources can be found at https://github.com/mitre-attack/attack-datasources.

Detections

Detections describe the high-level analytic process: the sensors, data, and detection strategies used to identify a technique. It is important to understand how to interpret and analyze the data. Each technique or sub-technique page shows where to find the relevant data and how to process it.

Procedures

Procedures describe the specific implementation an adversary uses for a technique or sub-technique. Each procedure names the group or software involved and briefly describes how the technique was used.

Groups

Groups are named threat groups together with the techniques they have been observed using. They are identified by G#### and can be found at https://attack.mitre.org/groups/.

Software

Software entries describe tools and malware seen in the wild, with a description and associations to related malware variants. Software is identified by S#### and can be found at https://attack.mitre.org/software/.
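The identifier formats introduced above (T####, T####.###, M####, G####, S####) are what tie the whole framework together, and tooling that consumes threat reports or detection rules usually needs to recognise and validate them. The Python below is an added example written for this post, not code from the original post or from MITRE: it parses an identifier, classifies it, resolves a sub-technique to its parent technique, builds the corresponding attack.mitre.org URL, and pulls every identifier out of a block of report text. The URL path patterns are the ones used on attack.mitre.org; the sample report text is constructed for the example, although the IDs in it are real.

```python
"""Parse and classify ATT&CK object identifiers.

Added example, not code from the original post or from MITRE. Handles the
T####, T####.###, M####, G#### and S#### formats described in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Anchored form for validating a single identifier.
ID_RE = re.compile(r"^(?P<kind>[TMGS])(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")
# Same shape, used to pull identifiers out of free text such as a threat report.
ID_IN_TEXT_RE = re.compile(r"\b[TMGS]\d{4}(?:\.\d{3})?\b")

KIND_NAMES = {"T": "technique", "M": "mitigation", "G": "group", "S": "software"}
URL_PATHS = {"T": "techniques", "M": "mitigations", "G": "groups", "S": "software"}


@dataclass(frozen=True)
class AttackId:
    kind: str            # one of T, M, G, S
    number: str          # four-digit body, e.g. "1059"
    sub: Optional[str]   # three-digit sub-technique suffix, techniques only

    @property
    def kind_name(self) -> str:
        return "sub-technique" if self.sub else KIND_NAMES[self.kind]

    @property
    def parent(self) -> Optional[str]:
        """For a sub-technique, the parent technique ID; otherwise None."""
        return f"T{self.number}" if self.sub else None

    @property
    def url(self) -> str:
        base = f"https://attack.mitre.org/{URL_PATHS[self.kind]}/{self.kind}{self.number}/"
        return f"{base}{self.sub}/" if self.sub else base

    def __str__(self) -> str:
        return f"{self.kind}{self.number}" + (f".{self.sub}" if self.sub else "")


def parse_id(text: str) -> AttackId:
    """Validate an ATT&CK identifier; only techniques may carry a .### suffix."""
    m = ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK identifier: {text!r}")
    kind, num, sub = m.group("kind"), m.group("num"), m.group("sub")
    if sub and kind != "T":
        raise ValueError(f"only techniques have sub-techniques: {text!r}")
    return AttackId(kind, num, sub)


def extract_ids(report: str) -> List[AttackId]:
    """Return every well-formed ATT&CK ID in the text, de-duplicated in order.

    Malformed look-alikes (e.g. a mitigation with a .### suffix) are skipped
    rather than aborting the whole extraction.
    """
    seen, found = set(), []
    for raw in ID_IN_TEXT_RE.findall(report):
        if raw in seen:
            continue
        try:
            found.append(parse_id(raw))
            seen.add(raw)
        except ValueError:
            continue
    return found


# Constructed sample report text (not a real report); the IDs are real.
SAMPLE_REPORT = """
The actor (G0016) used PowerShell (T1059.001) for execution and
Mimikatz (S0002) for credential dumping (T1003). Recommended mitigation:
M1026 (Privileged Account Management). T1059.001 appeared twice.
"""

if __name__ == "__main__":
    for aid in extract_ids(SAMPLE_REPORT):
        print(f"{str(aid):<10} {aid.kind_name:<14} parent={aid.parent} {aid.url}")
```

Resolving a sub-technique to its parent matters in practice because detections and data sources are often documented at the technique level, so a report that only cites T1059.001 still needs to be checked against what the organization collects for T1059.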

Conclusion

The MITRE ATT&CK framework is a living framework, and the community is encouraged to add and contribute daily. It allows organizations to better understand the techniques used by cyber criminals.

This post is licensed under CC BY 4.0 by the author.
