tashatuvango - Fotolia
The Mitre ATT&CK cybersecurity framework -- a knowledge base of the tactics and techniques used by attackers -- continues to gain ground as vendors, enterprises and security service providers adopt and adapt the framework to their defenses.
While using the Mitre ATT&CK framework offers significant benefits over more traditional cybersecurity frameworks, it requires an understanding of what it is and what resources are required to make it work. In this Q&A, Jonathan Couch, senior vice president of strategy at threat intelligence platform provider ThreatQuotient in Reston, Va., answers questions about using the Mitre ATT&CK framework, including how it differs from other cybersecurity frameworks and how it can pay dividends to the organizations adopting it.
Editor's note: This Q&A has been edited for length and clarity.
What is the Mitre ATT&CK framework?
Jonathan Couch: The Mitre ATT&CK framework is yet another kind of cybersecurity framework. Over the years, we've had quite a few of them; the Lockheed Martin Cyber Kill Chain framework is probably the best known.
There is another framework known as the Diamond Model that some organizations use -- mostly the U.S. government but also commercial companies.
The Mitre ATT&CK framework is slightly different in the sense that it is much more adversary-focused, and it also is much more in-depth. It provides a lot more information.
The Lockheed Martin Kill Chain, for example, provides you with the different phases of an attack as you would see it as a defender: 'I can tell they're just scanning my network as a reconnaissance phase -- they haven't actually gotten in, or maybe they've gotten in, and they've moved around my network, and now they're exfiltrating data.' It helps me, as a defender, to be able to take a look at my detection and my response capabilities because I can now identify how far they are into my network, how far they are into their attack.
One of the weaknesses I've seen with the Lockheed Martin Kill Chain is that it isn't very thorough or comprehensive, in the sense of what attacks look like from the attacker's perspective, from the adversary perspective, and that's really what the Mitre ATT&CK model addresses.
I was actually very surprised when I first saw the Mitre ATT&CK model because it is a very thorough explanation of how you can possibly run an attack. How do I gain initial access? How do I hide the persistent side of things? It has all these different elements to it to better enable organizations to be able to track and say, 'What are all the different things that adversaries might do on my network so that I can make sure that I have detection, monitoring and response available for those actions?'
What other cybersecurity frameworks should people consider, and how else does the Mitre ATT&CK framework differ from them?
Couch: NIST has published the NIST Cybersecurity Framework. It's another way of looking at risk and security within your network. It doesn't exactly align with the goals of what the Lockheed Martin Kill Chain or the Diamond Model does, as far as tracking attacks and mapping them against your network defenses.
One of the things the Mitre ATT&CK framework does that I really like is that it addresses much more of the response phase. Mitre ATT&CK is tied in with what they call attack patterns. They map attack patterns against courses of action, which are like best practices: If you see an adversary in your network, here are potential courses of action that you can use to either prevent them from getting in your network using that attack method or to remediate the situation. That goes well beyond the other cybersecurity frameworks that have been put into place.
It also will help in the long term to address some of the cybersecurity skills shortage. If we can actually operationalize the Mitre ATT&CK framework and automate it within our network security environment, it can enable junior analysts without much experience to look at a problem and very easily get some advice from the community. It can offer up those next steps -- what you can do to put in detection and monitoring or prevention technologies -- or how to remediate that situation. That's one of the strongest aspects of the Mitre ATT&CK framework -- that ability to map it so those with less experience can still be effective security analysts.
It's a very complex framework right now, so getting to that point is going to take a little bit of work because there is so much information available in the Mitre ATT&CK framework. But, slowly but surely, the community is starting to figure out how to apply that against their security operations in order to provide that experience and that knowledge base for people, as well as to provide a better, holistic view of the adversaries that are coming at us and what we need to do in order to effectively fight against them.
How can companies start using the Mitre ATT&CK framework, and what should they be aware of to make sure that it integrates and coexists with whatever other frameworks they are using?
Couch: Mitre ATT&CK maps all these attack phases against specific ways to do them. Organizations need to look at what they're trying to protect, how they might be attacked and which adversaries are coming at them.
Take ransomware as an example. If your company is extremely susceptible to ransomware, that's something you really want to protect against. You can look up ransomware and how it's deployed in the Mitre ATT&CK framework and how it moves throughout the network and then focus your defenses and your monitors to prevent or detect it immediately if it comes in. It can give companies a roadmap as far as risk gaps. Where do they need to protect against? Where is there lack of insight into their network?
If spear-phishing is a really big threat for your network and you don't have email monitoring or content filtering along those lines, that's a huge risk gap for you. From a roadmap and strategic planning perspective, that security group can then say they need to have this in place. As you drill down through these different areas, the Mitre ATT&CK framework will provide you guidance on industry best practices to address those different attack vectors of adversaries getting into your network.
What are the greatest benefits of using the Mitre ATT&CK framework?
Couch: The two biggest benefits that I see out of it are, number one, truly understanding the adversary and how the adversary operates -- here are the steps that they're going to go through to get into your network and perform whatever their end goal is.
You don't just have to understand defense. You have to understand how the offense is working. How is the adversary working? How are they thinking? What do they need to do to accomplish their goals? [Knowing] that will help you to better defend your network.
The second big benefit is enablement of junior analysts to help us get past some of the cyber skills training issues that we're currently facing as an industry. If you can effectively leverage the Mitre ATT&CK framework, then it helps the junior security analyst who may not have that much experience. It gives them a knowledge base, a research database to look at and say, 'OK. Here's what I'm seeing. Here is what the industry is telling me that I should look for and how to defend against it.'
What are the greatest challenges for enterprises that are looking to use Mitre ATT&CK?
Couch: Right now, it is very large and very complex. The good news is the permutations of data within the Mitre ATT&CK framework are extremely thorough. The bad news is it's extremely thorough. For somebody in an organization just getting into it right now, it can be daunting. There is a lot of information in there to process, and a lot of organizations haven't automated a lot of that information as far as mapping it to the data they have within their system and mapping it to their security infrastructure.
There's something like 155 different attack patterns right now -- and that's growing. Being able to identify those and having the information readily available so a junior analyst can leverage it -- or so you can map it against your security infrastructure -- [is a challenge]. It's not a native process right now. We've been working with it for quite a while, and we've actually managed to map it against a lot of the data that we're working with within security organizations, but there's still a lot that we need to do to make that information as available, actionable and operational as possible.