Chris Swagler | December 8th, 2021

MITRE ATT&CK Framework

When it comes to cybersecurity, understanding the threat landscape is crucial for companies to stay ahead of the threat actors, and that’s where the MITRE ATT&CK framework comes into play. MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. The project was created in 2013 with the goal of establishing a globally accessible knowledge base of adversary techniques and tactics based on real-world observations by cybersecurity personnel. Additionally, the framework serves as a model for cyber behavior reflecting various attack lifecycle phases of an adversary and known platforms they target.

MITRE ATT&CK was originally designed only for Windows, but it has since been expanded to cover Linux and cloud systems. Information about the MITRE ATT&CK framework and other Tactics, Techniques, and Procedures (TTPs) is now publicly available to anyone. The model’s tactics and techniques provide a common taxonomy of individual adversary actions that is understood by both the offensive and defensive sides of cybersecurity. Additionally, it provides an appropriate level of categorization for adversary actions and how to defend against them.

The ATT&CK behavioral model contains three core components. Tactics explain the “why” of an ATT&CK technique and refer to the adversary’s short-term, tactical goals during the attack, such as achieving credential access. Techniques explain “how” adversaries act to achieve those tactical goals; for example, the persistence tactic covers the ways adversaries maintain their foothold within systems. Common Knowledge refers to the documentation of the techniques and other metadata used by adversaries.

The ATT&CK framework is recognized as the leading authority in understanding the behaviors and techniques threat actors use against organizations. It removes vagueness and provides a common vocabulary to discuss and collaborate on defending against the adversary’s methods. Additionally, the framework has practical applications for security teams and offers blueprints for where to focus detection efforts. Companies can educate themselves by exploring the techniques, targeted platforms, and risks to help inform their security plan, and they can leverage the MITRE ATT&CK framework to track their progress. The framework is a valuable asset in evaluating current tools and the depth of coverage around key attack techniques. As threats emerge and evolve, the MITRE ATT&CK framework continues to advance as a useful source for tracking and understanding the movements and techniques of various attack groups.

With ShadowSpear, SpearTip’s unparalleled detection and response Platform, engineers analyze and identify the MITRE ATT&CK techniques connected to every event that occurs on a monitored system. This allows SpearTip engineers to locate a potential compromise or breach, or to investigate what happened during the breach and where it originated, and then to respond rapidly by isolating the machine and commencing a digital forensics investigation. Using MITRE can help companies respond to incidents effectively and collect the necessary data very quickly. Through MITRE, companies can perform more proactive threat hunting, including tracking and analyzing events across time.

The use of the MITRE ATT&CK framework to aid in advanced cyber threat hunting is vital to getting ahead of threat actors. Cyber threat hunters are able to stop potential cyberattacks before they disrupt business operations by using stealthy techniques to outmaneuver polymorphic malware and decrease dwell time. Experienced threat hunters are also able to uncover and resolve zero-day vulnerabilities before exploitation can occur.

As a result, companies can rapidly investigate and categorize their systems, which helps them build a baseline for identifying abnormal activity. Another key benefit of the MITRE ATT&CK framework is that companies can assess their workload and identify their current state for quicker response and investigation. Using MITRE lets companies align observed events with the TTPs of potential threat groups to determine whether something is malicious.
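The two practical uses described above, measuring the depth of detection coverage around key techniques and aligning observed events with a threat group's TTPs, can be worked through with a small script. This is an added example, not SpearTip's or MITRE's own code: the technique IDs and names are real ATT&CK entries, but the catalogue subset, the one-tactic-per-technique simplification, the detection inventory, the events and the group profile are all constructed here.

```python
from collections import defaultdict

# Subset of the public ATT&CK catalogue: technique ID -> (name, tactic). IDs and
# names are real ATT&CK entries; the selection and one tactic per technique are
# simplifications constructed for this example.
TECHNIQUES = {
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1110": ("Brute Force", "credential-access"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1053": ("Scheduled Task/Job", "persistence"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1021": ("Remote Services", "lateral-movement"),
}
# Constructed detection inventory: rule name -> technique the rule detects.
DETECTIONS = {"lsass-handle-open": "T1003", "run-key-modified": "T1547",
              "powershell-encoded-cmd": "T1059"}
# Constructed events, already tagged with a technique by the analyst.
EVENTS = [{"host": "ws-01", "technique": "T1059"},
          {"host": "ws-01", "technique": "T1003"},
          {"host": "ws-01", "technique": "T1547"},
          {"host": "ws-02", "technique": "T1021"}]
# Hypothetical threat-group profile (not any real group's TTP list).
GROUP_PROFILE = {"T1059", "T1003", "T1547", "T1110"}

def tactic_coverage(detections=DETECTIONS, techniques=TECHNIQUES):
    """Fraction of catalogued techniques per tactic with at least one detection."""
    per_tactic = defaultdict(lambda: [0, 0])  # tactic -> [covered, total]
    detected = set(detections.values())
    for tid, (_, tactic) in techniques.items():
        per_tactic[tactic][1] += 1
        per_tactic[tactic][0] += int(tid in detected)
    return {t: covered / total for t, (covered, total) in per_tactic.items()}

def tactics_seen(events, techniques=TECHNIQUES):
    """Map tagged events to tactics: the 'why' behind each observed 'how'."""
    seen = defaultdict(set)
    for ev in events:
        seen[techniques[ev["technique"]][1]].add(ev["technique"])
    return {t: sorted(ids) for t, ids in seen.items()}

def group_overlap(events, profile=GROUP_PROFILE):
    """Share of the group's profile observed, and observed TTPs outside it."""
    observed = {ev["technique"] for ev in events}
    return len(observed & profile) / len(profile), sorted(observed - profile)

if __name__ == "__main__":
    print(tactic_coverage())      # credential-access and persistence each 0.5
    print(tactics_seen(EVENTS))
    print(group_overlap(EVENTS))  # (0.75, ['T1021'])
```

The coverage table shows which tactics have no detection at all (lateral movement here), and the overlap score shows how much of the hypothetical profile the observed events already match, plus which observed techniques fall outside it.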

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Experience the entire MITRE Framework Presentation from SpearTip’s Senior Director of Operations, Jonathan Tock, here: MITRE Framework Presentation