Analysts and IT specialists working in a modern security operations center rely on alerts to apprise them of pending threats. But without context, an alert can be little more than useless noise.
So the task is to determine which threats are legitimate based on a deeper dive into all the details. The MITRE ATT&CK framework has become the industry gold standard for this purpose.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a proprietary framework that translates raw data into an actionable narrative of threat actor behavior.
MITRE ATT&CK mapping utilizes this framework to create a meticulous and detailed analysis of a targeted intrusion.
Mapping Anatomy Is Key
Effective mapping is built on three key principles. Combined, these principles make up the anatomy of MITRE ATT&CK mapping. They are the same three principles associated with the Tactics, Techniques, and Procedures (TTPs) concept. Each one tells part of the story:
- Tactics – To a cybersecurity analyst, tactics answer the question of why a hacker is doing what he does. Tactics represent an adversary’s strategic goals. At the current time, the MITRE ATT&CK framework accounts for fourteen tactics. Three of the most common are Initial Access, Lateral Movement, and Exfiltration.
- Techniques – As the name implies, ‘techniques’ refer to the methods a hacker uses to achieve the desired tactic. Consider an adversary known to be utilizing the Execution tactic. His main technique might be a PowerShell script.
- Procedures – Procedures are classified as the specific implementations of a given technique. While one adversary might use an outdated script pattern in PowerShell, another might rely on a well-known tool like Cobalt Strike.
Proper mapping takes a single piece of evidence and follows it through each of these three layers. What comes out the other end is actionable data that gives analysts insight into how and why their adversaries are attacking. But mapping doesn’t stop there.
Linking Mapping to Life Cycle
DarkOwl, a cybersecurity specialist whose platform can be integrated with MITRE ATT&CK mapping, explains that the real power of mapping is its ability to link TTPs to Adversarial Life Cycle. Mapping goes above and beyond legacy Indicators of Compromise (IoCs) as they constantly change to analyze long-term behaviors. Once again, three components are in play:
- Preparation – Mapping helps analysts understand how their systems are being scanned and/or the types of infrastructure being weaponized against them.
- Infiltration – Mapping can help reveal previously unknown front-door vulnerabilities.
- Post-Breach – Mapping allows analysts to see how an adversary continues post-breach, learning how they are able to maintain a foothold in the compromised network.
MITRE ATT&CK mapping gives analysts the ability to observe an incident unfold across its entire lifecycle. This is helpful in the sense that it equips analysts to predict an adversary’s next move. For example, proper analysis could indicate that future credential access by a known adversary virtually guarantees that lateral movement will follow.
A Bridge Between Teams
MITRE ATT&CK mapping benefits organizations in many ways, not the least of which is providing a bridge between teams. The data it generates allows security analysts to transition from a wait-and-see strategy to a more proactive strategy that goes out and actually looks for threats. It also equips analysts with gap-analysis capabilities.
Meanwhile, mapping transforms abstract security requests into actionable tasks the IT department can undertake. Instead of simply being told to beef up the network, they are given specific tasks – like disabling LLMNR to mitigate poisoning.
MITRE ATT&CK mapping is considered an advanced cybersecurity strategy. It is one that is becoming increasingly important to the difficult task of understanding adversaries and how they operate.
