8 March 2023

How to use the MITRE ATT&CK Framework

Quentin Xu
Senior Consultant

elevenM Senior Consultant Quentin Xu describes how using the ATT&CK framework can help organisations implement a threat-based approach.

In our previous two posts, we explored the benefits in organisations adopting a threat-based approach to managing cyber security risks.  

A practical way to achieve this is by using the MITRE ATT&CK framework, developed by US non-profit organisation MITRE. In this post, we explain what the ATT&CK framework is and give a practical example on how it can be used to support threat-based thinking. 

Understanding and using the ATT&CK framework 

The ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a repository of tactics and techniques commonly used by threat actors to achieve their goals. Attacker techniques are indexed and broken down into sub-sections outlining the exact methods that adversaries use “in the wild”.  

Using the ATT&CK framework for the first time can seem quite daunting due to its size and complexity. However, the matrix structure is relatively simple to understand.  

The horizontal column headers (circled in blue below) refer to the tactics used by adversaries and can be thought of as “what” attackers are trying to achieve (i.e. reconnaissance, initial access, lateral movement).  

The vertical rows underneath (circled in red) detail the various techniques used to achieve each respective tactic and can be thought of as “how” attackers are achieving their tactic (i.e. active scanning, phishing). 

image

How can the ATT&CK framework be operationalised? 

Consider the following case: “CISO of Company Y is concerned about ransomware being a threat to the business. They have limited funding to invest in threat mitigation and need to prioritise spending to get the most benefit”. 

This is a common scenario that many organisations face. Fortunately, a threat-based approach using the MITRE ATT&CK framework can point us in the right direction. 

We are starting off on the right foot, by identifying a key threat as the focus for mitigation activities.  

Typically, an organisation might identify 6-8 top threats to focus on. This is normally done in the form of a “Threat Assessment”, where various data points are aggregated together at a global, local and company level. This is something we provide for our clients and provides visibility and detail on the threats that matter most. 

Given the prevalence of ransomware attacks, it would be no surprise to see ransomware in this list of top threats for most organisations – and it’s an ideal candidate for this example scenario. However, ransomware used in the wild are diverse and numerous, so we need to conduct additional investigative work to understand the specific types of ransomware most relevant to the organisation. This will help us to better understand the mitigation techniques to apply.  

In the case of “Company Y”, an initial threat assessment identified the “WannaCry” ransomware as most relevant. This is usually based on threat intelligence from recent events of companies in similar geolocation and industries.   

Here is where the ATT&CK framework can be applied. A security analyst can search the ATT&CK database for the specific ransomware strain and find the techniques used and the relevant mitigations/controls to counteract them.  

MITRE assigns a unique ID and entry to each known ransomware type – the entry for “WannaCry” can be found here. Techniques used by the “WannaCry” ransomware will be listed, with each technique being mapped to their respective mitigating controls. So as an example, a common technique used by “WannaCry” is T1486 – Data Encrypted for Impact. One of the linked mitigating controls for this will be M1053 – Data Backup. This view of technique and mitigating control will then allow the CISO to prioritise funding to mitigate one of Company Y’s top threats. 

Of course, every organisation is different and customisation will be required when using ATT&CK to ensure an appropriate approach is adopted and controls are specific to your operations. The key takeaway here is that a threat-based approach is key and that frameworks like MITRE ATT&CK compliment this method. 

If you’re interested in learning more about how elevenM can help your organisation leverage best practice frameworks to improve overall security posture, contact us at hello@elevenm.com.au


References 

  1. https://attack.mitre.org/ 
  2. https://www.mitre.org/who-we-are 
  3. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack 
  4. https://attack.mitre.org/software/S0366/