As we have discussed in previous blogs, MITRE ATT&CK is a critical tool that can help you logically assess your security controls against the risks you are likely to face. It is critical for all of us to understand the gaps in our current cyber defense. There are several important use cases that make MITRE ATT&CK compelling – let’s take a closer look.
#1 Important Use Case – Application of Threat Intelligence
The first and highly important use case is the application of threat intelligence. Threat intelligence data is pouring into most security operations centers in reaction to observed attacker activity. Cyber defenders are often confused about what to do with threat intelligence. Most of the time they are wrapped up deciphering indicators of compromise and trying to resolve high-priority alerts. They will tell you honestly that they don’t have much time to step back and view the picture more strategically.
MITRE ATT&CK gives you a way to integrate the threat intelligence you feel relates to the probable high-risk activity your organization may face, and then make it a permanent part of the assurance of your cyber-defense environment. You can map prospective attacker tactics and the techniques they use to the risks that your threat intelligence deems most likely. The result? MITRE ATT&CK helps you document a clear view of the gaps you have when facing these likely threats. Then you can build a plan to close those gaps and improve your defenses.
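The mapping described above can be done in a few lines once threat intelligence and current detection coverage are both expressed as ATT&CK technique IDs. The following is an added example (not code from this blog or from Acalvio): the group names, technique sets and coverage list are constructed samples, and the output dictionary is shaped after the ATT&CK Navigator layer format as I understand it (assumed field names, so check them against the Navigator version you use).

```python
"""Added example (not the blog's or Acalvio's code): turn threat-intelligence
technique sets into a coverage-gap report per ATT&CK tactic, plus a layer in
the ATT&CK Navigator JSON style so the gaps can be visualised."""
import json
from collections import Counter

# Constructed sample: techniques threat intelligence attributes to the groups
# judged most likely to target this organisation. Group names are invented.
THREAT_INTEL = {
    "Group-A": {"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1486"},
    "Group-B": {"T1566.002", "T1059.001", "T1059.003", "T1078",
                "T1021.002", "T1041"},
}

# Constructed sample: techniques the SOC currently has tested detections for.
CURRENT_COVERAGE = {"T1566.001", "T1059.001", "T1078", "T1041"}

# Tactic used for grouping each sample technique. ATT&CK lists some
# techniques under several tactics (T1078 Valid Accounts, for instance);
# one tactic per technique is chosen here to keep the report simple.
TACTIC_OF = {
    "T1566.001": "initial-access", "T1566.002": "initial-access",
    "T1059.001": "execution", "T1059.003": "execution",
    "T1003.001": "credential-access", "T1078": "defense-evasion",
    "T1021.002": "lateral-movement", "T1486": "impact",
    "T1041": "exfiltration",
}


def technique_priority(threat_intel):
    """Rank techniques by how many tracked groups use them (most first)."""
    counts = Counter(t for techs in threat_intel.values() for t in techs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(threat_intel, coverage, tactic_of):
    """Return {tactic: [uncovered techniques]} for every technique the
    intelligence says is likely but no current detection covers."""
    gaps = {}
    for tid, _n in technique_priority(threat_intel):
        if tid not in coverage:
            gaps.setdefault(tactic_of.get(tid, "unknown"), []).append(tid)
    return {tactic: sorted(techs) for tactic, techs in sorted(gaps.items())}


def navigator_layer(threat_intel, coverage, name="threat-intel coverage"):
    """Build a dict shaped like an ATT&CK Navigator layer (assumed field
    names; verify against the Navigator version you run). Score = number of
    groups using the technique; red marks a gap, green a covered technique."""
    techniques = []
    for tid, n in technique_priority(threat_intel):
        covered = tid in coverage
        techniques.append({
            "techniqueID": tid,
            "score": n,
            "color": "#66b266" if covered else "#ff6666",
            "comment": f"{n} group(s); {'covered' if covered else 'GAP'}",
        })
    return {"name": name, "domain": "enterprise-attack",
            "techniques": techniques}


if __name__ == "__main__":
    for tactic, techs in coverage_gaps(THREAT_INTEL, CURRENT_COVERAGE,
                                       TACTIC_OF).items():
        print(f"{tactic:18} gap: {', '.join(techs)}")
    print(json.dumps(navigator_layer(THREAT_INTEL, CURRENT_COVERAGE), indent=2))
```

Techniques used by more than one tracked group sort first, so the gap list doubles as a remediation priority: with the sample data, T1021.002 is both uncovered and shared by both groups, which is where the first detection engineering effort should go.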
Red Team Penetration Testing
Perhaps the most popular and well-known use case is red team penetration testing. Most red teams have a spreadsheet or checklist of the things that they do. And even from tester to tester, that checklist and the tasks they actually perform vary from day to day. Spreadsheets rarely use a common language. 🙂 MITRE ATT&CK provides a standard language and taxonomy that you can use. This brings a well-organized approach to selecting the techniques that your red team can use consistently, and in a highly repeatable way. Because MITRE ATT&CK is best at modeling real-world attackers, it is an ideal tool for red teams to use to build out detailed and accurate penetration plans.
Powerful Use Case for Blue Team and Security Operations Center Team
MITRE ATT&CK can also provide a powerful use case to your blue team and your security operations center team. MITRE ATT&CK enables your blue team to more rapidly and correctly assess a current ongoing attack and logically categorize the symptoms that they see into these technique categories. Now, by observing the techniques used, and the sequence in which they are used, you can start to get a sense of who the attacker might be and what you need to do to stop the attack chain before it can reach its objectives. MITRE ATT&CK’s adversary emulation plans help you recognize the fingerprint of a specific attacker, based upon what they do, and the sequence in which they do it.
It is important to remember that attacks take time. You don’t need to stop them in the beginning, but you certainly must stop them before they can exfiltrate data or damage your operations. MITRE ATT&CK can give you an organizational advantage in determining your best counter-moves in real time, even during an ongoing attack.
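The two paragraphs above describe matching an observed technique sequence against known attacker chains and then deciding where to cut the chain. The following is an added example (not code from this blog or from Acalvio) of that matching: the profiles are invented, ordered technique chains in the style of an adversary emulation plan (they do not describe any real group), and the observed sequence is a constructed incident. Each profile is scored on both which techniques overlap and how much of the observed order it reproduces, and the best match is used to list the techniques expected next.

```python
"""Added example (not the blog's or Acalvio's code): score an observed
sequence of ATT&CK techniques against adversary-emulation style profiles,
rank the likely profile, and list the techniques that profile would try
next, which is where the defender should put the block."""

# Constructed profiles: ordered technique chains in the style of an
# adversary emulation plan. These are invented for the example and do not
# describe any real threat group.
PROFILES = {
    "Profile-Ransomware-A": ["T1566.001", "T1204.002", "T1059.001",
                             "T1003.001", "T1021.002", "T1486"],
    "Profile-Espionage-B": ["T1566.002", "T1059.001", "T1078",
                            "T1021.001", "T1005", "T1041"],
    "Profile-Commodity-C": ["T1189", "T1204.001", "T1059.005",
                            "T1053.005", "T1071.001"],
}

# Constructed sample: techniques the blue team has categorised so far from
# one ongoing incident, in the order they were observed.
OBSERVED = ["T1566.001", "T1204.002", "T1059.001", "T1003.001"]


def lcs_length(a, b):
    """Length of the longest common subsequence: how much of the observed
    order the profile reproduces, not just which techniques overlap."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def profile_score(observed, profile):
    """Average of (a) share of observed techniques the profile contains and
    (b) share of the observed order the profile reproduces. Returns 0..1."""
    if not observed:
        return 0.0
    overlap = len(set(observed) & set(profile)) / len(observed)
    ordered = lcs_length(observed, profile) / len(observed)
    return round((overlap + ordered) / 2, 4)


def rank_profiles(observed, profiles):
    """[(profile_name, score)] with the best match first."""
    scored = [(name, profile_score(observed, chain))
              for name, chain in profiles.items()]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def predicted_next(observed, profile):
    """Techniques the profile lists after the last one already observed.
    If nothing matched, the whole chain is returned."""
    seen = set(observed)
    last = -1
    for i, tid in enumerate(profile):
        if tid in seen:
            last = i
    return profile[last + 1:]


if __name__ == "__main__":
    ranking = rank_profiles(OBSERVED, PROFILES)
    for name, score in ranking:
        print(f"{name:22} {score:.2f}")
    best = ranking[0][0]
    print("expected next:", predicted_next(OBSERVED, PROFILES[best]))
```

With the sample incident the ransomware-style profile scores 1.0 and the expected next steps are lateral movement over admin shares followed by encryption for impact, so the response priority is isolating the affected host and the admin-share path before the attacker reaches that objective.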
Vendor Assessment
Another important use case is centered around vendor assessment. MITRE ATT&CK enables you to more carefully and logically assess your current vendors and their security controls, and then make very informed decisions before you bring new security controls in. Not all firewalls are alike. Not all endpoint detection and response (EDR) security controls are alike. MITRE ATT&CK gives you a way to compare vendors and the security controls they provide on a very objective basis. Once you contrast your current vendors, you’re in a better position to understand the gaps and then decide on the changes you need to make to your security controls to get the protection you need.
Breach and Attack Simulation or BAS
My last and favorite use case is called breach and attack simulation, or BAS. Gartner has defined this rapidly emerging market, and it is almost completely about software platforms that operationalize and automate the MITRE ATT&CK framework. Once you automate the framework, it enables you to test your production environments and your test environments with these emulated attacks on a scheduled, ongoing basis. Production environments can often change under and around you based upon what seem to be very minor changes that, in turn, expose new vulnerabilities and problems. MITRE ATT&CK automated by a BAS platform can help you find those almost in real time.
MITRE ATT&CK automation helps you answer, every day, the question that no security operations center can answer reliably: “Are my security controls really working right now?” Breach and attack simulation gives you the answer to that question. Also, consider that you are now in a position to objectively define the return on investment of your security expenditure and relate that to requests for additional cybersecurity budgets.
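The value of a scheduled run lies in the scoring step: did an alert actually fire for each emulated technique, and did anything that worked yesterday stop working today? The following is an added example (not code from this blog, from Acalvio or from any BAS vendor) of that scoring. It assumes a BAS scheduler has already executed the test cases and recorded when and where; the test cases, the alert log lines (with invented rule names) and the previous run's results are all constructed samples. An alert only counts if it names the same host and technique and arrives within a short window after the test case ran, so a late or unrelated alert is not mistaken for a working control.

```python
"""Added example (not the blog's or any BAS vendor's code): score one
scheduled run of technique test cases against the alerts the SOC actually
received, then compare with the previous run to surface controls that
stopped working. The BAS platform itself is assumed to execute the test
cases; this script only evaluates the outcome."""
from datetime import datetime, timedelta

# Constructed sample: test cases the (assumed) BAS scheduler executed today.
TEST_CASES = [
    {"id": "bas-001", "technique": "T1059.001", "host": "ws-17",
     "ran_at": "2024-05-01T10:00:05"},
    {"id": "bas-002", "technique": "T1003.001", "host": "ws-17",
     "ran_at": "2024-05-01T10:01:10"},
    {"id": "bas-003", "technique": "T1021.002", "host": "srv-02",
     "ran_at": "2024-05-01T10:02:00"},
    {"id": "bas-004", "technique": "T1486", "host": "srv-02",
     "ran_at": "2024-05-01T10:03:30"},
]

# Constructed sample alert log (invented rule names). The third alert fires
# 46 minutes after its test case, far outside the correlation window, so it
# must not count as a detection of bas-002.
ALERT_LOG = """\
2024-05-01T10:00:09 host=ws-17 rule=ps-encoded-command technique=T1059.001
2024-05-01T10:02:40 host=srv-02 rule=admin-share-lateral technique=T1021.002
2024-05-01T10:47:00 host=ws-17 rule=lsass-handle-open technique=T1003.001
"""

# Constructed sample: outcome of yesterday's run.
PREVIOUS_RUN = {"T1059.001": True, "T1003.001": True,
                "T1021.002": True, "T1486": False}


def parse_alerts(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        alert = dict(f.split("=", 1) for f in fields)
        alert["ts"] = datetime.fromisoformat(ts)
        alerts.append(alert)
    return alerts


def evaluate(test_cases, alerts, window_minutes=5):
    """{technique: detected?}; detected means an alert for the same host and
    technique arrived within window_minutes after the test case ran."""
    window = timedelta(minutes=window_minutes)
    results = {}
    for case in test_cases:
        ran_at = datetime.fromisoformat(case["ran_at"])
        results[case["technique"]] = any(
            a.get("host") == case["host"]
            and a.get("technique") == case["technique"]
            and ran_at <= a["ts"] <= ran_at + window
            for a in alerts)
    return results


def detection_rate(results):
    """Fraction of test cases that produced a timely alert."""
    return sum(results.values()) / len(results) if results else 0.0


def regressions(previous, current):
    """Techniques detected last run but not this run: the drift the
    scheduled re-run exists to catch."""
    return sorted(t for t, ok in previous.items()
                  if ok and not current.get(t, False))


if __name__ == "__main__":
    today = evaluate(TEST_CASES, parse_alerts(ALERT_LOG))
    for tid, ok in today.items():
        print(f"{tid:10} {'detected' if ok else 'MISSED'}")
    print(f"detection rate: {detection_rate(today):.0%}")
    print("regressions since last run:", regressions(PREVIOUS_RUN, today))
```

In the sample run the LSASS access test case is reported as missed even though an alert eventually appeared, because a control that fires three quarters of an hour late is not one you can rely on during an active intrusion; the regression list then shows it as a control that worked in the previous run and no longer does, which is exactly the kind of silent environment change the paragraph above warns about.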
Mapping Acalvio ShadowPlex Precisely to the Various Attacker Techniques in MITRE ATT&CK
Now it gets very interesting. You can take Acalvio ShadowPlex and map it precisely to the various attacker techniques in MITRE ATT&CK. You will be surprised to see that deception technology will get in the middle of many attack chains and can disrupt them rapidly. Deception technology is almost always toxic to any considered effort by an attacker to perform reconnaissance in your network regardless of their access point. The odds are overwhelmingly against them as they will likely stumble into deception technology at almost every turn.
Acalvio ShadowPlex was made for the detection of the most sophisticated attackers and the tools, tactics, and techniques which they deploy. Acalvio ShadowPlex technology is not conditional, nor probabilistic. The detection is absolute and 100% certain. Deception technology provides virtually flawless detection to ensure that threats are rapidly identified, and then rapidly shut down. Speed and accuracy combine to meet and defeat ransomware threats.
Acalvio deception technology is optimized and well-architected to protect any enterprise against the most sophisticated threats. Now, with MITRE ATT&CK, you can more logically organize your efforts and better understand how deception technology can improve your cyber defense resiliency.