
What is the MITRE ATT&CK framework?

Summary

“The MITRE ATT&CK framework is a powerful tool to support enterprises in understanding adversaries’ tactics, techniques and procedures to better shore up their security posture. This article answers the question of what the MITRE ATT&CK framework is, and how you can use the MITRE ATT&CK matrix to support a robust AppSec strategy in your organization.”

MITRE ATT&CK is an openly accessible knowledge base that categorizes the methods threat actors use to carry out cyberattacks. The acronym ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge, although you may hear it spoken or informally written as MITRE ATTACK. The MITRE ATT&CK framework was developed in 2013 with the express purpose of improving enterprises’ ability to defend against cybercrime, and today it is a crucial part of understanding and protecting against a wide range of threats.

What is the MITRE ATT&CK Matrix?

The MITRE ATT&CK matrix is a grid that maps the relationships between attacker tactics and techniques. Each column is a tactic, and the cells beneath it list the associated techniques and sub-techniques. At a glance, security teams can see how attackers move through the different stages of an attack. Below you can see a small subset of the tactics and techniques in the matrix.

[Image: excerpt of the MITRE ATT&CK framework matrix]

Key Components of the MITRE ATT&CK Matrix

There are three MITRE ATT&CK matrices, each tailored to its own domain: enterprise, cloud and mobile. Within a matrix, you’ll see the following elements:

  • Tactics: The broad objectives an attacker may have, such as gaining initial access, executing code, or achieving persistence in the target environment. 
  • Techniques: The specific methods used to achieve an objective; for example, within persistence an attacker might create or modify a system process, while within initial access a technique may be to use a valid account. 
  • Sub-techniques: Here, MITRE includes detailed information on how a technique is implemented. For example, within the persistence tactic, the technique may be account manipulation, and the sub-technique could be SSH authorized keys or additional cloud roles. 
  • Mitigations and detections: Each technique lists recommended mitigations for defending against it, along with detection guidance for identifying when threat actors are using it. 

Challenges for Using the MITRE ATT&CK Matrix

Studies have shown that more than 80% of enterprises use the MITRE ATT&CK framework, but there are certain considerations that you should be aware of. 

Most importantly, the framework has an overwhelming scope, covering hundreds of techniques and sub-techniques. It can be almost impossible to prioritize which ones matter most, especially when keeping your own business context in mind. Some techniques will not be relevant to your organization or even your industry, and without recognizing that, you may channel resources ineffectively. Taking a risk-based approach is crucial, as you can’t cover it all.

The matrix is also evolving all the time, as threat actors change their behaviors and technology moves on at a breakneck pace. It’s a genuine challenge to keep up to date with changes as they occur.

How Do Companies Use the MITRE ATT&CK Framework?

Despite these challenges, the MITRE ATT&CK framework and its matrices are used to great effect to understand and combat cyberattacks across domains. Different cybersecurity teams use MITRE ATT&CK for different purposes. For example, threat intelligence teams use the framework to document adversary TTPs and understand how threat actors operate, while defensive teams map the activities they observe to specific techniques so that they can highlight gaps in their visibility or defenses and accelerate incident response.

Other use cases include red teaming, pen testing and threat simulation, where teams use MITRE ATT&CK as a playbook to emulate adversary techniques and test an organization’s defenses, or where blue teams rehearse responses to attacks that could occur in the wild.

As a comprehensive database of adversarial tactics and techniques, MITRE ATT&CK also allows organizations to evaluate how effective their security controls are and validate that they are protected against known attacks. 

Checkmarx Analytics: Swift and Effective AppSec

Stay ahead of the threats in a complex security landscape. Discover in this video how Checkmarx One can help you expose every vulnerability you face and then prioritize them. This ensures you cut through the alerts noise and take the actions that matter.

Get Your Custom Checkmarx One Demo!

Using the MITRE Framework for Application Security

As well as all of these use cases and more, MITRE ATT&CK can be invaluable for AppSec teams, helping to identify and prevent application-layer attacks that target APIs, web applications or microservices. Examples include:

  • Mapping AppSec threats: MITRE ATT&CK can help organizations identify where attackers exploit application vulnerabilities to escalate privileges, or where stolen credentials have been used to access sensitive APIs or databases. It can also support identification of exploited remote services, where attackers target exposed APIs or web services. 
  • Securing the SDLC: AppSec starts from the first line of code, and securing the Software Development Lifecycle (SDLC) is one of the main goals of an application security platform. MITRE ATT&CK can help teams identify which adversary techniques are relevant during code reviews, including input validation issues, poor authentication, or exposed debug interfaces and endpoints. It can also support enhanced security testing through simulations, and promote secure-by-design applications by addressing the most common TTPs early and continuously. 
  • Improving prevention and incident response: By mapping application-related incidents to MITRE ATT&CK techniques, teams can ensure faster root cause analysis in the event of an attack, and prioritize ahead of time the vulnerabilities that matter in their environment — those that are most likely to be exploited. 
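The following is an added example (not Checkmarx’s or MITRE’s code) that ties the matrix components listed earlier to the AppSec mapping list above: a small Python model of tactics, techniques and sub-techniques, with an assumed mapping from scanner finding categories to real Enterprise ATT&CK technique IDs, used to rank techniques by exposure and list the ones with no detection in place. The finding categories, sample findings and detection inventory are constructed for illustration.

```python
from collections import defaultdict, namedtuple
# One matrix cell: ATT&CK ID (sub-techniques use "Txxxx.yyy"), name, tactic columns it sits under
Technique = namedtuple("Technique", "tid name tactics")

# Constructed subset of the Enterprise matrix (real IDs and names, chosen for this example)
TECHNIQUES = {t.tid: t for t in (
    Technique("T1078", "Valid Accounts", ("initial-access", "persistence", "privilege-escalation", "defense-evasion")),
    Technique("T1190", "Exploit Public-Facing Application", ("initial-access",)),
    Technique("T1133", "External Remote Services", ("initial-access", "persistence")),
    Technique("T1068", "Exploitation for Privilege Escalation", ("privilege-escalation",)),
    Technique("T1098", "Account Manipulation", ("persistence", "privilege-escalation")),
    Technique("T1098.004", "SSH Authorized Keys", ("persistence", "privilege-escalation")),
)}

# Assumed mapping from AppSec finding categories (as the article names them) to technique IDs
FINDING_TO_TECHNIQUES = {
    "input-validation": ("T1190",),
    "weak-authentication": ("T1078", "T1133"),
    "stolen-credentials": ("T1078",),
    "exposed-debug-endpoint": ("T1190", "T1133"),
    "privilege-escalation-bug": ("T1068",),
}

SAMPLE_FINDINGS = (  # constructed scanner output, not real data
    ("SQLi in /api/orders", "input-validation"),
    ("Missing rate limit on /login", "weak-authentication"),
    ("/debug/pprof reachable from internet", "exposed-debug-endpoint"),
)
SAMPLE_DETECTIONS = ("T1078",)  # assumed: only an anomalous-login detection is deployed

def parent_of(tid):
    """'T1098.004' -> 'T1098'; a base technique is its own parent."""
    return tid.split(".")[0]

def map_findings(findings):
    """Return {technique_id: sorted finding names} for (name, category) pairs."""
    mapped = defaultdict(set)
    for name, category in findings:
        for tid in FINDING_TO_TECHNIQUES.get(category, ()):
            mapped[tid].add(name)
    return {tid: sorted(names) for tid, names in mapped.items()}

def prioritize(mapped):
    """Rank by finding count, then by how many tactic columns the technique spans, then by ID."""
    return sorted(mapped, key=lambda t: (-len(mapped[t]), -len(TECHNIQUES[t].tactics), t))

def coverage_gaps(mapped, detections):
    """Mapped techniques with no detection; a parent-level detection covers its sub-techniques."""
    covered = set(detections)
    return sorted(t for t in mapped if t not in covered and parent_of(t) not in covered)
```

Run `coverage_gaps(map_findings(SAMPLE_FINDINGS), SAMPLE_DETECTIONS)` to see which techniques the findings expose you to without any detection, which is the visibility-gap view the article describes.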

Best Practices for Using MITRE ATT&CK in AppSec

As part of a robust application security platform, Checkmarx One leverages techniques and tactics from the MITRE ATT&CK matrix to deliver a threat-informed approach to application security. 

Checkmarx provides contextual insight into potential methods of exploitation, correlating vulnerabilities with specific ATT&CK techniques, helping companies to prioritize remediation efforts and gain clarity on how vulnerabilities can be exploited. 

Using the comprehensive knowledge offered by the MITRE ATT&CK framework, teams can perform security testing that is aligned with the threat landscape, configuring their automation to detect patterns and anomalies that suggest specific MITRE ATT&CK techniques, enhancing their ability to detect and respond quickly. 

This knowledge can also be integrated into training programs for security teams and developers, so that even those without a security background can gain hands-on experience in identifying the techniques documented in the framework. It also facilitates clear communication between Development, Security and Operations teams through standardized terminology that’s recognized industry-wide. In this way, organizations can promote #DevSecTrust across the organization.


Get everything your enterprise needs to integrate AppSec across every stage of the SDLC and build a successful AppSec program.

A Final Word on MITRE ATT&CK

By utilizing the MITRE ATT&CK framework and its enterprise matrix, organizations can gain an understanding of adversaries’ tactics, techniques and procedures, and strengthen their security posture accordingly. It gives a full view of the ways attackers operate, and for application security professionals it can be a powerful way to coordinate and build defenses that prioritize the right vulnerabilities, ship resilient applications, and secure the SDLC from the earliest stages.

As attacks continue to evolve, using MITRE ATT&CK proactively is crucial for staying ahead of the game. By using an AppSec platform like Checkmarx One, its insights are already embedded into the way you work, protecting your apps, data and ultimately your users from day one.

Speak to us about a demo of Checkmarx One.