That “aha!” moment doesn’t always happen right away.
When learning new things, sometimes we need to slow down and take it all in. For me, understanding MITRE ATT&CK was like that. Sure, the notion of thinking like an attacker made sense, and its structure was clear. Then came the “now what?” moment.
Soon I discovered the key to getting started. May I share it with you?
ATT&CK is short for Adversarial Tactics, Techniques, and Common Knowledge. For years, MITRE researchers have been investigating the tactics, techniques, and procedures (TTPs) used by cyber attackers. Then they cataloged TTPs in ATT&CK Matrices, resulting in an extensive knowledge base and common language on adversary behavior.
It’s a unique approach, sort of like the reverse of typical best practice like the NIST Cybersecurity Framework or the CIS Controls. For example, rather than saying “protect against email threats,” ATT&CK describes how hackers send spearphishing emails with URL-shortened links designed to trick people. The emails look legitimate and their shortened links disguise the real destination. When users click, the website continues its exploit against the user or device. See how ATT&CK is different? It starts by showing how attackers behave.
Getting Started with ATT&CK
It seems I’m not alone when I wondered how to get started. MITRE has several resources available to help with that: a blog series, an eBook, a philosophy paper. I’m being a bit facetious here, but maybe they need a Getting Started Guide for Getting Started.
One suggestion is to start with one Tactic at a time. In the Enterprise Matrix, there are just 12 of them. But complexity grows once you drill into the Techniques and Sub-Techniques associated with each one. Even more so when you drill into Procedure examples. 156 Techniques and 272 Sub-Techniques, anyone? I haven’t even tried counting all the Procedures. Sheeeesh.
But here’s the thing.
Despite the long list of Tactics, Techniques, and Procedures, all of them lead to a finite and relatively short list of ATT&CK Mitigations. And Mitigations are the “what to do” about the TTPs. Enterprise ATT&CK has just 41. For me, Mitigations are the key.
The Magic of Mitigations
So, if you’re just getting started with ATT&CK, I highly recommend looking at Mitigations first. You can assess your program and discover weaknesses with them. Then you can talk about your priorities with vendors who also speak ATT&CK.
After all, it’s much easier have conversations about the need to “Restrict Web-Based Content” than it is to ask a litany of questions like, “how do you prevent someone from stealing an application access token? And how to you stop a drive-by compromise?”
That’s precisely why, here at Cisco, we’ve mapped our capabilities to ATT&CK Mitigations. After all, once you’ve looked through the list of Mitigations and decided your priorities, chances are you’ll need a cyber product or service to help you along.
And there you have it: The magic of mitigations is the key to getting started with ATT&CK.
ATT&CK Techniques and Procedures are useful for deeper conversations.
If you’ve already discovered MITRE’s Use Cases, you can probably tell that I’ve focused this entire discussion on Defensive Gap Assessment. I assumed that it’s the reason why you’re interested in ATT&CK too. But maybe I’m wrong.
There is a lot of value beyond mitigation, so don’t overlook the detail. Maybe you’re more interested in the other use cases like Adversary Emulation and Red Teaming, so ATT&CK’s TTPs will be incredible valuable to you. Check out this post from Security Research Lead Tim Brown for more about ATT&CK for threat intelligence, modeling, and hunting.
At Cisco, we understand MITRE ATT&CK, we know our solutions, and we can answer all the technical questions you have. Just ask us. We’re here to help.
Learn more at www.cisco.com/go/cyberframeworks