The MITRE ATT&CK Framework
The MITRE ATT&CK framework is designed to build awareness and understanding of how cyberattacks work. To accomplish this, it organizes information into a hierarchy, including:
- Tactics: MITRE ATT&CK Tactics are high-level objectives that an attacker may wish to achieve during a cyberattack. This includes stages of an attack like gaining initial access to a system, compromising user accounts, and moving laterally through the network.
- Techniques: For each of the high-level Tactics, MITRE ATT&CK defines multiple Techniques for achieving the goal. For example, an attacker can gain access to user credentials via a brute force guessing attack, stealing them from the operating system, and other methods.
- Sub-Techniques: Some MITRE ATT&CK Techniques can be achieved in various other ways (called Sub-Techniques). For example, a brute force password attack could be accomplished by cracking password hashes, credential stuffing, or other means.
MITRE ATT&CK’s Tactics, Techniques, and Sub-Techniques drill down to a specific way in which an attacker can achieve a goal. For each of these techniques, MITRE ATT&CK includes a description of the attack, as well as the following:
- Procedures: Procedures describe specific examples of using a technique. This includes malware, hacking tools, and threat actors known to use that particular technique.
- Detection: For a given technique, MITRE ATT&CK recommends methods of detecting the technique. This section is invaluable for designing cybersecurity defenses because it outlines the types of information that need to be collected to detect a particular attack.
- Mitigation: The mitigation section describes steps that an organization can take to prevent or reduce the impact of a particular technique. For example, the use of multi-factor authentication (MFA) is a common mitigation for techniques designed to achieve access to user accounts.
Leveraging MITRE ATT&CK for Cyber Defense
The MITRE ATT&CK framework is designed as a tool, not solely a repository of information. Security operation center (SOC) teams can operationalize the MITRE ATT&CK matrix in a number of ways, including:
- Designing Defenses: The MITRE ATT&Ck framework outlines methods for detecting and mitigating different cyberattack techniques. This information can be used to ensure that an organization has the right defenses in place and is collecting the information required to detect a specific threat. Threat intelligence can be used to prioritize the techniques that an organization focuses on.
- Incident Detection: The MITRE ATT&CK framework describes the ways in which a particular threat can be detected. This information should be used to develop detection rules in a security information and event management (SIEM) solution, next-generation firewall (NGFW), and other security solutions.
- Incident Investigation: The MITRE ATT&CK framework describes how a particular attack works, and the malware that uses certain techniques. This information is invaluable for incident investigation because it allows an investigator to identify the MITRE ATT&CK Technique in use and take advantage of the additional data provided by the framework.
- Infection Remediation: The MITRE ATT&CK framework describes how a particular technique is carried out and the capabilities of different malware samples and threat actors. This can help with remediation efforts since it outlines the actions that an attacker has taken and that must be undone to remove the infection.
- Reporting: By standardizing terminology, the MITRE ATT&CK framework makes reporting simpler. Tools and analysts can generate reports referencing particular techniques in the framework, which provides additional detail and mitigation steps if needed.
- Threat Hunting: The descriptions and detection information provided in MITRE ATT&CK can be invaluable for threat hunting. By performing a MITRE ATT&CK evaluation and working through each of the techniques described in the framework, threat hunters can determine if they have been targeted by attackers using a particular technique and whether or not existing security solutions are capable of detecting and preventing these attacks.
Check Point and MITRE ATT&CK
The MITRE ATT&CK framework is a valuable tool for improving communication and understanding of cyberattacks. CheckPoint has integrated MITRE ATT&CK’s taxonomy into its entire solution portfolio, including Horizon SOC and Infinity XDR. Mappings to MITRE ATT&CK techniques are included in forensic reports, malware capability descriptions, and more.
This provides a SOC analyst with a number of advantages. When analyzing a particular attack, the use of MITRE ATT&CK makes it easy to understand the root causes, attack flow, and the attacker’s intent in each stage. By understanding what the attacker is trying to achieve and how, a SOC team can easily understand the scope of an attack, any necessary remediation, and how to improve defenses for the future.
By integrating MITRE ATT&CK, Check Point Horizon SOC makes cyberattacks more transparent and comprehensible. To see for yourself, check out this demo video. You’re also welcome to sign up for a free trial to see how Check Point and MITRE ATT&CK can simplify and optimize incident detection and response.