Leveraging the MITRE ATT&CK framework to build a threat-informed defense

In this guest blog post, Bradley Schaufenbuel of Paychex writes about how security teams can leverage the MITRE ATT&CK framework to mount a “threat-informed” defense. This post originally appeared as an article in SC Magazine.

No security team has unlimited resources with which to fend off attackers. Faced with limited time, staff, and budget in a rapidly evolving threat landscape, many organizations lack the visibility into the effectiveness of their security controls that they need to ward off attackers successfully. Security teams need a practical, straightforward way to measure their company’s security performance, and that means deciding deliberately where to focus their limited resources. A threat-informed defense provides that focus.

This approach to cybersecurity strategy is rooted in the belief that organizations must spend their limited resources defending against the known threats that target them. But how does a company know which threat actors are taking aim at it? That’s where the MITRE ATT&CK framework comes in. This globally available knowledge base of adversary tactics, techniques and procedures (TTPs), drawn from real-world observations, has given organizations in the public and private sectors a reliable reference to shape their defenses against since its public release in 2015. The MITRE Corporation is a not-for-profit organization that operates federally funded research and development centers in the public interest, and ATT&CK and the ATT&CK Navigator are freely available for anyone to use.

Let’s explore how MITRE ATT&CK lets security teams move from an ad hoc mentality of meeting cybersecurity guidelines to deliberately thwarting known threats.

Understand the TTPs known adversaries use

Most organizations have an idea of which threat groups are most likely targeting them. Too often, however, they lack a clear understanding of the specific tactics and techniques those attackers actually use, so they have no principled way to decide which controls will prevent an intrusion. That is where MITRE ATT&CK data helps. It remains important not to ignore the techniques used by less likely attackers, but the ATT&CK framework lets security teams focus their effort by prioritizing the detection and mitigation guidance for the techniques their known adversaries use.

Security teams can use the ATT&CK Navigator to discover and document how frequently particular techniques recur across the groups that concern them, as well as gaps to address in red, blue, and purple team preparation. Open the ATT&CK Navigator in a web browser, select the “Search and Multi-select” button and choose the relevant threat actors from the “Threat Groups” list. The techniques attributed to the selected threat actors are highlighted on the matrix. Security teams will likely find that the techniques used by the threat actors targeting their organization are a small subset of all the techniques ATT&CK tracks. Bear in mind that ATT&CK’s group-to-technique mappings reflect only publicly reported activity; a technique absent from a group’s profile is not evidence that the group never uses it.

Mount a skilled defense

After establishing which techniques likely adversaries use, the next step is learning which controls to put in place to detect and block them. The ATT&CK Navigator helps here too: any technique on the matrix can be opened to view its ATT&CK entry, which lists detection guidance (the data sources to collect and what to look for in them) and the mitigations that block or reduce the impact of an adversary using that technique.

The more detections and mitigations an organization puts in place for each technique, the more likely its blue team can detect and stop an attacker using it. The ATT&CK Navigator also lets users create and combine multiple layers. A security team can create one layer per likely threat actor, score every technique that actor uses under “Technique Controls,” then create a new layer via “Create Layer from other layers” with a score expression that adds the per-actor layers together (for example, a + b + c). The resulting layer contains every technique used by any of the likely threat actors, and techniques shared by several actors receive higher scores and therefore a stronger color on the layer’s gradient. Combining layers in this way lets security teams prioritize the implementation of controls for the techniques that recur most.
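The per-group selection described above and the layer-combining step can also be done outside the browser, which is useful when the list of groups changes or the result needs to feed a ticketing or detection-engineering backlog. The following script is an added example, not code from the original article or from MITRE: it builds one Navigator layer per group, combines them the way a score expression of a + b + c would, and emits layer JSON that the ATT&CK Navigator can open. The technique IDs are genuine ATT&CK enterprise IDs, but the mapping of which hypothetical group uses which technique is constructed for illustration and is not real attribution; in practice that mapping comes from the Navigator’s “Threat Groups” search or the ATT&CK STIX data.

```python
import json

# Constructed sample data (NOT real attribution). Technique IDs are real ATT&CK
# enterprise IDs; the groups are hypothetical and which group uses what is made up.
GROUP_TECHNIQUES = {
    "Group A": {"T1566.001", "T1059.001", "T1078", "T1021.001", "T1486"},
    "Group B": {"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1041"},
    "Group C": {"T1190", "T1059.003", "T1078", "T1021.001", "T1041"},
}

# Navigator layer format metadata; adjust to the ATT&CK/Navigator version you run.
VERSIONS = {"attack": "13", "navigator": "4.8.2", "layer": "4.4"}


def build_group_layer(name, techniques, score=1):
    """One layer per likely threat group: every technique that group uses scores 1,
    mirroring 'assign a score under Technique Controls' in the Navigator UI."""
    return {
        "name": name,
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score, "enabled": True}
            for tid in sorted(techniques)
        ],
    }


def combine_layers(layers):
    """Equivalent of 'Create Layer from other layers' with score expression a+b+c:
    a technique's combined score is the sum of its scores across the input layers,
    i.e. the number of groups that use it when each input layer scores techniques 1."""
    scores, users = {}, {}
    for layer in layers:
        for entry in layer["techniques"]:
            tid = entry["techniqueID"]
            scores[tid] = scores.get(tid, 0) + entry["score"]
            users.setdefault(tid, []).append(layer["name"])
    max_score = max(scores.values(), default=1)
    return {
        "name": "Combined: " + " + ".join(layer["name"] for layer in layers),
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        # Highest score first so the top of the list is the top of the backlog.
        "techniques": [
            {
                "techniqueID": tid,
                "score": score,
                "enabled": True,
                "comment": "Used by: " + ", ".join(users[tid]),
            }
            for tid, score in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
        ],
        # Gradient from white (score 0) to dark red (max): shared techniques stand out.
        "gradient": {"colors": ["#ffffff", "#ff6666", "#8b0000"],
                     "minValue": 0, "maxValue": max_score},
    }


def prioritized(combined, min_score=2):
    """Technique IDs scored at least `min_score`, i.e. used by that many groups.
    These are the first candidates for detections and mitigations."""
    return [e["techniqueID"] for e in combined["techniques"] if e["score"] >= min_score]


def build_combined_layer(group_techniques=GROUP_TECHNIQUES):
    layers = [build_group_layer(name, techs) for name, techs in group_techniques.items()]
    return combine_layers(layers)


if __name__ == "__main__":
    combined = build_combined_layer()
    # Save and open this file in the ATT&CK Navigator via "Open Existing Layer".
    with open("combined-threat-groups.json", "w") as fh:
        json.dump(combined, fh, indent=2)
    print("Techniques used by two or more groups:", prioritized(combined))
```

The `comment` field on each technique carries the list of groups behind the score, so hovering a cell in the Navigator answers “why is this red?” without reopening the per-group layers. Raising `min_score` narrows the backlog to the techniques with the broadest overlap; lowering it to 1 gives the full union the article describes.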

Achieve a threat-informed defense

By focusing on known threats and continuously testing defenses against them, security teams evolve from a reactive to a proactive posture and attain a threat-informed defense that puts them in a better position to make meaningful, measurable improvements to their program. This understanding of the threats that matter most translates into better protection against, detection of, and mitigation of cyberattacks.

Bradley Schaufenbuel is vice president and CISO of Paychex and a member of AttackIQ’s Informed Defenders Council. This article originally appeared in SC Magazine on July 28, 2022.