Applying MITRE ATT&CK to your CTI Program

Applying MITRE ATT&CK to your CTI Program
Lauren Place
Read More From Lauren Place
April 7, 2021 | 5 Min Read

In recent years, there’s been an industry-wide movement to look more externally to predict, prevent, and adapt to threats. This shift has resulted in increased demand and consumption of Cyber Threat Intelligence, but it’s often challenging to operationalize. Just reading about a malware a threat actor uses or purchasing access to profiles on the specific social engineering sub-techniques of a threat actor is not, in effect, reducing risk to the business or providing distinct value to security operations teams.

In this blog, we’ll explain the value of the MITRE ATT&CK framework to all sizes of security teams and provide use cases for how to take quicker, more confident action based on Cyber Threat Intelligence with MITRE technique mappings and recommended actions.

What is MITRE ATT&CK?

“MITRE ATT&CK helps you understand how adversaries might operate so you can plan how to detect or stop that behavior. Armed with this knowledge, you can better understand the different ways adversaries prepare for, launch, and execute their attacks.” —MITRE

MITRE ATT&CK is a knowledge base and framework that came about to systematically categorize the tactics, techniques, and procedures (TTPs) of threat actors. Its creation was in response to a more dynamic, fast-paced threat landscape in which defenders needed a better way to track and understand attackers. You can view the framework on the site here for both Enterprise and Mobile. 

At a high level, MITRE ATT&CK consists of the following taxonomy:

  • Tactics: Short-term, tactical goals of threat actors (i.e., Credential Access)
  • Techniques: How threat actors reach tactical goals (i.e., Brute Force)
  • Sub-techniques: More specific methods on how threat actors reach tactical goals (i.e., Password guessing, password cracking)
  • Goals at a lower level than techniques and documentation around threat actor usage of techniques, their procedures, and other metadata.

Why are security professionals using MITRE ATT&CK?

The value in MITRE ATT&CK is security preparedness across any industry vertical or geography. By creating a clear structure to understand how threat actors operators, security teams can better detect threats or put protections to prevent or mitigate a behavior. Through modeling threat actor tactics and techniques, teams can also better assess risk of certain TTPs and prioritize actions accordingly.

Still, many security practitioners struggle to implement MITRE ATT&CK in their organizations. In a recent survey by MITRE Engenuity, “The State of MITRE ATT&CK Threat Defense in 2021 found that while 82% of respondents were aware of the MITRE ATT&CK framework, only 8% reported regular use of the framework. Furthermore, 84% of respondents surveyed noted they had not mapped their data and analytics to ATT&CK techniques.

How to apply MITRE ATT&CK to your security organization?

Any security professional interested in applying MITRE techniques should read this excellent blog by Katie Nickels on getting started with MITRE. While teams of all sizes can forge their path with stand-alone investigations, approaches will differ on size and maturity.

All teams should start with threat actors who have recently targeted their industry and geography. For early-stage teams, it’s better to utilize MITRE to focus on detection, whereas later-stage and more mature teams can use this intelligence to begin to prioritize implementation of defense and mitigation procedures across the breadth of threat actors targeting their industry and geographic location. You can see a helpful list of mitigations on MITRE’s website.

How SearchLight Maps to MITRE ATT&CK

SearchLight first identifies threat actors targeting the organization’s sector and geography. This enables resource-stretched teams to focus on the most relevant threats. From here, users can navigate to the threat actor profiles and view the associated techniques. 

Filtering Actors By Target Sector in SearchLight

SearchLight provides mapping of MITRE techniques and powerful visualizations of threat actor associations and subtechniques. Clients get detailed insights into patterns of threat actor behavior with additional context and analysis provided by Photon Research, continually updated as new activity emerges. This enables security teams to take a more strategic response. 

Techniques and Subtechniques view in the Threat Actor Profile for Lazarus Group

For further details about the identified techniques, SearchLight users can navigate to the individual technique pages, which provide mitigation and detection advice. Our previous post on Mapping The ASD Essential 8 To The Mitre ATT&CK™ Framework outlines a pragmatic set of mitigation strategies applied to the MITRE framework.

Overview View of the MITRE Technique Profile for Phishing

Free resources to learn more on MITRE

To learn more about threats relevant to your sector and geography, Digital Shadows also offers a test drive of our Threat Intelligence library which can save hundreds of hours in analyst investigation on research, combing, analyzing, and reporting on TTP’s and threat actors across open, closed, and technical sources.

In search of ways to skill up yourself or your team on MITRE ATT&CK? Cybrary, and MITRE Engenuity recently announced a partnership to offer MITRE ATT&CK Defender (MAD), a new online training and certification solution designed to enable defenders to gain the advantage over cyber adversaries.

Alternatively, to view our previous intelligence on MITRE ATT&CK, check out our

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us