The MITRE ATT&CK® knowledge base was developed to help security professionals make sense of the near-infinite variety of tactics and techniques attackers use to infiltrate networks, steal data, extort payments, or otherwise do harm to legitimate businesses and their reputations. This “globally accessible knowledge base of adversary tactics and techniques based on real-world observations” has become popular as it meets a very real need: it provides a list of methods by which enterprise IT environments can be compromised, and the information is detailed and highly specific. If you can defend against every technique that’s mentioned in the framework, the common wisdom goes, your environment will be fundamentally secure.

Respond Analyst & MITRE ATT&CK

MITRE ATT&CK: Strengths and Limitations

The MITRE ATT&CK knowledgebase enables security professionals to move beyond identifying the simplest—and easiest to modify—indicators of malicious activity, such as file signatures associated with known malware or IP addresses linked to phishing attempts, to instead train their attention upon adversaries’ behaviors.

Because it’s grounded in real-world observations, it’s applicable to real IT environments: any of the attack scenarios described in the ATT&CK framework can be emulated by red teams or in penetration tests. And because it’s behavior-focused, the framework can help security analysts understand the “how” and “why” of particular malicious activities.

However, with more than 500 activities described among the adversarial techniques, the framework is large and complex. It would be extremely challenging for any organization to defend against all of them, all the time.


Mapping your sensor grid’s detection capabilities against actual attacker tactics and behaviors

Security teams can employ the ATT&CK framework as a way to map their sensor grid’s detection capabilities against real-world attackers’ tactics, techniques, and procedures.

For example, the coverage offered by an individual network intrusion detection system (NIDS) can be compared with the full catalog of attack techniques in the framework to evaluate how well it can actually monitor—and thus enable protection of—the environment. Security sensors are like the eyes and ears of a security operations team: the higher the quality—and the greater the quantity—of the information they report, the better you’ll be able to detect malicious activity.


Designing a sensor grid according to the MITRE ATT&CK framework

Sensor diversity and overlapping coverage is best. It might seem obvious, but if you were to compare the volume and quality of the sensor data you’d get from implementing tools from all the various NIDS, endpoint protection platforms (EPPs), endpoint detection and response (EDR) systems, URL filtering tools, and other security sensors, you’d find that all of them, used together, would provide tremendously deeper coverage across the entire taxonomy of attacks than any single data source.

Because any individual vendor’s solution has the potential to miss particular attack techniques, this really is a case where “the more, the merrier” is true. What types of traffic are you monitoring? Does your sensor grid include east-west network coverage? The depth and breadth of information you are gathering is of critical importance here. Including solutions from multiple vendors can help ensure you against security flaws or poor signature-writing on one vendor’s part.

Tune to 11 - Marshall Font (1)

Turn up the volume, tune up your sensors

Whenever you tune down your network sensors, you are excluding potentially valuable and illuminating information from consideration. No matter how carefully you construct rules and policies, you still inherently increase the risk that an attacker will evade detection with every alert you dismiss without analysis or consideration.

Unless it’s being managed and monitored, you’re not deriving real value from your security sensor data.

Information that’s collected only to be stored within a data lake or security information and event management (SIEM) software without subject to monitoring or analysis will never help you detect attacks that are in progress. Though the argument is often made that this log data can be useful after the fact for forensic purposes, making post-breach investigations easier isn’t the same as reducing your organization’s real risks.

Security analysis software:
the most critical tool for deepening sensor grid coverage

Designing a security sensor grid that can monitor for more of the techniques and procedures in the ATT&CK framework also demands that your SecOps team maintain the capability to monitor these sensors—thoroughly, with care, and continuously. Implementing an automated software solution that’s able to make deeply analytical decisions about what’s likely to be worthy of further investigation is essential to achieving this degree of coverage.

With the latest generation of automated security monitoring technologies, including Decision Automation, you’re able to bring together a broad array of information from multiple security sensor sources within a single, integrated virtual analyst. The intelligent decision engine can correlate data across the various sources for enhanced effectiveness; the more multi-source corroboration that can be achieved, the more accurate and comprehensive your monitoring will be.

Given the MITRE ATT&CK framework’s complexity, it’s near-impossible for human security analysts working without the assistance of security automation software to achieve real coverage of even a small fraction of the attack methods it catalogs. With Decision Automation onboard your team, however, it’s possible to perform at an entirely new level.