Launched in 2015, the MITRE ATTA&CK framework has grown to become a globally accessible knowledge base of adversarial cyberattack tactics and techniques based on real-world observations.
The framework’s knowledge base is used by both private and public-sector organisations of all sizes as a guide for the development of specific IT security threat models and methodologies.
When it created the ATT&CK knowledge base, the US-based MITRE organisation effectively fulfilled its mission to solve problems and create a safer world by bringing together communities that develop more effective cybersecurity.
MITRE ATT&CK helps organisations improve their cyberattack intelligence and build more resilient security defences.
Beginning the challenge
For many organisations looking to improve their IT security defences, the first question asked is where is the best place to start. They wonder how they can gain a better understanding of the threats they face and the best ways to mitigate them.
MITRE ATT&CK is a great place to start. It provides real-world examples of threats and their potential to inflict disruption and damage.
It is also a good way to also gain an understanding of some of the less common attack techniques that could be experienced. Dubbed the ‘long tail’, these techniques could have been in the wild for an extended period and still pose a significant threat, however they tend to not be the focus of attention for IT security teams.
MITRE ATT&CK also helps security teams better discover events on a network that could be indicators of an attack. When certain events occur at a similar time, they could indicate that a cybercriminal has gained access and is moving laterally through a network.
Such events can be difficult to spot among the large volume of legitimate activity taking place. However, by taking advantage of the MITRE ATT&CK knowledge database, security teams are better able to spot grouped events that indicate a security breach.
Artificial intelligence tools can also help security teams with this challenge. The tools can scour large volumes of events and flag those that appear anomalous. In this way teams don’t have to spend large amounts of time combing through event logs but can instead focus their attention on a much smaller number that might actually be an indication of a threat.
The result is significantly improved security for the organisation. Resources are focused on the areas that can deliver the most value rather than being spread across areas and events that are inconsequential in the bigger scheme of things.
Threat-informed defence
The MITRE approach has been dubbed ‘threat-informed defence’ and is being used by increasing numbers of organisations around the world. It essentially shifts the focus of IT security from preparing for all attacks to being watchful for those that are currently being used by cybercriminals.
It can also change the way that IT security is funded. In the past, security teams have either requested funding when a specific threat is identified or worked with a percentage of the overall IT budget that is in line with other organisations of a similar size.
These approaches, however, don’t result in the best possible cybersecurity defences. A better approach is to use a threat-informed defence strategy – supported by MITRE ATT&CK – to focus resources on the areas in which they will make the most difference.
This, in turn, delivers the best returns from money spent while driving up overall protection. It can also help to improve compliance with regulatory requirements.
The cybersecurity landscape is going to continue to evolve in the months and years ahead. By using MITRE ATT&CK to focus resources in the areas and on the threats most likely to cause damage and harm, organisations will be as well placed as they can be to withstand attack.