How to use the MITRE ATT&CK framework with threat intelligence

What is the MITRE Att&CK framework?

MITRE ATT&CK® is a globally accessible knowledge base of 14 adversary tactics and over 500 techniques based on real-world observations. The first model was proposed in 2013 and publicly released in 2015 which has been gathering momentum over the last couple of years. The MITRE ATT&CK framework provides an industry leading standard to help organizations develop, organize and use a risk-based strategy to inform defense strategies – that can be communicated in a standardized way across organizations and vendors to drive effective risk assessment based on observed incidents.

In the past, security teams have struggled to understand their entire attack surface and verifying attack methods, leading to them falling victim to cyber-attack from a false sense of security and overconfidence in their ability to defend against it. The ATT&CK project came along with the goal of eliminating this problem – the knowledge base was born to create a clear structure by providing a categorized list of all known attack methods and marrying it with threat intelligence on groups that use them.

In addition, the ATT&CK framework identifies critical information on the software hackers will look at to implement an attack and provides direction on the most effective defense measures to reduce this risk. The objective of the ATT&CK framework is to provide an evolving list of techniques used by adversaries so that security teams can trust and use with confidence to defend against them.

Source: https://attack.mitre.org/

Using MITRE ATT&CK framework with threat intelligence

Organizations can use the ATT&CK framework to form conclusions based on verified data and the kill chain structure to improve prioritization and remediation strategies based on observations from real-world cybercriminal activity. Gartner’s analysis of the framework says the criteria for defining Tactics, Techniques, and Procedures (TTPs) in MITRE’s data provides an in-depth knowledge base of attack intelligence – making it easier and more straightforward to apply these into your own investigations.

Organizations can start by looking at a specific threat groups with an interest in stealing your data or assets based on who they’ve previously targeted. Once the threat groups of interest are identified from MITRE, you can leverage the insights to look at the specific TTPs being used. By understanding common TTPs from groups who you think will attack your organization, you can begin to form a prioritized list of detection and prevention controls that your security teams need to put in place and to reduce risk.

For more mature organizations, you can leverage threat intelligence to enrich what is already known about these groups by linking attack patterns and behaviors from specific threat actor campaigns, tools and feeds this information in an automated and usable way to help focus defensive activities. Identifying if specific tools and/ or software are being used, and whether these are reliant on any known vulnerabilities to gain access and establish a foothold.

Having access to this level of information allows businesses to better understand adversary behavior, campaigns and targets – including planned attacks on a specific company or sector, and advanced knowledge on the TTPs threat actors are using – to drive defensive responses and preventive action strategies ahead of time to deal with potential exploits.

Mapping MITRE ATT&CK to CVEs

While the ATT&CK framework and threat intelligence seem a natural fit, can it be applied to CVEs? Historically threat management and vulnerability management have been seen as separate disciplines, but as the vast majority of attacks in the wild target a handful of CVEs, there’s a strong case for linking CVE exploits to what the attacker is trying to achieve. Let’s look at how traditional vulnerability management can be improved with threat intelligence and TTPs from the ATT&CK framework:

“Find and fix” game – traditional vulnerability management takes a ‘find and fix’ approach by scanning infrastructure and assessing for vulnerabilities, and using the CVSS severity score to prioritize remediation. Despite being a severity indicator, CVSS score is static and limited – as it doesn’t take the external threat context into account and has no links to critical assets within your business, meaning you could be wasting time on fixing vulnerabilities that doesn’t pose a risk in the first place. So it’s only good for less mature organizations with smaller and static digital estates.

“Vulnerability risk” game – level 2 is risk-based vulnerability management. This approach enables organizations to better understand the asset exposure with added threat intelligence to include information on whether a vulnerability is being exploited in the wild or how likely it will be exploited – essentially a vital prediction to help drive proactive remediation by surfacing the most dangerous and imminent risks first to aid vulnerability prioritization and shorten exposure time. Ideal for organizations with larger estates and security teams overwhelmed by the growing number of CVEs to remediate.

“Threat vector” game – level 3 is about understanding how the attacker uses vulnerabilities to achieve their goals and linking these to TTPs from the MITRE ATT&CK framework. This approach starts with the attacker and uses threat intelligence to evaluate who may pose a risk to your organization, combining that with the MITRE ATT&CK framework to understand how they can compromise your organization i.e. TTPs, and then assess how a CVE can impact you across the attack path. This advanced approach means you can map and narrow down risks against your own list of hacker centric criteria, such as geographical spread, specific sectors and the types of organizations being targeted. Many security tools now come with signature sets already classified into categories that label alerts with the corresponding ATT&CK tactics and techniques they represent. This classification makes it easy to immediately start creating metrics and labeling the activity security teams can be alerted to with verified information from the ATT&CK techniques framework to direct effective remediation. This is the most effective form of threat intelligence—information sourced from actual attacks that have already occurred and categorized by MITRE, providing vital intelligence that can be fed into your vulnerability risk management process easily and automatically – empowering security teams to act quickly and decisively.

This hacker centric approach helps sift down millions of CVEs to imminent threats and drives a more proactive approach to vulnerability remediation which is crucial in the race against Ransomware. This was the case for CVE-2017-0144 (WannaCry vulnerability in 2017) and how TTPs were detected to show the threat of ransomware and mapping this to the vulnerability from MITRE to identify the three areas for patching (active scanning; file and directory discovery and remote system discovery). This might’ve been scored as a medium/ high criticality vulnerability by traditional vulnerability management methods using CVSS, however the additional threat intelligence information provides a quick win from a remediation perspective to prevent elements of this ransomware from taking hold inside an organization.

Conclusion

To advance your vulnerability management program it’s important to use both views from a risk-based angle and threat intelligence angle to understand what risks exist and how threat actors can compromise your organization to create a remediation ‘sweet spot’.

With improved understanding and data it’s possible to map CVEs to the MITRE ATT&CK framework and spot areas where the attack chains exist – allowing businesses to get ahead of exploits which could lead to ransomware and malware attacks.

Finally it’s important to implement changes in a way that matches your organizations maturity level, size and risk appetite. Then thinking about how you can utilize advanced information from MITRE to analyze vulnerabilities from all angles (threat vectors and risk based views) to drive targeted remediation which isn’t always as effective with a traditional CVSS model

Watch our on demand Mapping Vulnerabilities with the MITRE ATT&CK Framework webinar where we discuss how you can map CVE records with the MITRE ATT&CK framework.