Are You Maximizing MITRE ATT&CK? Insights from the new SANS Whitepaper Will Help
POSTED BY LIZ BUSH
The MITRE ATT&CK framework has become a game-changing tool for security teams to assess their organization’s security posture vis-à-vis specific attack methods. Prior to its introduction, hours stretched into days as teams tried to verify attack methods, and it was impossible to know what they didn’t know. With ATT&CK, teams can assess themselves against a continuously updated knowledge base for greater confidence that they aren’t missing critical elements of an attack.
The increasing popularity of the ATT&CK framework comes as no surprise, but in the rush to use it some organizations have encountered challenges or haven’t taken the time to understand and take advantage of its many uses. Now is an ideal time to gain a deeper understanding of ATT&CK as MITRE is making a few important changes to the framework, specifically changing how the data in the knowledge base is structured to include sub-techniques—additional child techniques under each technique, where appropriate.
To help educate the breadth of MITRE ATT&CK users on its value to security operations and beyond, SANS has issued a new whitepaper, Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework. Download your complimentary copy for an overview of the key concepts of the framework (including the addition of sub-techniques), as well as tips to overcome challenges and gain even more value.
As the paper outlines, a primary use of the ATT&CK knowledge base is as a source of cyber threat intelligence—a way to know your enemy. For the greatest success, SANS recommends integrating ATT&CK data with your existing tools and correlating the data with data from other internal and external sources for context and relevancy. ThreatQuotient integrates components of the framework into the ThreatQ platform to make the information contained within the framework actionable for a range of use cases, including spearphishing, threat hunting, incident response, vulnerability management and alert triage. The ThreatQ MITRE Mapper integration offers a tool to automatically establish relationships between MITRE ATT&CK techniques and threat and event data that has been ingested into the ThreatQ platform from internal and external sources. While working within the ThreatQ platform, teams can use the framework to accelerate detection and response proactively and collaboratively. You can learn more here.
Security teams can also use the framework to understand their own ability to defend against specific techniques, and can prioritize plans for improvement because each technique entry in the knowledge base includes information about how to detect and mitigate it. With this information you can home in on gaps in data sources, aggregation tools and analytic capabilities. A third use for the framework is to perform analytic testing via atomic testing, red and purple team exercises, and adversary emulation. SANS describes each of these in detail.
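The coverage assessment described above (each technique lists the data sources useful for detecting it, so a team can see where its own telemetry falls short) can be worked through in code. The following Python is an added example, not code from the SANS paper or from the ThreatQ platform. The technique records and the detection inventory are constructed sample data: T1566 and T1059 and their sub-techniques are real ATT&CK ids, but the data source names are simplified, and the parent/sub-technique relation is derived from the "T1234.001" id form that the sub-technique restructuring introduced.

```python
"""Coverage-gap analysis over ATT&CK techniques and sub-techniques.

Added illustration, not code from SANS or ThreatQuotient. All technique
records and detection inventories below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Technique:
    tid: str                      # "T1566" or sub-technique "T1566.001"
    name: str
    data_sources: Tuple[str, ...]  # sources ATT&CK lists as useful for detection
    parent: Optional[str] = None  # parent technique id for sub-techniques


def parent_of(tid: str) -> Optional[str]:
    """Sub-technique ids have the form <parent>.<nnn>; top-level ids have no parent."""
    return tid.split(".")[0] if "." in tid else None


def build_catalog(records: List[Tuple[str, str, List[str]]]) -> Dict[str, Technique]:
    """Return {tid: Technique}, deriving each parent from the id form."""
    return {tid: Technique(tid, name, tuple(sources), parent_of(tid))
            for tid, name, sources in records}


def coverage_report(catalog: Dict[str, Technique],
                    detections: Dict[str, Set[str]]) -> Dict[str, str]:
    """Classify each technique as covered, partial or gap.

    detections maps a technique id to the data sources the SOC actually
    collects and analyses for it. A parent technique that is itself a gap
    is promoted to partial when any of its sub-techniques is not a gap.
    """
    status: Dict[str, str] = {}
    for tid, tech in catalog.items():
        have = detections.get(tid, set())
        needed = set(tech.data_sources)
        if not needed:
            status[tid] = "n/a"
        elif needed <= have:
            status[tid] = "covered"
        elif have & needed:
            status[tid] = "partial"
        else:
            status[tid] = "gap"
    # Roll-up: a parent inherits partial coverage from its children.
    for tid, tech in catalog.items():
        if tech.parent and status[tid] != "gap" and status.get(tech.parent) == "gap":
            status[tech.parent] = "partial"
    return status


def missing_data_sources(catalog: Dict[str, Technique],
                         detections: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Rank absent data sources by how many technique gaps each would help close."""
    counts: Dict[str, int] = {}
    for tid, tech in catalog.items():
        have = detections.get(tid, set())
        for src in tech.data_sources:
            if src not in have:
                counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: real ATT&CK ids, simplified data source names.
SAMPLE_TECHNIQUES = [
    ("T1566", "Phishing", ["Network Traffic", "Application Log"]),
    ("T1566.001", "Spearphishing Attachment", ["File", "Network Traffic", "Application Log"]),
    ("T1566.002", "Spearphishing Link", ["Network Traffic", "Application Log"]),
    ("T1059", "Command and Scripting Interpreter", ["Command", "Process"]),
    ("T1059.001", "PowerShell", ["Command", "Process", "Script"]),
]

# Constructed sample: what this hypothetical SOC actually collects per technique.
SAMPLE_DETECTIONS = {
    "T1566.001": {"File", "Network Traffic", "Application Log"},
    "T1059": {"Process"},
    "T1059.001": {"Process"},
}


def run_sample() -> Tuple[Dict[str, str], List[Tuple[str, int]]]:
    catalog = build_catalog(SAMPLE_TECHNIQUES)
    return (coverage_report(catalog, SAMPLE_DETECTIONS),
            missing_data_sources(catalog, SAMPLE_DETECTIONS))


if __name__ == "__main__":
    report, missing = run_sample()
    for tid, state in report.items():
        print(f"{tid:<10} {state}")
    print("data sources to add, most gaps closed first:", missing)
```

Running the sample shows why the roll-up matters: the parent technique T1566 has no direct detection, but because its sub-technique T1566.001 is fully covered it is reported as partial rather than as an outright gap, while T1566.002 remains a true gap. The ranked list of missing data sources is the prioritization input the paper refers to: it tells the team which telemetry to add first.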
In the paper, SANS also shares a few common pitfalls and how to avoid them. These include becoming overwhelmed by the number of techniques to choose from, finding the right level of assessment detail, and staying current with the continuous updates to the framework. If you’re using, or thinking of using, MITRE ATT&CK to strengthen your security operations, download this valuable resource now.