Put Together a Winning Game Plan Against Adversaries with MITRE ATT&CK

POSTED BY CYRILLE BADEAU

We recently held a seminar demonstrating how the MITRE ATT&CK framework can be leveraged across an entire cybersecurity practice. During the seminar it became clear to me that Red Team experts, Incident Responders and Cyber Threat Intelligence analysts have a clear understanding of the framework, but other teams and managers often don’t. So, I came up with an analogy to introduce the concept and make it easy for everyone in your organization to understand.

ATT&CK is a threat analysis framework developed by MITRE to provide a structured understanding of each attack phase (tactics), the possible methodology and tooling used for each phase (techniques), and detection and remediation capabilities (courses of action) for each of those techniques. When described like this, it is easy to see how the purpose and value of MITRE ATT&CK may not be apparent to everyone.

Now imagine that you are a soccer league-1 team coach…

MITRE ATT&CK is a tool that allows you to get a structured and detailed understanding of your opponents’ game strategies. Detailing their techniques (players’ movement combinations) and tactics (successive game phases from backfield up to shooting position), it also provides real-time detection capabilities for each game phase and countermeasures to apply to each player’s movement in each phase in order to prevent them from scoring.

Personally, as a coach, I would use this tool for two main purposes:

1 – Preparing for the next important match: If we are playing Real Madrid in two weeks, I would download the entire MITRE ATT&CK data set on Real Madrid and I would create a specific training program and game plan for my team using MITRE ATT&CK as a structured language to communicate with my players. If all of my players are able to “read” Real Madrid’s game in real time like an open book, as a team we can detect and understand each of their attack phases and prevent their execution. If we fail at stopping them at the initial phase, we will know what phase to expect next based on the players’ positions on the field. By applying this defensive strategy in a consistent way, Real Madrid may never pass the midfield line and never get to a shooting position.

2 – Working on our defensive weaknesses: As a coach, I can imagine being able to ingest into my MITRE ATT&CK framework all the film from my team’s previous games of the season in order to see if I can identify some useful analytics. I may be able to isolate specific, recurring weaknesses in my defense by realizing that most of the goals against us leverage midfield tactics (successive phases) that we don’t detect and mitigate early enough. Isolating those weaknesses and turning them into techniques and tactics would provide a very straightforward training plan for the team. We may have a really successful season!

This is exactly what MITRE ATT&CK is designed to do in the Cyber Defense Chain.

Preparing for the next important threat: Should your national CERT publish a report on a particularly aggressive attack campaign targeting your industry, ingesting this report into the MITRE ATT&CK framework will allow security teams to immediately translate this threat into actions and provide answers to their questions. For example: Is our infrastructure vulnerable to this threat? What has to be deployed in the SOC in order to detect the various phases? What has to be deployed at perimeter SECOPS to prevent the initial phase of execution? What modifications to the infrastructure should be performed to prevent the final phases of execution? As a team, you are more prepared for this next threat. And should the threat have already infiltrated your organization, you know what phase you just detected and what action to take now to stop the attack.

Working on your weaknesses: You also now have “film” to work from! These are the past security incidents (with associated artifacts) and the past SOC sightings (even if those were not turned into incidents when they occurred). Using MITRE ATT&CK to perform analytics on your past incidents and sightings will immediately highlight the recurrent and most effective tactics and techniques used by adversaries against you. With this understanding, you can create a straightforward plan to enhance global defenses. By communicating to all departments the important countermeasures to be applied, using the shared, structured language of the ATT&CK framework, you are able to deliver on a consistent plan and set priorities for all your team players (SOC, IR, SECOPS, Risk management, etc.).
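Both uses described above, as an added example that is not part of the original post or any ThreatQuotient or MITRE tooling: past incidents and sightings tagged with ATT&CK technique IDs are ranked by recurrence against current detection coverage, and a campaign report is checked phase by phase. The technique IDs and names are real ATT&CK Enterprise entries; the incident records, coverage set and campaign mapping are constructed sample data.

```python
from collections import Counter

# Real ATT&CK Enterprise technique IDs, each shown under one of its tactics.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}
# Constructed "film": past incidents (INC) and SOC sightings (SIG), analyst-tagged.
HISTORY = [
    {"id": "INC-001", "techniques": ["T1566", "T1059", "T1003"]},
    {"id": "SIG-014", "techniques": ["T1566", "T1059"]},
    {"id": "INC-002", "techniques": ["T1566", "T1059", "T1021", "T1486"]},
    {"id": "SIG-027", "techniques": ["T1021", "T1003"]},
]
DETECTED = {"T1566", "T1486"}                    # constructed: SOC detection coverage
CAMPAIGN = ["T1566", "T1059", "T1021", "T1041"]  # constructed: CERT report mapping

def technique_frequency(history):
    """Count how many records each technique appears in (once per record)."""
    counts = Counter()
    for record in history:
        counts.update(set(record["techniques"]))
    return counts

def prioritized_gaps(history, detected):
    """Techniques seen in past records with no detection, most frequent first."""
    freq = technique_frequency(history)
    gaps = [(tid, n) for tid, n in freq.items() if tid not in detected]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))

def campaign_readiness(campaign, detected, history):
    """Per technique in the report: tactic, detection status, past sightings."""
    freq = technique_frequency(history)
    return [
        {"technique": tid, "tactic": TECHNIQUES[tid][1],
         "detected": tid in detected, "seen_before": freq[tid]}
        for tid in campaign
    ]

if __name__ == "__main__":
    for tid, n in prioritized_gaps(HISTORY, DETECTED):
        print(f"gap {tid} {TECHNIQUES[tid][0]}: seen in {n} records, no detection")
    for row in campaign_readiness(CAMPAIGN, DETECTED, HISTORY):
        print(row)
```

With this sample data, the execution phase is the most recurrent technique with no detection, and the campaign would only be caught at its initial phase.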

I am not sure if a soccer-specific, “MITRE ATT&CK like” tool exists for coaches (this may be a great business opportunity!), but fortunately this tool does exist for cyber defenders, and it is free of charge thanks to MITRE.

Good luck this season!
