The MITRE ATT&CK Framework has gained a lot of popularity in the security industry over the past year.

I have spent a lot of time researching the hundreds of techniques, writing content to support the techniques, and talking about the value to anyone who will listen.

What is the MITRE ATT&CK Framework?

For those who are not familiar, ATT&CK is the Adversarial Tactics, Techniques, and Common Knowledge framework available from MITRE. It is a curated knowledge base of 11 tactics and hundreds of techniques that attackers can leverage when compromising enterprises.

There are five things I love about the various techniques.

Description

First is the description that each provides. Even though I have been in the security industry for what seems like a long time now, there’s always something new to learn. For all of the techniques with which I was not familiar, there were descriptions breaking down how the technique is leveraged and why it may be important for defenders to take a look.

Platform and Data Sources

From a practitioner standpoint, the platform and data sources sections are incredibly valuable because they tell me which systems I need to be monitoring and what I need to be collecting from them to mitigate and/or detect abuse of the technique. In some cases, there is detailed guidance on how to mitigate the technique or what specifically to monitor for. However, many of the techniques lack prescriptive guidance.
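As an added example (not part of this post), the platform and data sources fields can be turned into a monitoring-gap check: the script below parses a constructed, hypothetical STIX-style bundle shaped like MITRE's enterprise-attack.json and lists, for each technique on a given platform, the data sources that are not yet being collected. The field names x_mitre_platforms and x_mitre_data_sources are the ones the real bundle uses; the technique IDs, names and values are placeholders written for this example.

```python
import json

# Constructed miniature of an ATT&CK Enterprise STIX bundle, written for this
# example. MITRE's real enterprise-attack.json uses attack-pattern objects with
# the same x_mitre_platforms / x_mitre_data_sources fields, but the IDs, names
# and values below are placeholders, not real techniques.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Placeholder Script Execution",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}],
     "x_mitre_platforms": ["Windows", "Linux"],
     "x_mitre_data_sources": ["Process monitoring", "Process command-line parameters"]},
    {"type": "attack-pattern", "name": "Placeholder Credential Access",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}],
     "x_mitre_platforms": ["Windows"],
     "x_mitre_data_sources": ["API monitoring", "Process monitoring"]},
    {"type": "attack-pattern", "name": "Placeholder Cloud Misuse",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9003"}],
     "x_mitre_platforms": ["AWS"],
     "x_mitre_data_sources": ["AWS CloudTrail logs"]},
    {"type": "relationship", "relationship_type": "uses"},  # not a technique; skipped
]})


def load_techniques(bundle_json):
    """Map ATT&CK ID -> name, platforms and data sources for each attack-pattern."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        # The ATT&CK ID lives in the external reference whose source is mitre-attack.
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        techniques[ext_id] = {"name": obj["name"],
                              "platforms": set(obj.get("x_mitre_platforms", [])),
                              "data_sources": set(obj.get("x_mitre_data_sources", []))}
    return techniques


def coverage_gaps(techniques, platform, collected):
    """Data sources of techniques that apply to `platform` which are not collected.

    An empty list means every listed source is collected, i.e. the detection
    opportunity exists even if no rule has been written for it yet."""
    collected = set(collected)
    return {tid: sorted(t["data_sources"] - collected)
            for tid, t in techniques.items() if platform in t["platforms"]}
```

Running `coverage_gaps(load_techniques(SAMPLE_BUNDLE), "Windows", {"Process monitoring"})` returns the command-line and API monitoring sources as the remaining gaps for the two Windows techniques.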

Examples and Guidance

That’s where the examples come in handy. Every technique is based on real-world examples of how it has been leveraged by a piece of malware or by a threat actor group’s campaign. Each example, and many of the other sources, is cited Wikipedia-style, linking to published articles from various blogs and security research teams.

If there isn’t guidance directly