MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques and Common Knowledge. It’s a curated knowledge base of adversarial behavior based on real-world observation of APT campaigns.

The original impetus for the project was to answer the question, “How are we doing at detecting documented adversary behavior?” MITRE ATT&CK v1 was released in 2015, and since then, it has seen rapid growth and adoption across multiple domains such as risk management, threat intelligence, incident response and threat hunting, secure configuration and security engineering, among others.


The main components of ATT&CK are adversarial behaviors, structured as a taxonomy of tactics, techniques and sub-techniques; other components such as software, APT groups and mitigations are linked to each other and to those behaviors through defined relationships. Techniques and sub-techniques are abstracted from the actual procedures adversaries use, while tactics classify adversary objectives, similar to a kill chain but nonlinear. Together these provide a common vocabulary for categorizing specific attacking or defending behavior.

However, because ATT&CK is abstracted from specific procedures, it may not be immediately clear how to use the framework in a practical way. This is an issue that affects all taxonomies, classifications and ontologies. On their own, they don’t do much.

So, here are five things you can do with ATT&CK.

Map defensive controls to ATT&CK

A mapping between defensive controls and ATT&CK—for example, the Center for Threat-Informed Defense’s mapping of NIST SP 800-53 to ATT&CK—gives an organization a foundation for assessing its security controls against classes of adversarial behavior: each technique with no mapped control is a visible gap, and the gaps can be rolled up by tactic.
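As an added illustration of what such a mapping lets you do (example code written for this page, not the Center for Threat-Informed Defense’s mapping or tooling), the script below holds a constructed slice of the ATT&CK taxonomy and a constructed control-to-technique mapping, then reports the techniques in each tactic that no control covers. The control-to-technique pairs are illustrative assumptions, and the rule that a control mapped to a parent technique also covers its sub-techniques is this example’s own simplification.

```python
"""Illustrative control-to-ATT&CK coverage check (added example, not from the article)."""
from collections import defaultdict

# Constructed sample: a small slice of the ATT&CK taxonomy keyed by technique ID.
# Sub-technique IDs carry the parent ID before the dot (e.g. T1059.001 -> T1059).
TECHNIQUES = {
    "T1566":     {"name": "Phishing", "tactic": "Initial Access"},
    "T1566.001": {"name": "Spearphishing Attachment", "tactic": "Initial Access"},
    "T1078":     {"name": "Valid Accounts", "tactic": "Initial Access"},
    "T1059":     {"name": "Command and Scripting Interpreter", "tactic": "Execution"},
    "T1059.001": {"name": "PowerShell", "tactic": "Execution"},
    "T1021":     {"name": "Remote Services", "tactic": "Lateral Movement"},
}

# Constructed sample mapping: NIST SP 800-53 control ID -> ATT&CK technique IDs.
# The pairs are illustrative assumptions, not the CTID mapping the article cites.
CONTROL_MAP = {
    "AT-2": ["T1566", "T1566.001"],   # awareness training
    "SI-3": ["T1566.001"],            # malicious code protection
    "CM-7": ["T1059"],                # least functionality
}

def parent_of(tid):
    """T1059.001 -> T1059; a top-level technique has no parent."""
    return tid.split(".")[0] if "." in tid else None

def covered_techniques(control_map, techniques):
    """Technique IDs with at least one control. Assumption: a control mapped
    to a parent technique is treated as covering its sub-techniques."""
    direct = {t for tids in control_map.values() for t in tids}
    return {t for t in techniques if t in direct or parent_of(t) in direct}

def coverage_gaps(control_map, techniques):
    """Tactic -> sorted list of technique IDs with no mapped control."""
    covered = covered_techniques(control_map, techniques)
    gaps = defaultdict(list)
    for tid, info in techniques.items():
        if tid not in covered:
            gaps[info["tactic"]].append(tid)
    return {tactic: sorted(tids) for tactic, tids in gaps.items()}

def controls_for(tid, control_map):
    """Controls relevant to one technique, including those mapped to its parent."""
    wanted = {tid, parent_of(tid)}
    return sorted(c for c, tids in control_map.items() if wanted & set(tids))

if __name__ == "__main__":
    for tactic, tids in coverage_gaps(CONTROL_MAP, TECHNIQUES).items():
        print(f"{tactic}: no control mapped for {', '.join(tids)}")
```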

Drive Threat Intelligence

According to Sergio Caltagirone, threat intelligence is “actionable knowledge and insight on adversaries and their malicious activities enabling defenders and their organizations to reduce harm through better security decision-making.” The practice of producing threat intelligence is answering the who, what, (Read more...)