Why you should use the MITRE ATT&CK® framework for more than just compliance

Compliance is not security. 

While frameworks such as the NIST Cybersecurity Framework and ISO 27001 prioritize and standardize security best practices to help organizations earn and maintain compliance, they lack the practical, daily guidance CISOs need to accurately identify and evaluate whether their current security controls can defend against cyber threats.

For CISOs, proactively preparing for unknown cyber threats means that securing funding for future security investments is essential. However, communicating security metrics to the board is complicated and difficult.

CISOs have struggled in the past to properly identify and communicate the existing cyber security risk, and typically share metrics such as: 

  • How many events did we work last quarter?  
  • How many resulted in a breach/incident? Did we have any ransomware payments this month?
  • What is the current state of our network? 

While these metrics are important, they do not properly capture your organization's ability to prevent, detect, or respond to the latest attack trends. And without any context, they won't mean much to your leadership.

Enter the MITRE ATT&CK® framework. It gives your teams a step-by-step playbook on the tools, tactics, and procedures a future attack may apply. These playbooks are a tremendous resource that security teams can use to validate their capabilities or to reveal where mitigating controls need improvement.

Before, when an adversary attacked, the only way to determine their objective was based on institutional knowledge and gut instinct. And contrary to what we’d like to believe, our gut is not a reliable barometer to gauge cyber threats. 

Mapping out the characteristics and specific tools used in an attack across the MITRE ATT&CK® framework helps your SOC team assess the current effectiveness of your existing security measures and the impact of the attack. 

But rather than waiting for a potential attack, CISOs should encourage their teams to use the MITRE ATT&CK® framework as a granular way to proactively and continuously build out and test their security measures against current cyber attack trends.

By using the matrix to help measure your team's capabilities, you can justify training and investment decisions in a very defensible manner based on the detection gaps that you reveal, and you can track the performance of your team's defensive posture against adversaries.

But a key piece of the puzzle is still missing: Without full visibility into your threat landscape, it's hard to detect and track behaviors early in the intrusion cycle.

While it’s easy for hackers to bypass signature-based detection mechanisms, their attack behaviors, tools, tactics and procedures are very difficult to change, and a detection strategy focused on these behaviors remains the best way to improve our detection and response times. 

Because ATT&CK® is a constantly evolving open-source matrix, it helps uncover and reveal other attack groups that are coming into play, changes in attack groups, and changes in TTPs as adversaries adjust their approach. 

But to detect threats "left of boom," you not only need full visibility into your threat landscape and current security practices, but also need to know what's happening within your industry. That's where applying a Collective Defense strategy, in conjunction with the MITRE ATT&CK® framework, can help: Being able to see attack intelligence that has been shared in a secure and anonymous environment among companies across an industry sector can give CISOs a unique level of visibility (think of it as an early warning system) into attacks that may be heading their way, and lets them compare notes with other security professionals and take action before damage is done.

Present that at your next board meeting, instead of the incident response results from your latest breach.

*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by Bill Swearingen.