    Where To Begin With MITRE ATT&CK Matrix

    January 28, 2019


    How You Can Put the MITRE ATT&CK Matrix to Work for Your Security Operations Team

    For many organizations, the goal of cybersecurity is to prevent attackers from breaching their networks, which is of course a valid and legitimate goal. What these organizations aren’t planning for is that the security controls and policies they implement will be circumvented.

    The best security prevention measures react to the threat landscape – they don’t shape it. Whether it’s a human being stealing usernames and passwords or an employee tricked into clicking a malicious link sent via email, intruders are often ahead of the curve.

    Once the adversary has a foothold on the inside, the damage they can do only increases over weeks and months. Collecting personal information, stealing funds, installing additional malware and harvesting intellectual property are just some of the consequences a victim may face.

    Dwell time is the term used to describe how long an intruder had access to an environment before being discovered. According to the SANS 2018 Threat Hunting Survey, average adversary dwell time exceeds 90 days and can stretch to many months or even years.

    The longer a bad actor resides inside your company network, the greater the risk to your customers, finances and reputation – so it’s important to practice with scenarios that assume a successful foothold was obtained.

    Many security practitioners are turning to the MITRE ATT&CK matrix as a means of understanding post-compromise techniques. The ATT&CK matrix is a collection of more than 200 adversary tactics and techniques based on real-world observations and research shared by the global security community. Each technique can be described in terms of the data sources necessary to detect whether it was used.

    The organization behind this framework, MITRE, is a U.S. non-profit organization that manages federally funded research and development centers to gather, organize, and contextualize the universe of tactics and techniques used by cybercriminals.

    Here are a few ways to help put the MITRE ATT&CK matrix to work for you. 

    1. Learn to walk before you run – If you’re just getting started with developing and establishing your security policies, the ATT&CK matrix is not the place to begin. Organizations in the early stages of building up their security processes need to make sure they have good hygiene. Do they have a strong password management system in place? Are they regularly applying patches to their systems? Can they see and stop common malware? Only once a strong foundation for security is in place does it make sense to bring in ATT&CK.

    2. Choose your plan of ATT&CK – They say you have to eat a whale one bite at a time, and ATT&CK requires a similar degree of commitment. Start with the basics: What are your sources of data and how much time do they cover? From there, you can get started with any one of several approaches based on your threat landscape, a specific threat group, a category of techniques, etc.

    3. Test your team’s abilities – Cybersecurity teams frequently use the ATT&CK matrix as a framework to show where the organization has good visibility and protection, and where identified weaknesses need to be addressed. One way our customers have found success is by assessing which data sources they have in a centralized location, the quality of that data, and the period of time that data covers.

    4. Report security readiness to management – ATT&CK can also help security teams have intelligent conversations with business leaders about the state of the organization’s cybersecurity posture. ATT&CK is a common language that organizational leadership can use to improve their ability to communicate with budget and risk owners about the changes in people, process and technology that are necessary to reduce risk and exposure to adversaries. For example, when the security team requests a change to local auditing policies that enhances its visibility into a type of technique, the business can weigh the merits of that visibility against the very real cost of storing and querying that data.

    5. Implement a knowledge management strategy – ATT&CK organizes and curates each technique’s attributes, something that as recently as a few years ago required human “tribal” knowledge. In that all-too-recent time, training might have meant having your security practitioners or analysts spend several months under the guidance of seasoned team members until they had learned all they could from them. Now, security teams have a wealth of knowledge at their fingertips through the ATT&CK knowledge base, enabling you to set a plan of action that improves productivity and efficiency.

    6. Evaluate your security tools – MITRE conducts regular testing and evaluation of Endpoint Detection and Response (EDR) software against its ATT&CK database of activities. MITRE works with EDR vendors to determine how their products can be used to provide visibility into post-compromise events. Because ATT&CK describes only techniques used after an intrusion has occurred, organizations that make ATT&CK part of their security strategy automatically assume a breach is possible in spite of their preventive security stack.
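    Items 2 and 3 above both come down to one question: for each technique, which of its data sources do you actually collect centrally, and how far back does that data reach? The script below is an added example (not from the article or from MITRE) that answers it for a constructed inventory; the technique-to-data-source mapping is an illustrative excerpt written in the style of ATT&CK entries, not the authoritative mapping.

```python
"""Data-source gap assessment for ATT&CK techniques (added example, not the article's).
TECHNIQUES is a constructed excerpt in the style of ATT&CK entries, not the
authoritative technique -> data-source mapping; check attack.mitre.org for the real one."""
from dataclasses import dataclass

# Constructed excerpt: technique id -> (name, data sources that can reveal it).
TECHNIQUES = {
    "T1059": ("Command and Scripting Interpreter", {"process_creation", "command_line"}),
    "T1053": ("Scheduled Task/Job", {"scheduled_job_creation", "process_creation"}),
    "T1003": ("OS Credential Dumping", {"process_access", "command_line"}),
    "T1078": ("Valid Accounts", {"logon_session_creation"}),
    "T1071": ("Application Layer Protocol", {"network_traffic_content"}),
}

# Constructed inventory: data sources actually centralized, with retention in days.
# Data collected on endpoints but never shipped to the SIEM counts as absent.
INVENTORY = {"process_creation": 30, "command_line": 30, "logon_session_creation": 180}

@dataclass(frozen=True)
class Coverage:
    technique: str
    status: str           # "full", "partial" or "none"
    missing: frozenset    # data sources not collected centrally
    lookback_days: int    # weakest retention among the sources we do have (0 if none)

def assess(techniques, inventory):
    """Rate each technique by which of its data sources are present and for how long.
    Lookback is the minimum retention among present sources, since a hunt needs
    all of them for the whole window it investigates."""
    results = []
    for tid, (_, sources) in sorted(techniques.items()):
        present = {s for s in sources if s in inventory}
        missing = frozenset(sources - present)
        if not present:
            results.append(Coverage(tid, "none", missing, 0))
            continue
        status = "full" if not missing else "partial"
        results.append(Coverage(tid, status, missing, min(inventory[s] for s in present)))
    return results

def short_lookback(results, min_days):
    """Techniques we can see, but not far enough back to cover the expected dwell time."""
    return [r.technique for r in results if r.status != "none" and r.lookback_days < min_days]

if __name__ == "__main__":
    results = assess(TECHNIQUES, INVENTORY)
    for c in results:
        print(f"{c.technique}: {c.status:8} lookback={c.lookback_days:3}d missing={sorted(c.missing)}")
    # 90 days matches the SANS 2018 average dwell time cited in the article.
    print("Too little history for a 90-day dwell time:", short_lookback(results, 90))
```

With the constructed inventory, only T1078 can be hunted across a 90-day dwell time; every process-based technique is visible but runs out of history after 30 days, which is the kind of retention trade-off item 4 says the business should weigh.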

    While the ATT&CK matrix is extremely valuable in all these areas, it’s important to remember that the world of cyber attacks is constantly changing. The ATT&CK database is frequently updated, but it is a work in progress and can’t cover every technique or variation as they are discovered. 

    To take advantage of ATT&CK, you must accept and prioritize the importance of visibility within your security operation. Visibility is a word we hear commonly in security, and for good reason. You don’t find what you can’t look for.

    Getting started with ATT&CK is all about understanding and improving visibility. Your teams’ endpoint insight ensures they have the right information at the right time to discover and respond to threats. Security teams that choose to leverage ATT&CK in this way will have a better understanding of observed activity, without wasting time trying to alert on every single technique.

    The cybersecurity world is continuously and rapidly evolving and redefining itself. The best adversaries respond in turn by developing new tactics to achieve their goals. We need frameworks like the MITRE ATT&CK matrix to develop ever stronger cybersecurity programs.

    Related: MITRE ATT&CK Matrix Used to Evaluate EDR Products

    Related: MITRE Uses ATT&CK Framework to Evaluate Enterprise Security Products

    Devon is a principal researcher at Endgame, focusing on detection and response technologies. Formerly a Mandiant incident response and remediation lead, Devon has over 6 years of experience in security professional services, where he has worked with clients in nearly every conceivable industry. He has significant experience helping Fortune 500 organizations with the detection, response, and containment of advanced targeted threat actors and has led large-scale network and application architecture reviews, post-incident strategic planning, and regulatory gap assessments. He has delivered a range of technical presentations for security conferences, industry organizations, and the United States Department of Defense. Prior to his career in information security, Devon spent 15 years in operations roles as a system administrator and network engineer.

