Understanding the MITRE ATT&CK Framework

Before an organization can develop and maintain a successful and relevant threat detection and defense strategy, it must first gain a solid understanding of common adversary techniques. The organization needs to know the various activities that can pose a threat, and how to detect and mitigate them. With the current threat landscape featuring innumerable attack tactics and techniques, it is challenging, if not nearly impossible, for every organization to monitor, document and communicate each of them on its own. Cybersecurity frameworks provide a comprehensive set of standards, guidelines and common language that anticipate many of the challenges organizations face in protecting critical data and infrastructure as they work to better manage cybersecurity risk. Organizations commonly rely on these frameworks to reduce guesswork and to provide a baseline structure that is then tailored to the organization's own needs and goals. After delving into the NIST Cybersecurity Framework, we now turn to another cybersecurity framework often used as a foundation by organizations developing customized threat models. MITRE has developed the ATT&CK framework, which systematically defines and organizes common behaviour observed from malicious attackers in the wild. It provides a common language that security teams can use to communicate these activities. The ATT&CK framework is globally recognized as an authority on the behaviour models and techniques that adversaries use against organizations. It gives industry professionals a way to discuss, collaborate on and share intelligence about adversary methods, and it pairs each documented behaviour with practical detection and mitigation guidance and common attributes.

What is the MITRE ATT&CK framework?
MITRE ATT&CK, an abbreviation of MITRE's Adversarial Tactics, Techniques and Common Knowledge, is a comprehensive knowledge base and framework for understanding and categorizing adversary behaviour based on real-world observations of the various phases of the attack lifecycle. Created in 2013 by the MITRE Corporation, a not-for-profit organization that works across government agencies and various industry and academic institutions, the framework is a globally available collection documenting malicious behaviours carried out by advanced persistent threat (APT) groups. While the information found in ATT&CK does represent APT behaviours, those same behaviours occur every day in organizations of all sizes. Consequently, public and private sector organizations of every size have adopted the framework.

Importance of the MITRE ATT&CK framework

ATT&CK is regularly updated by MITRE experts, industry researchers and contributors, which makes it a relevant resource for organizations to build their own threat models and to test in-place cybersecurity controls against threats in the current landscape. The tactics, techniques and procedures (TTPs) documented in the framework give threat hunters, red teams, security operations centers (SOCs) and defenders a standardized way to understand the cybersecurity risks of known adversary actions and to inform a more vigorous defense strategy. To better grasp the importance of the knowledge MITRE ATT&CK captures, let's turn to a concept developed by David Bianco called the "Pyramid of Pain". Bianco argues that not all indicators of compromise (IoCs) are created equal. Just as ATT&CK does, the Pyramid of Pain takes the adversary's point of view, defining each level of the pyramid by how much pain the adversary feels when a specific kind of indicator is denied to them. TTPs sit at the apex of the pyramid, the highest pain level if denied to adversaries.
When organizations detect and respond to threats at this level, it means they are operating based on adversary behaviors, rather than just their tools or parts of their attack sources. The thing is, tools can be replaced with other existing or newly created tools, but responding directly to adve...
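The two ideas above, mapping detections onto ATT&CK techniques and tactics, and ranking each detection by where its indicator sits on the Pyramid of Pain, can be combined into a simple coverage check. The following is an added example written for this article, not code from MITRE or from the original post. The technique table is a small hand-constructed subset whose IDs and names mirror MITRE's public Enterprise ATT&CK catalogue (a real deployment would load MITRE's published STIX bundle instead), and the detection inventory is constructed sample data.

```python
"""Score detection coverage against ATT&CK techniques and the Pyramid of Pain.

Added example, not from the original article. TECHNIQUES is a constructed
subset mirroring public ATT&CK IDs; DETECTIONS is constructed sample data.
"""
from collections import defaultdict

# Pyramid of Pain levels, bottom (trivial for the adversary to swap out)
# to apex (TTPs, which force the adversary to change how they operate).
PYRAMID_OF_PAIN = {
    "hash": 0,
    "ip": 1,
    "domain": 2,
    "artifact": 3,   # host or network artifacts
    "tool": 4,
    "ttp": 5,
}

# Constructed subset of Enterprise ATT&CK: technique id -> (name, tactics).
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence",
                                 "privilege-escalation", "initial-access"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed detection inventory: the indicator type each rule keys on and
# the ATT&CK techniques it is mapped to (an empty list means unmapped).
DETECTIONS = [
    {"name": "known-ransomware-hash", "indicator": "hash", "techniques": ["T1486"]},
    {"name": "c2-ip-blocklist", "indicator": "ip", "techniques": []},
    {"name": "lsass-access-by-non-system", "indicator": "ttp", "techniques": ["T1003"]},
    {"name": "office-app-spawns-shell", "indicator": "ttp", "techniques": ["T1059", "T1566"]},
    {"name": "credential-dumper-binary-name", "indicator": "tool", "techniques": ["T1003"]},
]


def pain_level(detection):
    """Pyramid of Pain level (0-5) of the indicator a detection relies on."""
    return PYRAMID_OF_PAIN[detection["indicator"]]


def coverage_by_tactic(detections, techniques=TECHNIQUES, min_pain=0):
    """Map tactic -> set of technique IDs covered by detections at or above min_pain.

    Raising min_pain drops brittle detections (hashes, IPs) so you can see
    which coverage survives once the adversary changes their easy indicators.
    """
    covered = defaultdict(set)
    for det in detections:
        if pain_level(det) < min_pain:
            continue
        for tid in det["techniques"]:
            if tid not in techniques:
                raise KeyError(f"unknown technique id {tid} in rule {det['name']}")
            for tactic in techniques[tid][1]:
                covered[tactic].add(tid)
    return dict(covered)


def uncovered_techniques(detections, techniques=TECHNIQUES, min_pain=0):
    """Sorted technique IDs that no detection at or above min_pain maps to."""
    seen = set()
    for ids in coverage_by_tactic(detections, techniques, min_pain).values():
        seen |= ids
    return sorted(set(techniques) - seen)


def best_pain_per_technique(detections, techniques=TECHNIQUES):
    """Highest pain level any mapped detection achieves per technique (None if unmapped)."""
    best = {tid: None for tid in techniques}
    for det in detections:
        level = pain_level(det)
        for tid in det["techniques"]:
            if best[tid] is None or level > best[tid]:
                best[tid] = level
    return best


if __name__ == "__main__":
    for tactic, ids in sorted(coverage_by_tactic(DETECTIONS).items()):
        print(f"{tactic:22s} {sorted(ids)}")
    print("uncovered at any level:", uncovered_techniques(DETECTIONS))
    print("uncovered once hashes/IPs/domains are burned:",
          uncovered_techniques(DETECTIONS, min_pain=3))
    for tid, level in best_pain_per_technique(DETECTIONS).items():
        print(f"{tid} {TECHNIQUES[tid][0]:36s} best pain level: {level}")
```

Running it shows why the article's point matters: T1486 looks covered until the hash-based rule is discounted at `min_pain=3`, at which point it joins T1021 and T1078 as uncovered, while the behaviour-based rules keep T1003, T1059 and T1566 at the apex of the pyramid.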

About the Podcast

Listen to all the articles we release on our blog while commuting, while working or in bed.