Gaining an Edge on Attackers with the MITRE ATT&CK® Knowledge Base

Security analysts feel a constant, intense pressure to review security alerts. Indicators of compromise (IOC) can pop up anytime from any vector – but are they always viable determinants of an attack? What if you misinterpret one of these clues of an intrusion? Or overlook one that matters amidst a river of alerts swamping a typical security operations center (SOC)? Clearly, analysts need a reliable edge to stay in front of attacks.

Analysts are not the only people seeking an edge. So do cyber criminals, who leverage anything they can to breach the network and execute an attack.

In response to these effective exploits, many SOC analysts are finding that a reliable, effective and proven edge against attackers is the MITRE ATT&CK (Attacker tactics, techniques and common knowledge) knowledge base. Our paper Using the MITRE ATT&CK Knowledge Base to Improve Threat Hunting & Incident Response shows how the MITRE framework is an important tool for analysts and threat hunters.

About MITRE ATT&CK

The MITRE ATT&CK framework provides SOC analysts with an open knowledge base of adversary tactics, techniques and procedures (TTPs) based on real-world observations – i.e., the endpoint and network telemetry data collected 24×7 by an array of tools and usually centralized for threat hunting in a modern security information and event management (SIEM) platform. MITRE says the “knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”

Practical help for security analysts

The practical schema of MITRE ATT&CK is a matrix of 12 Enterprise Tactics used by attackers, including 266 Enterprise Techniques (as of December 2019), that attackers use to implement tactics, from breaching defenses to exfiltrating sensitive data.

The Common Knowledge for each technique includes a description, examples of how the technique can be implemented (including adversaries such as individuals and groups, and software tools), advice on how to mitigate the technique, and advice on how to detect the technique. This information about adversaries and software is a work in progress so analysts must remain alert for variations in how techniques could be applied to various tactics.

By systematically categorizing real-world attack behavior, MITRE ATT&CK provides a concrete tool for helping security analysts and other stakeholders create more effective strategies and processes to detect, investigate and respond to known, new and emerging attacks.

Why you should consider using MITRE ATT&CK

Strategic use of the ATT&CK model provides evidence-grounded guidance for helping SOC analysts keep their organizations more secure. MITRE ATT&CK is useful to SOCs because it’s focused on post-breach part of the attack chain, which applies to analysts’ roles for detection, investigation and response. The framework’s data-proven tactics, techniques and procedures provide a reliable and effective edge for detection and mitigation of security incidents.

The framework becomes especially useful and practical when used in conjunction with a modern SIEM, which can be used to detect and threat hunt for attacker behavior and help automate investigation and incident response.

Exabeam makes it easy to use the MITRE ATT&CK framework with our modern SIEM. Exabeam identifies techniques across all 12 tactics, and tells you which incidents to prioritize, converting “signal from noise” to identify risky behaviors. You can also threat hunt by attacker behavior.

To learn more about MITRE ATT&CK and Exabeam’s support for the framework, I invite you to read our new white paper, Using the MITRE ATT&CK Knowledge Base to Improve Threat Hunting & Incident Response.