Many security executives have a basic familiarity with the MITRE ATT&CK framework, although most see it as limited to a narrow set of use cases for deeply technical cyber threat intelligence (CTI) analysts. The truth, though, is that when integrated into overall security operations, it can produce profound security and risk benefits.
What is MITRE ATT&CK?
MITRE ATT&CK serves as a global knowledge base for understanding threats across their entire lifecycle. The framework’s differentiator is its focus on tactics, techniques, and procedures (TTPs) that threats use to operate in the real world, rather than just on typical indicators like IP addresses, file hashes, registry keys, and so on. MITRE ATT&CK offers a rigorous and holistic method for understanding the types of adversaries operating in the wild and their most observed behaviors, and for defining and classifying those behaviors with a common taxonomy. This is an advantage that brings a much-needed level of organization to the chaotic threat landscape organizations face.
MITRE ATT&CK has practical applications across a range of security functions when security tooling and processes are mapped to it. By characterizing threats and their TTPs in a standardized way and visualizing them through the MITRE ATT&CK matrix, the framework makes it easier for security leaders and their direct reports to determine and communicate the highest priority threats they are facing and to take more sweeping, strategic actions to mitigate them.
In the Weeds? Yes and No
At first glance, MITRE ATT&CK can be intimidating. It may even seem too technically in the weeds for executives who are grappling with leadership-level security concerns. However, the truth is that MITRE ATT&CK holds tremendous strategic potential. It can also help accelerate the cybersecurity maturation process.
The framework undoubtedly helps security practitioners with their day-to-day technical analysis, making them better at their jobs. However, when used to its full potential, MITRE ATT&CK can also help security executives get more value out of existing technologies, including threat intelligence platforms (TIPs), SIEMs, and other security analytics tools.
More importantly, it helps establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. CISOs and other security executives could almost think of it as a tool that automates the creation of a roadmap, showing them precisely where the onramps to threats are located in their networks and what vehicles adversaries are using to enter.
Let’s take a closer look at how MITRE ATT&CK works and why those in charge of security shouldn’t wait to adopt it into their strategic arsenals.
Having established that MITRE ATT&CK provides value to security leaders, let’s consider a few of the genuine benefits it delivers, as it isn’t just in the day-to-day minutiae of security operations where MITRE ATT&CK shines.
- Overlay. When an organization overlays its existing security posture and controls on top of MITRE ATT&CK-contextualized CTI, it becomes much easier to identify the riskiest control gaps present in the security ecosystem.
- Productivity. When looking at workflows and the teams available to respond to the MITRE ATT&CK-delineated TTPs most likely to target the organization, leaders can more easily identify at-risk talent and process gaps and then take steps to better address both.
- Prioritization. As security leaders go through their regularly scheduled validation of security coverage, they should leverage their CTI to identify the most common TTPs relevant to their environments. MITRE ATT&CK can crisply articulate this. With an understanding of where their biggest risks reside, executives can prioritize their threat mitigation efforts, measure the efficacy of security controls, and eliminate spend in areas that are not providing measurable impact, all of which leads to greater efficiency, productivity, and defense.
- Communications. MITRE ATT&CK is unlikely ever to be the subject of a board-level discussion. Nevertheless, decision makers who use it are better able to understand where technology and talent gaps exist, and which threats are of most concern. Such insights make it easier to explain risk levels as well as justify investment requests and decisions.
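The overlay and prioritization steps above can be sketched as a small gap analysis. This is an added example, not code from the original article: the technique IDs are real ATT&CK identifiers, but the CTI reports, control names, and the "validated" flag are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample data: ATT&CK technique IDs seen in four invented CTI reports.
CTI_REPORTS = [
    {"actor": "constructed-actor-A", "techniques": ["T1566", "T1059", "T1078"]},
    {"actor": "constructed-actor-B", "techniques": ["T1566", "T1190", "T1486"]},
    {"actor": "constructed-actor-C", "techniques": ["T1078", "T1021", "T1003", "T1566"]},
    {"actor": "constructed-actor-D", "techniques": ["T1190", "T1059", "T1003"]},
]
# Hypothetical control inventory; "validated" means the control was tested recently.
CONTROLS = [
    {"name": "mail-gateway", "covers": ["T1566"], "validated": True},
    {"name": "edr-script-rules", "covers": ["T1059", "T1003"], "validated": True},
    {"name": "siem-login-anomaly", "covers": ["T1078"], "validated": False},
]

def technique_prevalence(reports):
    """Count how many distinct reports mention each technique."""
    counts = Counter()
    for report in reports:
        counts.update(set(report["techniques"]))  # de-duplicate within a report
    return counts

def coverage_status(controls):
    """Map technique -> 'validated' or 'unvalidated'; a validated control wins."""
    status = {}
    for control in controls:
        for tid in control["covers"]:
            if control["validated"] or tid not in status:
                status[tid] = "validated" if control["validated"] else "unvalidated"
    return status

def prioritized_gaps(reports, controls):
    """Techniques lacking validated coverage, most prevalent first."""
    prevalence, status = technique_prevalence(reports), coverage_status(controls)
    gaps = [(tid, n, status.get(tid, "none")) for tid, n in prevalence.items()
            if status.get(tid) != "validated"]
    rank = {"none": 0, "unvalidated": 1}  # no control at all outranks an untested one
    return sorted(gaps, key=lambda g: (-g[1], rank[g[2]], g[0]))

def weighted_coverage(reports, controls):
    """Share of observed technique mentions that have validated coverage."""
    prevalence, status = technique_prevalence(reports), coverage_status(controls)
    covered = sum(n for tid, n in prevalence.items() if status.get(tid) == "validated")
    return covered / sum(prevalence.values())

if __name__ == "__main__":
    for tid, n, state in prioritized_gaps(CTI_REPORTS, CONTROLS):
        print(f"{tid}: seen in {n} reports, coverage={state}")
    print(f"prevalence-weighted coverage: {weighted_coverage(CTI_REPORTS, CONTROLS):.0%}")
```

The ordered gap list is the input to investment prioritization, and the weighted coverage figure is a single number that can be tracked between validation cycles.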
Communications Double Click
On the subject of “communications,” especially as it relates to top leadership and boards of directors, it’s worth noting how MITRE ATT&CK helps. In Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer, Gartner points out that there are common questions CISOs should be ready to answer when talking with boards about security operations. Split into categories, these include questions related to the threat landscape, risk level, incident response, and performance and investment. The report goes on to provide guidance on how to handle these lines of inquiry. Although it makes clear that there will not always be concrete answers, the strategic information MITRE ATT&CK provides does help answer these types of questions by informing users on all these topics. When used in conjunction with CTI, MITRE ATT&CK is especially helpful in providing situational awareness of the threat landscape.
How to View MITRE ATT&CK
Adversaries continuously improve their stealth and TTPs to bypass existing security controls, a reality that is forcing organizations to change how they approach threat detection and response. MITRE ATT&CK is helping organizations to see the bigger and more strategic security picture by shifting focus away from purely tactical indicators (like IP addresses and domain names) to a view that illuminates threats within the context of what’s relevant to a business’s overall security posture. With MITRE ATT&CK, enterprises and government agencies are building more secure futures, where they can detect incoming threats and identify and mitigate any that have already breached networks. It is time to stop viewing MITRE ATT&CK as a low-level tool and to embrace it as a strategic decision-making resource.