By Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy; Chris Kennedy, CISO and VP for Customer Success; and Vinod Peris, VP of Engineering.
Over the past year, the MITRE ATT&CK team has been beta testing ATT&CK sub-techniques, a major restructuring of the ATT&CK framework that provides a more granular organization of adversary tactics, techniques, and procedures (TTPs). The word sub-techniques underplays the magnitude and historical importance of this evolution of ATT&CK: In this new version of ATT&CK for Enterprise, MITRE has consolidated its original techniques from 266 to 156 and added 260 sub-techniques to deepen the framework’s specificity.1 The net result is an overall improvement in the specificity of the threat information in the framework that will help defenders improve their cybersecurity posture significantly.
MITRE will launch these techniques tomorrow. As a consequence of AttackIQ’s deep and continuous commitment to using MITRE ATT&CK as the foundation for a threat-informed defense, we are simultaneously releasing ATT&CK sub-techniques to our existing customers by updating the MITRE Matrix in our platform scenario library and in our reporting process to enable customers to validate their security controls using sub-techniques.
This blog post reflects on the evolution of the MITRE ATT&CK framework and outlines the value of these new sub-techniques for the public and for AttackIQ customers.
Background: MITRE ATT&CK
MITRE ATT&CK is a globally available, free, open framework of known adversary tactics, techniques and procedures. Knowledge of adversary behavior was previously reserved for elite operators or national security practitioners in a classified environment, yet even in the national security community, there was no single, holistic repository of adversary tactics, techniques, and procedures. These elite operators were largely focused on temporal attributes of adversary intrusions as their currency, like indicators of compromise, until the concept of the kill chain was developed. The temporal nature of signatures and indicators of compromise meant that organizations were constrained by needing to protect their intelligence sources and methods, and that made it harder for them to share information broadly. The kill-chain methodology led to a broader understanding of adversary tactics, techniques, and behaviors.
In 2015, the MITRE Corporation, a federally funded non-profit research and development organization working in the public interest, built and publicly released the original ATT&CK framework to help defenders all over the world focus on the threats that matter most. Since then the framework has gained significant momentum in the public and private sectors as a globally-vetted, all-source repository of adversary threat behaviors.
How has ATT&CK been received by the public and private sectors? In a word: tremendously. As one recent indicator, a few weeks ago the office of the Prime Minister of Australia referenced the importance of the ATT&CK framework in the face of escalating nation-state attacks against Australian infrastructure by calling out the Australian government’s ATT&CK-focused approach. This public statement by a head of state reflects the broad adoption of the framework as a global standard. In the private sector, customers derive deep value from the ATT&CK framework. As one customer told our research team, “MITRE ATT&CK gave us the ideal framework to meet our target use cases… we could continually validate the performance of our production system security controls in real time.” ATT&CK transforms organizations from taking an ad hoc approach to security operations to adopting a data-driven, threat-informed approach — and it has caught on globally.
Which brings us to today. All of the new 260 sub-techniques help defenders better prepare for known threats, sharpen their defenses, and improve enterprise preparedness. This an historic evolution of MITRE ATT&CK that better organizes the framework. What are some of the specific elements of this update and how will they help defenders anticipate adversary attacks? The update:
- Tightens ATT&CK’s categories, making the framework more accessible and easier for the user to use. Previously you would find a technique buried in a vertical; now you can find specific techniques in the subtechniques;
- Restructures the framework so that it can continue to grow and scale, making it more easily and logically navigable for the end user;
- It modifies tactics, techniques, and procedures that that have been historically imbalanced in the framework — some that were too broad; some that were too granular — to make them more useful to the user;
- The improved foundation will enable continued research investment to enhance the value of ATT&CK for TTP probability weighting, research, and threat intelligence integration.
In terms of specific threat actors, the framework also updates sub-techniques by state and non-state group categories, to include updates to the North Korean government, Russian government, Iranian government, and non-state groups and criminal groups; it also includes the addition of one new group, “Bouncing Golf,” a cyberespionage campaign that targets Middle Eastern governments in recent years.
AttackIQ: Operationalizing MITRE ATT&CK
Practically, at AttackIQ we help organizations test the effectiveness of their security controls safely, continuously, at scale, in production, and with threat coverage across the kill chain. To enable a threat-informed defense, the AttackIQ platform grounds organizations in a shared understanding of threats and threat behaviors using the MITRE ATT&CK framework, and the maturity of ATT&CK has spawned dozens of solutions with AttackIQ. We see customers across all pillars of the traditional security organization taking advantage of the way AttackIQ allows them to operationalize the ATT&CK framework. From purple team enablement, to threat modelling, to strategic security strategy shaping, our alignment with ATT&CK and the automation we provide enables customers to make meaningful improvements to their security program.
Our platform has incorporated the new ATT&CK sub-techniques seamlessly into all of its workflows, and we welcome the changes from MITRE. As shown below, the techniques are represented by cards organized in columns, each one representing a specific ATT&CK tactic. The white tiles on the top of the column are labeled with the tactic and list the number of techniques in each column. The black tiles in each column represent individual techniques and, where applicable, provide a pull down to reveal the sub-techniques.
For instance, the “Hijack Execution Flow” technique found in the middle of the below picture has two sub-techniques below it, DLL Search Order Hijacking and DLL side-loading. This same mechanism is used for all of our depictions of the ATT&CK matrix, including the prevention and detection results. It provides a consistent and uncluttered view of the ATT&CK tactics, techniques, and sub-techniques on a single pane.
We have updated the AttackIQ platform to reflect the new ATT&CK sub-techniques in a seamless manner and help you defend your enterprise.
There is no company more closely aligned with MITRE ATT&CK than AttackIQ. That is why AttackIQ is proud to support the ATT&CK framework not only by making it operational for all of our customers, but through our contributions as one of the thirteen founding members of the MITRE Center for Threat-Informed Defense (CTID). In addition to the CTID, AttackIQ promotes the practice of threat-informed defense through AttackIQ Academy, which includes courses on purple team operations, MITRE ATT&CK, and attack simulation.
Our company is deeply committed to the evolution of the MITRE ATT&CK framework and will continue to strengthen our partnership with the MITRE Corporation to bring operational value to the global cybersecurity community.