MITRE ATT&CK and Threat-Informed Defense
Any strategy starts with a foundation.
For us at AttackIQ, that foundation is MITRE ATT&CK®. ATT&CK is a globally available, free, open framework of known adversary tactics, techniques and procedures (TTPs). The MITRE Corporation, a federally funded non-profit research and development organization working in the public interest, built and publicly released the original ATT&CK framework in 2015 to help defenders all over the world focus on the threats that matter most to cybersecurity.
Since its release, the ATT&CK framework has gained significant momentum in the public and private sectors as a globally-vetted, all-source repository of adversary behavior. The release of ATT&CK has given organizations a stable framework against which they can design their defenses. By understanding how adversaries target your data, you are in a better position to secure yourself. A natural next step is for organizations to deploy automated adversary emulations to test their cyberdefenses. That is why AttackIQ is closely aligned with MITRE.
Download MITRE ATT&CK for Dummies
To learn how to use MITRE ATT&CK to improve your cybersecurity effectiveness, download this easy-to-read Dummies guide, which will help you strengthen your cybersecurity program and maximize your resources. Plus, it’s free. You can use this guide to train your teams, transition from a manual approach to threat intelligence, and guide your entire security team with a unified threat framework. Once you learn ATT&CK, you can then deploy an automated breach and attack simulation platform to test your security controls and generate real performance data to improve your security program at scale.
Operationalize the MITRE ATT&CK Framework with AttackIQ
At AttackIQ we help organizations test the effectiveness of their security controls safely, continuously, at scale, in production, and with threat coverage across the kill chain. Customers use AttackIQ and the ATT&CK framework to enable a threat-informed defense across all aspects of their security organization. With ATT&CK as a foundation, the AttackIQ Security Optimization Platform grounds organizations in a shared understanding of threats and threat behaviors. Our alignment with ATT&CK and the automation we provide help customers make meaningful improvements to their security program by providing granular data about performance effectiveness. The maturity of the ATT&CK framework has spawned dozens of solutions in the AttackIQ platform.
We’ve incorporated ATT&CK seamlessly into our platform workflows so that our emulation plans provide a clear visualization of adversary behaviors. Here is an example of how the Security Optimization Platform reports out performance data to help organizations adopt a threat-informed defense. It outlines the performance of the vendor, the adversary behavior, and the ATT&CK technique revealed. ATT&CK techniques are represented by cards organized in columns, each one representing a specific ATT&CK tactic.
The white tiles on the top of the column are labeled with the tactic and list the number of techniques in each column. The black tiles in each column represent individual techniques and, where applicable, provide a pull down to reveal the sub-techniques.
Founding Member of MITRE’s Center for Threat-Informed Defense
Our close alignment with MITRE ATT&CK is why we became a founding member of MITRE Engenuity’s Center for Threat-Informed Defense (CTID). The CTID is an organization within MITRE that conducts applied research and advanced development to improve cyberdefense at scale for the global community. It brings together the best cybersecurity researchers from across the globe.
In its first major research project, on September 15, 2020, the Center for Threat-Informed Defense released a groundbreaking, detailed plan for security teams to emulate the cybercrime group FIN6. This is the first entry into a public library of adversary emulation plans that the Center has planned to replicate the tactics and techniques of known cyberspace adversaries. The MITRE team worked with AttackIQ and leading global companies to emulate a dangerous and adaptive threat.
The emulation library is a logical next step in the historic evolution of MITRE’s work. In 2015, MITRE released the ATT&CK framework to help defenders all over the world focus on the threats that matter most. ATT&CK provides a collaborative means for sharing threat information, a baseline analytic foundation for security teams to defend themselves
How does the emulation library further that mission? Historically, most organizations lacked the resources and personnel to study adversaries and build emulation plans. Only Fortune 1000 companies or government agencies had the resources to do so. As a founding research partner of the Center for Threat-Informed Defense, we are immensely proud that AttackIQ is working with MITRE and the Center team to make this emulation plan publicly available. It is a part of our mission to work in the public interest and help every organization become more resilient to cyberattacks.
Going forward, AttackIQ’s close partnership with MITRE and the CTID will help AttackIQ stay informed of emerging best practices in threat-informed defense and educate the market through white papers and MITRE-informed AttackIQ Academy courses in Purple Teaming, Operationalizing MITRE ATT&CK, and Breach and Attack Simulation. To accelerate the practice of threat-informed defense (TID) across the industry, AttackIQ launched AttackIQ Academy in 2020. AttackIQ Academy is dedicated to giving back to the community and advancing the art and practice of MITRE ATT&CK and threat-informed defense. We offer these courses and more at no cost as a public good, and welcome your feedback on how else Academy can serve each of you.
ATT&CK Navigator Heatmap
MITRE ATT&CK Navigator allows users to select threat actors from its menu and build a color-coded “heatmap” to see a range of key actors. This specific heatmap shows the techniques and subtechniques of the threat actors APT29 and FIN6, but your cyberthreat intelligence team can select the threat actors that are most important to you.
How and why would your team use Navigator in this way? If your sector faces a specific threat group, you can select that group in Navigator, have the group appear in color on the heatmap, focus on the techniques and subtechniques of the actor that ATT&CK reveals, and test and validate your security controls using the ATT&CK framework and AttackIQ to improve your security program effectiveness.
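The two-group heatmap described above can also be generated as a Navigator layer file. The sketch below is an added example, not AttackIQ or MITRE code: the group names and technique sets are constructed placeholders rather than the real mappings for APT29 or FIN6, and the `versions` block your Navigator release expects is left out.

```python
import json

# Constructed sample input: technique IDs per group. These sets are
# placeholders for illustration, not any group's real ATT&CK mapping;
# in practice, take them from the ATT&CK group pages or STIX data.
GROUP_TECHNIQUES = {
    "group_a": {"T1059.001", "T1566.001", "T1078", "T1003.001"},
    "group_b": {"T1059.001", "T1078", "T1047", "T1560"},
}

# One color per group, plus a third for techniques both groups use.
COLORS = {"group_a": "#66b1ff", "group_b": "#ffe766", "shared": "#ff6666"}


def build_layer(groups, name="Priority groups heatmap"):
    """Return a layer dict; score = number of selected groups using a technique."""
    usage = {}
    for group, techniques in groups.items():
        for tid in techniques:
            usage.setdefault(tid, []).append(group)
    entries = []
    for tid in sorted(usage):
        users = sorted(usage[tid])
        key = users[0] if len(users) == 1 else "shared"
        entries.append({
            "techniqueID": tid,
            "score": len(users),
            "color": COLORS[key],
            "comment": "used by: " + ", ".join(users),
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Techniques of the selected groups, colored by group.",
        "techniques": entries,
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()],
    }


def validation_order(layer):
    """Technique IDs by descending score, then ID: a control-testing backlog."""
    ranked = sorted(layer["techniques"],
                    key=lambda t: (-t["score"], t["techniqueID"]))
    return [t["techniqueID"] for t in ranked]


if __name__ == "__main__":
    layer = build_layer(GROUP_TECHNIQUES)
    print(json.dumps(layer, indent=2))
    print(validation_order(layer))
```

Techniques shared by both groups get the highest score, so they sort to the front of the list of controls to validate first.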