MITRE ATT&CK and Threat-Informed Defense

Any strategy starts with a foundation.

For us at AttackIQ, that foundation is MITRE ATT&CK. ATT&CK is a globally available, free, open framework of known adversary tactics, techniques and procedures (TTPs). The MITRE Corporation, a federally funded non-profit research and development organization working in the public interest, built and publicly released the original ATT&CK framework in 2015 to help defenders all over the world focus on the threats that matter most to cybersecurity.

Since its release, the ATT&CK framework has gained significant momentum in the public and private sectors as a globally vetted, all-source repository of adversary behavior. The release of ATT&CK has given organizations a stable framework against which they can design their defenses. By understanding how adversaries target your data, you are in a better position to secure yourself. A natural next step is for organizations to deploy automated adversary emulations to test their cyberdefenses. That is why AttackIQ is closely aligned with MITRE.

Operationalize the MITRE ATT&CK Framework with AttackIQ

At AttackIQ we help organizations test the effectiveness of their security controls safely, continuously, at scale, in production, and with threat coverage across the kill chain. Customers use AttackIQ and the ATT&CK framework to enable a threat-informed defense across all aspects of their security organization. With ATT&CK as a foundation, the AttackIQ Security Optimization Platform grounds organizations in a shared understanding of threats and threat behaviors. Our alignment with ATT&CK and the automation we provide help customers make meaningful improvements to their security program by providing granular data about control performance. The maturity of the ATT&CK framework has spawned dozens of solutions in the AttackIQ platform.

We’ve incorporated ATT&CK seamlessly into our platform workflows so that our emulation plans provide a clear visualization of adversary behaviors. Here is an example of how the Security Optimization Platform reports out performance data to help organizations adopt a threat-informed defense. It outlines the performance of the vendor, the adversary behavior, and the ATT&CK technique revealed. ATT&CK techniques are represented by cards organized in columns, each one representing a specific ATT&CK tactic.

The white tiles on the top of the column are labeled with the tactic and list the number of techniques in each column. The black tiles in each column represent individual techniques and, where applicable, provide a pull down to reveal the sub-techniques.
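As an added illustration (not AttackIQ's code or data), the following Python builds the column-per-tactic view described above from constructed assessment results: sub-techniques nest under their parent tile, and each column header carries the technique count plus the number of tests the control missed. The technique IDs are real ATT&CK identifiers; the tactic assignments used here and the outcomes are made up for the example.

```python
from collections import defaultdict

# Constructed sample data (not AttackIQ output): one row per emulated technique,
# the ATT&CK tactic it ran under, and how the control under test fared.
SAMPLE_RESULTS = [
    {"tactic": "Initial Access", "technique": "T1566", "outcome": "detected"},
    {"tactic": "Initial Access", "technique": "T1566.001", "outcome": "missed"},
    {"tactic": "Initial Access", "technique": "T1078", "outcome": "prevented"},
    {"tactic": "Execution", "technique": "T1059", "outcome": "prevented"},
    {"tactic": "Execution", "technique": "T1059.001", "outcome": "missed"},
    {"tactic": "Credential Access", "technique": "T1003", "outcome": "missed"},
    {"tactic": "Credential Access", "technique": "T1003.001", "outcome": "detected"},
]
# Column order follows the kill chain; a tactic with no results renders as an empty column.
TACTIC_ORDER = ["Initial Access", "Execution", "Credential Access"]


def build_matrix(results):
    """tactic -> parent technique ID -> {"outcome", "subs"}; sub-techniques
    (Txxxx.yyy) nest under their parent Txxxx, like the tile pull-down."""
    matrix = defaultdict(dict)
    for row in results:
        parent, _, sub = row["technique"].partition(".")
        tile = matrix[row["tactic"]].setdefault(parent, {"outcome": None, "subs": {}})
        if sub:
            tile["subs"][row["technique"]] = row["outcome"]
        else:
            tile["outcome"] = row["outcome"]
    return matrix


def column_summary(matrix, tactic):
    """(technique tiles, missed tests) for one column, the header-tile numbers;
    missed tests are counted across parents and sub-techniques alike."""
    tiles = matrix.get(tactic, {})
    outcomes = [t["outcome"] for t in tiles.values()]
    outcomes += [o for t in tiles.values() for o in t["subs"].values()]
    return len(tiles), outcomes.count("missed")


def render(matrix, order=TACTIC_ORDER):
    """Plain-text version of the column view, one line per tile."""
    lines = []
    for tactic in order:
        total, missed = column_summary(matrix, tactic)
        lines.append(f"[{tactic}] {total} techniques, {missed} missed")
        for tid, tile in sorted(matrix.get(tactic, {}).items()):
            lines.append(f"  {tid}: {tile['outcome']}")
            lines += [f"    {sid}: {o}" for sid, o in sorted(tile["subs"].items())]
    return "\n".join(lines)
```

Calling `render(build_matrix(SAMPLE_RESULTS))` prints the three columns; feeding real assessment exports into `build_matrix` gives the same coverage view for a live control set.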

Founding Member of MITRE’s Center for Threat-Informed Defense

Our close alignment with MITRE ATT&CK is why we became a founding member of MITRE’s Center for Threat-Informed Defense (CTID). The CTID is an organization within MITRE that conducts applied research and advanced development to improve cyberdefense at scale for the global community. It brings together the best cybersecurity researchers from across the globe.

In its first major research project, on September 15, 2020, the Center for Threat-Informed Defense released a groundbreaking, detailed plan for security teams to emulate the cybercrime group FIN6. It is the first entry in a planned public library of adversary emulation plans that replicate the tactics and techniques of known cyberspace adversaries. The MITRE team worked with AttackIQ and leading global companies to emulate a dangerous and adaptive threat.

The emulation library is a logical next step in the historic evolution of MITRE’s work. In 2015, MITRE released the ATT&CK framework to help defenders all over the world focus on the threats that matter most. ATT&CK provides a collaborative means for sharing threat information and a baseline analytic foundation for security teams to defend themselves.

How does the emulation library further that mission? Historically, most organizations lacked the resources and personnel to study adversaries and build emulation plans. Only Fortune 1000 companies or government agencies had the resources to do so. As a founding research partner of the Center for Threat-Informed Defense, we are immensely proud that AttackIQ is working with MITRE and the Center team to make this emulation plan publicly available. It is a part of our mission to work in the public interest and help every organization become more resilient to cyberattacks.

Going forward, AttackIQ’s close partnership with MITRE and the CTID will help AttackIQ stay informed of emerging best practices in threat-informed defense and educate the market through white papers and MITRE-informed AttackIQ Academy courses in Purple Teaming, Operationalizing MITRE ATT&CK, and Breach and Attack Simulation. To accelerate the practice of threat-informed defense (TID) across the industry, AttackIQ launched AttackIQ Academy in 2020. AttackIQ Academy is dedicated to giving back to the community and advancing the art and practice of MITRE ATT&CK and threat-informed defense. We offer these courses and more at no cost as a public good, and welcome your feedback on how else Academy can serve each of you.