The CISO’s Guide to MITRE ATT&CK
As a CISO, you are continually seeking more effective ways to assure executive leadership that you are aware of all the threats that might affect your organization and that you have the means to defend yourself against them. With today’s rapidly evolving threat landscape and the diffusion of global threats, threat awareness is a Herculean task that no single organization can tackle on its own.
For many years, threat defenders and testers have turned to cybersecurity frameworks. These frameworks provide models that can inform both threat investigations and the design of security controls. MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is one of the most authoritative and widely used frameworks, and it focuses on adversary behavior. Comprised of a knowledge base organized into the MITRE ATT&CK matrix, the framework is wide-ranging and based on real-world data from a global community of cybersecurity researchers and practitioners.
Because its depth and comprehensiveness can make the MITRE ATT&CK framework appear somewhat daunting on first look, AttackIQ is pleased to offer the CISO’s Guide to MITRE ATT&CK. This eight-page guide outlines the key principles of the framework, the structure of the knowledge base, and an effective path to start employing MITRE ATT&CK. From there, we recommend that users dive into the longer and more comprehensive MITRE ATT&CK for Dummies, which we produced on the basis of research and analysis from MITRE Engenuity and the MITRE ATT&CK team, and with a foreword by Richard Struse, Director of MITRE Engenuity’s Center for Threat-Informed Defense, for which we are a founding research partner.
At a high-level, this short CISO’s Guide to MITRE ATT&CK helps pave the way to answering the following questions:
- What adversary tactics and techniques are most likely to impact your organization?
- Do you have the security control coverage you need to protect against these tactics and techniques?
- What changes can you make to technologies, processes, and staff skills to address the coverage gaps?
The brief paper also describes how you can employ MITRE ATT&CK to achieve operational objectives through five use cases:
- Improving red team penetration testing performance
- Helping blue teams stop attacks faster and mitigate their impact
- Integrating threat intelligence into your cyberdefense operations
- Selecting the security vendor offerings that are most effective at protecting your organization from the tactics and techniques you have prioritized
- Continuously testing and validating your existing security controls through automated breach and attack simulation.
These use cases give CISOs just a taste of the enormous operational potential of MITRE ATT&CK. For more in-depth information on the use of the MITRE ATT&CK matrix, AttackIQ also provides a technical guide for security analysts, industry-specific guidance for security professionals in healthcare organizations, and the deeper MITRE ATT&CK for Dummies.
Finally, a highly effective way to learn more about the framework is to enroll in the free MITRE ATT&CK courses at AttackIQ Academy. The ATT&CK learning path starts with the basics of operationalizing the framework, then moves on to more specifics, such as implementing the FIN6 emulation plan. AttackIQ Academy courses include video instruction, interactive labs, and quizzes to help you and your team digest the new knowledge and quickly get started applying MITRE ATT&CK in your organization.
Learn more about why AttackIQ is so invested in MITRE ATT&CK, and why we’ve made it the core of our Security Optimization Platform.
Introduction to FIN6 Emulation Plans
The emulation plan, focused on FIN6, marks the first time in history that industry giants have collaborated with threat researchers to produce an emulation plan for the public.
Foundations of Operationalizing MITRE ATT&CK
This training session introduces students to the basics of the MITRE ATT&CK Framework.
Foundations of Breach & Attack Simulation
This session is a hands-on training program designed to introduce the capabilities and deployment options in a BAS (breach and attack simulation) platform.