Adopting the MITRE ATT&CK Framework in SMBs
For small and medium businesses, which typically do not have large cybersecurity departments or budgets, mitigating every security vulnerability is difficult. An attacker needs to exploit just one weakness to breach your network, but defenders have to secure everything. This asymmetry is the reason security programs have been shifting resources toward detection and response: detecting when an adversary is already inside the network and then responding to their actions efficiently to gather evidence and contain the risk.
Categorizing the threat behaviours in a clear and easily understandable manner is always a challenge for cybersecurity professionals. To understand the specifics of an attack, professionals normally need to analyse indicators, search for findings from other security researchers, and read reports, articles, and papers describing similar threats. This can also be a daunting task for small businesses.
Analysis and investigation can be overwhelming and resource intensive for cybersecurity professionals, especially if a threat shows a high sophistication level and several components. This is further complicated by the fact that a threat actor can modify these components (hashes, command-and-control (C&C) servers, IP addresses) making threats not only more efficient but also more difficult to detect and analyse. However, attacks and campaigns typically display certain patterns depending on the attacker’s motivations and targets. The challenge is how to cross-check findings against data from various sources.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, built from real-world observations of cyberattacks.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. Tactics and techniques have become the default vocabulary for describing cyberattacks. Rather than relying only on the residue of an attack, such as an indicator of compromise (a file hash or IP address), analysts increasingly look for the tactics and techniques that signify an attack is in progress. A tactic is the "why" of an adversary action (the objective, such as gaining initial access or escalating privileges); a technique is the "how", the specific method used to achieve that objective. "Common knowledge" refers to the documented, real-world use of those techniques by particular adversaries; these concrete instances are usually called procedures, which completes the TTP (tactics, techniques and procedures) vocabulary used throughout the rest of this article.
MITRE is not an acronym. It is a not-for-profit organisation that operates federally funded research and development centres for the US government and has a long-established cybersecurity practice; ATT&CK is one of its outputs. The goal of ATT&CK is to assemble a thorough catalogue of known adversary tactics and techniques used during cyberattacks. It is free and publicly available to government, education, and commercial organisations, which lets it draw on contributions from many sources and collect a wide, and hopefully exhaustive, range of attack stages and sequences. ATT&CK also provides a standard taxonomy, so that organisations can describe attacks to each other precisely and consistently.
The Enterprise matrix groups techniques under tactics. When this was written there were 12 tactics (for example Initial Access, Privilege Escalation and Lateral Movement), with the specific techniques observed for each tactic listed beneath it. A separate PRE-ATT&CK matrix covered preparatory activities such as registering domain names and acquiring infrastructure and tooling before an intrusion begins; it has since been folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics, bringing the total to 14. There is also a separate Mobile matrix of techniques observed in attacks on mobile devices.
The MITRE ATT&CK framework is a popular template that businesses can use for building detection and response programs. It is valuable because every tactic, technique and procedure (TTP) is based on what real attacking groups have been observed doing. Many of these groups reuse the same techniques; it is almost as if they have their own playbook and use it to get new members productive quickly. An attacker's TTPs are behaviours, and behaviours are much harder to change than indicators. Evading a signature-based tool only requires the attacker to change a hash, a domain or a packed binary. An attacker who needs to turn a foothold account into an administrator, however, has far fewer ways to avoid or hide that step: to evade a behavioural detection, the adversary is forced to change how they operate.
Businesses also face the challenge of traditional threat intelligence, which is often a time-consuming effort: scrutinising reports, articles, news stories, and even social media posts to find and analyse indicators, then deciding which information is useful for the current investigation or worth adding to an internal knowledge base. Given enough time, a dedicated security researcher could probably piece together the details of the story. But in cybersecurity, time is always of the essence. Threat investigation needs to be as quick as possible so that the threat can be properly categorised, the security gaps identified, and the fixes prioritised.
Thus ATT&CK can aid in threat investigations because it allows cybersecurity teams to narrow down their search to specific tactics and techniques, reducing the time needed to map out the details of an attack. The eventual goal, with the help of ATT&CK, is not only to tell the story of the why, how, and what of an attack but also to help pinpoint security weaknesses within the system that a security team can work on strengthening.
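As an added example (not part of the original article, and not MITRE's own tooling), the script below shows what "narrowing an investigation to specific tactics and techniques" looks like in practice for a small team: a handful of behavioural detections run over authentication and account-management events, each finding tagged with an ATT&CK technique ID, and the results rolled up by tactic so the team can see at a glance which stages of an intrusion it has evidence for. The log format is constructed for this example; the Windows Security event IDs (4625 failed logon, 4624 successful logon, 4720 account created, 4698 scheduled task created) are real, and the technique-to-tactic table is a hand-copied subset of the ATT&CK Enterprise matrix. A real deployment would load the full matrix from the STIX data MITRE publishes rather than hard-coding it, and the brute-force threshold of five failures is an assumption chosen for the sample data.

```python
"""Tag behavioural detections with MITRE ATT&CK technique IDs and roll them
up by tactic. Example written for this article; not MITRE's code."""
import re
from collections import defaultdict

# Hand-copied subset of the ATT&CK Enterprise matrix: technique ID -> (name, tactics).
# A production tool would load MITRE's published STIX bundle instead of this table.
ATTACK = {
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence",
                                 "Privilege Escalation", "Initial Access"]),
    "T1136": ("Create Account", ["Persistence"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence",
                                     "Privilege Escalation"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
}

BRUTE_THRESHOLD = 5  # assumed: failures before a success that we call brute force

# Constructed sample log: "<timestamp> <host> EventID=<n> key=value ...".
# bob has two failures then a success (below threshold, must not alert);
# jsmith has six failures then a success, then creates an account and a
# scheduled task, then logs on to a second host over the network.
SAMPLE_LOG = """\
2021-03-01T07:59:00 DC01 EventID=4625 user=bob src=10.0.0.77 logon_type=3
2021-03-01T07:59:01 DC01 EventID=4625 user=bob src=10.0.0.77 logon_type=3
2021-03-01T07:59:05 DC01 EventID=4624 user=bob src=10.0.0.77 logon_type=3
2021-03-01T08:00:01 DC01 EventID=4625 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:00:02 DC01 EventID=4625 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:00:03 DC01 EventID=4625 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:00:04 DC01 EventID=4625 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:00:05 DC01 EventID=4625 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:00:06 DC01 EventID=4625 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:00:09 DC01 EventID=4624 user=jsmith src=10.0.0.55 logon_type=3
2021-03-01T08:05:00 DC01 EventID=4720 user=svc_backup2 actor=jsmith
2021-03-01T08:06:00 FS01 EventID=4698 task=Updater actor=jsmith
2021-03-01T08:07:00 FS01 EventID=4624 user=jsmith src=10.0.0.55 logon_type=3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+)(?P<rest>.*)$")


def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ev = {"ts": m["ts"], "host": m["host"], "eid": int(m["eid"])}
        ev.update(dict(kv.split("=", 1) for kv in m["rest"].split()))
        events.append(ev)
    return events


def detect(events):
    """Run behavioural detections; return (technique_id, evidence) tuples in order."""
    findings = []
    failures = defaultdict(int)   # (user, src) -> consecutive failed logons
    first_host = {}               # user -> host of that user's first network logon
    for ev in events:
        key = (ev.get("user"), ev.get("src"))
        if ev["eid"] == 4625:
            failures[key] += 1
        elif ev["eid"] == 4624:
            if failures[key] >= BRUTE_THRESHOLD:
                findings.append(("T1110", f"{failures[key]} failures then success "
                                          f"for {key[0]} from {key[1]}"))
                findings.append(("T1078", f"guessed account {key[0]} logged on to "
                                          f"{ev['host']}"))
            failures[key] = 0
            if ev.get("logon_type") == "3":  # network logon
                user = ev.get("user")
                if user not in first_host:
                    first_host[user] = ev["host"]
                elif first_host[user] != ev["host"]:
                    findings.append(("T1021", f"{user} network logon to {ev['host']} "
                                              f"after {first_host[user]}"))
        elif ev["eid"] == 4720:
            findings.append(("T1136", f"{ev.get('actor')} created account "
                                      f"{ev.get('user')} on {ev['host']}"))
        elif ev["eid"] == 4698:
            findings.append(("T1053", f"{ev.get('actor')} created scheduled task "
                                      f"{ev.get('task')} on {ev['host']}"))
    return findings


def rollup_by_tactic(findings):
    """Group the observed technique IDs under every ATT&CK tactic they serve."""
    by_tactic = defaultdict(set)
    for tid, _ in findings:
        for tactic in ATTACK[tid][1]:
            by_tactic[tactic].add(tid)
    return {t: sorted(ids) for t, ids in sorted(by_tactic.items())}


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for tid, evidence in found:
        print(f"{tid} {ATTACK[tid][0]}: {evidence}")
    for tactic, ids in rollup_by_tactic(found).items():
        print(f"{tactic}: {', '.join(ids)}")
```

The roll-up is where ATT&CK earns its keep for a small team: the same five findings read as "a credential was guessed, used, made persistent, and then used to move laterally", which tells the investigator which tactic to look at next (there is no Command and Control or Impact evidence yet) and which detection gaps to close. Note that T1078 and T1053 appear under several tactics, because ATT&CK records every objective a technique can serve, not just the one seen in this incident.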
CyberPal is the world's first cyber security marketplace. It enables end-users to compare, review, ask peers about, and buy research reports for all their cyber security requirements, and it is where providers of MITRE ATT&CK-based services can be assessed and engaged to safeguard your business. End-users can locate and connect with the nearest resellers for all vendor solutions, post a project and receive proposals from independent cyber experts, and award the contract to the chosen vendor or contractor through the platform. Payment is handled securely and communication between parties is private. This can help you drive your cyber security strategy rather than leave it as a non-starter.