Getting Started With the MITRE ATT&CK Framework: Lessons Learned

2.15.2018 | Mike Middleton

To address questions about where to invest finite resources and how to measure success, our cybersecurity team aimed to develop a mechanism to identify gaps and assign corresponding risk to those gaps. In doing so, we discovered a variety of ways the MITRE ATT&CK™ framework can be applied. We’re sharing our learnings here for you to consider as you look to implement the framework to meet your own cybersecurity needs. In the first of this two-part series, we detail the three elements of the framework we found most valuable.

(Image: Gerd Altmann / Pixabay)

At Tanium, our mission is to keep our customers safe and secure. As part of that mission, it’s crucial for the Tanium IT Security organization to operate according to the highest cybersecurity standards. To that end, our cybersecurity team has been working to adopt the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) framework to help us improve and measure the effectiveness of our detection capabilities. In the process, we’ve learned a great deal about how this recent and evolving framework can be applied. We think our lessons learned will provide value to you as you look to implement the framework to meet your own cybersecurity needs.

Since the use of the MITRE ATT&CK™ framework is still evolving, we hesitate to identify these lessons as “best practices.” Rather, we share our experience in the interest of providing  guidelines to help you and your team explore this framework. For this article, when we refer to the MITRE ATT&CK™ framework, we’re referring specifically to the post-compromise collection of adversary techniques, ATT&CK™ for Enterprise, and we’ll be discussing how we began this journey by mapping some Tanium product module components that we use in our own IT environment.

Like most security teams, we find it can be challenging to determine where to invest finite resources and how to measure the success of our detection program. To address these questions, we required a mechanism to identify gaps in our existing detection strategy. In doing so, we discovered how metrics and the MITRE ATT&CK™ framework provided a solution to our problem.

Begin at the beginning: What does your security team work on and in what order?

The Tanium security team categorizes our work as either operational or enhancement based. Operational, or run-focused work, tends to consist of shorter term tasks, such as break fixes, security operations functions and incident response. Enhancement, or build-focused work, tends to consist of longer term projects aimed at improving the ability to perform operations.

What we discovered – and is likely happening at your own organization – is that our security team was deprioritizing enhancement projects to handle operational needs. While keeping the lights on seemed intuitive, we wanted to avoid falling into a perpetual loop of running day-to-day operations, without making substantive improvements that increased our effectiveness and efficiency. By analyzing risk associated with known gaps in detection capabilities, our team hoped to identify higher value alerts with a lower operational burden.

Getting on the same page: How does your security team measure success?

Metrics play a vital role in helping our team assess its operational components. We measure alert distribution, volume, outcome (e.g., true positive, false positive, defective alert, etc.) and time to detect, triage and resolve an incident, amongst other factors.

While these metrics help us identify problems and identify trends based on what has already happened and allow us to track how we improve over time, they do not provide insight into the maturity of our program or help us identify what the team might be missing. By creating the right benchmark to assess our detection capability, we hoped to carefully track, assess and ultimately communicate our evolution of detection capabilities.

This need for benchmarks is what led us to explore MITRE ATT&CK™. The framework is flexible, actionable, aligned with our team’s behavior-focused detection strategy and gives us the ability  to improve how we prioritize initiatives and measure our progress towards our goals. It is maintained by The MITRE Corporation with individual and organizational contributors who respond to breaches, and it is growing rapidly. Here are the three elements of the framework we find most valuable:

It’s actionable. We view MITRE ATT&CK™ through two different lenses: strategic and tactical. From a strategic perspective, it can be used as a part of a security program to assess risk, prioritize, or measure progress. Above all, it provides an actionable “punch-list” for building detection capabilities.

Why this matters: By taking a tactical approach and finding ways to identify the techniques outlined in the framework, our organization can meaningfully improve our ability to detect malicious activities.

It’s behavior focused. MITRE ATT&CK™ stood out most for us for its technique-focused approach in describing post-compromise behavior. Developing detection that identifies the behaviors of software or adversaries is challenging but a more durable form of detection.

Why this matters: Instead of detecting malicious software by hash, we can increase our ability to detect malicious software by describing a behavior of the software. Let’s use process injection as an example. In this case, attackers can swap out different software to inject their malicious code into a process, thwarting atomic indicator detection, but the underlying behaviors still exist. The same applies for people (attackers).

It’s risk informed. The decisions we make as a security organization are based on risk. From the order in which we triage and investigate alerts to the urgency of patches applied to the systems we engineer, we are continuously prioritizing based on risk. This approach works well when prioritizing a list of known alerts or to-dos, but does not help to identify or prioritize the tasks you do don’t know exist.

Why this matters: When it comes to detection, MITRE ATT&CK™ provides a straightforward way to identify gaps, and it contextualizes those gaps within the adversary’s lifecycle. It also helps to assess the risks of those gaps and ultimately inform better prioritization for our practitioners. The framework provides an intuitive mapping of higher level tactics and contains linkage and context to software used by adversaries and adversary groups, which aids in making additional connections and visualizing progress for leadership.

After using these elements to identify our path forward, we then tactically started improving our detection capabilities using MITRE ATT&CK™ as a punch-list. In part two of this series, we explore the steps we took, which we believe you can apply in your own organization.

Additional Insight from Pricewaterhouse Coopers (PwC): We have worked closely with our partners at PwC for over four years to build EDR service offerings for our customers. PwC has also provided more information about the application of the MITRE ATT&CK™ framework. They discuss how they leveraged Tanium Signal to enhance their detection capabilities and explain the importance of orchestration in building a strong EDR practice. Learn more by visiting the following links:

Signal the ATT&CK: Part 1

Signal the ATT&CK: Part 2

Interested in seeing Tanium in action? Schedule a one-to-one demo or attend our weekly webinar. Talk to our Tanium experts at our upcoming events.

About the Author: In his role as Principal Security Engineer with Tanium’s cybersecurity team, Mike Middleton focuses on security operations, threat detection, incident response and automation. Prior to joining Tanium, Mike worked for a hedge fund based in the northeast U.S., where he helped establish an external threat security program. Prior to that, Mike worked in professional services, where he conducted forensics and incident response investigations.