As cyber threats are clearly multiplying, organizations must recognize that gathering threat intelligence is ineffective if organizations find it difficult to use the information. This is where the MITRE ATT&CK Framework comes in, helping security teams confidently and quickly take the appropriate actions to fend off attacks and protect themselves from future ones.
What is MITRE?
Used increasingly in diverse areas of cybersecurity, MITRE ATT&CK is a framework intended to systematically categorize TTPs (tactics, techniques, and procedures) of threat actors. It came about as companies needed more information about cyber threat typology to prepare better defenses. The best way to come up with this information was to group the knowledge already extracted from observations of other security players’ telemetry for events that already took place.
What happens to a company in one industry becomes relevant to similar organizations as behaviors can be studied and knowledge gaps and security blind spots can be addressed. The MITRE ATT&CK Framework gives them information about their preferred IoCs and IoAs, as well as the techniques, and tools they use.
There are three ways in which an organization can use the structured information of the framework, depending on the experience level of its security team. A basic level one team with limited resources can use the framework together with operational and tactical TI information as a threat actor library and draw conclusions as to the potential threats specific actors pose to the industry, why and how they target a specific geographic area, and how to try to avoid it.
A level two team, with more experienced cybersecurity analysts, could contribute to the framework and enhance existing information with conclusions drawn from their own experiences from internal incidents. This is how the database can be improved with real-world experiences. The information is processed by the organizations’ analysts, but also by the analysts using the framework once the data has been made available. It’s these conclusions, which may at times vary between professionals, that enrich the framework.
A level three team, with the most mature cyber experts, will not only be able to contribute with their own knowledge and internal reports to the framework, but they will be capable of building a strategic response to the identified threats as well. This manner of adding and helping process valuable information is what gives organizations a shot at keeping up with the dynamics of the cyberthreat landscape.
How does threat intelligence help?
Anyone who has ever encountered any form of threat intelligence solution knows that, once you pick a product, you are connected to a stream (more like a river) of information coming your way at certain time periods. This information needs to be filtered, made relevant, and then operationalized so it helps the organization protect against attacks. Threat data feeds may be massive, and simply going through this vendor-structured information would be a lot of work.
What the MITRE ATT&CK framework does for threat intelligence is that it finds a way in which the information is standardized and made digestible for all levels of security teams. It works well together with a library of threat actors, which all security teams = can browse through and prepare their defenses.
Even a Level 1 security team can use the framework and structured TI information, select their organization’s industry, and discover the threat actors targeting the industry in a specific area and how. This is valuable information that will allow even smaller organizations to set up ground-level defenses.
The second level of security experts have some analytical skills that will allow them to identify the behavior of threat actors who have previously targeted the organization, to research their behavior and translate it into a tactic, then associate it to a technique and include this information in the framework for the rest of the world to benefit from their conclusions as well.
How does the analyst benefit from it?
As with any other analytical tool, the more mature teams benefit the most from the information because they have their own impressive background to fall back on and know how to best react to the data and its context. However, keep in mind that this is a very dynamic environment that changes very rapidly.
More experienced teams will use the information from the framework to better implement their defenses and match the threat from the specific actors targeting their industry and location. It may sound accessible to someone who knows how to interpret the information, but it still takes a lot of time and focus -- some of the reports need to be read line by line, using the proper tools like highlighting tools or standard structure format tools. The information is well indexed and classified, but it’s how you use it and how you place it against the information from your internal reports, that is more time consuming.
Apart from giving the SOC team a clear view of external threats, the MITRE ATT&CK Framework can also give organizations an inward view and help analysts discover gaps in visibility and coverage. Security departments can better understand their own ability to react after they extract information on how other departments identify and contain threats.
Although Threat Intelligence is recognized as crucial to an organization’s cyber security and the MITRE ATT&CK Framework is seen as very useful in this respect, a 2021 study shows that only 8% of companies have used it. Why do so few turn to this valuable tool? Because the level of proactiveness when it comes to cybersecurity is still low. Another interesting piece of information from the same study shows that 84% of these users have not introduced their internal reports, thus failing to contribute to the enrichment of the data base.
Even so, the MITRE ATT&CK framework gives organizations detailed insights into observable patterns of threat actors’ behavior. With the right context, analysis and countermeasures, they could seal off many potential entry points into their system and eliminate a lot of vulnerabilities.
Learn more about Bitdefender's Advanced Threat Intelligence solution.