In my previous blog posts I’ve talked about the NIST CSF, and then I talked about another framework from the non-profit Center for Internet Security (CIS), which has a smaller set of controls to help companies and organizations secure their environment.
I promised at the end of that post that I would talk about the MITRE ATT&CK framework. But first—because I am sure some of you asked—I’ll tackle the questions: who is MITRE and what does ATT&CK mean?
MITRE is a non-profit organization that manages federally funded research and development centers that develop tools and research issues for various U.S. agencies, like aviation, healthcare, DHS, and others. ATT&CK is a framework that helps cybersecurity teams—both red and blue—figure out how threat actors gain access to computers and systems and what they do when they gain access.
ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge.
Think of it as a playbook that an adversary uses to break into your mobile phone, tablet, computer, or computer system. The ATT&CK framework is like having your opponent’s playbook in a football game. Every organization has limited resources and knowing where to focus your attention helps you utilize your resources most effectively. The framework is free and was first published in 2015, so it is well known in cybersecurity circles.
Here is an example of how to use it:
Imagine you are a nonprofit that supports human rights and because of what you do, you will be targeted by certain threat actors. As a non-profit, you have few resources to devote to cybersecurity, so you search ATT&CK for malicious actors who target organizations like yours and see what techniques they tend to use. The ATT&CK index identifies malicious actors and who they tend to attack. In your search of the ATT&CK site you see that APT18 (targets human rights groups and tends to focus on External Remote Services, like a VPN or a Citrix server rather than phishing emails to gain access to computer systems.
As you review one of the techniques APT18 uses, you find Technique T1133 and read the ways to mitigate that threat.).
You can now focus your limited resources on mitigation techniques for remote services to help block that threat actor.
If you look at APT18, you’ll see that they tend to use eleven techniques to gain access and ATT&CK has those techniques identified and how to mitigate those threats. The framework is useful for beginner, intermediate, and advance security teams because it has the technical depth to grow and mature your security posture.
If you are just starting your cybersecurity journey you will quickly discover that you need to log what is happening on your network and on your computers and systems in order to know what to look for and where. Are you looking for malicious network traffic or unusual activity on your mobile devices and Windows and Mac computers? Are you checking your firewall logs, your antivirus logs, and your system event logs for suspicious activity? If you are not logging that information in a central server you will have a hard time finding the threats to or on your network.
I’ll talk about getting all those log files together so you can go searching in my next blog post.
Need help with your cyber defense? Contact the CBTS cybersecurity team today.
Read more from CBTS Consulting CISO John Bruggeman: