MITRE ATT&CK: The Magic of Mitigations
That “aha!” moment doesn’t usually happen right away.
When learning something new, we sometimes need to slow down and take it all in. For me, understanding MITRE ATT&CK was like this. Sure, the idea of thinking like an attacker made sense, and the structure of the framework was clear. Then came the “now what?” moment.
I soon discovered the key to getting started. May I share it with you?
ATT&CK Essentials
ATT&CK is short for Adversarial Tactics, Techniques, and Common Knowledge. For years, MITRE researchers have been cataloging the tactics, techniques, and procedures (TTPs) used by real-world attackers. The result is the ATT&CK Matrices: a comprehensive knowledge base and a common language for describing adversary behavior.
It’s a distinctive approach, roughly the inverse of control-oriented best practices like the NIST Cybersecurity Framework or the CIS Controls. For example, rather than saying “protect against email threats,” ATT&CK describes how attackers send spearphishing emails carrying URL-shortened links designed to trick people. The emails look legitimate, and the shortened links disguise the true destination. When a user clicks, the page behind the link either exploits the browser (a drive-by compromise) or goes after the user directly, for example by harvesting credentials. See how ATT&CK differs? It starts by showing how attackers actually behave.
Getting Started with ATT&CK
It seems I’m not alone in wondering how to begin. MITRE has several resources available to help: a blog series, an eBook, a philosophy paper. I’m being a bit facetious here, but maybe they need a Getting Started Guide for getting started.
One common suggestion is to focus on one Tactic at a time. In the Enterprise Matrix there are just 12 of them. But complexity grows as soon as you drill into the Techniques and Sub-Techniques associated with each one, and grows again when you drill into the Procedure examples. 156 Techniques and 272 Sub-Techniques, anyone? I haven’t even tried counting the Procedures. Sheeeesh. (Those counts are from the ATT&CK release current when this was written; every release adds to them, and later versions of the Enterprise Matrix have 14 Tactics.)
But here’s the thing.
Despite the long list of Tactics, Techniques, and Procedures, nearly all of them lead back to a relatively short, finite list of ATT&CK Mitigations. Mitigations are the “what to do” about the TTPs. Enterprise ATT&CK has just 41. One caveat a practitioner should know: a handful of techniques, mostly in Discovery, carry no Mitigation at all because they abuse legitimate system features; ATT&CK says so on the technique page, and those are detection problems rather than prevention problems. For everything else, Mitigations are the key.
The Magic of Mitigations
So, if you’re just getting started with ATT&CK, I strongly recommend looking at Mitigations first. You can assess your program against them and discover your weaknesses. Then you can also discuss your priorities with vendors who speak ATT&CK.
After all, it’s easier to have a conversation about the need to “Restrict Web-Based Content” than it is to ask a litany of questions like, “how do you prevent someone from stealing an application access token? And how do you stop a drive-by compromise?” Both of those techniques map to that single Mitigation.
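The mapping the last two paragraphs lean on is far more useful once you can query it. The following is an added example, written for this page and not Cisco’s or MITRE’s own code, that runs a small defensive gap assessment over the format Enterprise ATT&CK is published in: a STIX 2.x bundle in which Mitigations are `course-of-action` objects, Techniques are `attack-pattern` objects, and the link between them is a `relationship` with `relationship_type == "mitigates"`. It builds the mitigation-to-technique table, ranks Mitigations by how many Techniques they address, and, given the Mitigation IDs you have implemented, reports which Techniques are covered, which are still open, and which have no Mitigation at all. The bundle it runs on is a constructed miniature: the technique and mitigation names and IDs are real, the STIX UUIDs are generated here, and the few `mitigates` links are illustrative and should be checked against the live `enterprise-attack.json` from MITRE’s attack-stix-data repository rather than treated as complete.

```python
"""Defensive gap assessment over ATT&CK's mitigation -> technique mapping.

Enterprise ATT&CK ships as a STIX 2.x bundle (enterprise-attack.json).
Mitigations are `course-of-action` objects, Techniques/Sub-techniques are
`attack-pattern` objects, and a `relationship` object with
relationship_type "mitigates" joins them.  SAMPLE_BUNDLE below is a
constructed miniature with the same shape, not the real file.
"""
import uuid
from collections import defaultdict


def _attack_id(obj):
    """ATT&CK external ID of a STIX object, e.g. 'T1189' or 'M1021' (None if absent)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def _is_live(obj):
    """The real bundle keeps revoked/deprecated objects for history; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def load_mapping(bundle):
    """Return ({mitigation_id: {technique_ids}}, {all live technique_ids})."""
    by_stix_id = {o["id"]: o for o in bundle["objects"]
                  if o["type"] != "relationship" and _is_live(o)}
    techniques = {_attack_id(o) for o in by_stix_id.values()
                  if o["type"] == "attack-pattern"}
    mitigates = defaultdict(set)
    for rel in bundle["objects"]:
        if (rel["type"] != "relationship"
                or rel.get("relationship_type") != "mitigates"
                or not _is_live(rel)):
            continue
        src = by_stix_id.get(rel["source_ref"])
        dst = by_stix_id.get(rel["target_ref"])
        if src is None or dst is None:
            continue  # dangling link to a revoked/deprecated object
        mitigates[_attack_id(src)].add(_attack_id(dst))
    return dict(mitigates), techniques


def rank_mitigations(bundle):
    """Mitigations ordered by how many live techniques they address (most first)."""
    mitigates, _ = load_mapping(bundle)
    return sorted(((m, len(ts)) for m, ts in mitigates.items()),
                  key=lambda pair: (-pair[1], pair[0]))


def gap_assessment(bundle, implemented):
    """Split live techniques by the set of mitigation IDs you have implemented.

    covered     - at least one implemented mitigation addresses the technique
    gaps        - ATT&CK lists a mitigation, but none of them is implemented
    detect_only - ATT&CK lists no mitigation; this needs detection, not prevention
    """
    mitigates, techniques = load_mapping(bundle)
    mitigable = set().union(*mitigates.values())
    covered = set().union(*(mitigates.get(m, set()) for m in implemented))
    return {"covered": sorted(covered),
            "gaps": sorted(mitigable - covered),
            "detect_only": sorted(techniques - mitigable)}


# --- constructed sample data: real ATT&CK names/IDs, made-up STIX UUIDs ----------

def _obj(stix_type, attack_id, name, **extra):
    stix_id = f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_URL, attack_id)}"  # constructed
    return {"type": stix_type, "id": stix_id, "name": name,
            "external_references": [{"source_name": "mitre-attack",
                                     "external_id": attack_id}], **extra}


def _mitigates(src, dst):
    return {"type": "relationship", "relationship_type": "mitigates",
            "source_ref": src["id"], "target_ref": dst["id"]}


M1021 = _obj("course-of-action", "M1021", "Restrict Web-Based Content")
M1050 = _obj("course-of-action", "M1050", "Exploit Protection")
M1017 = _obj("course-of-action", "M1017", "User Training")
T1189 = _obj("attack-pattern", "T1189", "Drive-by Compromise")
T1528 = _obj("attack-pattern", "T1528", "Steal Application Access Token")
T1566_002 = _obj("attack-pattern", "T1566.002", "Spearphishing Link",
                 x_mitre_is_subtechnique=True)
T1082 = _obj("attack-pattern", "T1082", "System Information Discovery")  # no mitigation
T1192 = _obj("attack-pattern", "T1192", "Spearphishing Link (pre-v7)", revoked=True)

SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    M1021, M1050, M1017, T1189, T1528, T1566_002, T1082, T1192,
    _mitigates(M1021, T1189), _mitigates(M1021, T1528), _mitigates(M1021, T1566_002),
    _mitigates(M1050, T1189),
    _mitigates(M1017, T1566_002), _mitigates(M1017, T1528),
    _mitigates(M1021, T1192),  # stale link to the revoked technique; must be ignored
]}

if __name__ == "__main__":
    print(rank_mitigations(SAMPLE_BUNDLE))
    print(gap_assessment(SAMPLE_BUNDLE, {"M1050"}))
```

To run this against the real data, load `enterprise-attack.json` with `json.load` and pass the resulting dict in place of `SAMPLE_BUNDLE`; the revoked/deprecated filtering matters there, because the live bundle still contains old technique IDs (such as T1192, replaced by T1566.002 in v7) and old `mitigates` links that point at them.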
That’s exactly why, here at Cisco, we’ve mapped our capabilities to ATT&CK Mitigations. Once you’ve looked through the list of Mitigations and determined your priorities, chances are you’ll need security products and services to help you close the gaps.
And there you have it: the magic of Mitigations is the key to getting started with ATT&CK.
ATT&CK Techniques and Procedures are useful for deeper conversations.
If you’ve already discovered MITRE’s Use Cases, you can probably tell that I’ve focused this entire discussion on Defensive Gap Assessment. I assumed that’s the reason you’re interested in ATT&CK too. But maybe I’m wrong.
There is a lot of value beyond mitigation, so don’t forget the detail. If you’re interested in the other use cases, like Adversary Emulation and Red Teaming, ATT&CK’s TTPs will be incredibly valuable to you. Check out this post from Security Research Lead Tim Brown for more on ATT&CK for threat intelligence, modeling, and hunting.
At Cisco, we know MITRE ATT&CK, we know our solutions, and we can answer the technical questions you have. Just ask us. We’re here to help.
Find out more at www.cisco.com/go/cyberframeworks