MITRE ATT&K and the Pyramid of Pain: An Introduction
Before we delve into the MITRE ATT&CK framework, I’d like to give a little context to set the stage. Though wheels are turning, much of cybersecurity is still mired in “tradition.” That is to say, analysts are reading reports, journals, academic papers, news stories, etc. Relevant data is then transferred to a database or stored in their personal biological hard drive, their head. All of this data is then transferred to written reports that are then given to consumers.
One of the key data points that these reports contain are lists of indicators. In this context, indicators are pieces of evidence that when connected with malicious or suspicious activity can point to a specific adversary group. Much the same way you might be able to point to the coworker who made a mess in the kitchen based on if the cupboard doors were left open versus coffee grounds not making it to the trash. We all have our own quirks and methods of operation, conscious or unconscious. However, not all indicators are created equal when it comes to cybersecurity and parsing/vetting them from massive volumes of text can be time consuming. In his blog post “Pyramid of Pain,” David Bianco rates and explains different indicators and the ease with which malicious actors can adapt if a specific indicator becomes compromised. The pain in this pyramid is the amount of pain a cybersecurity professional can cause an adversary by neutralizing a specific indicator. Blocking a specific IP Address might cause a momentary grimace, but if you understand the tactics, techniques and procedures of an adversary and respond “quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors.”
So moral of the story: blocking an IP Address or Domain Name are all well and good, but that’s a never-ending game of whack-a-mole. If you really want to throw a wrench in the gears of a malicious actor’s game-plan, go after their tools and methods.
Now enter: MITRE ATT&K.
What’s the 4-1-1?
MITRE ATT&K is a knowledge base created in 2013 that seeks to document adversarial groups along with their tactics, techniques and goals using a standardized methodology and vocabulary. It’s meant to be used by both offensive and defensive cybersecurity professionals to recognize gaps in their defenses, link abnormal behavior to possible attack techniques, simulate attacks and possible counters, and enhance their cyber threat intelligence. Of course, the previous list is not exhaustive. MITRE ATT&K is a tool used to augment and guide an enterprise’s already existing security infrastructure and practices.
Let’s get into the (high-level) details.
The current MITRE ATT&K framework contains documentation of 129 adversarial groups, a list of 188 techniques along with 379 sub-techniques used by these groups, and 14 tactics or the threat actor’s objective. The techniques are arranged under a corresponding tactic within a specified matrix. Clicking on a technique leads to a detailed breakdown of the technique and possible methods of mitigation. Further investigation of procedures within a technique leads to a list of known adversary groups that have used that specific technique. You could also look at a specific group to understand their currently known methods. Besides being an excellent resource, MITRE ATT&CK has great potential for anyone wishing to spend a lunch hour falling into rabbit holes.
How can MITRE ATT&CK be used effectively?
Using MITRE ATT&CK is most beneficial when a cybersecurity framework is already in place and well-established within an organization. ATT&CK should be used to augment this framework and provide quality intelligence that can be acted upon when red teaming, looking for defensive gaps, assessing your SOC’s effectiveness, and organizing suspicious activity. Of course, as always, context is absolutely key. Evaluating the threat of every single technique would be an extreme waste of resources, and one of the greatest benefits to MITRE ATT&CK is the insight it provides into how attackers work based on the vulnerabilities in the environment they’re attacking. An organization’s existing framework should already have a detailed map of its infrastructure and attack surfaces. If not, an all-in-one vulnerability management platform like TOPIA can help you map all of the endpoints, applications, and OSes your organization contains along with their contextual risk. But once the mapping has been done and the context understood, a cybersecurity team can cross-reference high-risk areas or attack susceptibilities with MITRE ATT&CK in an effort to summarily route would-be attacks and dish out some pain.
Are there any drawbacks?
Perhaps the largest challenge right now with using MITRE ATT&CK is its size and complexity. Given the current list of 188 techniques and 378 sub-techniques, mapping this data to an already existing system is daunting, especially for a field experiencing a dearth of prospective workers. There also appear to be some inconsistencies and organizational shortcomings in the framework according to SCIP, a German cybersecurity company. Also, according to a study done by McAfee and UC Berkeley Center for Long-term Cybersecurity, “Nearly half of respondents find it challenging to use MITRE ATT&CK because of a lack of interoperability with their security products” even though an estimated 80% of enterprises say they use the framework. Looking at the above issues, it would seem that automation is absolutely required to use ATT&CK effectively.
In conclusion…
It seems that MITRE ATT&CK is waiting for the right bit of leverage to push cybersecurity into a new direction. A direction that could possibly allow a cascading automatization of security responses to increasingly complex and unorthodox threats. Of course, in this ever-evolving arms race of cybersecurity and malicious actors, there is not a silver bullet solution or mithridate that will eliminate the need for a strong and synergistic IT and security infrastructure. The real solution is much more complex and requires a mix of platforms for a robust and secure digital infrastructure. One of these platforms could be TOPIA. TOPIA is a lightweight, all-in-one vulnerability management system that offers easy-to-use patch management, team management, an intuitive user-interface and simple yet powerful automation possibilities.
Resources:
https://attack.mitre.org/matrices/enterprise/
https://attack.mitre.org/groups/
https://medium.com/mitre-attack/using-att-ck-to-advance-cyber-threat-intelligence-part-2-6f21fdba80c
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
