The MITRE ATT&CK framework is a tool created by the MITRE Corporation, a U.S. government federally funded research and development center (FFRDC). On July 8th, 2020, MITRE released a major update that restructured the information provided within the framework.

What’s New in MITRE ATT&CK?

Before the most recent update, the MITRE ATT&CK framework had two layers of classification: tactics and techniques. Tactics mapped to a particular stage in the cyberattack lifecycle, while techniques described a particular means of accomplishing a specific tactic.

While this structure makes it easy to understand various methods of accomplishing a particular stage of the cyberattack lifecycle, and it made MITRE ATT&CK one of the most actionable cybersecurity references available, large amounts of information were still lumped together under a single technique. For example, the Credential Dumping technique included eight different sources of user credentials within a single technique.

The recent update to the ATT&CK framework addresses this issue with the introduction of sub-techniques. Each technique contains zero or more sub-techniques, which describe the unique ways in which particular techniques (e.g. Credential Dumping) can be used to achieve the overall goal of the associated tactic (e.g. Credential Access).

Operational Impacts of the Updated Framework

This new structure provides additional visibility into all of the different means of accomplishing a particular stage of the cyberattack lifecycle. Additionally, organizations may find the increased granularity to be helpful in defining the final scope of their security programs. For example, the Initial Access and Execution tactics have nine and ten techniques respectively, making it appear that an effort to achieve full coverage of the two carries relatively equal complexity. However, with the introduction of sub-techniques, Execution has 23 sub-techniques, compared to Initial Access’s 16 sub-techniques.

Leveraging the Updated MITRE ATT&CK

In a previous blog post, we discussed how the MITRE ATT&CK framework can be operationalized by using it to inform the creation of SIEM detection rules. By using potential tactic and technique information, an organization can develop custom alerts that inform SOC analysts if an attacker on the network takes any of the actions required to achieve their final objectives.

The updates to the MITRE ATT&CK framework do not change how the framework can be used, but instead make these activities easier to plan, scope, perform, and evaluate. Clear delineation between distinct sub-techniques eliminates the confusion that arose from having all of them included on a single page, subsequently creaeting a clearer and more manageable framework.

How MorganFranklin Can Help

The MITRE ATT&CK framework is interesting from a purely theoretical standpoint; however, its real value originates from its ability to support an organization’s defensive efforts. By combining threat descriptions from the MITRE ATT&CK framework with the knowledge of an organization’s unique environment, a company can identify likely attack vectors and decrease the probability that a cyberattack goes unnoticed or succeeds.

MorganFranklin advisors have extensive experience in mapping theoretical tools, like the MITRE ATT&CK framework, to an organization’s real-world environment. They can help with the identification of overlooked attack vectors, the development of remediation strategies, and the creation of custom detection rules that ensure cyber threats are rapidly detected and remediated.