What’s New in MITRE ATT&CK?
Before the most recent update, the MITRE ATT&CK framework had two layers of classification: tactics and techniques. Tactics mapped to a particular stage in the cyberattack lifecycle, while techniques described a particular means of accomplishing a specific tactic.
While this structure makes it easy to understand various methods of accomplishing a particular stage of the cyberattack lifecycle, and it made MITRE ATT&CK one of the most actionable cybersecurity references available, large amounts of information were still lumped together under a single technique. For example, the Credential Dumping technique included eight different sources of user credentials within a single technique.
The recent update to the ATT&CK framework addresses this issue with the introduction of sub-techniques. Each technique contains zero or more sub-techniques, which describe the unique ways in which particular techniques (e.g. Credential Dumping) can be used to achieve the overall goal of the associated tactic (e.g. Credential Access).
Operational Impacts of the Updated Framework
This new structure provides additional visibility into all of the different means of accomplishing a particular stage of the cyberattack lifecycle. Additionally, organizations may find the increased granularity to be helpful in defining the final scope of their security programs. For example, the Initial Access and Execution tactics have nine and ten techniques respectively, making it appear that an effort to achieve full coverage of the two carries relatively equal complexity. However, with the introduction of sub-techniques, Execution has 23 sub-techniques, compared to Initial Access’s 16 sub-techniques.
Leveraging the Updated MITRE ATT&CK
In a previous blog post, we discussed how the MITRE ATT&CK framework can be operationalized by using it to inform the creation of SIEM detection rules. By using potential tactic and technique information, an organization can develop custom alerts that inform SOC analysts if an attacker on the network takes any of the actions required to achieve their final objectives.
The updates to the MITRE ATT&CK framework do not change how the framework can be used, but instead make these activities easier to plan, scope, perform, and evaluate. Clear delineation between distinct sub-techniques eliminates the confusion that arose from having all of them included on a single page, subsequently creaeting a clearer and more manageable framework.