Security fragmentation is one of the biggest issues facing cybersecurity leaders today. The threat landscape is growing rapidly – there are now over 130 targeted, large-scale data breaches in America each year – yet no rules addressing threat actors and their operations exist. There isn’t even a common language in place, which makes discussing cyber-attacks almost as hard as stopping them.
There’s no doubt that experts can communicate among themselves, but security teams alone don’t prevent cyber-attacks. It takes companywide awareness and cohesion, as businesses are only as secure as their weakest link.
So, what happens when an attack does hit? Today over half of all breaches incorporate hacking, which means the bad guys are as sophisticated as they are numerous. To discuss, prepare for, and ultimately respond to these advanced attacks, organizations are moving towards cybersecurity frameworks – documents that outline the policies, procedures and processes to follow in the case of a breach.
MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, seems to be cementing its place as the leading cybersecurity framework in 2019. Using ATT&CK, it’s possible to identify security weaknesses before you find out the hard way.
When it comes to guidance on building detection and response programs, MITRE ATT&CK trumps traditional frameworks such as the Diamond Model, which lacks technical depth, and Lockheed Martin’s Cyber Kill Chain, which offers little from the attacker's perspective. At Immersive Labs, we believe to keep pace you need to learn like hackers – and this is where ATT&CK, which has a strong adversarial focus, can help.
Unlike defenders who must secure their entire surface of attack, hackers need to find just one weakness to penetrate a network. This first-mover advantage means that, historically, attackers have had control. However, ATT&CK is levelling the playing field with its numerous tactics, techniques and procedures (TTPs), which are based on real-world observation.
Thanks to this basis in real life, ATT&CK provides unrivalled detail regarding the ways threat actors can run an attack, starting with the initial access phase. It organizes the building blocks of an attack so that organizations can visualize exactly what adversaries could achieve on their network, making it easier to put relevant defenses in place. So, when a business identifies an attacker on its network, it has a ready-made list of responses for mitigation – meaning less time wasted filling in gaps.
One of MITRE ATT&CK’s biggest wins is that it can evaluate the capabilities of security technology. This means organizations can identify which tech covers the risks most relevant to them before splashing out. Alternatively, if their existing tech doesn’t cover a certain area, they can do something about patching that weakness – like upskilling staff.
ATT&CK can integrate with threat intelligence to drive security, too. When a new threat is discovered, for example, the categories in the framework enable security teams to respond or confirm current levels of protection.
While MITRE ATT&CK is primarily used to reduce cyber risk, it is also an excellent resource for cyber workforce development. At present many training programs and certifications teach skills that are not useful in the real world. Or perhaps the skills being taught are useful – but not to the organization paying the course graduate’s wages.
Immersive Labs maps its cyber skills content against the MITRE ATT&CK framework, which enables organizations to see where their staff are proficient and where they are lacking. This means managers can take a proactive approach to developing the skills of their security teams, as they can visualize their business’s risk profile.
A healthcare organization, for example, might be at high risk from a certain APT group. The organization’s security team would do their research into the tactics that said group were using, and then begin ticking off skills against the ATT&CK framework. Any key missing skills could then be developed through Immersive Labs. This is a focused way of learning that boosts the effectiveness of your cyber workforce.
We have some useful resources that can help you start using ATT&CK to measure, validate, and visualize the human capabilities in your organization. Our short eBook explains the framework and how it can be used to map tactics and techniques to skills. You can download it here.
If you’d rather see ATT&CK in action, Immersive Labs Lite has an example heatmap that you can explore for yourself.