In this week’s Whiteboard Wednesday, Eric Sun, Senior Solutions Manager for Incident Detection and Response, runs through the MITRE ATT&CK™ framework in under 4 minutes. Learn what MITRE ATT&CK™ is, how your security team can use it, and how it’s changing the mindset for blue teams around the world around “Assume Breach.” Understand how the three parts of the framework—pre-ATT&CK, ATT&CK, and Mobile—come together to form an attack chain that allows blue teams to build a more effective security system.
Welcome to this week's Whiteboard Wednesday. Today we're talking all about MITRE ATT&CK™. What it is, how your security team can use it, and how it's helping drive a larger mindset shift for blue teams all around the world for Assume Breach. I'm Eric Sun. Part of the Detection Response Team here at Rapid7.
So first off, who is MITRE? MITRE is a non-profit organization that does work with private industry and the U.S. government and their mission is to solve problems to make the world a safer place. They've done a ton of work around counter-terrorism, bank fraud, and certainly cybersecurity. Many of us are familiar with MITRE for helping maintain the common vulnerabilities and exposures, or CVE, list: super valuable input for vulnerability management technology around the world.
MITRE ATT&CK™ consists of three matrices. pre-ATT&CK, ATT&CK, and Mobile. Together they comprise an end-to-end ATT&CK chain filled with all of the successful techniques that adversaries use to breach organizations. And so while the concept of an attack chain is not new, the visibility into the confirmed techniques really provides information to blue teams that previously was only reserved for elite incident responders or otherwise classified information.
And so it starts with initial reconnaissance and scouting out the delivery mechanism, whether it be phishing or malware with pre-ATT&CK and then once the adversary has internal access to the network, certainly that privilege escalation, lateral movement, data infiltration and ending with command and control.
So the reason that this is valuable for blue teams is that you can map this against your current detection and data collection in your environment. And so a lot of teams are taking this even a step further by emulating, for example, advanced persistent threats and seeing the true risk of these techniques in their internal environment. The thing to consider is that MITRE ATT&CK™ is very focused on protecting the internal network for compromise. So if you also have to monitor, for example, infrastructure-as-a-service or web applications, you should prioritize the techniques you're going to monitor for and simulate accordingly to really match with the most frequent threats to your organization.
But perhaps the most valuable point is that MITRE ATT&CK™ isn't just a list of techniques. We've all heard the adage, "It's not if a company is going to get breached, but when." And so that FUD-dy phrase really takes on new meaning when we have really good information on the adversary groups, what techniques they are likely to use, and what they're going to do once they're on the internal network. And so instead of thinking an attacker only needs to be right once to successfully get in and breach a company, instead we can flip it on it's head by the attacker only needs to slip up or get detected once for the blue team to detect, contain, and ultimately eradicate that threat from the environment.
So this community led initiative is really shedding a ton of great visibility into confirmed attacks, techniques that adversaries are using every day. So that's a brief overview of MITRE. If you'd like to learn more, certainly check out their Wiki. ATT&CKcon concluded recently. All of those sessions are available for streaming on YouTube. Ton of great content and if you're looking at detection response for your organization, check out Rapid7's detection focused sim InsightIDR, as well as our 24/7 managed detection response service.
That's it for this week's Whiteboard Wednesday. Catch you at the next one.
Form a faster, more unified incident detection and response plan. Try InsightIDR–free for 30 days.Try Now
Learn how to choose a detection and response provider, and what services Rapid7 has to offer to help evaluate your plan.Learn More