MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a powerful tool for improving cyber defense by creating a smarter security operations center (SOC).
The MITRE ATT&CK framework creates a categorized list of all known attack methods, and marries each method with:
The threat intelligence groups that are known to utilize these attack methods
Unique methods used by malicious actors in implementing the attacks
Mitigations and detection methods for preventing or identifying attacker techniques
Why is this so significant to your security operations center?
In a nutshell, cybersecurity teams can now assess their organizations’ cyber defenses against the MITRE ATT&CK’s body of knowledge – and use this information in decision-making related to developing their security operations center strategy.
Fundamentally, by leveraging the information in the MITRE ATT&CK to support agile use case development, organizations can better protect themselves from cyber attacks. Let’s have a look at how this works, and then talk about how we’re leveraging the framework at Coro to better protect ourselves and our customers.
What is the MITRE ATT&CK?
The MITRE ATT&CK framework provides organizations with a way to develop, organize, and use a threat-informed defensive strategy that can be communicated in a standardized way.
The goal of the MITRE ATT&CK is to be a living dataset that is continuously evolving – updated with new threat information on a continual basis. It is a framework that organizes known cyber threats, and categorizes the activities of malicious actors in terms of their tactics, techniques, and procedures (TTPs).
A tactic is an adversary’s intrusion goal, and a technique is a specific method identified by MITRE for achieving that goal. For example: Privilege Escalation is listed as a tactic, while AppCert DLLs is a technique used to achieve it.
For each technique listed in the MITRE ATT&CK, the following information is provided:
An identifier
Tactic that it’s associated with
Platform it’s applicable to
System or permission requirements
Defense strategies bypassed
Data sources that identify use of the technique
Mitigations and detection methods
Note that MITRE recently changed how the framework is organized with the introduction of sub-techniques. The addition of sub-techniques enables even more granular tracking within vendor tools, use cases, and detection analytics.
How the MITRE ATT&CK Improves Security Operations
Using the MITRE ATT&CK, organizations can perform evaluations that are both external-facing and inward-looking, such as:
Threat intelligence mapping – This external-facing assessment is the primary use of the ATT&CK framework. Listing attackers’ TTPs in a structured and usable way is a useful resource for threat intelligence teams, enabling threat-informed cyber defense. The assumption is that it is possible to predict an attacker’s future behavior based on past observed TTPs – and having this information listed in a structured way (with supporting details) is useful for both cyber defenders and threat intelligence teams.
Data source gap identification – The next common use for ATT&CK is an inward-looking assessment. Each technique in the ATT&CK is listed together with information on how to identify, detect, and mitigate that technique. By programmatically extracting the data source information for the techniques that are of interest and comparing it with the data your organization actually collects, you can highlight its visibility gaps. ATT&CK lets you focus on what data is missing and gain a more measurable understanding of your organization’s ability to defend itself.
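The data source gap identification described above, worked through over the per-technique fields listed earlier (identifier, tactic, data sources). This is an added example, not Coro’s or MITRE’s code: it reads a constructed, minimal STIX bundle that uses the field names of the real enterprise-attack.json (attack-pattern objects, external_references, kill_chain_phases, x_mitre_data_sources, revoked, x_mitre_deprecated), and the technique entries other than the AppCert DLLs identifier are sample values.

```python
import json

# Constructed, minimal ATT&CK-style STIX bundle. Field names follow the real
# enterprise-attack.json layout; the entries and data sources are samples.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "AppCert DLLs",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1546.009"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "x_mitre_data_sources": ["Windows Registry: Windows Registry Key Modification",
                              "Module: Module Load", "Process: OS API Execution"]},
    {"type": "attack-pattern", "name": "Sample Credential Technique",  # placeholder id
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "x_mitre_data_sources": ["Process: OS API Execution", "Command: Command Execution"]},
    {"type": "attack-pattern", "name": "Old Technique", "revoked": True,  # must be skipped
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999.002"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "x_mitre_data_sources": ["Command: Command Execution"]},
    {"type": "relationship", "relationship_type": "uses"},  # not a technique, ignored
]})

# Data sources the (constructed) organisation actually collects today.
COLLECTED = {"Process: OS API Execution", "Command: Command Execution"}


def load_techniques(bundle_json):
    """Return active techniques as {id, name, tactics, data_sources}, skipping revoked/deprecated ones."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ids = [r["external_id"] for r in obj.get("external_references", [])
               if r.get("source_name") == "mitre-attack"]
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        out.append({"id": ids[0], "name": obj["name"], "tactics": tactics,
                    "data_sources": set(obj.get("x_mitre_data_sources", []))})
    return out


def gap_report(techniques, collected, tactic=None):
    """Per technique (optionally one tactic): which required data sources are missing, and coverage 0..1."""
    report = {}
    for t in techniques:
        if tactic and tactic not in t["tactics"]:
            continue
        missing = t["data_sources"] - collected
        total = len(t["data_sources"])  # some real techniques list no data sources at all
        report[t["id"]] = {"name": t["name"], "missing": sorted(missing),
                           "coverage": round(1 - len(missing) / total, 2) if total else 0.0}
    return report


def blind_spots(report):
    """Technique ids for which none of the required data sources is collected: zero visibility."""
    return sorted(tid for tid, r in report.items() if r["coverage"] == 0.0)
```

Run against the full enterprise-attack.json and your real list of collected data sources, the same three functions give the tactic-by-tactic visibility gaps the text refers to.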
How Coro Leverages the MITRE ATT&CK
At Coro, the MITRE ATT&CK framework provides us with the ability to work closely with our customers in improving their security posture effectively in several important ways:
Visibility into what matters – ATT&CK creates a map that makes it very easy to see, visually, where an organization is protected and where the vulnerable areas are. By combining the known threat techniques from the MITRE ATT&CK framework and our own investigations into the clear, deep, and dark web for unknown threats, Coro is helping security teams discover high-risk vulnerabilities and prioritize remediation.
Collaboration – ATT&CK allows Coro to work collaboratively with our customers. As part of our hybrid engagement model, we work as an extension of our customers’ teams to define a target response window that is aligned to their acceptable level of risk, baseline their detection gaps against the MITRE ATT&CK framework, and continuously tune their detection and response controls to measurably reduce risk. Because our customers’ security capabilities are mapped to ATT&CK, Coro can see exactly where the problems are and work effectively to improve their security posture.
Continuous improvement – ATT&CK provides an extensive knowledge base of threat-based information that is continuously being updated. The constantly-evolving nature of threats can make it difficult for security teams to update their defenses quickly before a vulnerability is exploited. Coro maps its extensive library of use cases and playbooks (called a Use Case Factory) to the MITRE ATT&CK framework to continuously reduce detection gaps and automate responses to threats. Together with our customers, the ATT&CK framework helps Coro’s team identify the security gaps that are most significant, from a risk perspective, and prioritize which use cases should be developed first.
Thus, by using the MITRE ATT&CK, Coro gains greater visibility and ensures that new use cases are aligned accurately with specific threats that are putting both our organization and customers at the greatest risk.