In 2013, MITRE created the ATT&CK framework to give security practitioners a shared language for the tactics, techniques, and procedures (TTPs) employed by advanced persistent threat (APT) groups. The result is a knowledge source that provides valuable threat information, allowing teams to take a proactive approach in identifying and mitigating potential cybersecurity threats.
Though the framework is widely used, most organizations struggle to effectively utilize it. This is due in part to the extensiveness of the framework, the ever-increasing attack surface, limited team bandwidth, and the hurdles that come with trying to balance discovery and remediation.
In this new blog series, we’ll explore the intersection of BAS and MITRE ATT&CK, including how the two tools complement each other, what common use cases they support, and more. In today’s post, we’ll discuss the challenges security teams often face when attempting to utilize the ATT&CK framework and how breach and attack simulation (BAS) can help.
Stay tuned for Part 2, where we dive into use cases, or download the full whitepaper now: Getting Started with the MITRE ATT&CK® Framework and SafeBreach.
The Challenge of Operationalizing MITRE ATT&CK
As of version 12, ATT&CK includes 14 tactics, 193 techniques, and 401 sub-techniques. While this scope makes it difficult to scale across an organization’s network, it isn’t the only barrier for organizations attempting to incorporate ATT&CK into their security programs.
Leveraging ATT&CK requires resources and expertise.
To be effective, implementing the framework takes a significant amount of time—and that’s not counting the expertise required to do so. With security teams already stretched thin in their efforts to secure the growing attack surface, most organizations can’t spare the time, talent, or budget necessary to enable full and effective use of the MITRE ATT&CK framework.
No two organizations’ needs are the same.
What’s more, following ATT&CK guidance without taking into account an organization’s specific security controls and policies can end up being a waste of valuable time. Teams may end up guarding against threats that are unlikely to materialize or even those that they have already effectively mitigated. Knowing where to start and what aspects of the framework will provide the most benefit based on an organization’s security environment can be a challenging hurdle.
Conflicting priorities can lead to reduced efficacy.
Even when an organization can effectively customize attacks to their specific environment, prioritization can create confusion and conflict. For example, when a team exposes a security gap using ATT&CK TTPs, they must then decide if it is better to remediate or continue testing the TTPs for threats that may be more pressing. Once a remediation is complete, security teams must then decide whether to rerun tests to ensure the security gap is resolved or focus their efforts elsewhere. This constant shuffling may mean that the team is doing a lot of work, with little to show in the way of tangible results.
Want to learn more about how to use BAS and ATT&CK? Check out our webinars.
Leveraging Breach and Attack Simulation (BAS) to Make MITRE ATT&CK More Effective
Breach and attack simulation is an automated solution that safely runs real-world attacks against an organization’s own IT environment in order to test its resilience. Through a BAS platform’s detailed analysis and reporting, teams can identify and communicate what gaps exist in the organization’s security controls and take meaningful steps to close them.
The right BAS tool can not only help defenders test against ATT&CK TTPs, but can also help security teams quickly prioritize and customize the attacks based on an organization’s specific needs, continually re-run tests to validate remediations, and reduce overall workload to allow them to focus on other pressing needs.
Accelerate the team’s approach and reduce manual steps.
BAS tools give your team an automated platform that can intelligently scale to the size of your organization’s network. Security teams can reduce the time spent running manual tests by leveraging BAS to continuously validate all deployed defenses against the attacker TTPs listed in MITRE ATT&CK. This includes the ability to simulate advanced threats, quickly identify security gaps arising from security control misconfigurations, and easily execute a full kill chain attack.
Measure the impact of the team’s efforts.
One of the key benefits of a BAS platform is its ability to aggregate and visualize attack simulation data into customizable dashboards and reports that can be used to carry out performance analyses based on specific tactics and techniques, including those found in MITRE ATT&CK.
With SafeBreach, you can even leverage pre-built MITRE dashboards. These visualize simulation results and MITRE-level mitigation and detection guidance, so security practitioners can quickly understand gaps, communicate with key stakeholders, and take meaningful action to reduce mean time to detect or discover (MTTD) and mean time to respond (MTTR).
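The aggregation described above, reduced to its essentials: the example below is added here and is not SafeBreach code or the output of any BAS platform. It takes a constructed list of simulation results (real ATT&CK technique IDs, invented outcomes), rolls them up per technique and per tactic, builds a remediation queue from the miss rate, and emits a dictionary shaped like an ATT&CK Navigator layer so the gaps can be visualised on the matrix. The outcome vocabulary (blocked / detected / missed), the threshold, and the version fields in the layer are assumptions.

```python
"""Aggregate constructed BAS simulation results by ATT&CK tactic/technique.

Each result is (technique_id, tactic, outcome), where outcome is one of
"blocked" (prevented), "detected" (ran but alerted) or "missed" (no signal).
"""
from collections import defaultdict
from dataclasses import dataclass
import json

# Constructed sample results: the technique IDs are real ATT&CK IDs, the
# outcomes are invented for illustration only.
SAMPLE_RESULTS = [
    ("T1059.001", "execution", "blocked"),
    ("T1059.001", "execution", "detected"),
    ("T1059.003", "execution", "missed"),
    ("T1003.001", "credential-access", "missed"),
    ("T1003.001", "credential-access", "missed"),
    ("T1055", "defense-evasion", "detected"),
    ("T1021.002", "lateral-movement", "blocked"),
    ("T1021.002", "lateral-movement", "missed"),
    ("T1048", "exfiltration", "blocked"),
]


@dataclass
class TechniqueStats:
    tactic: str
    blocked: int = 0
    detected: int = 0
    missed: int = 0

    @property
    def total(self):
        return self.blocked + self.detected + self.missed

    @property
    def miss_rate(self):
        return self.missed / self.total if self.total else 0.0


def aggregate(results):
    """Return {technique_id: TechniqueStats} from (id, tactic, outcome) rows."""
    stats = {}
    for tid, tactic, outcome in results:
        if outcome not in ("blocked", "detected", "missed"):
            raise ValueError(f"unknown outcome {outcome!r} for {tid}")
        entry = stats.setdefault(tid, TechniqueStats(tactic=tactic))
        setattr(entry, outcome, getattr(entry, outcome) + 1)
    return stats


def tactic_summary(stats):
    """Per-tactic share of simulations that were blocked / detected / missed."""
    totals = defaultdict(lambda: {"blocked": 0, "detected": 0, "missed": 0})
    for s in stats.values():
        for k in ("blocked", "detected", "missed"):
            totals[s.tactic][k] += getattr(s, k)
    summary = {}
    for tactic, t in totals.items():
        n = sum(t.values())
        summary[tactic] = {k: round(v / n, 2) for k, v in t.items()}
    return summary


def remediation_queue(stats, threshold=0.5):
    """Technique IDs whose miss rate meets the threshold, worst first."""
    worst = [(tid, s) for tid, s in stats.items() if s.miss_rate >= threshold]
    worst.sort(key=lambda item: (-item[1].miss_rate, item[0]))
    return [tid for tid, _ in worst]


def navigator_layer(stats, name="BAS miss rate"):
    """Dict shaped like an ATT&CK Navigator layer (structure assumed here);
    score is the percentage of simulations of that technique that were missed."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},  # assumed
        "techniques": [
            {"techniqueID": tid,
             "score": int(round(s.miss_rate * 100)),
             "comment": f"{s.missed}/{s.total} missed"}
            for tid, s in sorted(stats.items())
        ],
    }


if __name__ == "__main__":
    st = aggregate(SAMPLE_RESULTS)
    print(json.dumps(tactic_summary(st), indent=2))
    print("remediate first:", remediation_queue(st))
    print(json.dumps(navigator_layer(st), indent=2))
```

The miss rate, rather than a raw count, is what drives the queue: a technique that was simulated twice and missed twice ranks above one missed once out of two, which is the ordering a team needs when deciding whether to remediate now or keep testing. Re-running the same script after a fix and diffing the layer is the cheapest way to confirm that a remediation actually closed the gap.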
Get started with ATT&CK using the top 15 attacks.
To help practitioners get started, MITRE provides a list of 15 techniques with sub-techniques based on attack data collected from recent years. As of this writing, these TTPs make up 90 percent of the observed techniques from April 2019 to July 2021. If your team does not have threat intelligence feeds, or if your organization does not have its own 10 or 15 priorities to start with, you can leverage a BAS solution to quickly run the attacks on MITRE’s list.
SafeBreach has taken this list even further: through our own research, the SafeBreach team gives users the ability to run the top 16 techniques, including their sub-techniques.
ATT&CK and Beyond with SafeBreach
SafeBreach boasts the most coverage of any BAS provider in the market when it comes to MITRE. As an early contributor to the framework, we believe ATT&CK is a great starting point when it comes to testing your security controls against real-world attacks; however, it’s not all-encompassing.
MITRE only includes known adversary behaviors in the ATT&CK framework. That is to say, all the TTPs included are those reported to be in use by known adversaries. However, “not reported” doesn’t mean “not in use”. Red team techniques, zero-days, and other verified attacks, while not included in MITRE’s framework, are still very real threats that should be accounted for when testing a network’s security controls. And that is where the true value of the SafeBreach BAS platform begins.
The SafeBreach Hacker’s Playbook
SafeBreach has the largest collection of known attacks with more than 25,000 documented attack types. The Hacker’s Playbook contributes back to the ATT&CK framework, but it also includes a wide range of other indicators of compromise (IOCs), attacks, and TTPs not found in ATT&CK. SafeBreach customers have access to all the latest attacks in real time—we uphold a 24-hour SLA on US-CERT and FBI Flash alerts so that our users can always feel confident in their coverage.
SafeBreach Original Attacks – Coverage You Can’t Find Anywhere Else
We don’t just wait for adversaries to find vulnerabilities. The SafeBreach Labs team proactively researches vulnerabilities and reports them before malicious actors can exploit them. To date, the Labs team has discovered 40 CVEs and has presented their research at Black Hat, DEF CON, and other top-tier conferences around the world. They then take the most critical research and turn it into original attacks, available on the SafeBreach platform.
Where ATT&CK provides the foundation, threat intelligence provides the most up-to-date details on more recent and advanced attacks. Through partnerships and integrations with the industry’s top threat intelligence vendors, SafeBreach ensures that users can leverage the latest threat intelligence in their attack simulations. As a result, analysts can gain more insights into these advanced TTPs and narrow down the potential attack scenarios to what is most relevant to the organization. They can then run these attack methods in order to validate the protection provided by their current security controls.