Jul 8, 2020

MITRE Sub-Techniques in SafeBreach

MITRE has come a long way since 2013, when it had 64 techniques in the ATT&CK framework, to its status today as the industry leader in cyber attack frameworks. As adversaries advance their techniques, the framework needs to advance as well. The ATT&CK framework laid a solid foundation to get everyone speaking the same language, with a shared understanding of how threat actors maneuver. The framework also delivers a visual representation to better understand weaknesses in security defenses. An excellent example of MITRE helping organizations gain visibility into advanced persistent threat groups comes from their year-long, comprehensive evaluation of endpoint solutions with attack simulations from the notorious threat Group APT29. As with all great things, there are still ways to improve the framework. Security teams have long struggled with some techniques being too narrow and others being too broad; MITRE has now addressed this problem with an updated framework structure to support Sub-Techniques.

An early contributor to the MITRE ATT&CK Framework, SafeBreach understands the value of using a framework to define attacker TTPs. We have built various tools to test, visualize, and remediate attacks. Many organizations validate and visualize their security posture with SafeBreach, which gives them industry-leading coverage of the MITRE ATT&CK framework. The SafeBreach Platform leverages the framework in several ways. One example is an interactive heat map of the data-driven results from running thousands of breach and attack simulations to test TTPs of threat groups that cause the greatest concern.

This helps organizations to quickly visualize their security posture and bring security and infrastructure teams together to update security controls and more effectively harden defenses.

We have improved and added capabilities in the SafeBreach Platform to support the updates to the techniques and the addition of the sub-techniques:

  • All attacks have been classified and updated according to the new MITRE ATT&CK structure, with techniques updated and sub-techniques added.
  • Filter by sub-techniques from the SafeBreach Hacker’s PlaybookTM
  • Filter by sub-techniques from the Simulation Results
  • MITRE ATT&CK Heat Map has been updated to support inclusion of sub-technique details when selecting the higher-level technique

SafeBreach users can run selected tactics, techniques, and procedures (TTPs) – or all TTPs used by specific threat groups – to test security controls and ensure the enterprise will be safe against an attack. The SafeBreach Hacker’s Playbook has over 15,000 breach and attack methods to exercise the TTPs to map to the MITRE ATT&CK framework. The data-driven results define actionable insights to adjust configurations and improve the overall security posture.

See how you can put the SafeBreach Platform to work testing all your security controls, not just endpoint controls, against the TTPs of APT29.

Other recommended resources related to the MITRE ATT&CK framework can be found here:

Get the latest
research and news