The MITRE ATT&CK framework is one of the most commonly used resources within the SafeBreach platform. At SafeBreach’s 2023 Validate Summit—an event that brings security experts together to discuss challenges and best practices in proactive cybersecurity—SafeBreach Co-Founder and CTO Itzik Kotler sat down with Frank Duff, the Chief Innovation Officer at Tidal Cyber, to discuss threat informed defense and MITRE ATT&CK.
In this installment of our Voices from Validate blog series, we will revisit some of the insights shared by Duff, who spent 18 years working for MITRE.
Background: MITRE and Threat Informed Defense
Created in 2013, the MITRE ATT&CK framework is a knowledge base that classifies the tactics, techniques, and procedures (TTPs) employed by advanced persistent threat (APT) groups. With this shared framework, the security community can compare adversary groups and defenses, and take actionable steps to mitigate threats.
In his time working at MITRE, Frank Duff began to wonder how one could actually measure security using the ATT&CK framework. He and two of his colleagues wanted to be able to turn the framework into something that organizations could actually adopt and operationalize at scale—and that is how Tidal Cyber was developed.
SafeBreach co-founders Guy Bejerano and Itzik Kotler were on the same page. “Guy and I set out to define a new category to be a leader of a new space,” explains Kotler. As the two SafeBreach founders began to develop the SafeBreach breach and attack simulation (BAS) platform, they struggled to find the right language to describe things more complex than straightforward vulnerabilities. “Everybody knows CVEs. And so when there’s a new vulnerability, there’s a new CVE… But when you wanted to talk about ransomware, they didn’t have a framework. Today, they’re part of MITRE ATT&CK.”
When Kotler discovered the important work that Frank and his team were doing at MITRE, he became an early contributor to the ATT&CK framework. Later, when Tidal Cyber was founded, the two considered it only natural to form a partnership between Tidal and SafeBreach.
Want to learn more about how to use BAS and ATT&CK? Check out our webinars.
Where MITRE ATT&CK Starts & Ends
When adding to the ATT&CK framework, MITRE has rule sets that they must abide by. “At the end of the day,” says Duff, “they go with publicly sourced intel that they’ve seen an adversary use, that has been publicly reported. That’s what gets into the ATT&CK knowledge base.”
MITRE does not include red-team techniques or more advanced tactics. “It was a conscious decision that they made that they wanted to be the encyclopedia of known adversary behavior—and known is the key word there.”
Both Duff and Kotler recognize the value of being able to understand and test against known attacks, but they also believe that you should not stop there. “Just because it’s not reported, does that mean that it’s not happening?” The answer is definitely “no.”
Threat Informed Defense in the Context of Your Organization’s Needs
Not all IT environments are the same; therefore, when testing your environment against the ATT&CK framework, it’s important to be able to customize the framework’s TTPs. “Sometimes people literally take MITRE ATT&CK and literally follow the IOCs one to one,” says Kotler. “There is merit to providing coverage for some of these commands as is, but some of the actual malicious actions [in the framework] are benign within a different context.”
“Understand that there are certain techniques that matter more for your organization,” adds Duff. “It might depend on the types of tooling you already have in place.” He explains that, for instance, one organization may want to prevent credential dumping; however, if an organization has honey credentials, they might want attackers to access them. “Because now you have a high fidelity tripwire. And so you and your organization need to understand which techniques matter, how much they matter, and what you can do about it.”
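One way to turn Duff's honey-credential tripwire into detection logic, as an added example that is not SafeBreach's or Tidal's code: the decoy account names, the event records and the IP addresses are all constructed for illustration.

```python
# Constructed decoy accounts: no legitimate user or process should ever touch them.
HONEY_ACCOUNTS = {"svc_backup_legacy", "adm_dbadmin_old"}

# Constructed sample events shaped like Windows logon telemetry (not real logs).
# 4624 = successful logon, 4625 = failed logon, 4768 = Kerberos TGT request.
SAMPLE_EVENTS = [
    {"event_id": 4624, "user": "alice", "src_ip": "10.0.1.15", "host": "WS-042"},
    {"event_id": 4625, "user": "bob", "src_ip": "10.0.1.22", "host": "WS-043"},
    {"event_id": 4625, "user": "svc_backup_legacy", "src_ip": "10.0.3.7", "host": "FS-01"},
    {"event_id": 4624, "user": "adm_dbadmin_old", "src_ip": "10.0.3.7", "host": "DB-01"},
    {"event_id": 4768, "user": "svc_backup_legacy", "src_ip": "10.0.3.7", "host": "DC-01"},
]


def honey_credential_alerts(events, honey_accounts=HONEY_ACCOUNTS):
    """Return one alert per event that references a decoy account.

    Unlike a generic failed-logon rule, success or failure is irrelevant here:
    any use of a decoy credential is high-fidelity evidence that credential
    material was harvested (the ATT&CK OS Credential Dumping technique, T1003)
    and is now being replayed, so every hit is escalated as critical.
    """
    decoys = {name.lower() for name in honey_accounts}
    alerts = []
    for ev in events:
        if ev.get("user", "").lower() in decoys:
            alerts.append({
                "severity": "critical",
                "account": ev["user"],
                "src_ip": ev.get("src_ip"),
                "host": ev.get("host"),
                "event_id": ev["event_id"],
                "reason": "decoy credential used; treat as confirmed credential theft",
            })
    return alerts


def pivot_sources(alerts):
    """Group decoy-account alerts by source IP to show where replay originates."""
    by_src = {}
    for alert in alerts:
        by_src.setdefault(alert["src_ip"], []).append(alert["account"])
    return by_src


if __name__ == "__main__":
    for src, accounts in pivot_sources(honey_credential_alerts(SAMPLE_EVENTS)).items():
        print(f"{src}: replayed decoy accounts {accounts}")
```

The ordinary failed logon for `bob` produces nothing, while both the failed and the successful use of the decoy accounts from 10.0.3.7 are raised at the same severity.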
Customizing ATT&CK Techniques to Better Fit Your Environment
For both Kotler and Duff, it was important to be able to customize ATT&CK TTPs, and both SafeBreach and Tidal allow users to customize MITRE TTPs for their own specific environments. Beyond ATT&CK and other frameworks, the SafeBreach platform includes other sources like threat intelligence and original attacks.
“The SafeBreach platform has a clone and duplicate feature, which allows you to basically click on every attack that we’ve developed, click on the clone and customize and essentially customize the different parameters,” Kotler explains.
Duff agrees. “You have to be prepared for what happens when changes [are made to techniques]. Some variation is really important to be able to include.”
Learn more about leveraging BAS to improve ATT&CK coverage, including common use cases in: Getting Started with the MITRE ATT&CK® Framework and SafeBreach.
Looking to the Future: Extending Your Threat Informed Defense
Organizations shouldn’t stop at customization within the ATT&CK framework. For Kotler, it’s important for customers to understand the attacker’s perspective and to test beyond the limits of MITRE. “SafeBreach Labs is an example of a research entity that is not satisfied with only providing existing coverage,” he says, referring to the organization’s research team. “We’re also trying to push the envelope and create future attacks. So you can then investigate and understand the impacts of these attacks before they become a reality.”
“At the end of the day, one of the core tenets of Tidal Cyber is making ATT&CK your own,” says Duff, “but another is being able to extend it.” He explains that sophisticated organizations with red teams and vendors like SafeBreach provide additional intelligence to Tidal beyond the limits of ATT&CK. “We look forward to giving back to the community as we can through partners like SafeBreach.”

Interested in seeing how your organization can use BAS to operationalize MITRE ATT&CK? Check out our MITRE ATT&CK Guide or connect with a SafeBreach cybersecurity expert. You can also check out Tidal’s free community edition to see how SafeBreach stacks up to other BAS vendors.