No one can dispute that MITRE ATT&CK is now a cornerstone of modern Cyber Threat Intelligence.
Many security programs have been built around the framework, including Elemendar’s flagship tool, READ.
READ. uses machine learning to extract ATT&CK tactics, techniques, and procedures (TTPs) from text documents.
But despite its lauded status, familiar questions still remain in CTI circles: Does MITRE ATT&CK stand up to the cyber-defender’s lofty expectations? Can it really combat cyber threats?
Here at Elemendar, we are in constant conversation with users of the framework. Here are some key points we have learned about ATT&CK.
(Note: all observations made within this blog are based on the MITRE ATT&CK Navigator, and the sample data contained within based on various threat groups).
Tipping the Scales: MITRE’s APT-centric Tendencies
The MITRE ATT&CK Navigator comes pre-loaded with data for roughly 135 cyber-threat actors. The example below highlights the TTPs associated with “APT 28”.
Figure 1: APT 28 maneuvers (in red) viewed in the MITRE ATT&CK Navigator
Of the 135 or so scrutinised groups, the vast majority are advanced persistent threat (APT) groups often linked to nation states.
This APT-centric approach is not unsurprising, for a couple of reasons:
- “Moonlight Maze” and other APT groups stimulated the growth of the whole CTI industry over 20 years ago. This aligned with the movement of knowledge about their activities, from US intelligence agencies into the private sector.
- APT operations have—almost by default—a more complex life-cycle than cybercrime or activism. So there is often more to deconstruct and categorise in a campaign. The ATT&CK framework owes much of its detail to that operational APT complexity.
So what are the implications? Your “off the shelf” ATT&CK framework excels when it comes to APT threats. However, it can be limited when facing cybercriminal or activist threats.
ATT&CK Tactics in the Spotlight: Who’s Using What?
The MITRE ATT&CK Navigator neatly displays 14 tactic categories horizontally, with nearly 600 techniques and sub-techniques shown vertically below them (see below).
Figure 2: Tactics and techniques in the MITRE ATT&CK matrix
Figure 3: T1110 Brute Force technique nested within the TA0006:Credential Access tactic
If we examine the 135 pre-loaded group profiles (let’s say admin@338 + Ajax Security Team + ALLANITE + Andariel + Aoqin Dragon + APT-C-36 + APT1 etc), the revelations do not disappoint.
- The most common techniques fall within the Defense-Evasion basket. As shown below, at least 114 groups have used one or more.
Figure 4: Number of threat groups observed acting within ATT&CK tactic categories
- Compared to Defense-Evasion, the remaining categories are notably less represented. The second- and third-most common techniques are Credential-Access and Command-and-Control, but they follow at a distance.
- Curiously, reconnaissance use is ranked lower (7th), despite the strong probability that all threat actors conduct this phase of their operations.
- A whopping 53 techniques have not however been seen in use by any of the 135 threat groups.
One thing to remember is that the Mitre ATT&CK framework’s data is drawn from observed threat activity. Not all groups are observed by threat researchers while they are performing reconnaissance. What are those bad actors most likely to be spotted doing? Evading defences. So, that closes the case on two of the framework’s biggest discoveries.
What do all of our observations say about the MITRE ATT&CK framework’s applicability? Here are our three “big picture” conclusions:
- MITRE ATT&CK needs data to be useful, and we have mainly pointed out data limitations with the standard version of ATT&CK. But that off-the-shelf framework is really just a “starter pack” for a CTI capability. Curating relevant data for both hacktivists and cybercriminal groups is critical when building a useful framework for an operational environment.
- In terms of threat-group data and MITRE, quantity has a quality all of its own, as they say. Adding hundreds of groups is viable and easily handled by the framework, often stacking the odds in your favour when it comes to managing threats.
- Operationalising MITRE ATT&CK takes effort. Feeding data into the framework is hard work and time consuming—for humans, that is. That is why we developed READ. Among its other capabilities, READ. automatically extracts threat-actor TTPs from text, mapping these to the MITRE ATT&CK framework.
Our view of the MITRE ATT&CK framework may not conclude the overall debate regarding the utility of the framework. However, hopefully this blog has added some conscious thought to such discussions.