The ATT&CK Matrix Revolution in Security
Twenty years ago a group of infosec experts testified to Congress on the fragility of digital security. To commemorate that testimony, they returned to Capitol Hill last week with a similar conclusion. Over the last twenty years, digital security has not advanced beyond incremental changes, and is even more complex and insecure given the greater scale and diversity of devices. A complete rethinking of defense is necessary and technology alone will not solve this problem. It requires a re-evaluation of security programs and crafting defenses in a new way built off an open and evolving attack model.
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework addresses many of the core challenges enterprises face today. First, ATT&CK provides the most comprehensive model of modern attacker behavior. This framework can directly inform defensive and gap assessments, allowing organizations to intelligently prioritize areas for additional data collection, analysis, and detection. When operationalized, the framework moves organizations from reactive to proactive postures. Second, ATT&CK helps bridge the gap between practitioners and executives, enabling leadership to make more informed risk management and resource allocation decisions. Each of these will be discussed in turn, but first let’s take a quick look at how security arrived at the current quagmire, followed by how to operationalize the ATT&CK Matrix. With the move to this new framework, organizations can innovate all aspects of enterprise defense, and better prioritize and tailor resource allocation based upon their own unique threat model.
Why Current Strategies Are Not Working
Organizations cannot easily identify true gaps in their defenses due to a patchwork of one-off solutions and outdated threat models built upon a high-level view of the world, lacking the depth needed to properly describe today’s attacks. These older models either attempt to summarize the threat to the point of oversimplification, or focus too heavily on the early pre-compromise stages of the attack (i.e., exploitation and initial malware infection). This, in turn, makes it extremely difficult for security teams to understand where to spend the next dollar of funding, and for executives to explain to their boards the breadth and effectiveness of their defenses. Blind spots persist in security assessments, significantly impacting the full range of defense considerations including both resource allocation and detection.
These problems are confounded thanks to the word-salad of buzzwords that tries to catch a buyer’s eye, but lacks any substance to help buyers make more informed decisions. Assessments similarly can lead to confusion, given the inconsistencies of metrics, models, and self-evaluation. Even product purchase evaluations (i.e., proof of concepts) are often not as informative as they should be. Based on evaluations I’ve observed over the years, they tend to be more generic than tailored, and rarely dive into the depth of problems customers encounter. The product may test well based on a generic framework, but the top risks for specific organizations may not be addressed due to the metrics used and lack of transparency, and customers may even purchase products that lead to redundancy of defenses instead of addressing the real risks.
You Say You Want a Revolution
It’s time to progress beyond the decades of incremental changes in defenses. We need revolution, not evolution. To leapfrog, we need to understand adversary behavior: where they have gone and where they may go in the future. Fortunately, there’s a framework that does just this - MITRE’s ATT&CK Matrix.
MITRE is a U.S. not-for-profit organization managing federally funded research and development centers (FFRDCs), making them an impartial, respected, and knowledgeable voice. They have developed and help maintain the ATT&CK Matrix. According to MITRE, "ATT&CK for Enterprise is an adversary behavior model that describes the actions an adversary may take to compromise and operate within an enterprise network." Security teams that assess and validate their visibility and protection across the range of behaviors in the Matrix are those best equipped to defend against today's threats.
The ATT&CK Matrix may seem overwhelming at first glance given its coverage of hundreds of techniques and tactics (see Figure 1). The good news is full coverage is not needed to make a significant improvement to your security program. The best place to start is to learn from history. Identify those groups who have previously targeted your corporate ecosystem (e.g., parent company, supply chain, industry). With this knowledge you can begin to prioritize your ATT&CK coverage against previously observed attacks. If you do not know where to begin, MITRE’s Groups page provides an overview of attack groups and the industries they frequently target.
Figure 1: A Partial Screenshot of MITRE’s ATT&CK Matrix
MITRE also offers a free open-source tool called Navigator to help organizations understand what areas of the Matrix should be prioritized. You can select a threat group or a malicious software kit and Navigator will highlight the tactics on the ATT&CK Matrix previously utilized by that group. For example, selecting APT29 reduces the focus from over 280 individual techniques (cells in the Matrix) to just 22. This number is far easier to digest as a security team, and a plan of action can be made to ensure those areas are covered. Advanced and well-resourced teams can dive deeper, analyzing data availability and detection capabilities for larger chunks of the Matrix and formulating plans to close gaps in response.
Aligning security priorities to ATT&CK doesn't need to be an all or nothing proposition. Even without the people in place to immediately act on the data gathered during the prioritization, the ATT&CK Matrix could still save millions in damages by reducing the time for an external incident response team to contain an attack. The visibility gained through ATT&CK can be a vital addition to an incident response plan. If you were notified of a breach today an external team would have to start from scratch: deploying their security stack, gathering data, and trying to stop the bleeding. Imagine instead if you can direct them to your data lake filled with critical information covering the depth of ATT&CK. They can immediately begin to detect and stop the adversary, greatly reducing the time to containment and stemming damage and loss.
Trust But Verify
With this new list of prioritized ATT&CK techniques to assess, organizations can ask security vendors to demonstrate their protections against these prioritized tactics and behaviors. Do not accept a binary “protected” or “not protected”; depth and transparency is the goal in this exercise. Only by truly understanding your gaps can you begin to build your revolutionary security operation center. With the vendors’ lists in hand, now it is time to verify their claims. There are a few good free tools for testing your coverage against ATT&CK, including a free and open-source project developed by Endgame called Red Team Automation (RTA). RTA facilitates testing security stacks against ATT&CK techniques without having to detonate nation-state malware in your production environment. Dozens of scripts are available to test coverage against the prioritized list of techniques developed in the previous section.
By reducing the entire Matrix to a prioritized list of techniques used by previously observed threats, understanding your perceived coverage through visibility gap analysis informed in part or entirely by detailed reports of coverage from your vendors, and validating your coverage with free tools like Endgame RTA, you are now in a position of power. You know exactly where to focus your security program. Do you have complete gaps in the technique list? Look for (and test) technology that provides visibility, protection, or both on those cells in the Matrix. Do you have data, but lack the ability to proactively analyze the information? You may need more security analysts or better automation and security tooling. The information gleaned using the ATT&CK Matrix can inform updates to security roadmaps in a far more detailed way than saying “we need next-gen AV”.
An attack model also helps quantify the success of the security team. Fewer alerts, fewer incidents, and less damage and loss are the result of a mature security organization. This leads to a challenge, though, when talking to leadership about budgeting for more security products and more people. The challenge is often in proving the negative. A security team needs to demonstrate that the absence of a breach is due to the successful defense posture of the security program, not because of a lack of attempted attacks. A huge benefit of adopting an attack model is that is provides a way to show increasing value through coverage. Teams can begin to report the increase in coverage of the ATT&CK Matrix as an indicator of security effectiveness. A strong case for analysts or technology can be made when there are gaps in the Matrix, and validation can occur when the organization increases its percentage of coverage.
Roberto Rodriguez, an adversary researcher at Specter Ops, has a very well-written blog describing a scaled model for assessing ATT&CK coverage as well as some open-source tools to help develop this mapping. In his blog post, he describes a great way to report the upward trend of coverage (Figure 2). Tools like these serve an essential role to help identify gaps in coverage while facilitating executive level discussions about the various aspects of a security program and coverage.
Figure 2: Roberto Rodriguez’s Upward Trend Based on ATT&CK Matrix Coverage
With the ATT&CK framework in hand, organizations gain a range of security benefits. I’ve already addressed the value for executive decision making and communication, as well as the holistic coverage, but the ATT&CK framework enables so much more. Organizations can begin to optimize other aspects of their security program as well. For instance, ATT&CK helps organizations move from reactive to proactive defense postures. By gaining visibility and protection across the threat groups known to have attacked the corporate ecosystem, security teams can set their sights more broadly. They can look at attacks against other verticals which may target them in the future and expand defenses against other cells in the ATT&CK matrix. This can also enable threat hunters to have tactical focus in these areas, honing in on those gaps until coverage is in place. This saves time and creates efficiencies.
In addition, ATT&CK augments purple teaming by using red team exercises to not only find unknown security gaps, but also to verify defenses. The red team focus on previously proven behaviors strengthens the security posture and facilitates maintenance, while blue teams are able to ensure they have the processes and protections in place and up to date to cover these attacker techniques.
Because MITRE also updates the framework with feedback from the community, it is well situated to remain on top of the latest adversarial behavior and to continue to provide benefits as adversarial behavior changes. At Endgame, we have fully embraced the ATT&CK framework and believe it best reflects the constantly and rapidly changing threat environment. Our coverage is directly tied to MITRE ATT&CK behavioral tactics and techniques, our alerts link to MITRE’s Wiki for analyst training and reference, and we contribute back to MITRE. For more information on how Endgame can help you outpace the adversary by embracing MITRE ATT&CK as a core protection strategy, contact us firstname.lastname@example.org.