Attacks evolve constantly and cybercriminals are getting more creative every day. As cybersecurity professionals, we need to be experts on the tactics, techniques, and procedures used by attackers. Fortunately, we don’t need to reinvent the wheel: there are frameworks that help us with this important task.
What is MITRE ATT&CK®?
MITRE, a non-profit organization managing U.S. federal research centers, started ATT&CK® in 2013 to document the methods used by attackers to perpetrate advanced persistent threats. It is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. One of the reasons for the popularity of the MITRE ATT&CK is its shared language that enables clear communication among the cyber defense community about precise characteristics of a threat.
What are tactics, techniques, and procedures?
Tactics: These are the “why” of an attack, that is, the attacker’s goal, for example achieving credential access.
Techniques: These are the “how” of an attack, for example, an adversary may dump credentials to achieve credential access.
Procedures: These are the specific implementations used by the adversary, for example using PowerShell to inject malicious code into an executable.
How to Interpret the ATT&CK® Matrix
The Matrix categorizes over 200 techniques spread across 12 columns or tactics. The columns are arranged from left to right according to the order in which an attack will generally be carried out. At each stage of the attack, the adversary may use one or more of the listed techniques to carry out that tactic.
Each technique can be expanded to show its description, as well as links to additional research. Following those links will direct you to the MITRE website, where you can dive deeper into the procedures that adversaries have been observed to use in carrying out that technique, as well as notes on its mitigation and detection.
Introducing the automated ATT&CK® Matrix
We are thrilled to introduce this new feature (included with Lumu Insights) that is sure to be a game-changer for your cybersecurity team. Lumu automates and operationalizes this framework by presenting the ATT&CK Matrix for each compromise found on the portal, helping organizations spot gaps in defenses, identifying priorities, and making more accurate decisions about approaching risks.
When a compromise is detected, we already show the threat details and Compromise Context for that incident. Now you can navigate to the ATT&CK Matrix tab to see all the relevant tactics and techniques associated with that compromise. Toggling the ‘All’ button expands the entire matrix, for easy visualization of where this incident falls within the chain of events of the attacker’s incursion.
Please note that the ATT&CK matrix is a reference guide for TTPs typically associated with specific compromises. Therefore, it does not necessarily mean that all the highlighted techniques are being carried out by the adversary.
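The matrix layout described above (tactic columns in kill-chain order, techniques that may sit in more than one column, and a per-compromise view with an ‘All’ toggle) can be modelled in a few lines. The following Python is an added illustration, not Lumu’s code or the official ATT&CK data set: the 12 tactic columns are the Enterprise tactics in the order the post describes, the technique IDs and names are real ATT&CK identifiers for the handful of techniques the post mentions, and the compromise record is constructed for this example. It also shows the caveat from the paragraph above in code: a highlighted technique is a reference TTP associated with the compromise, not evidence that the adversary executed it.

```python
"""Miniature ATT&CK-style matrix: tactic columns in kill-chain order,
techniques mapped to one or more tactics, and a view that highlights the
techniques associated with a single detected compromise.

Added example, not Lumu's code or the official ATT&CK data set. The 12
tactic columns match the Enterprise matrix the post describes; technique
IDs and names are real ATT&CK identifiers for the techniques the post
mentions; the compromise record is constructed for this example.
"""
from collections import OrderedDict

# Enterprise tactic columns, left to right in the order the matrix shows them
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Small technique catalogue: id -> (name, tactics it can serve).
# A technique may appear in several columns (T1055 below), so the matrix is
# a many-to-many mapping, not a tree.
TECHNIQUES = {
    "T1566":     ("Phishing",                     ["Initial Access"]),
    "T1059.001": ("PowerShell",                   ["Execution"]),
    "T1055":     ("Process Injection",            ["Defense Evasion", "Privilege Escalation"]),
    "T1003":     ("OS Credential Dumping",        ["Credential Access"]),
    "T1071":     ("Application Layer Protocol",   ["Command and Control"]),
    "T1041":     ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}


def build_matrix(techniques=TECHNIQUES):
    """Return tactic -> [technique ids], with columns in kill-chain order."""
    matrix = OrderedDict((tactic, []) for tactic in TACTICS)
    for tech_id, (_, tactics) in techniques.items():
        for tactic in tactics:
            if tactic not in matrix:
                raise ValueError(f"{tech_id}: unknown tactic {tactic!r}")
            matrix[tactic].append(tech_id)
    return matrix


def compromise_view(observed, show_all=False, techniques=TECHNIQUES):
    """Highlight the techniques tied to one compromise.

    observed: technique ids associated with the compromise. These are the
    TTPs typically linked to that threat, not proof each one was executed.
    show_all=False mimics the default tab: only columns with a highlight.
    show_all=True mimics the 'All' toggle: every column, so the reader sees
    where the incident sits in the attacker's chain of events.
    Returns OrderedDict tactic -> list of (technique id, highlighted?).
    """
    unknown = set(observed) - set(techniques)
    if unknown:
        raise KeyError(f"techniques not in catalogue: {sorted(unknown)}")
    view = OrderedDict()
    for tactic, ids in build_matrix(techniques).items():
        cells = [(tid, tid in observed) for tid in ids]
        if show_all or any(hit for _, hit in cells):
            view[tactic] = cells
    return view


def kill_chain_span(observed, techniques=TECHNIQUES):
    """Earliest and latest tactic (by column order) the compromise touches."""
    idx = [TACTICS.index(t) for tid in observed for t in techniques[tid][1]]
    return (TACTICS[min(idx)], TACTICS[max(idx)]) if idx else None


def render(view, techniques=TECHNIQUES):
    """Text rendering: highlighted techniques are shown in brackets with their name."""
    lines = []
    for tactic, cells in view.items():
        marks = ", ".join(f"[{tid} {techniques[tid][0]}]" if hit else tid
                          for tid, hit in cells) or "-"
        lines.append(f"{tactic:<22} {marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed compromise: credential theft following a PowerShell loader
    incident = {"T1059.001", "T1055", "T1003"}
    print(render(compromise_view(incident)))
    print("--- All ---")
    print(render(compromise_view(incident, show_all=True)))
    print("spans", kill_chain_span(incident))
```

The two things worth taking from this are that a technique can legitimately appear under more than one tactic (Process Injection serves both Defense Evasion and Privilege Escalation), so a highlight in one column does not by itself tell you the adversary’s goal, and that the default view hides empty columns, which is why the ‘All’ toggle is needed to see how far along the chain an incident sits.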
If you are a CISO / Cybersecurity Director / Manager, you can:
- Strategically evaluate defenses and prioritize security investments.
- Plan red team tests of your organization’s cyber preparedness against its most relevant adversarial TTPs.
- Help blue teams tune cyberdefenses and response capabilities with factual data.
If you are a cybersecurity operator, you can:
- Operationalize the MITRE ATT&CK framework into your incident response playbooks.
- See where the incident fits into the attacker’s overall incursion.
- Perform faster and more precise threat hunting operations.
- Understand how each threat operates and what its end goal is.
- Identify opportunities for expanding your knowledge, based on relevant threats.
How do I gain access to the automated MITRE ATT&CK® Matrix?
If you are a Lumu Insights customer, you are in luck! This capability is included in your current subscription. You can start enjoying the benefits of this matrix by clicking here.
If you are a Lumu Free customer, we invite you to upgrade your account to access this feature, obtain additional correlation capability, and overall better compromise detection. You can request your upgrade here.