MAPPING MITRE AND ATT&CK TO YOUR ORGANIZATION'S CONTROLS
- Jean-Camille LOISEAU
- May 13, 2021

Written by Jean-Camille LOISEAU | Published 18 February 2021
Cybersecurity teams always end up being asked to map their existing controls and use cases to MITRE ATT&CK. We aim to give you the right approach to do it.
So you have been designated as the volunteer by your boss to map all of your cybersecurity controls and security use cases to the MITRE ATT&CK framework, and you ended up googling because you're not even sure where to start or what to do? Fear not, for you are not the first (nor the last), and there is a method to tame this madness.
What are MITRE and the ATT&CK framework?
First and foremost, you need to understand what MITRE is and what the ATT&CK framework provides. There are tons of resources on the internet explaining that (the vast majority of which are also trying to sell you a service or a piece of software).
MITRE is an American non-profit organization. It maintains the Common Vulnerabilities and Exposures (CVE) system and has been working in the security field since 1958. In 2013, it published ATT&CK (Adversarial Tactics, Techniques & Common Knowledge).
ATT&CK is a method to organize the vast number of different ways someone who is out to get you will use to pwn you. The framework first documents a known technique, what technology it affects and how it plays out. It then categorizes and organizes it alongside other known techniques.
The concept is to leverage real-world observations of adversarial behaviour in an understandable table that helps make sense of how someone will try to exploit a particular system or organization.
What is the difference between Enterprise, Mobile, and PRE-ATT&CK?
Enterprise is the main matrix and focuses on tactics and techniques that apply to Windows, Linux and/or macOS systems; Mobile focuses on… mobile devices. Shocking, I know.
PRE-ATT&CK is a different animal. It focuses on how the attacker decides to attack you and what they do in terms of initial intelligence gathering, target selection, reconnaissance, etc.
It is, by MITRE's own admission, an approximation of what is publicly known about how hackers decide which shop they will attack and how they are casing your joint. It is useful for detecting preliminary signs that someone is determined and targeting you.
For the sake of simplicity, we're leaving PRE-ATT&CK to the threat hunting team for now and focusing our efforts on the Enterprise matrix instead. So, someone is definitely out to get you: they have a toolbox, and so do you. How well do you think you're doing?
How to read the Enterprise ATT&CK matrix?
The matrix lists all known and documented techniques in alphabetical order under the tactics they belong to. For each technique, there is a dedicated page that provides a description, related sub-techniques (if any), mitigations that can be applied to reduce exposure, how the technique can be detected (symptoms and what to look for), as well as references to affected technologies, permissions required and articles on the topic.
Tactics are ordered from left to right along the most likely kill chain scenario. These are the goals of the attacker. First they want to get in: that's Initial Access. They then want the ability to use their hacker toolbox (Execution). They make sure they stay in despite your controls (Persistence), increase their reach (Privilege Escalation), all the way to gaining the ability to steal, modify or destroy your organization's data (Impact).
Some techniques are useful at different stages of an attacker's intrusion into your systems. For this reason, you will see techniques such as Valid Accounts (T1078) appear under the Initial Access, Persistence and Privilege Escalation tactics. You'll want to keep an eye on those.
The obvious priority is the left-hand side of the matrix. The earlier you detect signs and symptoms of a potential intrusion into your systems, the lower the risk to your organization. However, the ultimate goal of this matrix is to give you detection in depth at every level and for every relevant technique that may affect your organization.
How do I figure out what is relevant for my organization?
A lot of articles and resources online boast about the merits of such and such methodology, tool or service to map your organization to the most up-to-date threats and bad actors. And it is great that ATT&CK lets you visualize your exposure to APT-27 and other bad actors.
But at the end of the day, each organization is different. What should matter to you is defined by where your critical data resides and on what technology it transits or is stored.
You must not blindly assign your existing use cases and controls to related techniques. You simply cannot call it "green and good" when you have one use case for one technique; that gives you a false sense of security.
Your first focus is a proper inventory of all your assets and technology stacks. If a technique is relevant only to Windows and Linux and your organization runs only on macOS, then you have no exposure to it and you don't need to count it.
Next, you must go through that asset and technology stack inventory and rate the criticality each asset/technology combination has for your organization. This lets you focus first on techniques affecting your most critical data.
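The two steps above (drop techniques whose platforms you do not run, then rank the rest by the criticality of the assets they can touch and by how far left they sit in the matrix) can be scripted. The following is an added example, not code from the article or from MITRE: the technique records are trimmed sample entries, and the inventory, criticality ratings and tactic ordering are constructed for illustration.

```python
"""Added example: filter ATT&CK techniques down to those an inventory is exposed
to, then rank them by asset criticality and kill-chain position.

Technique records, inventory and criticality ratings are constructed sample
data; real records come from the ATT&CK STIX bundle or a Navigator export."""
from dataclasses import dataclass

# Tactic order as the Enterprise matrix reads left to right (subset used here).
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence",
                "Privilege Escalation", "Impact"]


@dataclass(frozen=True)
class Technique:
    tid: str                 # ATT&CK ID, e.g. "T1078" or "T1547.001"
    name: str
    tactics: tuple           # tactics the technique appears under
    platforms: frozenset     # platforms the technique applies to


@dataclass(frozen=True)
class Asset:
    name: str
    platform: str
    criticality: int         # 1 (throwaway) .. 5 (crown jewels)


# Constructed sample of technique records, trimmed to the fields used here.
TECHNIQUES = [
    Technique("T1078", "Valid Accounts",
              ("Initial Access", "Persistence", "Privilege Escalation"),
              frozenset({"Windows", "Linux", "macOS"})),
    Technique("T1059.001", "PowerShell", ("Execution",), frozenset({"Windows"})),
    Technique("T1547.001", "Registry Run Keys / Startup Folder",
              ("Persistence", "Privilege Escalation"), frozenset({"Windows"})),
    Technique("T1053.003", "Cron",
              ("Execution", "Persistence", "Privilege Escalation"),
              frozenset({"Linux", "macOS"})),
    Technique("T1547.015", "Login Items",
              ("Persistence", "Privilege Escalation"), frozenset({"macOS"})),
]

# Constructed inventory: this organization runs no macOS at all.
INVENTORY = [
    Asset("dc01", "Windows", 5),
    Asset("web01", "Linux", 3),
    Asset("hr-laptop-17", "Windows", 2),
]


def exposure(technique, assets):
    """Sum of criticality of the assets whose platform the technique affects.
    Zero means the technique does not apply to anything you run."""
    return sum(a.criticality for a in assets if a.platform in technique.platforms)


def relevant_techniques(techniques, assets):
    """Techniques with at least one exposed asset; the rest are not counted."""
    return [t for t in techniques if exposure(t, assets) > 0]


def earliest_tactic_index(technique):
    """Position of the technique's earliest tactic in the matrix (lower = further left)."""
    return min(TACTIC_ORDER.index(t) for t in technique.tactics if t in TACTIC_ORDER)


def prioritize(techniques, assets):
    """Rank relevant techniques: highest exposure first, then earliest tactic,
    then ID, so the list starts with the left-hand side of the matrix."""
    ranked = sorted(relevant_techniques(techniques, assets),
                    key=lambda t: (-exposure(t, assets), earliest_tactic_index(t), t.tid))
    return [(t.tid, exposure(t, assets)) for t in ranked]


if __name__ == "__main__":
    for tid, score in prioritize(TECHNIQUES, INVENTORY):
        print(f"{tid:<10} exposure={score}")
```

With the sample inventory, the macOS-only Login Items entry drops out entirely, Valid Accounts lands on top because it touches every platform, and PowerShell outranks Registry Run Keys at equal exposure because Execution sits further left than Persistence. Swap in your real inventory and a fuller technique list to get a first cut of what to map.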
What basic external resources can I use to get started?
An obvious and very good place to start is MITRE's own ATT&CK website, https://attack.mitre.org/. There you will find all the matrices and the pages describing each tactic and technique in detail, as well as the first really good tool: the ATT&CK Navigator, https://mitre-attack.github.io/attack-navigator/enterprise/.
The Navigator is very useful as it lets you download the latest list of all tactics and techniques. If you are so inclined, you can even use it as a backend (JSON) to code an automated system that keeps everything up to date (see this video for more info: https://www.youtube.com/watch?v=cmOAKLQnybk&t ).
Another great, even essential, tool is Cyb3rPanda's Tableau table: https://public.tableau.com/profile/cyb3rpanda#!/vizhome/MITREATTCKMatrixforEnterpriseV2/ATTCK?publish=yes. It organizes most of the tactics and techniques in an exportable format.
Note however that it is not fully up to date as of Q4 2020, and you will have to compare it with the Navigator to get the latest (unless it has been updated by the time you read this).
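The JSON the Navigator works with is a "layer" file, and generating one from your own control mapping is the simplest automation to start with: every technique gets a score that the Navigator colours as a heat map. The example below is added here and is not the article's or MITRE's code. It emits a layer in the Navigator layer format (name, versions, domain, techniques list, gradient); the version numbers in VERSIONS are an assumption to adjust to the Navigator release you use, and the control mapping is constructed sample data. The scoring deliberately treats a single use case as partial coverage rather than "green", following the point made earlier in the article.

```python
"""Added example: turn a control-to-technique mapping into an ATT&CK Navigator
layer file, scoring coverage so that one lonely use case is not 'green'.

VERSIONS is an assumption (match it to your Navigator); CONTROL_MAPPING is
constructed sample data."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Assumed versions: adjust to your Navigator / ATT&CK release.
VERSIONS = {"attack": "9", "navigator": "4.3", "layer": "4.2"}

# Coverage scale for the heat map.
NO_COVERAGE, SINGLE_USE_CASE, LAYERED = 0, 1, 2

# Constructed mapping: technique ID -> use cases / controls that address it.
CONTROL_MAPPING = {
    "T1078": ["UC-012 impossible travel login", "UC-031 dormant account activity"],
    "T1059.001": ["UC-044 PowerShell script block logging"],
    "T1547.001": [],
    "T1486": ["UC-070 mass file rename", "CTRL-09 immutable backups"],
}


def coverage_score(use_cases):
    """0 = nothing mapped, 1 = a single use case (partial), 2 = two or more."""
    n = len(use_cases)
    if n == 0:
        return NO_COVERAGE
    return SINGLE_USE_CASE if n == 1 else LAYERED


def build_layer(mapping, name="Control coverage"):
    """Build a Navigator layer dict; malformed technique IDs are rejected early
    so a typo does not silently vanish from the heat map."""
    techniques = []
    for tid, use_cases in sorted(mapping.items()):
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
        techniques.append({
            "techniqueID": tid,
            "score": coverage_score(use_cases),
            "comment": "; ".join(use_cases) if use_cases else "no control mapped",
            "enabled": True,
            "showSubtechniques": False,
        })
    return {
        "name": name,
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        "description": "Coverage: 0 none, 1 single use case, 2 layered controls",
        "techniques": techniques,
        # Red for nothing, amber for a single use case, green only when layered.
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
    }


def layer_json(mapping, name="Control coverage"):
    """Serialized layer, ready to load via the Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(mapping, name), indent=2)


def single_use_case_techniques(layer):
    """IDs that a naive 1:1 mapping would call covered but that rest on one use case."""
    return [t["techniqueID"] for t in layer["techniques"]
            if t["score"] == SINGLE_USE_CASE]


if __name__ == "__main__":
    print(layer_json(CONTROL_MAPPING))
```

Save the printed JSON to a file and open it in the Navigator. The `single_use_case_techniques` helper is the list to review first when someone asks why a cell is amber rather than green.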
When it comes to articles and videos you should at the very least browse through, here is a list:
https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful
https://www.threatq.com/documentation/MITRE_ATTACK_Mapping_whitepaper.pdf
https://www.securonix.com/how-mitre-attack-alignment-supercharges-your-siem/
https://www.acalvio.com/important-use-cases-that-make-mitre-attck-compelling/
https://www.youtube.com/watch?v=bK5eFF-HgC4
https://www.youtube.com/watch?v=78RIsFqo9pM
https://www.youtube.com/watch?v=bkfwMADar0M
https://www.youtube.com/watch?v=cmOAKLQnybk
What should my mapping matrix look like?
Once you have clearly established what your technology stacks are, which ones are critical and what assets sit behind them, you can begin preparing your own organization's matrix.
TO BE CONTINUED