Discover the ways MITRE ATT&CK can help you protect your organization. Build your security strategy and policies by leveraging this essential framework.
What is the MITRE ATT&CK Framework?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that documents and categorizes the tactics, techniques, and procedures (TTPs) used in real cyberattacks. Created by the non-profit organization MITRE, it gives security professionals the context they need to understand, identify, and mitigate cyber threats.
The tactics and techniques in the framework are arranged in a matrix: each column is a tactic (the adversary's goal, such as Initial Access or Lateral Movement) and the cells beneath it are the techniques used to achieve that goal. This makes navigation easy and gives a holistic view of the full spectrum of adversary behavior, which makes the framework far more actionable and usable than a static list.
The MITRE ATT&CK framework can be found here: https://attack.mitre.org/
Note: MITRE ATT&CK Framework Bias
According to Etay Maor, Senior Director of Security Strategy at Cato Networks, “Knowledge provided within the MITRE ATT&CK framework comes from evidence of real-world behavior of attackers. This makes it susceptible to certain biases that security professionals should be aware of. It is important to understand these limitations.”
- Novelty Bias – New or interesting techniques and actors get reported, whereas techniques that are used over and over do not.
- Visibility Bias – Publishers of intelligence reports see only what their collection methods expose, so some techniques are visible to them and others are not. In addition, a technique may be seen differently during an incident than it is afterward.
- Producer Bias – Reports published by a handful of organizations may not reflect the industry, or the wider world, as a whole.
- Victim Bias – Some victim organizations are more likely to report, or to be reported on, than others.
- Availability Bias – Report writers tend to include the techniques that immediately come to mind.
MITRE ATT&CK Defender Use Cases
The MITRE ATT&CK framework helps security professionals research and analyze attacks and the procedures behind them. This supports threat intelligence, detection and analytics, adversary simulation, and assessment and engineering. The MITRE ATT&CK Navigator is a tool for exploring and annotating the matrices; it lets you visualize defensive coverage, plan security work, show how frequently techniques are seen, and more.
Etay Maor adds, “A framework can go as deep as you want or it can go as high as you want. It can be used as a tool to show mapping and if we are good or bad in certain areas, but it can go deeper to understand very specific procedures and even lines of code used in certain attacks.”
Here are some examples of how the framework and Navigator can be used:
Threat Actor Analysis
Security professionals can use MITRE ATT&CK to investigate specific threat actors: walk through the matrix and learn which techniques each actor uses, how they are executed, which tools they rely on, and so on. This information helps when investigating specific attacks. It also broadens researchers' knowledge and way of thinking by exposing them to additional modes of operation that attackers engage in.
At a higher level, the framework can be used to answer C-level questions about a breach or threat actor. For example, if asked “We think we may be the target of an Iranian nation-state threat actor,” the framework lets you look up Iranian threat actors such as APT33 and see which techniques they have used, the technique IDs, and much more.
Multiple Threat Actor Analysis
Beyond researching specific actors, the MITRE ATT&CK framework also supports analyzing several threat actors at once. For example, given the concern “Due to recent political and military events in Iran, we believe there will be retaliation in the form of cyber attacks. What are the common attack tactics of Iranian threat actors?”, the framework can be used to identify the tactics and techniques shared by a number of nation-state actors.
Below is a visualization of several threat actors, with red and yellow marking techniques used by only one of the actors and green marking techniques that overlap.
The MITRE ATT&CK framework also helps analyze gaps in defense, letting defenders identify, visualize, and rank the techniques the organization does not yet cover.
Here is how that looks, with the colors indicating priority.
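The overlap view and the gap view above are both Navigator layers, and both can be generated programmatically. The block below is an added example, not code from the original article or from MITRE: it takes a constructed, illustrative group-to-technique mapping (not the authoritative ATT&CK mappings for any real group; in practice you would load those from the ATT&CK STIX data) plus a constructed set of techniques the organization already detects, and emits two Navigator layer JSON documents: one coloring each technique by which group uses it (green when shared), and one showing only uncovered techniques, colored by how many groups use them. The hex colors and the layer name strings are arbitrary choices.

```python
import json
from collections import Counter

# Constructed, illustrative group -> technique mappings. These are NOT the
# authoritative ATT&CK group mappings; in practice, load them from the ATT&CK
# STIX data (https://github.com/mitre-attack/attack-stix-data).
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1110.003", "T1078", "T1021.001", "T1486"},
    "GROUP-B": {"T1566.001", "T1059.001", "T1053.005", "T1078", "T1041"},
    "GROUP-C": {"T1190", "T1059.001", "T1078", "T1003.001", "T1021.001"},
}

# Constructed set of techniques the organization already has detections for.
DETECTION_COVERAGE = {"T1566.001", "T1059.001", "T1486"}

COLOR_SHARED = "#66cc66"                          # green: used by 2+ groups
COLOR_SINGLE = ["#ff6666", "#ffcc66", "#ff9966"]  # red / yellow / orange, one per group
PRIORITY_COLORS = {1: "#ffff99", 2: "#ff9966", 3: "#ff3333"}   # gap priority by group count
PRIORITY_LABELS = {1: "low: 1 group", 2: "medium: 2 groups", 3: "high: 3+ groups"}


def technique_counts(group_techniques):
    """Number of groups that use each technique."""
    counts = Counter()
    for techs in group_techniques.values():
        counts.update(techs)
    return counts


def shared_techniques(group_techniques, min_groups=2):
    """Techniques used by at least min_groups groups, most widely used first."""
    counts = technique_counts(group_techniques)
    return sorted((t for t, n in counts.items() if n >= min_groups),
                  key=lambda t: (-counts[t], t))


def coverage_gaps(group_techniques, coverage):
    """Techniques in the threat model with no detection; the value is the number
    of groups using the technique, which we treat as its priority."""
    counts = technique_counts(group_techniques)
    return {t: n for t, n in counts.items() if t not in coverage}


def _layer(name, description, techniques, legend):
    """Wrap technique annotations in the Navigator layer envelope (layer format 4.5)."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "legendItems": legend,
    }


def overlap_layer(group_techniques):
    """Layer coloring each technique by the single group that uses it, green when shared."""
    groups = list(group_techniques)
    techniques = []
    for tech in sorted(technique_counts(group_techniques)):
        users = [g for g in groups if tech in group_techniques[g]]
        if len(users) > 1:
            color = COLOR_SHARED
        else:
            color = COLOR_SINGLE[groups.index(users[0]) % len(COLOR_SINGLE)]
        techniques.append({
            "techniqueID": tech, "color": color, "score": len(users),
            "comment": "used by " + ", ".join(users), "enabled": True,
        })
    legend = [{"label": g, "color": COLOR_SINGLE[i % len(COLOR_SINGLE)]}
              for i, g in enumerate(groups)]
    legend.append({"label": "shared by 2+ groups", "color": COLOR_SHARED})
    return _layer("Threat actor overlap",
                  "Techniques of " + ", ".join(groups), techniques, legend)


def gap_layer(group_techniques, coverage):
    """Layer showing only uncovered techniques, colored by priority."""
    gaps = coverage_gaps(group_techniques, coverage)
    techniques = [{
        "techniqueID": tech, "score": n,
        "color": PRIORITY_COLORS[min(n, 3)],
        "comment": f"no detection; used by {n} group(s)", "enabled": True,
    } for tech, n in sorted(gaps.items())]
    legend = [{"label": PRIORITY_LABELS[p], "color": PRIORITY_COLORS[p]} for p in (1, 2, 3)]
    return _layer("Detection gaps", "Techniques with no detection coverage",
                  techniques, legend)


if __name__ == "__main__":
    # Save either document as a .json file and load it in Navigator via "Open Existing Layer".
    print(json.dumps(overlap_layer(GROUP_TECHNIQUES), indent=2))
    print(json.dumps(gap_layer(GROUP_TECHNIQUES, DETECTION_COVERAGE), indent=2))
```

Using the number of groups as the priority score is the simplest defensible ranking; a real program would weight it by how relevant each group is to your sector and by how well the existing detections have actually been validated.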
Finally, Atomic Red Team is an open-source library of small, scripted tests, each mapped to a MITRE ATT&CK technique. Running them against your infrastructure and systems (in an authorized, controlled environment) shows which techniques your detections actually catch, so you can identify and close coverage gaps rather than assume they are covered.
MITRE CTID (Center for Threat-Informed Defense)
The MITRE CTID (Center for Threat-Informed Defense) is a privately funded R&D center that works with private-sector and non-profit organizations. Its goal is to change how defenders approach adversaries by pooling resources and emphasizing proactive, threat-informed defense over reactive response. This mission is driven by a belief, inspired by John Lambert, that defenders must move from thinking in lists to thinking in graphs if they are to overcome the attacker's advantage.
Etay Maor commented, “This is very important. We need to facilitate collaboration between defenders at various levels. We are very passionate about this.”
An important initiative in this context is the Attack Flow project. Attack Flow addresses a challenge defenders face: they often focus on individual, atomic adversary behaviors in isolation. Attack Flow instead provides a language and tooling for describing how ATT&CK techniques are sequenced and combined into patterns of behavior. This lets defenders and leaders gain a deeper understanding of how the adversary operates, so they can refine their strategy accordingly.
You can see an example of an Attack Flow here.
With Attack Flow, defenders can answer questions such as:
- What has the adversary done?
- How did the adversary's behavior change from one step to the next?
The answers help them capture, share, and analyze attack patterns.
They can then answer the most important questions:
- What’s the next thing they’re most likely to do?
- What have we missed?
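To make the last two questions concrete, here is an added example that is not part of the original article and not CTID's Attack Flow tooling. It uses a deliberately simplified model: each past incident is a constructed, ordered list of ATT&CK technique IDs (the real Attack Flow format is a STIX 2.1 bundle that also carries conditions, operators, and assets). From those sequences it answers “what is most likely next?” by counting which technique followed a given one, and “what have we missed?” by listing techniques that, in past flows, sat between two techniques we did observe. The technique IDs in the sample flows are real ATT&CK IDs, but the flows themselves are invented for illustration.

```python
from collections import Counter, defaultdict

# Constructed, illustrative flows: each is the ordered list of ATT&CK technique
# IDs observed in one past incident. This is a simplified sequence model, not the
# Attack Flow STIX format, which also carries conditions, operators and assets.
FLOWS = [
    ["T1566.001", "T1204.002", "T1059.001", "T1053.005", "T1003.001", "T1021.001", "T1486"],
    ["T1566.001", "T1204.002", "T1059.001", "T1547.001", "T1003.001", "T1021.001", "T1041"],
    ["T1190", "T1059.001", "T1053.005", "T1003.001", "T1021.002", "T1486"],
    ["T1078", "T1059.001", "T1003.001", "T1021.001", "T1041"],
]


def transition_counts(flows):
    """Count how often technique b directly follows technique a across all flows."""
    successors = defaultdict(Counter)
    for flow in flows:
        for a, b in zip(flow, flow[1:]):
            successors[a][b] += 1
    return successors


def likely_next(flows, technique, top=3):
    """'What is the adversary most likely to do next?'
    Returns (technique, probability) pairs ranked by how often each one
    directly followed `technique` in past flows."""
    successors = transition_counts(flows)[technique]
    total = sum(successors.values())
    if total == 0:  # never seen, or only ever seen as the final step of a flow
        return []
    return [(t, n / total) for t, n in successors.most_common(top)]


def likely_missed(flows, observed):
    """'What have we missed?'
    For each pair of consecutive techniques we did observe, collect the techniques
    that sat between them in past flows but that we did not observe ourselves.
    Returns (technique, count) pairs, most frequent first."""
    missed = Counter()
    seen = set(observed)
    for a, b in zip(observed, observed[1:]):
        for flow in flows:
            if a in flow and b in flow:
                i, j = flow.index(a), flow.index(b)
                if i < j:
                    missed.update(t for t in flow[i + 1:j] if t not in seen)
    return missed.most_common()


if __name__ == "__main__":
    # Two alerts fired (phishing attachment, then PowerShell) and later lateral
    # movement over SMB was spotted. What probably happened in between, and next?
    observed = ["T1566.001", "T1059.001", "T1021.001"]
    print("possibly missed:", likely_missed(FLOWS, observed))
    print("likely next:", likely_next(FLOWS, observed[-1]))
```

With only four sample flows the probabilities are coarse, but the shape of the answer is the point: the output is a ranked hunting list (dump credentials, then encrypt or exfiltrate) rather than an unordered list of techniques.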
CTID invites the public to take part in its activities and contribute to its knowledge base. You can contact them on LinkedIn.
To learn more about the MITRE ATT&CK framework, watch the entire masterclass here.