#CyberThreat19: How to Make a Start Using Attack Frameworks

Frameworks like the MITRE ATT&CK matrix are not just for large enterprises; businesses small and large can use them to better protect themselves and to categorize attackers.

Speaking at the SANS and NCSC Cyber Threat conference in London, Katie Nickels, MITRE ATT&CK threat intelligence lead and SANS instructor, said that people have often heard of MITRE ATT&CK but are not sure what it is and don’t know where to start with it.

Using an imagined company under attack as an example, Nickels said that a company will often see an active attack, search for details and block based on the attacker's tactics, techniques and procedures (TTPs), but this does not account for a change in behavior by the attacker.

Nickels said that too often, a lack of a framework can lead to a breakdown in communications and collaboration between different parts of a company and security team. “You should communicate your confidence level as you can never be sure how secure you are,” she argued, recommending using a traffic light and shades of color system for confidence levels. “You can never be 100% confident as adversaries change behaviors.”

She recommended integrating teams, as “each team has something another team needs – knowledge on adversaries and tactics and what threats are, and capabilities and attack tactics.”

She also advised starting where you can, even if this is with emails, Excel or a ticketing system. “Overlay detections and threats in your framework, what groups are known to use this technique and map different teams to an attack.”

Start by building up a library of attacks and TTPs, she said, as some people are “hesitant to build their own techniques as adversaries are doing new things, so create something that is important to you and create your own techniques.”
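The practice described above, a library of techniques with detections overlaid on it, a traffic-light confidence level per technique and groups mapped to the techniques they use, can start as a small script rather than a product. The following is an added example and not code from the talk or from MITRE; the technique IDs are real ATT&CK identifiers, but the detections, confidence colours and group-to-technique mappings are constructed sample data, not threat intelligence.

```python
# Confidence is a traffic-light colour, never "100% covered".
CONFIDENCE_ORDER = {"green": 2, "amber": 1, "red": 0}

# Library of techniques we care about (constructed subset of ATT&CK).
TECHNIQUES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1078": "Valid Accounts",
}

# Detections overlaid on the library: (technique, analytic, confidence).
# Constructed sample data, not real analytics.
DETECTIONS = [
    ("T1566", "mail-gateway-attachment-sandbox", "green"),
    ("T1059", "powershell-scriptblock-logging", "amber"),
    ("T1059", "edr-suspicious-cmd-parent", "amber"),
]

# Hypothetical groups mapped to the techniques they are said to use.
GROUPS = {
    "Group-A": ["T1566", "T1059", "T1003"],
    "Group-B": ["T1078", "T1003"],
}


def coverage_by_technique(detections=DETECTIONS):
    """Best confidence colour per technique; 'red' where nothing detects it."""
    best = {tid: "red" for tid in TECHNIQUES}
    for tid, _analytic, colour in detections:
        if tid not in best:
            raise KeyError(f"detection references unknown technique {tid}")
        if CONFIDENCE_ORDER[colour] > CONFIDENCE_ORDER[best[tid]]:
            best[tid] = colour
    return best


def gaps_by_group(groups=GROUPS, detections=DETECTIONS):
    """Per group, the techniques not yet green, weakest coverage first."""
    best = coverage_by_technique(detections)
    return {
        group: sorted((t for t in tids if best[t] != "green"),
                      key=lambda t: CONFIDENCE_ORDER[best[t]])
        for group, tids in groups.items()
    }


if __name__ == "__main__":
    for tid, colour in coverage_by_technique().items():
        print(f"{tid} {TECHNIQUES[tid]:<35} {colour}")
    for group, weak in gaps_by_group().items():
        print(f"{group}: gaps -> {', '.join(weak) or 'none'}")
```

Replacing the constants with rows read from a spreadsheet or ticket export is the "start where you can" version; the analytics and their colours are what the team iterates on.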

There are also open source techniques that you can use, such as from OWASP, Atomic Threat Coverage and Unfetter.

“ATT&CK is for everyone and we often hear from small teams if they can use it, if you are a team of one you can get started by looking at behaviors or open source tools to collect data,” she said. “Start small and iterate from there. Don’t let perfect be the enemy as you will never have perfect coverage, so iterate and improve.”

Nickels concluded by recommending collaboration and cooperation with others, and to use ATT&CK to share data on what adversaries are doing. Asked by Infosecurity what a first step is to take, Nickels recommended determining what the problem is you want to solve, and to consider what data you have and use it to create analytics.
