MITRE ATT&CK and the case for going back to cyber-security basics
September 25, 2020
Piers Wilson at Huntsman Security explains why the MITRE ATT&CK framework is an invaluable tool but getting the basics of cyber hygiene right is just as important.
The digitisation of business is providing new capabilities, but it is also increasing the cyber attack surface available for exploitation by hackers. Last year, more than half of British firms reported cyber attacks, according to research by Hiscox – a significant increase from the 45 percent in 2018. The same survey showed average losses from UK breaches went up 61 percent, soaring to £310,979 over the year.
Attackers use a broad range of strategies to increase their chances of success. Businesses can find many of them catalogued in MITRE ATT&CK®: a comprehensive matrix of the tactics and techniques that hackers use, which is currently making waves in the world of cyber-security. MITRE ATT&CK could be an invaluable tool for assessing cyber risk, as well as for classifying and defending against attacks – if only it weren’t quite so expansive and rich in detail.
An ever-changing risk environment
Organisations constantly find themselves in a shifting risk environment. With attackers employing a multitude of changing techniques and strategies, there are increasing demands on an organisation’s cyber security controls to meet and neutralise new threats. MITRE ATT&CK® has 245 listed techniques that can be used by hackers to achieve successful outcomes.
This can be a vital resource for expert security teams and threat researchers, providing them with an impressive repository of insight into techniques used by adversaries, helping to identify and mitigate attacks.
Do you have the “might” for MITRE?
Organisations, however, can be overwhelmed by the detail and comprehensiveness of MITRE ATT&CK®. Hiscox’s survey showed that British firms have the lowest cyber security budgets of the seven countries surveyed. They were also the least likely – along with US firms – to have a "defined role for cyber security" on their staff.
A significant number of British organisations, lacking enough resources or technical capacity, would therefore be hard-pressed to adopt the complex MITRE framework as it is, despite it being a useful tool for threat analysts and expert cyber-security professionals.
A more suitable first step for resource-poor organisations is to implement the basic elements of cyber-security. These can be defined by a standard cyber-security framework, like the UK National Cyber Security Centre’s (NCSC) 10 steps to cyber security, or the Australian Government’s Essential Eight Maturity Model.
Building a cyber resilient foundation
Both models break down the task of cyber security into eight or ten essential components, cutting through the wider complexity of cyber security by focusing on the highest-value control areas.
The NCSC’s 10 Steps framework covers security areas including user education, network security and mobile working, and advises on how to achieve the best possible security in each. It also offers a framework against which cyber security controls can be systematically measured and monitored.
By comparison, the Essential Eight draws on specialist research into the causes of attacks and presents the eight controls that would have provided protection in 85% of cases. Compliance with the Essential Eight means not only that the majority of attack strategies are covered, but also that security teams have up to six times more time and resource available to deal with the remaining risks, control failures and attack vectors.
Without core security controls in place, attackers have multiple points of entry before they need to resort to the more sophisticated techniques in MITRE ATT&CK®. These are the very points of vulnerability that often remain unaddressed in many organisations, and most hackers rely on them for their success.
Basic cyber hygiene, like consistent patching across systems, application whitelisting, multi-factor authentication and controls on macros and code execution, helps mitigate this.
Following the standards does not require a dedicated team. It involves activities as simple as implementing a policy that limits what types of technical risks users are exposed to: for instance, a user that can’t execute a macro cannot be duped into doing so. This means that protection exists whether staff awareness messages have worked or not.
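One way to make the argument above measurable is to map the basic controls the article lists onto ATT&CK mitigation objects and compute which catalogued techniques still lack a mitigating control. The example below is added here and is not code from the article or from Huntsman Security; it assumes the public ATT&CK STIX export shape (attack-pattern and course-of-action objects joined by "mitigates" relationships), uses a constructed mini-bundle whose technique/mitigation pairings are illustrative rather than copied from ATT&CK, and assumes that patching, MFA and application whitelisting correspond to the ATT&CK mitigations M1051, M1032 and M1038.

```python
import json

def _obj(kind, uid, name, ext_id):
    """Build one STIX-style object carrying a mitre-attack external reference."""
    return {"type": kind, "id": f"{kind}--{uid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

def _rel(src, dst):
    """Build a 'mitigates' relationship from a course-of-action to a technique."""
    return {"type": "relationship", "relationship_type": "mitigates",
            "source_ref": src, "target_ref": dst}

# Constructed bundle in the shape of the ATT&CK STIX export (assumption about the
# format); the pairings below are illustrative and not copied from ATT&CK.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    _obj("attack-pattern", "a1", "Phishing", "T1566"),
    _obj("attack-pattern", "a2", "Exploit Public-Facing Application", "T1190"),
    _obj("attack-pattern", "a3", "Valid Accounts", "T1078"),
    _obj("attack-pattern", "a4", "User Execution", "T1204"),
    _obj("attack-pattern", "a5", "Data Encrypted for Impact", "T1486"),
    _obj("course-of-action", "m1", "Update Software", "M1051"),
    _obj("course-of-action", "m2", "Multi-factor Authentication", "M1032"),
    _obj("course-of-action", "m3", "Execution Prevention", "M1038"),
    _rel("course-of-action--m1", "attack-pattern--a2"),
    _rel("course-of-action--m2", "attack-pattern--a3"),
    _rel("course-of-action--m3", "attack-pattern--a4"),
    _rel("course-of-action--m3", "attack-pattern--a1"),
]})

def ext_id(obj):
    """Return the T-number / M-number of an object (raises if it has none)."""
    return next(r["external_id"] for r in obj.get("external_references", [])
                if r.get("source_name") == "mitre-attack")

def coverage(bundle_json, implemented):
    """Given implemented mitigation IDs, return (covered, uncovered) technique IDs."""
    objs = json.loads(bundle_json)["objects"]
    by_ref = {o["id"]: o for o in objs if o["type"] != "relationship"}
    techniques = {o["id"] for o in objs if o["type"] == "attack-pattern"}
    covered = set()
    for r in objs:
        if r["type"] == "relationship" and r["relationship_type"] == "mitigates":
            # A technique counts as covered when any implemented control mitigates it.
            if ext_id(by_ref[r["source_ref"]]) in implemented and r["target_ref"] in techniques:
                covered.add(r["target_ref"])
    names = lambda refs: sorted(ext_id(by_ref[t]) for t in refs)
    return names(covered), names(techniques - covered)

if __name__ == "__main__":
    print(coverage(SAMPLE_BUNDLE, {"M1051", "M1032", "M1038"}))
```

The uncovered list is the "remaining risks" the article refers to: with the three basic controls in place, the team's attention can go to the techniques that fall outside them.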
Implementing these fundamental controls will allow organisations to protect themselves in today’s hostile cyber landscape. The current global situation means 1.5 billion people have been asked to stay home, and a large number are working remotely. Now, more than ever, organisations need to be getting the basics of cyber-security right.
The impact of this changed working environment was starkly revealed by the Australian Prime Minister on June 19 2020, when he advised that the Australian government and business had been experiencing intense and persistent cyber attacks from a foreign adversary.
The related ASD report provided MITRE ATT&CK® identifiers for the attacks and identified patching of internet software, operating systems and devices and the use of multi-factor authentication across all remote access services as two key elements of a broader mitigation strategy to protect the new way of working for organisations.
Piers Wilson is Head of Product Management at Huntsman Security.