Security fragmentation is one of the biggest issues facing cybersecurity leaders today. The threat landscape is growing rapidly – there are now more than 130 targeted, large-scale data breaches in America each year – yet no shared rules for describing threats and how they operate exist. There isn’t even a common language in place, which makes discussing cyber-attacks almost as hard as stopping them. Experts can of course communicate among themselves, but security teams alone don’t prevent cyber-attacks. It takes companywide awareness and cohesion, as businesses are only as secure as their weakest link.
So, what happens when an attack does hit? Today more than half of all breaches incorporate hacking, which means the bad guys are as sophisticated as they are numerous. To discuss, prepare for, and ultimately respond to these advanced attacks, organisations are moving towards cybersecurity frameworks – documents that outline the policies, procedures and processes to follow in the case of a breach.
MITRE ATT&CK™, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, seems to be cementing its place as the leading cybersecurity framework in 2020. Using ATT&CK, it’s possible to identify security weaknesses before you find out the hard way.
How MITRE ATT&CK™ differs from other frameworks
When it comes to guidance on building detection and response programs, MITRE ATT&CK™ trumps traditional frameworks such as the Diamond Model, which lacks technical depth, and Lockheed Martin’s Cyber Kill Chain, which offers little from the attacker’s perspective. At Immersive Labs, we believe that to keep pace you need to learn like hackers – and this is where ATT&CK, which has a strong adversarial focus, can help.
Unlike defenders, who must secure their entire attack surface, hackers need to find just one weakness to penetrate a network. This first-mover advantage means that, historically, attackers have had control. However, ATT&CK is levelling the playing field with its numerous tactics, techniques and procedures based on real-world observation.
Thanks to this basis in real life, ATT&CK provides unrivalled detail regarding the ways threat actors can run an attack, starting with the initial access phase. It organises the building blocks of an attack so that organisations can visualise exactly what adversaries could achieve on their network, making it easier to put relevant defences in place. So, when a business identifies an attacker on its network, it has a ready-made list of responses for mitigation – meaning less time wasted filling in the gaps.
MITRE ATT&CK™ big wins
One of MITRE ATT&CK™’s biggest wins is that it can evaluate the capabilities of security technology. This means organisations can identify which tech covers the risks most relevant to them before splashing out. Alternatively, if their existing tech doesn’t cover a certain area, they can do something about patching that weakness – like upskilling staff.
ATT&CK™ can integrate with threat intelligence to drive security, too. When a new threat is discovered, for example, the categories in the framework enable security teams to respond or confirm current levels of protection.
Measuring and developing skills with MITRE ATT&CK™
While MITRE ATT&CK™ is primarily used to reduce cyber risk, it is also an excellent resource for cyber workforce development. At present, many training programs and certifications teach skills that are not useful in the real world. Or perhaps the skills being taught are useful, but not to the organisation paying the course graduate’s wages.
Immersive Labs maps its cyber skills content against the ATT&CK framework, which enables organisations to see where their staff are proficient and where they are lacking. This means managers can take a proactive approach to developing the skills of their security teams, as they can visualise their business’s risk profile.
A healthcare organisation, for example, might be at high risk from a certain APT group. The organisation’s security team would research the tactics that group was using and begin ticking off skills against the ATT&CK framework. Any key missing skills could then be developed through Immersive Labs. This is a focused way of learning that boosts the effectiveness of your cybersecurity.
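To make the mapping exercise above concrete, here is an added example (not code from the post or from Immersive Labs’ platform) that builds the kind of skills heatmap the scenario describes. The threat-group profile and the team’s skill records are constructed for illustration; the T-numbers are real ATT&CK technique IDs, but each is shown under a single tactic here even though the real matrix lists some under several. The output is the gap list (techniques nobody covers), the single-person dependencies, and a per-tactic coverage summary.

```python
from collections import Counter, defaultdict

# Constructed threat-group profile: the techniques the (hypothetical) group is
# believed to use, as the security team's own research would supply them.
# Each technique is shown under one tactic for simplicity.
GROUP_PROFILE = {
    "T1566": ("Initial Access", "Phishing"),
    "T1078": ("Initial Access", "Valid Accounts"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1053": ("Persistence", "Scheduled Task/Job"),
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1082": ("Discovery", "System Information Discovery"),
    "T1021": ("Lateral Movement", "Remote Services"),
    "T1071": ("Command and Control", "Application Layer Protocol"),
    "T1041": ("Exfiltration", "Exfiltration Over C2 Channel"),
    "T1486": ("Impact", "Data Encrypted for Impact"),
}

# Constructed record of which techniques each team member has demonstrated
# proficiency in (for example, labs completed), keyed by technique ID.
TEAM_SKILLS = {
    "analyst_a": {"T1566", "T1059", "T1082", "T1071"},
    "analyst_b": {"T1059", "T1003", "T1021"},
    "analyst_c": {"T1566", "T1078"},
}


def technique_coverage(profile, skills):
    """For every technique in the group's profile, count how many people cover it."""
    counts = Counter()
    for person_skills in skills.values():
        for tid in person_skills & set(profile):
            counts[tid] += 1
    return {tid: counts.get(tid, 0) for tid in profile}


def skill_gaps(profile, skills):
    """Techniques the group uses that nobody on the team is proficient in."""
    cov = technique_coverage(profile, skills)
    return sorted(tid for tid, n in cov.items() if n == 0)


def single_points_of_failure(profile, skills):
    """Techniques covered by exactly one person: a staffing risk rather than a gap."""
    cov = technique_coverage(profile, skills)
    return sorted(tid for tid, n in cov.items() if n == 1)


def tactic_heatmap(profile, skills):
    """Per tactic: (techniques covered by at least one person, techniques the group uses)."""
    cov = technique_coverage(profile, skills)
    covered, total = defaultdict(int), defaultdict(int)
    for tid, (tactic, _name) in profile.items():
        total[tactic] += 1
        if cov[tid] > 0:
            covered[tactic] += 1
    return {tactic: (covered[tactic], total[tactic]) for tactic in total}


def render(profile, skills):
    """Text heatmap: '.' = nobody covers it, '+' = one person, '#' = two or more."""
    cov = technique_coverage(profile, skills)
    rows = []
    for tid, (tactic, name) in profile.items():
        shade = {0: ".", 1: "+"}.get(cov[tid], "#")
        rows.append(f"[{shade}] {tactic:<19} {tid}  {name} ({cov[tid]})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(GROUP_PROFILE, TEAM_SKILLS))
    print("Gaps to train:", skill_gaps(GROUP_PROFILE, TEAM_SKILLS))
    print("Single-person dependencies:", single_points_of_failure(GROUP_PROFILE, TEAM_SKILLS))
    for tactic, (c, t) in tactic_heatmap(GROUP_PROFILE, TEAM_SKILLS).items():
        print(f"{tactic:<19} {c}/{t}")
```

With the constructed data, Persistence, Exfiltration and Impact come out as uncovered tactics, which is the list a manager would turn into a training plan; the single-person dependencies show where one departure would reopen a gap. Swapping in a real group profile and a real skills export is the only change needed.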
Want to start using MITRE ATT&CK™ to measure, validate and visualise the human capabilities in your organisation? This short eBook explains the framework and how it can be used to map tactics and techniques to skills. If you’d rather see ATT&CK™ in action, Immersive Labs Lite has an example heatmap you can explore for yourself.