Cyber attacks are becoming more sophisticated every day. Cyber criminals are honing living off the land (LotL) techniques, exploiting off-the-shelf and pre-installed tools to invade online platforms. We’ve also seen threat actors continue to reuse classic tactics, techniques and procedures (TTPs) in their campaigns. As such, the use of emails with malicious attachments or links continues to be the most common initial infection vector, as reported in our annual threat landscape report, CiPulse 2020.
As a result of this ever-increasing volume and sophistication, SOCs and SIEMs that rely on traditional, reactive measures are overwhelmed. More and more organizations are turning to detection and response solutions which combine threat intelligence and cyber expertise to uncover and remediate threats as early as possible, and also to mitigate the risk of future attacks.
MITRE ATT&CK™ (Adversarial Tactics, Techniques & Common Knowledge) is an empirically driven framework which facilitates gathering, interpreting and sharing information on cyber criminals (or “adversaries” in the ATT&CK terminology) and their tactics, techniques and procedures (TTPs), in an effort to derive taxonomies of adversaries. The information gathered, analyzed and shared by ATT&CK™ helps cyber security researchers, incident responders, red teams and others to analyze intelligence regarding adversaries’ TTPs, and use that information to understand what tactics and techniques they should use to detect and mitigate attacks. By grouping and overlaying information from groups of adversaries, ATT&CK™ can help create a threat-centric understanding of a user’s vulnerabilities, and customize defenses.
Threat intelligence teams using ATT&CK™ can provide decision makers with actionable information facilitating prioritization of resources and planning an organization’s cyber security program.
Effective threat hunting is continual, proactive, and powered by strong intelligence, and to do it right you need to play offense. A key component of threat hunting is building, testing and refining analytic detection capabilities, which can be a complex and time-consuming process. ATT&CK™ provides a standardized, but flexible, framework which will help you streamline building, testing and validating customized detections for your organization.
ATT&CK™ contains an ever-evolving taxonomy of the behavioral TTPs adversaries use to compromise networks. With ATT&CK™ you can leverage hypothesis-driven use cases to detect signs of active or residual adversarial presence and activity across your enterprise. Artifacts found during the ATT&CK™-facilitated hunting process are used to build analytics for custom detections, which may be continuously monitored and can be triggered by future malicious, adversarial activity.
MITRE ATT&CK™ is an efficient resource for cybersecurity teams, but it can be fully leveraged only after you have the expertise necessary to understand how it works and should be used. ATT&CK™ is a complex framework, with out-of-the-box logic behind it. Here’s a brief rundown of what you’ll need to understand before trying it for the first time:
In short: First, learn to understand your online environment, with its unique tactics, techniques, and procedures. Next, view your environment from an adversarial perspective and try to understand the adversary’s TTPs. This will help you utilize ATT&CK™ to its fullest potential, allowing you to build, test, deploy, fine-tune and periodically verify the analytics necessary to mitigate cyber attacks.
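As an added example (not part of the original post, and not Cyberint's own tooling), here is one way the hypothesis-driven hunt described above can be turned into a repeatable, ATT&CK-mapped analytic. The hypothesis combines the two points made earlier: a malicious email attachment (the most common initial infection vector) is opened in an Office application, which then spawns a pre-installed scripting interpreter (living off the land). The process-creation log format and every event below are constructed for the example; the technique IDs are real ATT&CK identifiers (T1059.x Command and Scripting Interpreter, T1218.005 Mshta), but the set of parents and children is an assumption you would tune to your own environment.

```python
"""Hypothesis-driven hunt analytic with ATT&CK mapping (illustrative example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothesis: an Office application (typically launched from a mail client to
# open an attachment) spawns a pre-installed interpreter or proxy binary.
# Both sets are assumptions for this example; tune them to your estate.
OFFICE_PARENTS: Set[str] = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOTL_CHILDREN: Dict[str, tuple] = {
    # image name -> (ATT&CK technique ID, tactic)
    "powershell.exe": ("T1059.001", "Execution"),  # PowerShell
    "cmd.exe":        ("T1059.003", "Execution"),  # Windows Command Shell
    "wscript.exe":    ("T1059.005", "Execution"),  # Visual Basic
    "cscript.exe":    ("T1059.005", "Execution"),
    "mshta.exe":      ("T1218.005", "Defense Evasion"),  # System Binary Proxy Execution: Mshta
}

# Constructed process-creation events in a simple key=value form.
# This is NOT a real EDR or Sysmon format; quoted values may contain spaces.
SAMPLE_EVENTS = """\
ts=2020-05-04T10:12:03Z host=ws17 user=alice parent=OUTLOOK.EXE image=WINWORD.EXE cmdline="winword.exe /n invoice.docm"
ts=2020-05-04T10:12:09Z host=ws17 user=alice parent=WINWORD.EXE image=powershell.exe cmdline="powershell -w hidden -enc <base64>"
ts=2020-05-04T10:15:41Z host=ws17 user=alice parent=explorer.exe image=powershell.exe cmdline="powershell -File backup.ps1"
ts=2020-05-04T11:02:17Z host=ws22 user=bob parent=EXCEL.EXE image=cmd.exe cmdline="cmd /c whoami"
ts=2020-05-04T11:30:00Z host=ws22 user=bob parent=EXCEL.EXE image=splwow64.exe cmdline="splwow64.exe"
"""

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    technique: str
    tactic: str


def office_spawns_interpreter(event: Dict[str, str]) -> Optional[Finding]:
    """The analytic itself: Office parent + LotL child => finding, else None.

    Image names are compared case-insensitively because the same binary is
    logged as WINWORD.EXE by one source and winword.exe by another.
    """
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    if parent in OFFICE_PARENTS and image in LOTL_CHILDREN:
        technique, tactic = LOTL_CHILDREN[image]
        return Finding(event.get("ts", ""), event.get("host", ""), event.get("user", ""),
                       parent, image, technique, tactic)
    return None


def hunt(log_text: str) -> List[Finding]:
    """Run the analytic over every non-empty line of a log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = office_spawns_interpreter(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


def coverage(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Overlay hits onto the ATT&CK matrix: tactic -> techniques observed."""
    matrix: Dict[str, Set[str]] = {}
    for f in findings:
        matrix.setdefault(f.tactic, set()).add(f.technique)
    return matrix


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.ts} {h.host}/{h.user}: {h.parent} -> {h.image}  [{h.technique} / {h.tactic}]")
    print("coverage:", coverage(hits))
```

Two of the five constructed events fire (Word spawning PowerShell, Excel spawning cmd); the Outlook-to-Word launch, the PowerShell started from Explorer and the print spooler helper spawned by Excel do not, which is the kind of benign-baseline check the "understand your environment first" step is about. Each finding carries the technique and tactic it maps to, so hits can be overlaid on the ATT&CK matrix to see which tactics your analytics actually exercise and which remain gaps.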
Traditional cybersecurity measures are frequently overwhelmed not only by the sophistication of attackers but also by the sheer volume of malicious activity. Cyberint’s cybersecurity teams harness MITRE ATT&CK™ to give you proactive, managed threat hunting services, finding signs of active or residual adversarial presence and activity across your enterprise and using the information they find to protect your environment in the future.