Mitigating security vulnerabilities is difficult. Attackers need only one vulnerability to break into your network, but defenders must protect everything. That is why security programs have shifted resources toward detection and response: detect when attackers are inside your network, then respond efficiently to their actions to collect evidence and mitigate risk.
How can you build a program around detection and response? The ATT&CK framework from MITRE is one answer. ATT&CK can serve as a unifying taxonomy that lets different groups within an organization share information, collaborate and set up the necessary detection and response procedures.
The ATT&CK framework from MITRE is steadily being adopted by the security community because it organizes the steps attackers take to infiltrate your network, capture hosts, escalate privileges, move laterally without being detected and exfiltrate data. Using the common taxonomy of attacker behavior in MITRE ATT&CK helps security teams – cyber incident response teams (CIRT), security operations centers (SOC), red and blue teams, threat hunters, IT – test, develop and prioritize their detection and response mechanisms so that they are relevant to the business, industry and intellectual property of their company.
The taxonomy of MITRE ATT&CK is daunting and somewhat overwhelming. There is so much information that you can easily get caught in analysis paralysis. These tips and guidelines will help you set up your ATT&CK program quickly.
How to understand the MITRE ATT&CK content
The tactics, techniques and procedures are documented in a table format such as the MITRE ATT&CK Enterprise Matrix. The ATT&CK Navigator on GitHub offers more options for exploring the matrix.
- "Tactics" are the column headers: general categories describing why attackers use particular techniques.
- "Techniques" appear in the cells under each tactic column and describe what attackers do to accomplish that tactic. The ATT&CK matrix assigns a number to each technique, such as T1500 or T1191.
- "Procedures" are reached through links in the technique entries and show how attackers implement a technique. Procedures give more detailed descriptions of how a specific technique has been carried out in the wild by attackers, including named attack groups.
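As an added example (not code from the article or from MITRE), the following Python reads a minimal ATT&CK Navigator-style layer and reports detection coverage per tactic plus the techniques that still lack a detection, which is one way a SOC turns the matrix into a prioritized list. The layer content is constructed: T1500 and T1191 are the technique IDs from the article, the other IDs are well-known Enterprise techniques, and the `score` field is assumed to encode whether a detection exists (1 = covered, 0 = not covered).

```python
import json
from collections import defaultdict

# Constructed sample layer in the shape the ATT&CK Navigator exports.
# T1500 and T1191 are from the article; the others are well-known
# Enterprise technique IDs. "score" is our assumed detection marker.
LAYER_JSON = """
{
  "name": "detection-coverage",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1191", "tactic": "defense-evasion", "score": 1},
    {"techniqueID": "T1191", "tactic": "execution", "score": 1},
    {"techniqueID": "T1500", "tactic": "defense-evasion", "score": 0},
    {"techniqueID": "T1059", "tactic": "execution", "score": 1},
    {"techniqueID": "T1003", "tactic": "credential-access", "score": 0},
    {"techniqueID": "T1021", "tactic": "lateral-movement", "score": 0},
    {"techniqueID": "T1041", "tactic": "exfiltration", "score": 1}
  ]
}
"""
LAYER = json.loads(LAYER_JSON)

def coverage_by_tactic(layer: dict) -> dict:
    """Return {tactic: (covered, total)}. A technique that appears under
    several tactics (e.g. T1191) is counted once per tactic, mirroring
    how the Enterprise Matrix shows it in each column."""
    totals = defaultdict(lambda: [0, 0])
    for t in layer["techniques"]:
        totals[t["tactic"]][1] += 1
        if t.get("score", 0) > 0:
            totals[t["tactic"]][0] += 1
    return {k: tuple(v) for k, v in totals.items()}

def uncovered_techniques(layer: dict) -> list:
    """Technique IDs with no detection under any tactic: the candidates
    a team would prioritize next."""
    covered = {t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) > 0}
    all_ids = {t["techniqueID"] for t in layer["techniques"]}
    return sorted(all_ids - covered)

def weakest_tactics(layer: dict) -> list:
    """Tactics ordered from lowest to highest coverage ratio."""
    cov = coverage_by_tactic(layer)
    return sorted(cov, key=lambda k: (cov[k][0] / cov[k][1], k))

if __name__ == "__main__":
    for tactic, (c, n) in coverage_by_tactic(LAYER).items():
        print(f"{tactic:20s} {c}/{n}")
    print("uncovered:", uncovered_techniques(LAYER))
    print("weakest tactics:", weakest_tactics(LAYER))
```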
What makes MITRE ATT&CK great is that all tactics, techniques and procedures (TTPs) are based on what has been observed from real attack groups in the wild. Many of these groups use the same techniques. It almost seems as if the hacking groups have their own playbook for attacking systems, which they use to quickly make new members productive.