MITRE ATT&CK (noun)
Rick Howard: The word is: MITRE ATT&CK.
Rick Howard: Spelled: MITRE, as in an American quasi-governmental non-profit that manages several U.S Government Federally Funded Research and Development Centers, or FFRDCs. And for ATT&CK A for Adversaries, T for Tactics, T for Techniques, the ampersand, C for Common, and K for Knowledge.
Rick Howard: Definition: A knowledge base of adversary tactics, techniques, and procedures established and maintained by the MITRE Corporation.
Rick Howard: Example sentence: The security operations team used the MITRE ATT&CK framework to determine the attack sequence for the adversary group, Fancy Bear
Rick Howard: Origin and context: Some say that the MITRE ATT&CK framework is just another threat model in the same vein as a Lockheed Martin Intrusion Kill Chain model or the Department of Defense's Diamond Model.
Rick Howard: The framework does extend the original Lockheed Martin model and correct for some of the limitations. It eliminates the recon phase and clarifies and extends the actions on the objective stage, but the frameworks' significant innovation is an extension of the list of things intelligence analysts collect on adversary group attack sequences. In other words, their adversary playbooks. Before the framework, cyber intelligence teams would collect indicators of compromise without any relation to known adversary behavior like IP addresses to known bad guy locations, strange DNS requests, and network traffic on unusual ports. These are not bad per se, but they are ephemeral and hackers can easily change them at the drop of a hat and did. By the time infosec teams deployed countermeasures, the bad guys had already changed their behavior.
Rick Howard: MITRE's extension to the kill chain model includes the grouping of tactics, the why, the techniques used, the how, and the specific implementation the adversary groups use to deploy the tactic. That intelligence is not ephemeral, is tied to known adversary group behavior and is conducive to designing impactful countermeasures. Where the Lockheed Martin kill chain model is conceptual, that MITRE ATT&CK framework is operational and the Diamond model is specifically designed for intelligence analysts as a way to think about both. But the real power of the MITRE ATT&CK framework is an intelligence product that I call the ATT&CK framework wiki. It's a globally-accessible knowledge base of known adversary behavior. It's derived from the real-world observations from both MITRE intelligence analysts and from the cybersecurity intelligence community at large. In other words, it's the most complete, free, open source standardized database of adversary offensive playbook intelligence.
Rick Howard: Although the wiki tracks several crime groups, that's not the focus. It primarily covers how APT groups, nation, state groups, traverse their version of the intrusion kill chain. Most importantly, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations, couldn't be shared with anybody else without a lot of manual conversion-grunt-work to make sense of it all. Talk about the tower of Babel. We were all looking at the same activity and couldn't talk about it collectively in any way that made sense. MITRE fixed that by releasing the first version of the framework in 2013 and has made significant improvements to the model almost every two years since. The bottom line is that the MITRE ATT&CK framework has become the industry's defacto standard for representing adversary playbook intelligence.
Rick Howard: Nerd reference: Professor Messer is a small cybersecurity training company that produces excellent YouTube educational content to prepare IT and security professionals for CompTIA A+, CompTIA Network+, and CompTIA Security+ certifications. In this clip he describes the MITRE ATT&CK framework.
Professor Messer: One place to begin gathering. This type of information is through the MITRE attack framework. This comes from the MITRE corporation. They are based in the Northeast United States and they primarily support us governmental agencies. Their entire framework is available for you to view online. You can go to attack.mitre.org and view the entire framework from that website.
Professor Messer: Using this framework, you can identify broad categories of attacks. You can find exact intrusions that could be occurring, understand how those intrusions are occurring and how attackers move around after the attack, and then identify security techniques that can help you block any future attacks.
Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik, and me, Rick Howard. The mix, sound design, and original music have all been crafted by their ridiculously talented Elliott Peltzman. Thanks for listening.