MITRE ATT&CK framework and MSSP

Vladimir Radchenko
May 16, 2022

The MITRE ATT&CK framework is a convenient way to get a structured view of the possible threats. This knowledge base organizes adversary behaviour into two levels: tactics and techniques.

At first it can overwhelm you with terms and details. The ATT&CK Matrix is very formal, so directly mitigating every risk it lists can be extremely costly. But the challenge can be simplified. The easiest way to apply it is to review the ATT&CK Matrix itself from left to right (Reconnaissance > Impact).

This direction follows the typical progression of an attack, from finding vulnerabilities to exploiting them. Each step in this “workflow” is a Tactic, and each Tactic contains many Techniques. A Technique describes a specific way to get through protection, gain additional privileges, collect information about the target, and so on.

Decompose each adversary step and attack vector, split it into small cases that apply to you, and cover those.

At first glance it’s hard to apply this framework to a typical enterprise. But in real life you don’t need to cover it all. The main idea is to get a big picture of all the “bad scenarios” that could happen to your infrastructure and applications.

Once you have reviewed all these Tactics and Techniques, you can start prioritizing the related threats. Every CISO knows the basic formula:

Risk = Likelihood * Impact.

In the context of this topic, it can be transformed into:

Priority = Probability of Exploitation * Consequences * Asset Value

This approach reminds us that it makes no sense to spend more on protecting a resource than the resource itself is worth.

You can build a custom threat model in the ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/

This is a web-based tool for annotating and exploring ATT&CK matrices. You can get it from GitHub and deploy it locally: https://github.com/mitre-attack/attack-navigator. You can also apply filters, review previous versions of the matrices, and combine several layers of your threat model.

For example, it is a great tool for your Incident Response Team when they need to highlight the most painful cases. Used this way, the MITRE ATT&CK matrix adds transparency to the everyday work of L1 analysts and support.

OK, so what do we get? The low-hanging fruit:

1. Big picture and threat modeling: once again, the MITRE matrix gives you an understanding of the whole scope of bad things that could happen. It helps you define priorities and find reasonable protection solutions.

2. Security metrics: it provides metrics for management, so measuring the company’s protection becomes easier.

3. Common language: don’t underestimate this point. It’s extremely important for the security team or department and the business to be on the same page.

There are many descriptions of the MITRE ATT&CK matrix on the Internet. Here I’ll show you one of the most common ways of using it for an MSSP / SOC.

Let’s imagine you are an MSSP with many clients from different industries, which is typical for security providers. This makes it hard to cover security risks for completely different business specifics. For example, you have to process and alert on events from systems as different as government, healthcare and e-commerce at the same time. Threat agents and attack vectors could be completely different for these companies. The obvious choice is to use overlapping alert rules for these clients.

To do so, you will have to classify alerts and rules in accordance with some security framework. And here comes… the MITRE matrix. You start using Tactics and Techniques to sort out your triggers and get visibility into blind spots and uncovered areas. You can also show clients a measurable protection level, which is a kind of SLA. As a result, you get a consistent and structured approach to detection and alerting for your customers, which is crucial for MSSP businesses.
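As an added example (not from the post), the following Python script puts the two points above into code: the priority formula, and classifying an MSSP rule base by ATT&CK tactic and technique to expose blind spots and produce an Attack Navigator layer. The technique-to-tactic mapping is a hand-picked subset of real ATT&CK IDs, the rule names are constructed, and the Navigator layer key names are assumed from the layer format rather than taken from the post.

```python
# Constructed subset of real ATT&CK technique IDs -> (name, tactic), in matrix order.
TECHNIQUES = {
    "T1595": ("Active Scanning", "reconnaissance"),
    "T1566": ("Phishing", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1078": ("Valid Accounts", "persistence"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# Constructed MSSP alert rules, each tagged with the technique(s) it detects.
RULES = [
    {"name": "phish-url-click", "techniques": ["T1566"]},
    {"name": "powershell-encoded-cmd", "techniques": ["T1059"]},
    {"name": "lsass-access", "techniques": ["T1003"]},
]


def priority(probability, consequences, asset_value):
    """The post's formula: Priority = Probability of Exploitation * Consequences * Asset Value."""
    return probability * consequences * asset_value


def coverage(rules, techniques=TECHNIQUES):
    """Group techniques per tactic into covered vs. gaps (the blind spots)."""
    tagged = {t for r in rules for t in r["techniques"]}
    report = {}
    for tid, (_, tactic) in techniques.items():
        bucket = report.setdefault(tactic, {"covered": [], "gaps": []})
        bucket["covered" if tid in tagged else "gaps"].append(tid)
    return report


def navigator_layer(rules, name="MSSP coverage", techniques=TECHNIQUES):
    """Minimal Attack Navigator layer (key names assumed from the layer format);
    score = number of rules covering the technique, so 0 highlights a gap."""
    counts = {}
    for r in rules:
        for t in r["techniques"]:
            counts[t] = counts.get(t, 0) + 1
    layer = {"name": name, "domain": "enterprise-attack", "techniques": []}
    for tid in techniques:
        layer["techniques"].append({"techniqueID": tid, "score": counts.get(tid, 0)})
    return layer
```

Dump `navigator_layer(RULES)` with `json.dump` to a file and open it in the Navigator to see uncovered techniques scored 0 next to the covered ones.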
