Debunking Myths of MITRE ATT&CK
Do you know every person assumes the definition of terms in their own way until they are given a reference? Ever heard of the game Chinese whisper? This is the risk of interpretation. Earlier, every organization had their own way of defining attack stages. The world required a common dictionary, and that is how the MITRE ATT&CK Framework was born.
What is ATT&CK?
ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques created by the non-profit, government-funded organization MITRE. Unlike you might think, it isn't built in a lab — it is built based on observations of real-world adversary behaviors.
The primary purpose of developing ATT&CK was for Red and Blue Teaming. Let's jump into the components (WHAT, HOW, STEPS) of the ATT&CK Matrix.
Tactics:
This is the "WHAT" — the goals that attackers want to achieve. In cybersecurity, tactics include Initial Access, Execution, Persistence, Privilege Escalation, etc.
Techniques:
This is the "HOW" — the method an attacker will use to achieve a tactic. Initial Access is a tactic, while Phishing is a technique used to achieve it.
Procedures:
These are the specific "STEPS" adversaries have used in the past to perform a particular technique. These components are commonly called TTPs (Tactics, Techniques, and Procedures).
Myths of MITRE ATT&CK Framework
1. 100% coverage of MITRE ATT&CK is ideal for Security
If you cover all techniques, even a system admin's routine actions could be flagged as an alert, flooding your system with false positives.
#MYTH BUSTED: It is recommended to prefer quality over quantity.
2. MITRE ATT&CK framework is One and Done
ATT&CK has grown from 50-60 techniques to over 201 since its public launch in 2015.
#MYTH BUSTED: The ATT&CK Framework is constantly evolving and updating.
3. MITRE ATT&CK is just one framework
ATT&CK currently has 15 different frameworks for different systems including Enterprise, Cloud, Windows, Linux, Industrial Control Systems, Mobile, etc.
#MYTH BUSTED: No one size fits all with the MITRE ATT&CK Framework.
4. 100% Technique coverage means 100% security
A technique can be executed by attackers in multiple ways. Simply marking techniques as 'covered' ignores the nuance of how attacks are executed. Focus on procedures, not just techniques.
#MYTH BUSTED: Focus on procedures, not just techniques.
5. ATT&CK is only for Threat Hunters and Red Teamers
ATT&CK can be used by Blue Teams, SOC Analysts, Executives, Penetration Testers, and tool developers. It has become invaluable for everyone in cybersecurity.
#MYTH BUSTED: ATT&CK is for everyone in cybersecurity.
Did you find this article helpful?
Let the authors know by leaving a like or comment.
No comments yet
Be the first to share your thoughts!
