The MITRE ATT&CK Defender Framework: Intelligence-Driven Threat Modeling
Published: November 23, 2022
What is Threat Modeling?
Threat modeling is the process of identifying, communicating, and understanding threats and mitigations within the context of protecting something of value. A threat model is a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through the lens of security. Threat modeling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.
There is no “right” way to evaluate the search space for possible threats; many methods can be used. But structured, planned models exist to help make the process more efficient.
Attempting to evaluate all the possible combinations of threat agent, attack, vulnerability, and impact is often a waste of time and effort. It is more helpful to refine the search space to determine which possible threats we should focus on.
The MITRE ATT&CK Defender™ framework is a knowledge base of adversary behaviors based on real-world observations that allows for mapping adversary behavior to groups or other malicious actors based on their tactics, techniques, and procedures. Its focus is on what is likely based on threat intelligence, rather than what might be possible, which could be almost anything.
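As an added illustration of refining the search space this way (example code, not from the original article or from MITRE), the following Python sketch ranks ATT&CK techniques by how many threat groups relevant to the organization have been observed using them, and drops the ones already covered by existing detections. The group names, their technique mappings, the relevant-group set and the covered set are all constructed for the example; only the technique IDs are real ATT&CK identifiers.

```python
from collections import Counter

# Constructed sample threat intelligence: which ATT&CK technique IDs each
# fictional adversary group has been observed using. The technique IDs are
# real ATT&CK identifiers; the group-to-technique mappings are made up.
INTEL = {
    "GROUP-A": {"T1566", "T1059", "T1003", "T1021"},
    "GROUP-B": {"T1566", "T1078", "T1053", "T1105"},
    "GROUP-C": {"T1059", "T1003", "T1047", "T1105"},
    "GROUP-D": {"T1190", "T1505"},
}

# Constructed: groups the CTI team considers likely to target this
# organization. Everything else is merely "possible" and is deprioritized
# rather than modeled exhaustively.
RELEVANT_GROUPS = {"GROUP-A", "GROUP-B", "GROUP-C"}

# Constructed: technique IDs that already have detections or mitigations.
COVERED = {"T1566", "T1078"}


def technique_frequency(intel, relevant_groups):
    """Count how many relevant groups use each technique."""
    counts = Counter()
    for group, techniques in intel.items():
        if group in relevant_groups:
            counts.update(techniques)
    return counts


def prioritized_gaps(intel, relevant_groups, covered):
    """Uncovered techniques as (technique, group_count) pairs, most widely
    used by relevant groups first, ties broken by technique ID."""
    counts = technique_frequency(intel, relevant_groups)
    gaps = [(t, n) for t, n in counts.items() if t not in covered]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def coverage_ratio(intel, relevant_groups, covered):
    """Fraction of techniques used by relevant groups that are already covered."""
    counts = technique_frequency(intel, relevant_groups)
    if not counts:
        return 0.0
    return len(set(counts) & covered) / len(counts)


if __name__ == "__main__":
    for technique, n in prioritized_gaps(INTEL, RELEVANT_GROUPS, COVERED):
        print(f"{technique}: used by {n} relevant group(s)")
    print(f"coverage: {coverage_ratio(INTEL, RELEVANT_GROUPS, COVERED):.0%}")
```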
MITRE is a not-for-profit IT and engineering firm that works exclusively with government agencies as a technology matchmaker. MITRE’s staff of 7,000—65 percent of whom hold advanced degrees—is currently helping the Department of Veterans Affairs create electronic medical record standards and working with the Department of Homeland Security to create rapid fingerprinting technology. MITRE has a 50-plus-year history of developing standards and tools used by the broad cybersecurity community. One of these tools is the MITRE ATT&CK Framework.
MITRE ATT&CK Framework
Advanced-threat cyber adversaries are shapeshifters: notoriously intelligent, adaptive, and persistent. They learn from every attack, whether it succeeds or fails. They can steal personal data, damage business operations, and disrupt critical infrastructure. But there is a lot we can learn from cyber adversaries. And that’s where MITRE ATT&CK® comes in. The framework is a globally accessible knowledge base of adversary behavior.
ATT&CK is freely available to everyone—including the private sector, government, and the cybersecurity product and service community—to help develop specific threat models and methodologies. The ATT&CK knowledge base outlines common tactics, techniques, and procedures used by cyber adversaries. In doing so, ATT&CK provides a common language for defenders to have conversations about emerging threats and develop effective defensive strategies.
Benefits of Using MITRE ATT&CK
The ability to observe and adapt to threats is necessary for the most effective and efficient allocation of defensive cybersecurity resources. Threat-informed defense is the systematic application of a deep understanding of adversary tradecraft and technology to improve an organization’s ability to protect against, detect, or mitigate adversary behavior and attacks.
MITRE ATT&CK Defender ™ (MAD)
MITRE ATT&CK Defender (MAD) is a dynamic training and certification ecosystem where practitioners can get trained, tested, and certified on their threat-informed defense aptitude. MAD skills are tested with modern experiential examinations requiring the demonstration of real-world skills blended with just-in-time recertification.
There are five roadmaps for MAD certification:
1. Cyber Threat Intelligence – The ATT&CK Cyber Threat Intelligence Certification is an intermediate-level program that affirms your ability to identify, develop, analyze, and apply ATT&CK-mapped intelligence.
2. Security Operations Center Assessment – The ATT&CK SOC Assessments Certification affirms your ability to conduct Security Operations Center (SOC) assessments that are rapid, have low overhead, and are broad enough to help the SOC get on its feet with ATT&CK. The certification affirms your mastery at analyzing SOC technologies, such as tools and data sources, your savviness at interviewing and discussing ATT&CK with SOC personnel, and your ability to recommend improvements based on the results of the assessments.
3. Adversary Emulation Methodology – The ATT&CK Adversary Emulation Methodology Certification validates a practitioner’s ability to conduct adversary emulation activities based on real-world threats. The certification affirms mastery at researching, implementing, and ethically executing adversary TTPs to help organizations assess and improve cybersecurity.
4. Threat Hunting Detection Engineering – After completing the ATT&CK Threat Hunting Instructional Training Program, you should be able to demonstrate foundational knowledge that supports the execution of a six-step TTP-based hunting methodology centered on the use of the ATT&CK Framework. This program is designed for practitioners who can apply a solid understanding of the ATT&CK Framework and of the adversarial behaviors of interest. They should also be able to articulate hunt-directing hypotheses that inform the development of the written analytics that drive information needs and data collection. The ability to apply the TTP-based hunting methodology, as demonstrated by successful completion of this program, supports your dedication to securing critical networks and systems against attacks from advanced cyber adversaries.
5. Purple Teaming Methodology – This certification verifies that the holder knows the fundamentals of how to leverage purple teaming to emulate adversarial behavior, and deliver actionable, robust defensive recommendations, such as new data collection requirements, mitigations, system reconfigurations, and analytics.
How MITRE ATT&CK Can Help You
In conclusion, ATT&CK is a knowledge base of adversary behaviors based on real-world observations that allows for mapping adversary behavior to groups or other malicious actors based on their tactics, techniques, and procedures. Its focus is on what is likely based on threat intelligence, rather than on what is merely possible, which, as we mentioned, could be almost anything.
As such, it allows defenders to apply defensive controls to prevent or neutralize tactics, techniques, and procedures employed by an adversary. It is also used by penetration testers and red teams to emulate adversary behavior in realistic attack scenarios to assist defenders in fine-tuning their tools for the effective detection, mitigation, and eradication of real-life threats. The MAD Certification Program offers the opportunity to acquire the necessary skills to apply ATT&CK in the most important defensive and offensive roles.
For more information on MITRE ATT&CK and your current cyber security needs, please contact us today.
MITRE ATT&CK® and MITRE ATT&CK Defender™ are registered to and trademarked by MITRE.