
Angles of ATT&CK

Bingo Night

Here at Cyderes we think about the ATT&CK framework a lot. It’s an intrinsic part of our strategy for helping clients understand their security posture and preparation for the attacks they are most likely to face, and we have invested a lot of engineering resources to develop custom tools to provide on-demand access to ATT&CK analysis for clients.

We pair these tools with expert guidance on how to interpret the results, which are often counterintuitive. The Angles of ATT&CK blog series will explore common questions, challenges, and missteps we and our clients have faced when applying the ATT&CK framework to their SecOps strategy.

The most common questions I get from CISOs are related to what has been lovingly dubbed “MITRE Bingo.” The question is usually something like “how can I get from x% to y% ATT&CK coverage this year?” or “what is the right level of coverage I need to be secure?” These are good questions. KPIs and goals are a fundamental part of the SecOps world and striving to get better is important. However, these questions reveal a fundamental misunderstanding of ATT&CK techniques and sub-techniques; they imply ATT&CK techniques are all more or less equivalent in value for both attackers and defenders. Unlike squares on a Bingo card, that is not true with the MITRE ATT&CK framework. Here’s why:


Lack of Infrastructure Visibility – Most enterprises won’t ever have coverage for Reconnaissance and Resource Development techniques. Many of these involve things like finding victim information on social media sites, establishing email accounts for phishing campaigns, or acquiring virtual machines in cloud or bullet-proof hosting sites. Unless you are operating that infrastructure, you likely won’t be able to see what threat actors are doing there.

Dual-Use Techniques – A significant percentage of ATT&CK techniques are as likely or more likely to be used by a legitimate user with legitimate access than they are to be used by an attacker. While it is great to have telemetry or detections in place for them, it may just create more noise than signal, potentially overwhelming your SecOps team unless you have a very good alert correlation strategy.

Prevalence and Diminishing Returns – Threat actors are results-driven and creatures of habit. They are much more likely to stick to a small set of behaviors that are proven to work, and much less likely to do something new unless their current methods fail. This means it is important to have very good coverage of ATT&CK techniques that are being used by threat actors right now, but potentially a waste of resources to try to cover techniques nobody is using. Investing beyond coverage of the most prevalent techniques will yield diminishing returns in your security posture.

Variance in Prevalent Techniques – There is a ton of variance in most ATT&CK techniques. A single rule or telemetry event is unlikely to give you sufficient coverage of any given behavior. There is a hidden aspect of depth of coverage with many ATT&CK techniques that is often overlooked as SecOps leaders strive for breadth of coverage, which can be a less effective strategy.


If you don’t account for the above factors, playing MITRE Bingo can provide you with a false sense of security and potentially waste valuable resources that could be better spent protecting your enterprise. On the other hand, most CISOs need clear KPIs and OKRs that can be understood by executives and board members who aren’t going to understand all the nuances of the SecOps world. So, let’s talk about some better ways to frame this in the context of risk management.


Prevalence is Key

I’ve yet to meet a SecOps team that isn’t constrained by resources. It’s fair to say it would be asking too much for most SecOps teams to build visibility or detection coverage for every ATT&CK technique, and as mentioned above that would lead to diminishing returns and a false sense of security. It’s much more approachable to maintain coverage for the most prevalent techniques. Spending some time up front to understand the threat landscape so you can focus your efforts will pay off in more effective resource utilization in the future.


Figure 1: Cyderes ATT&CK Insights map of rules to prevalent techniques


So how do you get a handle on prevalence mapping? Cyderes MS clients get it for free as a feature of the Cyderes Portal. Figure 1 is a snapshot of what this looks like with sample data. It took an exceptionally experienced team of threat intelligence analysts, data analysts, and engineers to make it happen as an at-scale and on-demand solution. If you aren’t lucky enough to have those kinds of resources, you can still get an idea of which techniques are the most prevalent with open source intelligence (OSINT) and some manual analysis. There are tons of threat intel resources out there that map ATT&CK techniques to the threat actors who use them. The easiest to consume is the CTI > Groups page on the MITRE ATT&CK site. MITRE has documented the technique and sub-technique coverage of dozens of threat actor groups and mapped those to the ATT&CK framework. They are easy to visualize via the ATT&CK Navigator, which is well documented on the project’s GitHub repository. Using the ATT&CK Navigator to visualize and explore the techniques used by threat actor groups will give you a good idea of which ones are most popular among attackers and give you a set of detection use cases to prioritize.


Cover the Attacker Lifecycle

If you look at the ATT&CK Enterprise Matrix, notice that the Tactics (columns), read from left to right, loosely resemble the attacker lifecycle. A threat actor will need to successfully execute techniques on the left before they can move on to execute techniques on the right. This isn’t strictly true (the Tactics in the middle can often be leveraged in any order), but it’s a good guide for strategic planning. I often see SecOps shops that are very strong on Reconnaissance through Execution, and then Command & Control through Impact, because those are the strengths of endpoint security and perimeter network security technologies. While this has changed somewhat with the rise of Software-as-a-Service (SaaS) cloud solutions, it is still true in a very large number of enterprises. This leaves the soft center of the matrix vulnerable.

No security technology is perfect. Even the best-in-class tools will miss some attacks. We always advise a technology and detection strategy that gives broad coverage of as many tactics as possible, so you have the best chance of detecting an attack at some point. Obviously, it is ideal to detect and mitigate threats as far left as possible, but in the case that EDR misses Execution of malware, you still want to be able to catch Credential Access or Lateral Movement so you can stop the threat before the attack gets to the Exfiltration or Impact phase. Having some probability of detecting an attack pattern at each tactic phase gives you the best total probability of detecting the threat overall. Therefore, it is wise to ensure you have broad coverage of the most prevalent techniques at the tactic level.


Double Down on High-Variance Techniques

If you dive into the details of any given technique or sub-technique, it becomes pretty clear there’s no one EDR rule or SIEM use case you can write that will cover it completely. There’s a lot of implied variance in how a threat actor can successfully execute the technique. Therefore, it stands to reason there is a lot of variance in the technologies and detection use cases you need to put in place to detect all of those various options. When planning your detection strategy around the ATT&CK framework, keep an eye on the depth of coverage you have for high-variance techniques, especially if they are also high in prevalence. This will give you the best security posture relative to current threats to your organization.
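The three ideas above (rank techniques by how many threat actor groups use them, check that every tactic column in your landscape has at least some coverage, and measure depth as rules per technique) can be combined into a small prioritization script. The example below is added here and is not Cyderes code or output from the Cyderes Portal; the group-to-technique mappings and the rule inventory are constructed sample data in the shape of the MITRE CTI Groups mappings, and each technique is simplified to a single tactic column.

```python
from collections import Counter

# Constructed sample, not real CTI: threat-actor groups -> ATT&CK techniques
# they are documented as using (the shape of the MITRE CTI Groups mappings).
GROUP_TECHNIQUES = {
    "GroupA": ["T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1071.001"],
    "GroupB": ["T1566.001", "T1059.001", "T1078", "T1021.002", "T1486"],
    "GroupC": ["T1190", "T1059.003", "T1003.001", "T1021.001", "T1071.001"],
    "GroupD": ["T1566.001", "T1059.001", "T1078", "T1550.002", "T1041"],
}

# One tactic column per technique (simplification: some techniques such as
# T1078 sit under several tactics in the real matrix).
TACTIC = {
    "T1566.001": "Initial Access", "T1190": "Initial Access", "T1059.001": "Execution",
    "T1059.003": "Execution", "T1078": "Defense Evasion", "T1003.001": "Credential Access",
    "T1021.001": "Lateral Movement", "T1021.002": "Lateral Movement", "T1550.002": "Lateral Movement",
    "T1071.001": "Command and Control", "T1041": "Exfiltration", "T1486": "Impact",
}

# Constructed: the detection rules a team has today -> technique each covers.
RULES = {
    "rule_phish_attachment": "T1566.001",
    "rule_powershell_encoded": "T1059.001",
    "rule_powershell_download": "T1059.001",
    "rule_http_beacon": "T1071.001",
    "rule_ransom_note": "T1486",
}

def prevalence(groups):
    """Number of groups using each technique: the 'prevalence' signal."""
    return Counter(t for techs in groups.values() for t in techs)

def depth(rules):
    """Rules per technique: depth of coverage rather than breadth."""
    return Counter(rules.values())

def tactic_gaps(groups, rules, tactic_map):
    """Tactics present in the threat landscape with no rule at all (the 'soft center')."""
    used = {tactic_map[t] for techs in groups.values() for t in techs}
    covered = {tactic_map[t] for t in rules.values()}
    return sorted(used - covered)

def priorities(groups, rules, min_groups=2, min_rules=2):
    """Prevalent techniques whose depth is below target, most prevalent first."""
    prev, dep = prevalence(groups), depth(rules)
    ranked = sorted(prev.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, n, dep[t]) for t, n in ranked if n >= min_groups and dep[t] < min_rules]
```

With the sample data, `tactic_gaps` reports Credential Access, Defense Evasion, Exfiltration and Lateral Movement as uncovered tactics, and `priorities` puts T1566.001 (three groups, one rule) at the top of the work queue. Swapping the constructed dictionaries for an export of the real CTI group mappings and your own rule inventory gives the same analysis at scale.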


Tip of the Iceberg

This is just the beginning of understanding how to effectively use the ATT&CK framework to strategically manage your security posture. We plan on publishing more content on this topic going forward, as we find it to be a crucial component in managing organizational risk and communicating progress to leadership in an easily digestible manner. Navigating the threat landscape and managing improvement in coverage of the ATT&CK framework can be a complex endeavor. However, we know from experience that if you can avoid Bingo Night and instead focus on high-prevalence techniques, cover the breadth of the attacker lifecycle, and double down on high-prevalence/high-variance techniques, you have a much better chance of getting ahead of threat actors and effectively communicating your security posture to leadership.
