What is MITRE ATT&CK and How Do I Implement It?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behavior built from real-world observations of intrusions. It catalogs the tactics, techniques, and procedures (TTPs) adversaries use at each stage of an attack, and documents each technique alongside the threat groups and software observed using it, ways to detect it, and mitigations that reduce its effect.
ATT&CK is organized into matrices, each covering a domain: Enterprise (which spans platforms such as Windows, Linux, macOS, cloud services, and containers), Mobile, and ICS. Within a matrix, tactics form the columns and the techniques that serve each tactic are listed beneath it; a technique that serves more than one goal appears under several tactics. Tactics describe the adversary's objective (the "why", such as Initial Access or Lateral Movement), while techniques describe how that objective is achieved.
Security professionals and organizations use MITRE ATT&CK to enhance their understanding of potential threats and to improve their detection, defense, and response capabilities. By aligning security measures with the tactics and techniques outlined in ATT&CK, defenders can better prepare for and respond to cyber threats. It serves as a valuable resource for developing and testing security tools, as well as for sharing threat intelligence across the cybersecurity community.
How to Use the MITRE ATT&CK Framework?
The remainder of this post focuses on the ICS matrix. MITRE ATT&CK for ICS, which at the time of writing comprises 11 tactics and more than 80 techniques (the counts change between ATT&CK releases), gives asset owners, vendors, and security teams a shared vocabulary for ICS threats so that protection efforts can be coordinated rather than argued from different terminology.
Visit our dedicated post about MITRE ATT&CK techniques for ICS for a closer look at the actual tactics, techniques, and procedures (TTPs).
That post walks through the vectors and methods adversaries use to get into, and act on, ICS networks. What stands out in the ICS matrix is its breadth: it runs from supply chain compromise outside the ICS enterprise, through adversary-in-the-middle (man-in-the-middle) attacks on control-network traffic, to modification of control parameters on PLCs. That end-to-end view is what makes the framework worth keeping top of mind when speaking with ICS stakeholders.
So How Do We Implement Such a Framework?
Beyond asking security platform vendors whether they have incorporated ATT&CK for ICS into their products (and, if so, which technique IDs their detections actually cover, since a claimed mapping is only as good as the evidence behind it), there are actions your team can take within your own ICS organization to make sure the most damaging threats are accounted for.
These include the following activities:
- Adversary Emulation
- Behavioral Analytics
- Cyber Threat Intelligence Enrichment
- Defensive Gap Assessment
- Red Teaming
- SOC Maturity Assessment
- Failure Scenario Development
- Cross-Domain Adversary Tracking
- Educational Resource
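Several of these activities, in particular Defensive Gap Assessment and Behavioral Analytics, reduce to the same mechanical exercise: take the list of techniques in the matrix, take your inventory of detections and controls mapped to technique IDs, and find the techniques nothing covers. The script below is an added example, not code from the original post or from MITRE. It reads data in the shape MITRE publishes its matrices in (STIX 2.1 bundles in which each technique is an attack-pattern object carrying an external_id and kill_chain_phases), but the bundle and the detection inventory embedded here are hand-constructed excerpts for illustration; T0000 and T9999 are placeholders, not real technique IDs, and the real assessment should load the full ICS bundle from MITRE's attack-stix-data repository. It also shows two checks that are easy to forget: dropping revoked and deprecated techniques before counting coverage, and flagging inventory rows that reference IDs the matrix does not contain.

```python
"""Defensive gap assessment against an ATT&CK for ICS excerpt.

Added example, not code from the original post. It follows the shape of
MITRE's published STIX bundles (attack-pattern objects carrying an ICS
external_id and kill_chain_phases), but the bundle below is a small,
hand-constructed excerpt; load the real bundle from MITRE's
attack-stix-data repository for a genuine assessment.
"""
from collections import defaultdict

ICS_KILL_CHAIN = "mitre-ics-attack"


def _ap(ext_id, name, phases, **extra):
    """Build one attack-pattern object in the layout MITRE's bundles use."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--{ext_id.lower()}",  # constructed, not MITRE's UUIDs
        "name": name,
        "external_references": [{"source_name": ICS_KILL_CHAIN, "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": ICS_KILL_CHAIN, "phase_name": p}
                              for p in phases],
    }
    obj.update(extra)
    return obj


# Constructed excerpt (assumption: a handful of ICS techniques, not the full
# matrix; a technique may sit under more than one tactic). T0000 is a
# placeholder, not a real technique, showing why deprecated/revoked objects
# must be dropped before counting.
ICS_BUNDLE = {
    "type": "bundle",
    "objects": [
        _ap("T0862", "Supply Chain Compromise", ["initial-access"]),
        _ap("T0883", "Internet Accessible Device", ["initial-access"]),
        _ap("T0886", "Remote Services", ["initial-access", "lateral-movement"]),
        _ap("T0830", "Adversary-in-the-Middle", ["collection", "command-and-control"]),
        _ap("T0836", "Modify Parameter", ["impair-process-control"]),
        _ap("T0855", "Unauthorized Command Message", ["impair-process-control"]),
        _ap("T0816", "Device Restart/Shutdown", ["inhibit-response-function"]),
        _ap("T0831", "Manipulation of Control", ["impact"]),
        _ap("T0000", "Placeholder (constructed)", ["discovery"], x_mitre_deprecated=True),
    ],
}

# Constructed inventory of detections/controls, each mapped to the technique
# IDs it addresses. The last row carries a bogus ID on purpose.
DETECTIONS = {
    "IDS rule: Modbus write (FC 6/16) from a non-HMI source": ["T0855", "T0836"],
    "Jump host: MFA and session recording for remote engineering access": ["T0886"],
    "Vendor package signature check before deployment": ["T0862"],
    "Stale row copied from an old spreadsheet": ["T9999"],  # constructed: not a real ID
}


def techniques_by_tactic(bundle):
    """Map tactic slug -> {technique ID: name}, ignoring revoked/deprecated objects.

    Real bundles also contain x-mitre-tactic, relationship, course-of-action and
    other object types; only active attack-patterns on the ICS kill chain count.
    """
    by_tactic = defaultdict(dict)
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == ICS_KILL_CHAIN), None)
        if ext_id is None:
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == ICS_KILL_CHAIN:
                by_tactic[phase["phase_name"]][ext_id] = obj["name"]
    return dict(by_tactic)


def gap_assessment(bundle, detections):
    """Return (per_tactic, unknown_ids).

    per_tactic maps each tactic to its covered and uncovered technique IDs and a
    coverage ratio; unknown_ids lists IDs the inventory claims that are not
    active techniques (typos, stale mappings, or retired techniques).
    """
    by_tactic = techniques_by_tactic(bundle)
    known = {tid for techs in by_tactic.values() for tid in techs}
    claimed = {tid for ids in detections.values() for tid in ids}
    per_tactic = {}
    for tactic in sorted(by_tactic):
        techs = by_tactic[tactic]
        covered = sorted(t for t in techs if t in claimed)
        uncovered = sorted(t for t in techs if t not in claimed)
        per_tactic[tactic] = {"covered": covered, "uncovered": uncovered,
                              "ratio": len(covered) / len(techs)}
    return per_tactic, sorted(claimed - known)


def report(bundle, detections):
    """Print the gap table, worst-covered tactics first."""
    per_tactic, unknown = gap_assessment(bundle, detections)
    names = {t: n for techs in techniques_by_tactic(bundle).values() for t, n in techs.items()}
    for tactic, row in sorted(per_tactic.items(), key=lambda kv: kv[1]["ratio"]):
        gaps = ", ".join(f"{t} {names[t]}" for t in row["uncovered"]) or "-"
        print(f"{tactic:<26} {row['ratio']:>5.0%}  gaps: {gaps}")
    if unknown:
        print("unknown technique IDs in inventory:", ", ".join(unknown))


if __name__ == "__main__":
    report(ICS_BUNDLE, DETECTIONS)
```

On the constructed data, Impair Process Control and Lateral Movement come out fully covered, Initial Access is missing Internet Accessible Device, and Collection, Command and Control, Inhibit Response Function and Impact have no coverage at all; the bogus T9999 row is reported separately so a typo cannot silently inflate the score. The same per-tactic table is what a Behavioral Analytics effort works from next: the uncovered techniques are the ones that need new detection logic, and the ratio alone says nothing about detection quality, so a technique should only be marked covered when the control has been exercised against it (which is where Adversary Emulation and Red Teaming from the list above come in).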
Who Should Be Involved?
Such a framework is best tackled by a cross-functional team drawn from IT, OT, security, and network engineering, because securing ICS is not a job to be done in a silo. A good starting point is to identify attack scenarios and rank their potential outcomes by severity. A gap analysis that walks through the "what-ifs" of the worst-case scenarios will certainly be eye-opening, but that is the intent of the framework: to begin a conversation among cross-functional stakeholders with the common goal of protecting the organization's crown jewels.