The Cybersecurity and Infrastructure Security Agency (CISA) has released a guidance brief on ‘Best Practices for MITRE ATT&CK Mapping,’ which aims to bring about parity among stakeholders and a common language in threat actor analysis. It also helps analysts map adversary behaviors to the relevant ATT&CK techniques as part of cyber threat intelligence (CTI), in case the analyst chooses to incorporate ATT&CK into a cybersecurity publication or an analysis of raw data.
MITRE introduced the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) in 2013 as a central knowledge base for adversary behavior. It is based on real observations of cybersecurity incidents and maps the tactics, techniques, and procedures (TTPs) to its knowledge base, and is used to identify and analyze hacker behavior by the CISA and other organizations in the cybersecurity landscape. Successful applications of ATT&CK should produce an accurate and consistent set of mappings that can be used to develop adversary profiles, conduct activity trend analyses, and be incorporated into reporting for detection, response, and mitigation purposes.
CISA created the guide with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned federally funded research and development center (FFRDC), which worked with the MITRE ATT&CK team.
While ATT&CK is used by more than 80 percent of enterprises, a recent study indicated that many security professionals struggle to take full advantage of the knowledge base. MITRE is a not-for-profit organization that works in the public interest across federal, state and local governments, as well as industry and academia. It brings innovative ideas into existence in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy, and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides details on over 100 hacker groups, including techniques and software they are known to use. ATT&CK can be used to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls. CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior.
The guide identifies how to map CTI reports to ATT&CK. Analysts may choose their own starting point, such as identification of tactics versus techniques, based on the information available and their knowledge of ATT&CK. Finding the behavior, and searching for signs of adversary behavior is a paradigm shift from looking for indicators of compromise (IOCs), hashes of malware files, URLs, domain names, and other artifacts of the previous compromise. At times, additional research may be needed in order to gain the required context to understand suspicious adversary or software behaviors, ahead of identifying the tactics and the flow of the attack.
After identifying the tactics, review the technical and sub-technical details associated with how the adversary tried to achieve their goals, according to the guidance. Analysts can improve their mappings by collaborating with other analysts. Working with other analysts on mappings lends diversity of viewpoints and helps inform additional perspectives that can raise awareness of possible analyst bias.
“A formal process of peer review and consultation can be an effective means to share perspectives, promote learning, and improve results,” the guidance said. “A peer review of a report annotated with the proposed tactic, techniques, and sub-techniques can result in a more accurate mapping of TTPs missed in the initial analysis. This process can also help to improve consistency of mapping throughout the team.”
“In addition to helping agencies and organizations strengthen their cyber defenses, CISA is also focused on supporting their efforts to build appropriate resilience in the event of a compromise,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a press statement. “Our close and collaborative partnership with HSSEDI enabled us to produce a valuable resource to help entities apply ATT&CK, a framework that can build cyber defenses and resilience. We look forward to exploring more opportunities with HSSEDI and like-minded partners.”
The CISA and FBI advised network defenders in federal, state, local, tribal, territorial governments, and the private sector to consider applying several best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.
Some of the recommendations include providing social engineering and phishing training to employees, drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments, and marking external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.