Go to listing page

Deciphering the ATT&CK Navigator: Part 2 - ATT&CK Use Cases

Deciphering the ATT&CK Navigator: Part 2 - ATT&CK Use Cases

Share Blog Post

Intro


In the first part of this series, we presented an overview of the ATT&CK framework, its components, and the origins of the project. Continuing on, in this second part, we take a look at some of the major use cases of the framework which make it an important part of enterprise security operations.

Adversary Emulation or Red Teaming


In the domain of security technology, adversary emulation (or Red Teaming) is a key activity which focuses on an organization’s ability to detect and mitigate against adversarial activity at various points in the attack lifecycle.

ATT&CK helps red teams plan and conduct their operations in ways to overcome the existing defensive measures while learning from real-world adversary behavior. ATT&CK facilitates the process of adversary emulation by allowing enterprises to create and test adversarial scenarios based on attack techniques enlisted in the framework. For this purpose, security teams can leverage various open-source adversary emulation tools that are modeled after the ATT&CK framework such as CALDERA,  Atomic Red Team, RTA, ThreatHunter-Playbook or AutoTTP.

The insights gained from these activities allow the blue teams to further improve the readiness of their security operations. Apart from this, specific threat actors can be mitigated against by creating profiles based on their documented behavior in ATT&CK. Threat hunting teams can leverage this to improve their organization’s cyber defense readiness.

Threat Hunting


The process of threat hunting is aimed at finding anomalies in network activity and the different systems in it to detect any signs of compromise, intrusion, or data exfiltration. The ATT&CK Navigator helps the Threat hunters in formulating and validating their hunt hypothesis, and defining log sources for hunts, using known adversary tactics and techniques.

Behavioral Analytics Development


In certain scenarios, the enterprise security teams face the challenge of operating with limited knowledge about adversary tools and behaviors.

In such cases, they can leverage the power of behavioral analytics by studying how an adversary interacts with their network to link it with other observed suspicious activity without relying on the knowledge of any specific tools used by the adversary.

For this purpose, ATT&CK can be used to build and test behavioral analytics models for detecting adversarial behavior in an enterprise environment.

Defensive Gap Assessment


Even the most robust cyber defense can sometimes become a victim to a cyber attack due to a minor blind spot. To fix the defensive gaps, it is essential to test the effectiveness of the existing security tools against the various tactics and techniques an adversary may use.

This is where ATT&CK plays a critical role both for defensive gap assessment and security product evaluation by providing a reliable knowledge base to test the coverage of the security tools in use.

SOC Maturity Assessment


The Security Operations Center (SOC) is the prime security arm of any medium to large enterprise network. The effectiveness of the SOC directly determines the security of the network.

Thus, it is necessary to establish the right processes in the SOC to detect, understand, and respond to various kinds of threats to the network. ATT&CK can be used to evaluate the detection capabilities of the SOC, set a benchmark for the maturity of SOC processes and plan further necessary improvements.

Incident Response


When a cyber attack occurs, it is essential for an enterprise to be ready with its Incident Response (IR) process to mitigate its impact. The Incident Response Lifecycle, which is the model approach in wide use, consists of five phases - Detection & Analysis, Containment, Forensic investigation, Eradication & Recovery, and Learnings.

Across the various phases of the IR Lifecycle, the ATT&CK Navigator can be used to find correlations between Indicators of Compromise(IOC), TTPs, and Threat actors, thereby giving an understanding of the impact of an incident as well.

Cyber Threat Intelligence Enrichment


The field of Cyber Threat Intelligence (CTI) is a game changer for enterprise security as it allows organizations to proactively build defenses against threats that have not yet manifested as attacks on their networks. In the long run, it is necessary for an organization to go up the ladder in the Pyramid of Pain for threat intelligence and start harnessing the TTP intel for taking strategic actions or building countermeasures.

The knowledge about adversary tools, TTPs, behavior, and IOCs, is necessary for security analysts to be able to map the defenses required for different adversary behaviors. ATT&CK provides a structured understanding of adversary TTPs which is agnostic of the tools used by the adversary. It helps the security teams narrow down the attribution for an attack to a set of known APTs or build defenses against specific APTs.

Conclusion


Thus, ATT&CK serves as a diverse tool for various kinds of use cases pertaining to adversary detection, behavioral analysis, threat intelligence, and overall security operations assessment.

 Tags

red teaming
threat intelligence
attck
incident response
security operations centre
behavioral analytics
threat hunting

Posted on: June 18, 2019

Related Guides

Future-Proofing Security: A Guide to SOC Transformation
Explained: The Role of AI in Cyber Threat Intelligence
What is a TAXII Server? How is it Different from a TAXII Client?
Everything You Need to Know About MITRE ATT&CK Framework
What is Cyber Threat Intelligence Sharing? And Why Should You Care?
Threat Intelligence Processing: The Key to Leveraging Unstructured Data
Why is Correlation the Most Important Phase in Cyber Threat Intelligence Lifecycle?
What is Confidence Scoring in Threat Intelligence?
How to Choose the Best Threat Intelligence Platform for Your Security Team?
How to Build Your Own Cyber Information Sharing Community?
STIX Cybersecurity: A Guide to STIX 2.1
How Can You Tell if Your Cyber Threat Intelligence Program is Working Well?
What is Threat Intelligence Analysis?
What is Threat Intelligence Normalization?
What is Threat Intel Ingestion?
How Real-Time Cyber Threat Intelligence Sharing Enables Security Collaboration
What is a Threat Intelligence Platform (TIP)?
Significance of Threat Intelligence Platform (TIP) for Growing Teams
What is the Role of Threat Intelligence Platform (TIP) in a Security Operations Center (SOC)?
What is the Hub and Spoke Information Sharing Model?
Explaining the Pyramid of Pain
What are the Different Use Cases of a TIP?
Why Do MSSPs Need Automation?
What is the Diamond Model of Intrusion Analysis?
The Evolution of Threat Intelligence
Don’t Wait! Leverage Threat Intelligence
Why do Organizations Need to Leverage Actionable Threat Intelligence?
What is Technical Threat Intelligence?
Operational Threat Intelligence: What Is It and Why Is It Important?
What is Tactical Threat Intelligence and Why is it Important?
What is the Threat Intelligence Lifecycle?
Everything You Need to Know About a Threat Intelligence Platform (TIP)
5 Steps to Effective Cyber Threat Intelligence Program
Things to Consider When Choosing the Right Threat Intelligence Platform
Open Source or Commercial Threat Intelligence Platform - Which one is better?
Strategic Threat Intelligence: Why Sharing Is Crucial?
What is Threat Intelligence Management?
Strategic Threat Intelligence vs. Tactical Intelligence
Role of SOAR and TIP in Cyber Fusion
Information Sharing in Cyber Fusion
Role of Threat Intelligence in Cyber Fusion
What is MISP
What is Signals Intelligence (SIGINT)?
What are Indicators of Compromise (IOCs)?
What is Open Indicators of Compromise (OpenIOC) Framework?
What is the Cyber Information Sharing and Collaboration Program (CISCP)?
What is Malware Attribute Enumeration and Characterization (MAEC)?
What is CybOX? How do you use a CybOX object?
How is Surface Web Intelligence different from Dark Web Intelligence?
What is Open Source Intelligence (OSINT)?

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite

Explore Solutions

Capabilities

Resource Library

Use Cases