Role of MITRE ATT&CK Framework in Incident Response

Incident Response

Posted on: October 11, 2021

As attackers are always upgrading their techniques and tricks to avoid detection, security operations center (SOC) teams are also required to change their approach to incident response. The MITRE ATT&CK framework is a widely-used framework that empowers SOC teams to keep pace with the adversaries and allows them to outline their new techniques.

In 2013, MITRE first introduced the ATT&CK framework as a means to delineate and categorize adversarial behaviors arising from real-world observations. The MITRE ATT&CK framework plays a significant role in assisting security teams in tracking threat actor footprints. Across the cybersecurity industry, it is a widely adopted framework and it comprises a knowledge base of tactics and techniques that threat actors employ to achieve their goals.

Significance of ATT&CK Framework

The open-source and globally accessible ATT&CK framework is a knowledge base that has been designed based on real-world observations of attacks. Through the ATT&CK Navigator, the framework provides a systematic list of known threat actor behaviors collated into techniques and tactics, and presented in different matrices and STIX/TAXII formats. Due to this comprehensive representation of the techniques leveraged by attackers when compromising networks, the framework is useful for a broad range of defensive mechanisms, and one of them is incident response.

This framework allows incident response teams to divert their focus from low-level IOCs to threat actors’ tactics, techniques, and procedures (TTPs) to understand their behavior. The incident response teams can leverage the ATT&CK Navigator as a reference to understand the nature of threats and the methods needed to eliminate those threats. By employing the ATT&CK Navigator as a reference for new threats, incident response teams can plan ahead, evaluate their overall security strategy, and fill the gaps they come across.

How does the Framework Help in Incident Response?

Detection and Analysis

SOC and incident response teams can seek information from the ATT&CK tactics and techniques that have been detected or are undiscovered. This aids in learning the defensive weaknesses and strengths, corroborating detection and mitigation controls as well as discovering misconfigurations and other operational issues.

Containment

This phase is an attempt to prevent threats from spreading further. It is an actionable stage where the SOC teams execute steps to minimize the adversary entrenchment. ATT&CK helps SOC teams with IOC identification, upgraded malicious signatures, and contextual analysis of SIEM logs. Overall, it provides tactical information about moving exploited hosts to a more controlled environment for further tracking and monitoring.

Eradication and Recovery

In this phase, SOC teams mitigate the impacts of an attack by mapping it to the ATT&CK framework to ascertain several defensive countermeasures for each attack phase. Usually, these countermeasures involve resolving a misconfiguration, upgrading appropriate detection signatures, ingesting corresponding logs into a SIEM tool for correlation, mitigating any compromised systems, or handling an internal workflow to ensure an alert is quickly addressed.

Learnings

This is a crucial phase but is often overlooked. By leveraging the ATT&CK Navigator, SOC teams can easily abridge the incident and learn whether the countermeasures taken will be effective for a longer period of time.

Conclusion

Any individual or organization can easily access the MITRE ATT&CK framework. The objective of this framework is to allow organizations and security experts to develop and collaborate on a shared understanding of threat actor behavior to develop a strategic security model. SOC teams can refer to the ATT&CK Framework to evaluate their defensive measures, detected techniques, red and blue team planning, threat intelligence analysis, and comprehensive incident response process.