What are the challenges associated with the MITRE ATT&CK framework?

Businesses sometimes struggle to use the MITRE ATT&CK framework effectively. Learn more about some of the challenges, and how to overcome them.

By Shannon Flynn, ReHack Magazine

Published: 09 Dec 2021 12:45

The MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques, is being widely adopted by enterprises. However, researchers have found that most of these businesses struggle to use it effectively.

As the widespread pivot to remote work continues, attacks on cloud environments are likely to accelerate, making a shared, structured catalogue of adversary behaviour such as MITRE ATT&CK more important than ever.

These are the challenges cyber security teams are having with the framework and what experts can do to overcome them.

Several recent studies have identified challenges for security teams using the MITRE ATT&CK framework. One of the most important was published in late 2020 as a joint project between security company McAfee and the Center for Long-Term Cybersecurity (CLTC) at UC Berkeley.

According to the study, the MITRE ATT&CK framework fills an important security niche. ATT&CK is short for Adversarial Tactics, Techniques and Common Knowledge, and it gives defenders of enterprise networks a common language for describing adversary behaviour, so that threat intelligence, detection logic and incident reports can all refer to the same named tactics and techniques.

Almost every enterprise that uses the cloud is exposed to adversary techniques catalogued in ATT&CK. The framework is a widely adopted knowledge base that helps companies find gaps in their current detection and defensive coverage. It can also underpin capabilities such as real-time threat detection, because detection rules and alerts can be tagged with the techniques they cover.

For the most part, it has supplanted the Lockheed Martin Cyber Kill Chain as the standard reference model for the cyber security community. However, the study's authors also find that most security teams are not using the framework to its full potential. The challenges teams face are mostly related to ongoing analysis and correlation, which the study describes as a "major cause of SOC burnout".

Security events generate large amounts of data, and without automation, responding to them in a timely manner creates an unworkable labour burden for security teams. Most teams that have adopted the framework have not paired it with automation: while 91% of respondents use the framework to tag events from their cloud security products, fewer than half automate the resulting security policy changes.

A similar proportion of teams also report struggling with interoperability between the framework and their security products.

Other challenges include difficulty turning tagged events into security policy changes, and failure to correlate events across cloud, network and endpoint telemetry. Teams also rely on security products that do not detect every technique in the ATT&CK matrices, which leaves coverage gaps that are easy to overlook if nobody measures them.

Often, these teams have effectively implemented foundational security controls, such as automated patch management and perimeter security. However, they are less mature in areas such as vulnerability scanning and intrusion detection.

Best practices for using the MITRE ATT&CK framework

The second report, published in June 2021, comes from the US Cybersecurity and Infrastructure Security Agency (CISA). This report cites the McAfee-Berkeley report and offers a list of best practices for businesses and cyber security teams that are struggling to use the MITRE ATT&CK framework effectively.

Like the McAfee-Berkeley study, the CISA report finds that the ATT&CK framework is being adopted among major enterprises. However, fewer than half of teams believe their currently implemented security systems could detect all the techniques in the ATT&CK matrices.

The report's authors offer advice and potential best practices that teams can implement to overcome these challenges. For example, the report outlines a few different approaches that may help enterprises that have had difficulty mapping raw data (logs, alerts and other telemetry) to ATT&CK techniques.

These options include starting from a data source (such as process creation or authentication logs) and working out which techniques it can reveal; starting from the specific tools an adversary used before broadening the analysis of the attack; and starting from existing detection logic, such as Sigma rules or the analytics in MITRE's Cyber Analytics Repository (CAR), which already carry ATT&CK technique references.

Other best-practice recommendations in the report focus on mapping finished reports, such as threat intelligence write-ups and incident reports, to ATT&CK. The report also includes some basic mapping guidance and an overview of ATT&CK terminology in its introduction.

The report concludes with an appendix listing MITRE-related resources that businesses can use to improve their security teams' knowledge or improve their security systems.

These resources include MITRE's paper on the design and philosophy behind ATT&CK, a list of training courses and a paper demonstrating how teams can use the framework to describe and respond to an attack.
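The detection-rule route above, and the earlier points about tagging events with techniques, correlating them across cloud and endpoint sources, and measuring which techniques no product can detect, can be shown in one small pipeline. The following is an added example written for this page; it is not code from the article, from MITRE, or from either report. The rules, events and target technique list are constructed for illustration: the technique IDs are real ATT&CK IDs, but the mapping of these particular field values to them is an assumption of the example, and the rules are deliberately looser than production rules would be.

```python
"""Tag raw events with ATT&CK technique IDs using Sigma-style rules,
correlate the tags across telemetry sources, and report coverage gaps.

Added example, not from the article or the reports it cites.  Rules,
events and the expected-technique list are all constructed here.
"""
import re
from collections import defaultdict

# Constructed rules in the shape a Sigma rule takes: a logsource, a
# detection block of field/regex conditions, and attack.* tags.  Real
# Sigma rules are YAML; dicts keep this example dependency-free.
RULES = [
    {
        "title": "PowerShell with encoded command",
        "logsource": "endpoint",
        "detection": {"Image": r"\\powershell\.exe$",
                      "CommandLine": r"\s-e(nc|ncodedcommand)?\s"},
        "tags": ["attack.execution", "attack.t1059.001"],
    },
    {
        "title": "IAM user created through the API",
        "logsource": "cloud",
        "detection": {"eventSource": r"^iam\.amazonaws\.com$",
                      "eventName": r"^CreateUser$"},
        "tags": ["attack.persistence", "attack.t1136.003"],
    },
    {
        # Illustrative only: a production rule would need tighter
        # conditions (volume, new principal, unusual source address).
        "title": "Object reads from cloud storage",
        "logsource": "cloud",
        "detection": {"eventSource": r"^s3\.amazonaws\.com$",
                      "eventName": r"^GetObject$"},
        "tags": ["attack.collection", "attack.t1530"],
    },
]

# Constructed sample events from two telemetry sources; "principal" is
# the field used below to join endpoint and cloud activity.
EVENTS = [
    {"id": 1, "source": "endpoint", "principal": "alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"id": 2, "source": "endpoint", "principal": "bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"id": 3, "source": "cloud", "principal": "alice",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
    {"id": 4, "source": "cloud", "principal": "alice",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]

# Sigma technique tags look like attack.t1059.001; tactic tags such as
# attack.execution carry no technique ID and are ignored.
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_ids(rule):
    """Return the set of ATT&CK technique IDs (e.g. 'T1059.001') a rule carries."""
    return {m.group(1).upper() for m in map(TECHNIQUE_TAG.match, rule["tags"]) if m}


def rule_matches(rule, event):
    """AND of all detection conditions; case-insensitive, like Sigma's default."""
    if event.get("source") != rule["logsource"]:
        return False
    return all(re.search(pattern, str(event.get(field, "")), re.IGNORECASE)
               for field, pattern in rule["detection"].items())


def tag_events(events, rules=RULES):
    """Map each event ID to the technique IDs of every rule that matches it."""
    tagged = {}
    for event in events:
        hits = set()
        for rule in rules:
            if rule_matches(rule, event):
                hits |= technique_ids(rule)
        tagged[event["id"]] = hits
    return tagged


def correlate(events, tagged, key="principal"):
    """Join tagged events across sources on a shared field, so one principal's
    endpoint and cloud techniques are seen together rather than per product."""
    by_key = defaultdict(set)
    for event in events:
        by_key[event[key]] |= tagged[event["id"]]
    return {k: v for k, v in by_key.items() if v}


def coverage_gaps(expected, rules=RULES):
    """Techniques the team expects to detect that no rule can tag at all."""
    covered = set().union(*(technique_ids(r) for r in rules))
    return sorted(set(expected) - covered)


if __name__ == "__main__":
    tagged = tag_events(EVENTS)
    print(tagged)                     # event 2 (plain ipconfig) gets no tags
    print(correlate(EVENTS, tagged))  # alice: three techniques across two sources
    # Constructed target list: what the team believes it should be able to detect.
    print(coverage_gaps(["T1059.001", "T1136.003", "T1530", "T1078.004", "T1021.001"]))
```

The coverage check is the part most teams skip: it compares the techniques a team expects to detect against the tags its rule set actually carries, which is the only way to turn "we are not sure our products detect everything in the matrix" into a concrete list of gaps. In a real deployment the rules would be loaded from a Sigma repository and the expected list derived from a threat-informed prioritisation rather than hard-coded.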

How enterprises can overcome key MITRE ATT&CK challenges

Enterprises facing adversary attacks can benefit significantly from the MITRE ATT&CK framework. However, research shows it is not unusual for businesses to struggle with applying the framework's information to day-to-day security operations.

Interoperability concerns, a lack of automation and security products with incomplete technique coverage can all make applying the framework much harder. Emerging best practices, such as those in the CISA report, can help enterprises use MITRE ATT&CK more effectively to defend against these attacks.