Cybersecurity:
“From marketing hype to effective use of MITRE ATT&CK”

By Pierre Guiho, Product Manager, Gatewatcher and Xavier Rousseau, Solution Architect Director and Cybersecurity Expert, Gatewatcher – MITRE ATT&CK contributor and expert

What is MITRE ATT&CK?


MITRE ATT&CK has emerged as an essential resource for organisations striving to strengthen their cybersecurity posture. This comprehensive, open-access knowledge base has become a go-to framework for operational teams fighting an ever-evolving landscape of cyber threats. However, navigating the full potential of this tool isn’t always as simple as it seems. Revisiting how we approach MITRE ATT&CK, and considering new ways to leverage it, could offer fresh advantages for decision-makers. But before exploring new possibilities, it’s critical to first master the basics of using it effectively.

Developed by the MITRE Corporation, a renowned American non-profit, MITRE ATT&CK is defined as a “universally accessible knowledge base” detailing the “tactics and techniques” used by cyber adversaries. Built on real-world observations, this framework underpins “specific models and methodologies for countering threats” and aims to “solve problems for a safer world.” Since its introduction in 2013, it has provided cybersecurity professionals with a common language for analysing threats and devising powerful defence strategies.

As part of its continuous improvement approach, MITRE ATT&CK is updated biannually, thanks to contributions from the international community and lessons learned from malicious campaigns, to fine-tune defences to meet constantly evolving needs. Every year, numerous cybersecurity solution vendors participate in evaluations organised by MITRE ATT&CK, and when the results are positive, vendors often highlight them to their clients or prospects. MITRE ATT&CK is not a stamp of approval for security products, and its application is often clouded by misconceptions.

Let’s debunk a few myths:


  • MITRE ATT&CK is not a standard that provides a finalised description of all the techniques used by an adversary. It’s a framework—a dynamic, ever-evolving knowledge base that’s inherently imperfect and non-exhaustive.

  • MITRE ATT&CK is not a closed, rigid, or perfect framework, since it consolidates documented attacks, techniques, and tactics (for instance, zero-days are not included).

  • MITRE ATT&CK is neither a best practice guide nor a security solution validation standard.

  • The techniques attributed to cyber attackers are relative: it is important to differentiate between upstream and downstream techniques depending on when an attack is detected. Consequently, defenders must accept this and adjust their security posture, prioritising which adversary techniques to focus on mastering.

MITRE ATT&CK vs. MITRE ENGENUITY


To clear up another common misunderstanding: MITRE ENGENUITY is not a conformity test for MITRE ATT&CK. Created by the MITRE Corporation in 2019, MITRE ENGENUITY conducts evaluations based on the MITRE ATT&CK framework, with vendors paying for their participation. Attack scenarios are announced a year in advance, allowing vendors to prepare, and all simulated procedures are well-documented. As a result, covering MITRE ATT&CK’s techniques becomes manageable.

For instance, the 2023 evaluations focused on detection and prevention scenarios associated with Turla, a notorious cyber-espionage group active since the early 2000s.

It’s worth noting that MITRE ENGENUITY currently only evaluates endpoint solutions (EDR). They do not yet include evaluations for network solutions like NDR (Network Detection and Response). But combining these two systems—EDR for endpoint data and NDR for network traffic—offers organisations a far more comprehensive defence strategy.

A shifting perspective on techniques


Understanding MITRE ATT&CK requires a shift in thinking. The techniques listed in the framework are relative.

1. You need to prioritise which techniques are most relevant based on when an attack is detected, and adjust your security posture accordingly.

2. Not every company can or should attempt to cover the entire MITRE ATT&CK matrix. What’s more important is how you approach the matrix—being precise and focused in your coverage rather than attempting to detect everything.

Imagine a burglar breaking into a house. After being robbed, a homeowner’s priority shouldn’t be figuring out how the door was forced or how the window was smashed. Instead, they should focus on what could have prevented the break-in—like installing cameras to capture the burglar climbing over the roof or sneaking in through a window in time to alert the authorities.

In the same way, companies should use MITRE ATT&CK to focus on early-stage detection, rather than trying to cover every possible attack vector.

A “meteorological” approach to MITRE ATT&CK


We’ve observed two types of approaches to MITRE ATT&CK among our clients.

  • On the one hand, there are clients who aim to cover 100% of the framework,
  • and on the other, there are those who use it as a pivot, enabling them to adapt their defences in response to a constantly changing attack landscape.

We call this second approach the “meteorological” method, where defences are updated in real-time based on current and emerging threats.

This approach is far more practical. MITRE ATT&CK currently lists 196 techniques and 411 sub-techniques. Yet mastering just 50 of these techniques is enough to cover 80% of advanced persistent threats (APTs). The key is using the right tools to detect the early signals of an attack, focusing on upstream techniques, and not trying to cover every single possibility.
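The prioritisation the “meteorological” approach relies on can be made concrete with a small script. The following is an added example, not code from Gatewatcher or MITRE: it ranks techniques by how many intrusion sets use them, breaks ties in favour of techniques that sit earlier in the kill chain (the “upstream” techniques the text recommends focusing on), and then finds the shortest prefix of that ranking that accounts for a chosen share of observed technique usage. The technique IDs are real ATT&CK Enterprise IDs, but the intrusion sets GROUP-A to GROUP-H and the techniques attributed to them are constructed for illustration; in practice the mapping would be derived from the ATT&CK STIX data (the “uses” relationships between intrusion sets and attack patterns).

```python
"""Prioritising ATT&CK techniques by adversary prevalence and kill-chain position.

Added example, not code from Gatewatcher or MITRE. Technique IDs are real
ATT&CK Enterprise IDs; the intrusion sets and their technique lists below are
CONSTRUCTED for illustration only.
"""
import math
from collections import Counter

# Constructed sample: techniques observed per (fictional) intrusion set.
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1566", "T1059", "T1071", "T1021", "T1486"},
    "GROUP-B": {"T1566", "T1059", "T1071", "T1003", "T1041"},
    "GROUP-C": {"T1190", "T1059", "T1071", "T1021", "T1048"},
    "GROUP-D": {"T1566", "T1204", "T1071", "T1105", "T1041"},
    "GROUP-E": {"T1190", "T1505", "T1071", "T1003", "T1021"},
    "GROUP-F": {"T1566", "T1059", "T1547", "T1021", "T1486"},
    "GROUP-G": {"T1078", "T1021", "T1003", "T1041", "T1561"},
    "GROUP-H": {"T1566", "T1059", "T1071", "T1105", "T1041"},
}

# Enterprise tactics in kill-chain order; a lower index is "more upstream".
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

# Earliest tactic of each technique used above (several techniques span more
# than one tactic in ATT&CK; only the earliest is kept here for ordering).
TECHNIQUE_TACTIC = {
    "T1566": "initial-access", "T1190": "initial-access", "T1078": "initial-access",
    "T1059": "execution", "T1204": "execution",
    "T1505": "persistence", "T1547": "persistence",
    "T1003": "credential-access",
    "T1021": "lateral-movement",
    "T1071": "command-and-control", "T1105": "command-and-control",
    "T1041": "exfiltration", "T1048": "exfiltration",
    "T1486": "impact", "T1561": "impact",
}


def technique_prevalence(groups):
    """Number of intrusion sets that use each technique."""
    counts = Counter()
    for techniques in groups.values():
        counts.update(techniques)
    return counts


def rank_techniques(groups, tactics):
    """Rank by prevalence (descending); ties go to the technique that sits
    earlier in the kill chain, then to the lower ID for a stable order."""
    prevalence = technique_prevalence(groups)
    return sorted(
        prevalence,
        key=lambda t: (-prevalence[t], TACTIC_ORDER.index(tactics[t]), t),
    )


def techniques_for_coverage(groups, tactics, target=0.8):
    """Shortest prefix of the ranking that accounts for at least `target` of
    all observed (intrusion set, technique) pairs."""
    prevalence = technique_prevalence(groups)
    total = sum(prevalence.values())
    needed = math.ceil(target * total - 1e-9)  # tolerate float rounding
    chosen, covered = [], 0
    for technique in rank_techniques(groups, tactics):
        if covered >= needed:
            break
        chosen.append(technique)
        covered += prevalence[technique]
    return chosen


def groups_detected(groups, chosen, min_hits=2):
    """Intrusion sets for which at least `min_hits` of the chosen techniques
    would be observed, so detection does not hinge on a single technique."""
    chosen = set(chosen)
    return {g for g, techniques in groups.items() if len(techniques & chosen) >= min_hits}


if __name__ == "__main__":
    top = techniques_for_coverage(GROUP_TECHNIQUES, TECHNIQUE_TACTIC, 0.8)
    print(f"{len(top)} of {len(technique_prevalence(GROUP_TECHNIQUES))} techniques "
          f"cover 80% of observed technique usage: {top}")
    print("sets with >=2 detections from the top four:",
          sorted(groups_detected(GROUP_TECHNIQUES, top[:4])))
```

On this constructed data, 8 of the 15 techniques account for 80% of observed usage, and the top four alone give at least two detection opportunities against seven of the eight intrusion sets. The set that is missed (GROUP-G) is the one whose techniques are the least shared, which is exactly the kind of blind spot a periodic re-run of the ranking against updated threat data is meant to surface.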

Why NDR is key to success


For organisations adopting this adaptive approach, NDR technologies offer significant advantages. In our earlier analogy, NDR serves as the “surveillance camera”, identifying intruders before they have the chance to strike.

While not yet included in MITRE ATT&CK evaluations, NDR solutions are expected to play an increasingly vital role in the future. NDR’s ability to adapt to the evolving threat landscape makes it a critical component of modern cybersecurity strategies, especially when combined with EDR solutions, SIEMs, and firewalls.

Powered by machine learning (ML), NDR systems can identify trends, patterns, and anomalies in network traffic, detecting suspicious activities that signal potential threats. The use of AI, and more specifically ML, also enables NDR solutions to continuously learn from the network traffic they analyse and adapt to changes in the threat landscape. This combination facilitates the detection of evolving threats that traditional signature-based detection methods may overlook. AI and ML in NDR systems allow for automated real-time responses to detected threats (e.g., blocking IP addresses, isolating affected devices, applying security patches, or updating firewall rules). Automating responses helps reduce reaction times and minimise potential damage to targeted companies and organisations.
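The baseline-and-deviation logic described above, in its simplest form, as an added example that is not Gatewatcher’s NDR code: a per-host baseline of outbound volume is learned from past flow summaries, and a later window is flagged when it deviates strongly from that host’s own baseline rather than from a static signature. The flow records (host, hour index, megabytes out) are constructed; in a real deployment they would come from NetFlow/IPFIX exports or a network sensor, and the robust z-score with a median/MAD baseline stands in for whatever model the product actually uses.

```python
"""Per-host baseline-and-deviation detection over network flow summaries.

Added example, not Gatewatcher's NDR code. The flow records are CONSTRUCTED;
a median/MAD robust z-score stands in for a production anomaly model.
"""
from collections import defaultdict
from statistics import median

TRAINING_HOURS = 6  # hours 0-5 build the baseline, later hours are scored

# Constructed flow summaries: (host, hour_index, megabytes_out).
# "db-01" is a backup server that legitimately moves ten times more data
# than workstation "ws-12"; "new-99" has never been seen before.
FLOWS = [
    ("ws-12", 0, 52), ("ws-12", 1, 60), ("ws-12", 2, 55),
    ("ws-12", 3, 58), ("ws-12", 4, 61), ("ws-12", 5, 54),
    ("db-01", 0, 500), ("db-01", 1, 540), ("db-01", 2, 520),
    ("db-01", 3, 510), ("db-01", 4, 530), ("db-01", 5, 525),
    ("ws-12", 6, 57), ("ws-12", 7, 900), ("ws-12", 8, 59),
    ("db-01", 6, 515), ("db-01", 7, 560), ("db-01", 8, 535),
    ("new-99", 7, 300),
]


def learn_baseline(flows, training_hours):
    """Per-host median and median absolute deviation (MAD) of outbound
    megabytes over the training window."""
    per_host = defaultdict(list)
    for host, hour, mb_out in flows:
        if hour < training_hours:
            per_host[host].append(mb_out)
    baseline = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid division by zero
        baseline[host] = (med, mad)
    return baseline


def robust_zscore(value, med, mad):
    """Modified z-score; 0.6745 scales MAD to a standard-deviation equivalent."""
    return 0.6745 * (value - med) / mad


def detect_anomalies(flows, baseline, training_hours, threshold=3.5):
    """Flag scored windows whose outbound volume exceeds the host's own
    baseline by more than `threshold` robust z-units."""
    alerts = []
    for host, hour, mb_out in flows:
        if hour < training_hours:
            continue
        if host not in baseline:
            # Unknown asset: it is not scored against another host's profile;
            # a real NDR would raise a separate "new device" signal instead.
            continue
        med, mad = baseline[host]
        z = robust_zscore(mb_out, med, mad)
        if z > threshold:
            alerts.append((host, hour, mb_out, round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(FLOWS, TRAINING_HOURS)
    for host, (med, mad) in sorted(base.items()):
        print(f"{host}: median {med} MB/h, MAD {mad}")
    for alert in detect_anomalies(FLOWS, base, TRAINING_HOURS):
        print("ALERT host=%s hour=%d out=%d MB z=%.1f" % alert)
```

Only the 900 MB hour from ws-12 is flagged. The 560 MB hour from db-01 is larger in absolute terms but sits inside that server’s learned profile, which is the point of per-asset baselines: the same byte count is routine for one host and an exfiltration-sized outlier for another.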

MITRE ATT&CK – real opportunities


Despite some biases, MITRE ATT&CK offers undeniable value to organisations and cybersecurity experts. It provides a shared vocabulary and framework for the cyber community, improves the quality of threat alerts, identifies potential blind spots in threat detection (upstream techniques not yet seen or downstream techniques yet to come), and helps define areas where security efforts need to be focused.

Thus, cybersecurity experts should continue to carefully observe the evolution of MITRE ATT&CK and its updates to explore the range of proposed techniques, aiming to enhance their understanding of cybersecurity attack and defence strategies—while distancing themselves from biases, refining their detection methods, and avoiding pointless debates that seek to pit “good” vendors against “bad” ones.