From the course: Introduction to the MITRE ATT&CK Framework
Why MITRE ATT&CK?
- [Instructor] Now you must be wondering what exactly the utility of the ATT&CK framework is. The need for ATT&CK could best be told by anyone who was tasked with the protection of assets pre-2013. Cybersecurity is a domain which has historically evolved in a decentralized fashion. There are several terms that sound similar but are very different from each other, such as threat hunting and threat management. On the other hand, we also have a different host of terms that sound different but mean the same. For example, asymmetric key cryptography and public key cryptography essentially mean the same thing. ATT&CK helps the industry to speak a common language: from red to blue to purple teams, from organizations to vendors, all can leverage ATT&CK to speak a common language and avoid miscommunication. It forms a global repository for cybersecurity professionals to identify the latest tools and techniques used by hackers to compromise an organization. The defenders can then use and leverage this information to plan their organization's defenses and security measures. The framework also catalogs techniques used by specific hacker groups that are specific to a given industry, active malware, or cyber attack campaigns. It also contains a list of tools used by various different hacker groups. Imagine being a SOC leader for a FinTech firm as opposed to a manufacturing firm. As a SOC leader, I can focus on threats that are most common to my industry or focus on groups that target my country, rather than going in blind and protecting every single asset from every single conceivable threat out there. The creators and contributors of ATT&CK are industry-leading threat hunting teams, SOC analysts, cybersecurity researchers, and obviously a multitude of vendors. As an open source repository, it is available to defenders industry-wide. It helps different cybersecurity teams coordinate and collaborate in the interest of the organization.
The ATT&CK framework also changes the traditional mindset of SOC teams. Traditionally, SOC teams and the defenders essentially are more focused on identifying indicators of compromise. ATT&CK shifts the indicator-of-compromise-based threat hunting to a technique- and tactic-based mindset. We will discuss that in the next slide. Elaborating a bit more on the forward-thinking mindset: the pyramid here demonstrates the relative ease of changing attack signatures by various hackers. The traditional mindset of SOC monitoring focuses on searching for indicators of compromise, or IOCs. These IOCs usually include hash values of known malware or attack tools. In some cases, they may include IP addresses of the attack source, domain names of compromised command-and-control centers, and so on and so forth. However, the challenge with this approach is that modifying these IOCs is child's play for attackers. Over time, attackers have grown interestingly sophisticated, and modifying these IOCs comes naturally to these attackers. As we move on to the higher rungs, changing specific signatures such as network footprints, protocols, packet details, et cetera becomes relatively difficult. Next, we have the tools used by these attackers. These tools include malware, exploits (indistinct), and other similar frameworks used by attackers to compromise target networks. At the highest level, we have the TTPs, the tactics, techniques, and procedures used by attackers. Changing these TTPs is as difficult for attackers as Monday mornings are for cybersecurity professionals, or for any professional for that matter. The ATT&CK framework advocates tracking the TTPs used by attackers as a means of keeping the organization safe. The intent is quite simple. TTPs are difficult for an attacker to shift, modify, or mutate. Hence they are more reliable in tracking potential attacks on the organization's network.
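The following is an added example, not part of the course or the ATT&CK project, illustrating the pyramid the instructor describes. It runs two detection rules over three constructed process-creation events: a bottom-of-the-pyramid IOC rule keyed on a file hash, and a top-of-the-pyramid behavioural (TTP) rule keyed on an Office application launching an executable from a user-writable temp directory. The dropper hashes, paths, user names and the behavioural heuristic itself are assumptions made for the demonstration; when the attacker recompiles the dropper, the hash-based rule goes blind while the behavioural rule keeps firing.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record, constructed to resemble EDR/Sysmon telemetry."""
    parent_image: str
    image: str
    sha256: str        # hash of the launched image
    malicious: bool    # ground-truth label, known only because the sample is constructed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed dropper builds: the attacker recompiles the same tool, so the file
# hash changes while the behaviour (an Office app launching a binary it just wrote
# to the user's temp directory) stays the same.
DROPPER_BUILD_1 = sha256_hex(b"dropper build 1 (constructed sample)")
DROPPER_BUILD_2 = sha256_hex(b"dropper build 2 (constructed sample)")
BENIGN_7ZIP = sha256_hex(b"7zG.exe (constructed sample)")

# Bottom of the pyramid: an IOC feed that only knows the first build's hash.
KNOWN_BAD_HASHES = {DROPPER_BUILD_1}

# Top of the pyramid: a behavioural rule. This heuristic is illustrative and is
# not an official ATT&CK analytic.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ioc_rule(ev: ProcessEvent) -> bool:
    """Hash-based IOC match: trivially evaded by recompiling the tool."""
    return ev.sha256.lower() in KNOWN_BAD_HASHES


def ttp_rule(ev: ProcessEvent) -> bool:
    """Behaviour-based match: Office parent spawning a binary from a temp path."""
    image = ev.image.replace("/", "\\").lower()
    return basename(ev.parent_image) in OFFICE_APPS and any(m in image for m in TEMP_MARKERS)


# Constructed telemetry: two builds of the same dropper plus one benign launch.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
                 DROPPER_BUILD_1, malicious=True),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\bob\AppData\Local\Temp\inv0ice.exe",
                 DROPPER_BUILD_2, malicious=True),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\7-Zip\7zG.exe",
                 BENIGN_7ZIP, malicious=False),
]


def run_rules(events: List[ProcessEvent]) -> List[Tuple[str, bool, bool]]:
    """Per event: (image name, IOC rule fired, TTP rule fired)."""
    return [(basename(ev.image), ioc_rule(ev), ttp_rule(ev)) for ev in events]


def evaluate(events: List[ProcessEvent]) -> Dict[str, int]:
    """Detection and false-positive counts for each rule against the labels."""
    return {
        "malicious": sum(ev.malicious for ev in events),
        "ioc_hits": sum(ev.malicious and ioc_rule(ev) for ev in events),
        "ttp_hits": sum(ev.malicious and ttp_rule(ev) for ev in events),
        "ioc_false_positives": sum((not ev.malicious) and ioc_rule(ev) for ev in events),
        "ttp_false_positives": sum((not ev.malicious) and ttp_rule(ev) for ev in events),
    }


if __name__ == "__main__":
    for name, ioc, ttp in run_rules(SAMPLE_EVENTS):
        print(f"{name:20s} ioc={ioc!s:5s} ttp={ttp}")
    print(evaluate(SAMPLE_EVENTS))
```

The second build of the dropper is missed by the hash feed and caught by the behavioural rule, which is the whole argument of the pyramid: the attacker changed a hash for free, but could not change the fact that the intrusion starts with an Office document launching something from the user's temp directory. In production the behavioural rule needs tuning against legitimate installers and updaters that also run from temp paths.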