decrypting myths
intelligence. While there are several other ways to do this, ATT&CK provides a common language that’s standardised and globally accessible, making it a particularly powerful tool.
As Katie Nickels, ATT&CK Threat Intelligence Lead for MITRE, points out, analysts and defenders can work together with data to compare and contrast threat groups. Nickels gives a good example, comparing and contrasting techniques used by the APT3 and APT29 groups, on MITRE’s blog.
By identifying the highest priority techniques, an organisation can better determine how to mitigate and detect them. The fact that the knowledge base is community-driven and widely accepted for sharing structured information has afforded it a great deal of momentum as well.
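The comparison and prioritisation described above, as an added example that is not from the article or from MITRE: the group-to-technique mappings below are constructed for illustration (the technique IDs and names are real ATT&CK entries, but the assignments to groups are not taken from the knowledge base).

```python
# Added example (not from the article): comparing threat groups' ATT&CK
# technique sets and ranking techniques for defensive prioritisation.
from collections import Counter

# Constructed sample mappings (group -> ATT&CK technique IDs). Illustrative
# only; consult the live ATT&CK knowledge base for the real mappings.
GROUP_TECHNIQUES = {
    "APT3":        {"T1047", "T1059", "T1003", "T1078"},
    "APT29":       {"T1047", "T1059", "T1003", "T1566", "T1053"},
    "BlackEnergy": {"T1047", "T1082", "T1566"},
}

# Names for the IDs used above (real ATT&CK technique IDs and names).
TECHNIQUE_NAMES = {
    "T1003": "OS Credential Dumping",
    "T1047": "Windows Management Instrumentation",
    "T1053": "Scheduled Task/Job",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1082": "System Information Discovery",
    "T1566": "Phishing",
}


def compare_groups(a, b, mapping=GROUP_TECHNIQUES):
    """Return (shared, only_a, only_b) technique IDs for two groups."""
    ta, tb = mapping[a], mapping[b]
    return sorted(ta & tb), sorted(ta - tb), sorted(tb - ta)


def prioritise(groups_of_concern, mapping=GROUP_TECHNIQUES):
    """Rank techniques by how many of the groups of concern use them.
    Ties are broken by technique ID so the order is deterministic."""
    counts = Counter()
    for g in groups_of_concern:
        counts.update(mapping[g])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    shared, a_only, b_only = compare_groups("APT3", "APT29")
    print("shared:", shared, "APT3 only:", a_only, "APT29 only:", b_only)
    for tid, n in prioritise(["APT3", "APT29", "BlackEnergy"]):
        print(f"{tid} {TECHNIQUE_NAMES[tid]}: used by {n} group(s)")
```

Techniques at the top of the ranking are the ones whose mitigations and detections cover the most tracked adversaries, which is the prioritisation the article describes.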
Who does the ATT&CK framework benefit?
useful for understanding exactly how the technique could be used again. Keeping the WMI example in mind – by looking at the WMI technique examples listing, users can see that the popular Russian hacker group APT29 uses WMI to steal credentials and execute backdoors at a future time. Conversely, BlackEnergy, an APT group linked to attacks on Ukrainian energy companies in 2015, uses WMI to gather victim host details.

www.intelligentciso.com | Issue 10
From a security testing perspective, ATT&CK can aid red teams and blue teams alike. Red teams can follow MITRE’s adversary emulation plans to test their networks and defences by modelling adversary behaviour classified by ATT&CK. Blue teams can leverage the ATT&CK framework to get a better grip on what adversaries are doing, prioritise threats and ensure the right mitigations are in place.
How does ATT&CK help the global cybersecurity community?

As the volume and variety of cyberthreat actors continue to grow at an alarming rate, the need to share accurate threat intelligence on a global level is more important than ever. MITRE’s ATT&CK framework has established itself as one of the foremost ways of doing this in recent years, helping to keep the global security community informed and alert to emerging cyberthreats.

The ATT&CK framework has been around for years but it’s grown in popularity recently as a way to help organisations, end users and the government share accurate threat