I recently listened to an excellent summary of why MITRE ATT&CK has taken over the SOC world (sorry, it’s behind a paywall called “CSO Perspectives,” but this blog post is intended to summarize the key takeaways).
In this interview, The CyberWire’s Rick Howard (former CISO of Palo Alto Networks) talks to Jonathan Baker, MITRE’s Director of the Center for Threat-Informed Defense, about how MITRE ATT&CK extends the intrusion kill chain model beyond IOCs (such as IP addresses, which attackers can change constantly) to catalog all known adversary playbooks and behaviors (TTPs).
It’s also standardized our taxonomy vocabulary for both offense and defense — as Rick says, before the framework, “We were all looking at the same activity and couldn’t talk about it collectively in any way that made sense because each vendor and government organization [and internal department] had their own language and any intelligence coming out of those organizations couldn’t be shared with anybody else without a lot of manual conversion grunt work (talk about the Tower of Babel).”
It’s also become the standard way to communicate to executive leadership about your defensive posture and how it relates to recent attacks they may have heard about in the news (like Follina or Okta PassBleed) — as well as how to answer the classic question “How prepared are we to detect the highest-priority threats?”
That’s the key reason why everything about the CardinalOps detection management platform revolves around MITRE ATT&CK — from automatically mapping your SIEM/EDR/XDR ruleset (including custom detections) to ATT&CK techniques, with a visual heatmap and metrics you can track over time, to identifying and automatically remediating gaps in your MITRE ATT&CK coverage caused by missing detection rules, broken rules, misconfigured log sources, and new log sources that could be onboarded to further increase coverage.
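To make the idea of “mapping a ruleset to ATT&CK and finding the gaps” concrete, here is a small added example (my own illustration, not CardinalOps code or the platform’s data model). It uses a constructed six-technique subset of the ATT&CK matrix and four constructed SIEM rules; the rule fields `enabled` and `log_source_healthy` are assumptions standing in for whatever a real rule-management API reports. The point it shows is that a rule only counts toward coverage when it is enabled and its log source is actually flowing, so the gap report distinguishes “no rule at all” from “rule exists but is broken.”

```python
"""Map a detection ruleset onto MITRE ATT&CK techniques and report coverage gaps."""
from collections import defaultdict

# Constructed subset of the ATT&CK matrix: technique ID -> (name, tactic).
# A real deployment would load the full matrix from MITRE's ATT&CK STIX data;
# this handful is for illustration only.
ATTACK_SUBSET = {
    "T1059.001": ("PowerShell", "Execution"),
    "T1053.005": ("Scheduled Task", "Persistence"),
    "T1003.001": ("LSASS Memory", "Credential Access"),
    "T1021.001": ("Remote Desktop Protocol", "Lateral Movement"),
    "T1071.001": ("Web Protocols", "Command and Control"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Constructed SIEM rules. 'enabled' and 'log_source_healthy' are assumed field
# names standing in for what a rule-management API would report.
RULES = [
    {"name": "Encoded PowerShell launch", "techniques": ["T1059.001"],
     "enabled": True, "log_source_healthy": True},
    {"name": "Suspicious schtasks create", "techniques": ["T1053.005"],
     "enabled": False, "log_source_healthy": True},       # rule is switched off
    {"name": "LSASS handle from non-system", "techniques": ["T1003.001"],
     "enabled": True, "log_source_healthy": False},       # endpoint logs not arriving
    {"name": "Ransomware extension burst", "techniques": ["T1486"],
     "enabled": True, "log_source_healthy": True},
]


def effective_rules(rules):
    """A rule contributes coverage only if it is enabled AND its log source is flowing."""
    return [r for r in rules if r["enabled"] and r["log_source_healthy"]]


def coverage_by_technique(rules, matrix=ATTACK_SUBSET):
    """Return {technique_id: [names of effective rules covering it]}."""
    covered = {t: [] for t in matrix}
    for r in effective_rules(rules):
        for t in r["techniques"]:
            if t in covered:
                covered[t].append(r["name"])
    return covered


def coverage_by_tactic(rules, matrix=ATTACK_SUBSET):
    """Return {tactic: (covered_count, total_count)} -- the numbers behind a heatmap."""
    covered = coverage_by_technique(rules, matrix)
    totals = defaultdict(lambda: [0, 0])
    for t, (_, tactic) in matrix.items():
        totals[tactic][1] += 1
        if covered[t]:
            totals[tactic][0] += 1
    return {k: tuple(v) for k, v in totals.items()}


def gaps(rules, matrix=ATTACK_SUBSET):
    """Classify each uncovered technique: missing rule, rule disabled, or log source unhealthy."""
    report = {}
    for t in matrix:
        refs = [r for r in rules if t in r["techniques"]]
        if not refs:
            report[t] = "missing rule"
        elif not any(r["enabled"] for r in refs):
            report[t] = "rule disabled"
        elif not any(r["enabled"] and r["log_source_healthy"] for r in refs):
            report[t] = "log source unhealthy"
    return report


if __name__ == "__main__":
    for tactic, (c, n) in coverage_by_tactic(RULES).items():
        print(f"{tactic:20s} {c}/{n}")
    for t, reason in gaps(RULES).items():
        print(f"GAP {t} ({ATTACK_SUBSET[t][0]}): {reason}")
```

Run as-is, the tactic summary shows Execution and Impact at 1/1 and the other four tactics at 0/1, while the gap report separates the two “missing rule” techniques from the disabled Persistence rule and the Credential Access rule whose log source is down. Tracking those three gap classes separately over time is what turns a static heatmap into a remediation queue.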
MITRE has also been busy developing new tools like the ATT&CK Powered Suit (a Chrome browser extension for quickly drilling into information in the ATT&CK wiki as you’re reading an article or report, such as details on a particular technique or APT group) and MITRE Attack Flow, which helps network defenders visualize specific attack sequences and annotate their defensive posture against each step in the campaign.
Great work by Jonathan Baker and his team — thanks for helping the entire defender community!
Screenshot below from the home screen of the CardinalOps platform.