CyberSecurity SEE

Get started: Threat modeling using the Mitre ATT&CK framework


The Mitre ATT&CK framework, with its 14 adversarial tactics and numerous techniques and sub-techniques, can be a daunting resource for security operations center (SOC) teams. Recognizing the challenges SOC teams face in using the framework, Rebecca Blair, author and SOC manager at software company Toast Inc., has written a book called “Aligning Security Operations with the MITRE ATT&CK Framework” to help teams understand and effectively use the framework to improve their organization’s security posture.

One reason the Mitre ATT&CK framework is worth learning is that it serves as a common foundation for threat modeling, a crucial component of any modern cybersecurity program. Threat modeling involves identifying and understanding the potential security risks that a specific organization may face. Mitre maintains an extensive knowledge base of tactics and techniques against which SOC teams can model malicious attackers, including techniques for privilege escalation, evasion, and lateral movement.

In an interview, Blair explains the framework’s role in threat modeling and provides insights on how SOC teams can successfully implement it. She acknowledges that while the framework is heavily referenced and widely used, it can still be overwhelming for teams to implement, especially if they try to incorporate every aspect of it from the start. Blair advises teams to focus on optimizing their use of the framework to get the most benefit.

To begin implementing the Mitre ATT&CK framework, Blair suggests starting with a risk registry. This involves identifying the organization’s vulnerabilities and mapping them to the framework’s techniques. By understanding the level of risk, SOC teams can then refer to the Mitre ATT&CK framework as a reference guide for recommended risk mitigations.

Blair emphasizes that the Mitre ATT&CK framework is beneficial for SOC teams of all maturity levels. It helps with the vulnerability identification process and provides clarity on risks and contextual information. For SOC teams that are just starting up, the framework can serve as a guiding light to ensure that the SOC is established in the right way from the beginning, avoiding the need to restart and correct processes later on.

When it comes to threat modeling, Blair suggests that SOC teams use the Mitre ATT&CK framework alongside their existing tools and processes. For example, if a team is using Splunk, they can integrate the framework into Splunk Security Essentials. The framework can be used to capture technique types and overall tactics in ticketing systems, allowing teams to gather related metrics and identify higher-level threats. Blair also mentions the option of utilizing additional threat models like PASTA or STRIDE alongside the Mitre ATT&CK framework depending on the specific environment and available resources.
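As an added illustration (not code from Blair's book or from the article), the Python below sketches the two steps described above: a risk registry whose findings are mapped to the ATT&CK technique IDs they enable, with scores rolled up per tactic, and ticket records tagged with a technique ID rolled up the same way for metrics. The technique IDs and their tactic assignments are real ATT&CK entries; the findings, scores and tickets are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed catalogue: IDs and tactic assignments follow the public Enterprise ATT&CK
# matrix (a technique can sit under several tactics); only a handful are included here.
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    "T1068": ("Exploitation for Privilege Escalation", ["privilege-escalation"]),
    "T1562": ("Impair Defenses", ["defense-evasion"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
}
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskEntry:  # one registry row: a finding mapped to the techniques it enables
    finding: str
    techniques: list
    likelihood: str
    impact: str
    def score(self) -> int:
        return LEVEL[self.likelihood] * LEVEL[self.impact]

# Constructed sample registry (hypothetical findings, not from any real assessment).
RISK_REGISTRY = [
    RiskEntry("Unpatched internet-facing web app", ["T1190"], "high", "high"),
    RiskEntry("Shared local admin password on workstations", ["T1078", "T1021"], "medium", "high"),
    RiskEntry("EDR agent can be stopped by local admins", ["T1562"], "medium", "medium"),
    RiskEntry("Unreviewed setuid binaries on servers", ["T1068"], "low", "high"),
]

def unknown_techniques(registry) -> set:
    """IDs referenced by the registry but missing from the catalogue (typos, retired IDs)."""
    return {t for e in registry for t in e.techniques if t not in TECHNIQUES}

def risk_by_tactic(registry) -> dict:
    """Sum each entry's score into every tactic its techniques belong to."""
    if unknown_techniques(registry):
        raise ValueError(f"unknown technique IDs: {sorted(unknown_techniques(registry))}")
    totals = Counter()
    for entry in registry:
        for tid in entry.techniques:
            for tactic in TECHNIQUES[tid][1]:
                totals[tactic] += entry.score()
    return dict(totals)

def tickets_by_tactic(tickets) -> dict:
    """Roll up (ticket_id, technique_id) records from a ticketing system to tactic counts."""
    counts = Counter()
    for _ticket_id, tid in tickets:
        counts.update(TECHNIQUES[tid][1])
    return dict(counts)
```

The tactic with the highest total is where the registry says mitigation effort should go first, and the same technique tags on tickets show which tactics are actually generating work.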

In conclusion, the Mitre ATT&CK framework offers a wealth of information and resources for SOC teams to enhance their organization’s security posture. Through proper implementation and optimization, SOC teams can effectively use the framework for threat modeling, vulnerability identification, and risk mitigation. By leveraging the framework’s comprehensive tactics and techniques, SOC teams can better defend against malicious attacks and strengthen their cybersecurity defenses.
