An Overview on MITRE ATT&CK as an IR Framework

Mark Stone

Security incidents are skyrocketing in both volume and type. Detecting and responding to these advanced threats is becoming increasingly critical for any organization. 

Defending yourself against cybersecurity threats is now essential to doing business. The costs of not doing so are drastic: brand reputation, customer trust, intellectual property, and company time and resources are all at risk. 

But organizations with robust incident response (IR) plans are in a position to mitigate that risk. According to IBM and Ponemon’s 2021 Cost of a Data Breach Report, the average total cost gap of companies breached with IR capabilities vs. those without IR capabilities was $2.46 million in 2021 — a difference of 54.9%. 

Incident response is crucial. And for incident responders, a robust framework can play a massive role in the speed and efficacy of the remediation process. 

This article will focus on the MITRE ATT&CK framework and also explore other common IR frameworks. 

What is the MITRE ATT&CK Framework? 

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a guide for incident responders. It outlines the various stages of an attack, from reconnaissance to post-exploitation, and provides guidance on detecting and defending against these stages. The framework also includes a catalog of technologies that attackers may use, as well as exploitation techniques and toolsets.

What makes the framework so crucial for security teams is how it enables threat researchers to keep up to speed with cybercriminals and attackers. 

Another bonus: the MITRE ATT&CK knowledge base is one hundred percent publicly sourced. 

An overview on MITRE ATT&CK and tactics, techniques and procedures (TTPs)

MITRE ATT&CK provides a set of tactics used by attackers against their targets. These are often referred to as “attack vectors” or “tactics” because they represent specific ways in which attackers attempt to gain access to systems on behalf of themselves or others. The framework is organized into three categories: Targets, Techniques and Tactics. Each category contains sub-categories that describe different aspects of an attack vector. 

Depending on what you are trying to protect, there are several separate MITRE ATT&CK matrices available. 

The feedback loop

Here’s how the framework operates: It starts with a vast army of industry researchers and experts, whose mission is to discover new threats, vulnerabilities, and attack methods. The data and insight from their research are used to build the intelligence that bolsters the MITRE ATT&CK framework. This real-time intelligence is relayed to the security community (and vendors) to maintain and grow the knowledge base. When used to its potential, the framework provides organizations with more robust and near-real-time security solutions. 

Essentially, MITRE takes adversary tactics and techniques from real-world attacks and turns them into learning tools that organizations can incorporate into their security strategy.

Why is MITRE such a popular framework for incident response?

Incident response is not a simple process by any means. Anything that helps simplify IR procedures will always be a significant benefit to the cybersecurity community; the MITRE framework is well-respected within the industry.

The framework is not at all what one would consider basic, but what makes it simple to adopt is its prioritized list of techniques that an adversary may use in the context of a cyber incident, including attack phases and individual attack techniques. All attacks are ranked by their level of harm, from least harmful to most harmful.

Organizations leveraging the framework gain an understanding of what happened during an incident, why it occurred, how much damage was done, who did it, where they came from — all while providing actionable recommendations on how to prevent future incidents.   

Put another way: it helps you connect the dots. 

Other common incident response frameworks

While the MITRE framework has been gaining popularity recently, the two most prominent and well-respected incident response frameworks were developed by NIST (National Institute of Standards and Technology) and SANS (Systems, Audit, Network and Security). Both were developed to provide a foundation on which security teams could build their incident response plans. 

The NIST Cybersecurity Framework is probably the most popular standard for managing and understanding cybersecurity risk. The NIST Incident Framework is still one of the most widely-used IR standards globally, and is broken down into four steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication and Recovery
  4. Post-Incident Activity

It’s important to note that the current NIST framework was published in 2012. Since the volume of cybersecurity threats has mushroomed in the last decade, organizations can benefit from more rigorous methods outlined by NIST. Still, NIST’s framework is as relevant today as it was upon publication.  

The SANS Incident Response 101 was created by SANS, a private organization with a mission of education, research, and certification in the four key cyber disciplines. The SANS framework is more focused on security compared to the wider-reaching NIST framework.

The SANS framework consists of six steps:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

The value of incident response tools built to support MITRE

Incident response tools, like today’s cloud SIEM platforms, need reliable data to operate effectively. For incident response, it’s critical that the tool or solution categorizes the threats, correlates any activity related to the same threat, and provides relevant alert data. The most effective solutions identify an attack pattern, establish its objective, and offer remediation steps so responders can take action.

But this level of detailed data isn’t possible without a living, breathing, thorough, and up-to-date knowledge base to highlight the tools, techniques, and tactics used. 

Perhaps the most significant benefit of incorporating the MITRE ATT&CK framework into a cloud-based SIEM is that there are no disadvantages. The framework enriches an organization’s IR strategy with the relevant threat data that might just be the deciding factor in remediating an incident. The data from MITRE’s framework, combined with a modern SIEM’s next-gen threat hunting capabilities, is a potent combination for faster, more efficient remediation.

Why Panther for MITRE-structured Incident Response

Modern cloud-based solutions like Panther integrate the MITRE ATT&CK framework into their platform by mapping detections to the framework. 

With Panther, you can rapidly deploy threat detection capabilities with built-in rules and policies based on the framework. Plus, you can expedite incident response by adding dynamic context to alerts to power more efficient routing, triage and automation.

At the time of this writing, Panther ships with 39 specific detections already mapped to MITRE components. We make it easy, in our user interface (UI) or in the detection code, to add mappings to any custom detections you create.
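As an added illustration of what mapping a detection to ATT&CK looks like in code (example code written for this article, not Panther's own rules): a Panther-style rule() / dedup() / title() detection for repeated failed logins, with the ATT&CK mapping that Panther rules normally carry in their YAML metadata represented here as an assumed in-code dict, plus a small batch runner that enriches the resulting alert with tactic and technique IDs for routing. The event field names, the threshold, and the routing table are assumptions.

```python
from collections import defaultdict

# Assumed in-code stand-in for the rule's YAML metadata ("Reports" -> "MITRE ATT&CK").
# TA0006 = Credential Access, T1110 = Brute Force (real ATT&CK identifiers).
REPORTS = {"MITRE ATT&CK": ["TA0006:T1110"]}
THRESHOLD = 5  # assumed: alert once a dedup group reaches this many matches

def rule(event):
    """Panther-style rule entry point: True means this single event matches."""
    return event.get("action") == "login" and event.get("result") == "failure"

def dedup(event):
    """Panther-style dedup key: group repeated failures by source address."""
    return event.get("src_ip", "unknown")

def title(event):
    return f"Repeated failed logins from {dedup(event)}"

# Assumed routing table keyed by ATT&CK tactic ID, used during alert enrichment.
ROUTING = {"TA0006": "identity-team"}

def run_rule(events):
    """Evaluate rule() over a batch, dedup, apply the threshold, and enrich
    each alert with the ATT&CK mapping so it can be routed by tactic."""
    groups = defaultdict(list)
    for ev in events:
        if rule(ev):
            groups[dedup(ev)].append(ev)
    alerts = []
    for key, matched in groups.items():
        if len(matched) < THRESHOLD:
            continue  # below threshold: noise, not an alert
        tactics = sorted({m.split(":")[0] for m in REPORTS["MITRE ATT&CK"]})
        techniques = sorted({m.split(":")[1] for m in REPORTS["MITRE ATT&CK"]})
        alerts.append({
            "title": title(matched[0]),
            "dedup_key": key,
            "event_count": len(matched),
            "mitre_tactics": tactics,
            "mitre_techniques": techniques,
            "route_to": ROUTING.get(tactics[0], "soc-triage"),
        })
    return alerts

# Constructed sample events (not real log data): six failures from one address,
# two from another, and one successful login that must not match.
SAMPLE_EVENTS = (
    [{"action": "login", "result": "failure", "user": "alice", "src_ip": "203.0.113.7"}] * 6
    + [{"action": "login", "result": "failure", "user": "bob", "src_ip": "198.51.100.2"}] * 2
    + [{"action": "login", "result": "success", "user": "alice", "src_ip": "203.0.113.7"}]
)

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running it produces a single alert for 203.0.113.7 tagged with TA0006 / T1110 and routed to the identity team; the two failures from 198.51.100.2 stay below the threshold.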

Book a demo today to find out how Panther can leverage the frameworks and security tools that are important to your organization.