
A Primer on MITRE ATT&CK as an Incident Response Framework

Brandon Min
An Overview of MITRE ATT&CK as an IR Framework

An organization with a robust incident response (IR) plan is better positioned to reduce security risk across its attack surface. According to IBM and Ponemon’s 2021 Cost of a Data Breach Report, the average total cost gap between breached companies with Incident Response (IR) capabilities and those without was $2.46 million in 2021 — a difference of 54.9%. Incident responders are most effective when they work from a robust framework, which can play a major role in the speed and efficacy of the remediation process.

This article will focus on how security teams can leverage the MITRE ATT&CK framework in Panther to bolster incident response. 

What is MITRE? 

The MITRE ATT&CK framework is a guide for incident responders that outlines the stages of an attack, from reconnaissance to post-exploitation, and provides guidance on detecting and defending against each stage. The framework also includes a catalog of the technologies and toolsets attackers may use, as well as their exploitation techniques.

What makes the framework so crucial for security teams is how it enables threat researchers to stay up-to-date with common attack techniques. 

MITRE ATT&CK describes the tactics that attackers use against their targets. These are often referred to as “attack vectors” or “tactics” because they represent specific ways in which attackers attempt to gain access to systems as part of a kill chain. The framework is organized into three categories: Targets, Techniques, and Tactics, each containing sub-categories that describe different aspects of an attack vector.

Depending on what you are trying to protect, there are several separate MITRE ATT&CK matrices available.

The Feedback Loop

Here’s how the framework operates: it starts with a large community of industry researchers and experts whose mission is to discover new threats, vulnerabilities, and attack methods. The data and insight from their research are consolidated into intelligence that feeds the MITRE ATT&CK framework. This intelligence is relayed to the security community (and vendors) to maintain and grow the knowledge base. Used to its potential, the framework gives organizations more robust and near-real-time security solutions.

Essentially, MITRE takes adversary tactics and techniques from real-world attacks and turns them into learning tools that organizations can incorporate into their security strategy.

Why MITRE is a popular framework

The MITRE framework is well-respected and heavily used within the industry because it is simple to adopt and genuinely helps organizations connect the dots of a cyber incident. With a 100% publicly-sourced knowledge base and easy-to-follow attack techniques, MITRE is easily adopted by any organization, giving security teams immediate context and visibility into common cyber incidents. All attacks are ranked by their level of harm, and the framework provides guidance for Red and Blue team strategy throughout the kill chain.

Organizations leveraging the framework gain an understanding of what happened during an incident, why it occurred, how much damage was done, who did it, and where they came from — all while providing actionable recommendations on how to prevent future incidents.   

Panther and MITRE for Incident Response 

Modern cloud-based solutions like Panther integrate the MITRE ATT&CK framework into their platform by mapping detections directly to the kill chain. 

With Panther, you can rapidly deploy threat detection capabilities with built-in rules and policies based on the framework. Plus, you can expedite incident response by adding dynamic context to alerts to power more efficient routing, triage, and automation.

At the time of this writing, Panther ships with 39 detections already mapped to MITRE components. Mappings can be added to any custom detection you create, either in the console or in the detection’s Python code.

MITRE ATT&CK mapping in Panther: A brief overview 

Below is the MITRE ATT&CK Heat Map as it appears in Panther’s Detections menu. 

The heat map gives you full visibility into any detections you have that cover the tactics and techniques as defined by MITRE. 

In the screenshot above, we are looking at the various tactics and techniques that apply to the Enterprise ATT&CK matrix. 

To view tactics and techniques for another Matrix, simply click on the Matrix dropdown to the top right. In the screenshot below, we’ve chosen the Enterprise ATT&CK / SaaS matrix. 

The MITRE ATT&CK heat map lets you know whether the MITRE tactics and techniques are covered, partially covered, not relevant, or not covered by any of your current detections.

With Panther, you can easily map a detection to a MITRE technique that isn’t covered. Simply click on one of the techniques and Panther will display the corresponding MITRE technique ID (the T-number) and description.

In the screenshot below, we’re looking at T1189, Drive-by Compromise.

To map a detection to that technique, you can either click on the Create New button to create a new detection or the Map Existing button to map the technique to an existing detection. 
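The coverage view described above, as an added example that is not Panther’s own code: the block computes a covered / partially covered / not covered status per matrix cell from detection metadata that follows the `Reports: MITRE ATT&CK: ["TAxxxx:Txxxx"]` layout used in Panther detection YAML, and lists rules that still need the Map Existing step. The detections, the matrix subset, and the definition of "partial" (mapped only by disabled rules) are constructed for this example.

```python
"""Compute ATT&CK heat-map coverage from Panther-style detection metadata."""
from collections import defaultdict

# Constructed sample: rule metadata as it would be loaded from detection YAML files.
DETECTIONS = [
    {"RuleID": "Okta.BruteForceLogins", "Enabled": True,
     "Reports": {"MITRE ATT&CK": ["TA0006:T1110"]}},
    {"RuleID": "AWS.Console.LoginWithoutMFA", "Enabled": True,
     "Reports": {"MITRE ATT&CK": ["TA0001:T1078", "TA0005:T1078"]}},
    {"RuleID": "GSuite.DriveByDownload", "Enabled": False,
     "Reports": {"MITRE ATT&CK": ["TA0001:T1189"]}},
    {"RuleID": "Custom.NoMapping", "Enabled": True},  # never mapped
]

# Constructed subset of the Enterprise matrix: tactic ID -> technique IDs.
MATRIX = {
    "TA0001": ["T1078", "T1189", "T1190"],
    "TA0005": ["T1078", "T1070"],
    "TA0006": ["T1110", "T1003"],
}


def parse_mapping(entry):
    """Split a 'TAxxxx:Txxxx' string into (tactic, technique); reject malformed entries."""
    tactic, sep, technique = entry.partition(":")
    if sep != ":" or not tactic.startswith("TA") or not technique.startswith("T"):
        raise ValueError(f"bad MITRE mapping: {entry!r}")
    return tactic, technique


def coverage(detections, matrix):
    """Return {tactic: {technique: status}}; status is covered, partial or not_covered."""
    by_cell = defaultdict(list)
    for det in detections:
        for entry in det.get("Reports", {}).get("MITRE ATT&CK", []):
            by_cell[parse_mapping(entry)].append(det)
    result = {}
    for tactic, techniques in matrix.items():
        result[tactic] = {}
        for technique in techniques:
            rules = by_cell.get((tactic, technique), [])
            if not rules:
                status = "not_covered"
            elif any(r.get("Enabled", False) for r in rules):
                status = "covered"
            else:
                status = "partial"  # constructed meaning: mapped, but every mapped rule is disabled
            result[tactic][technique] = status
    return result


def unmapped_rules(detections):
    """Rules with no MITRE mapping at all: candidates for the Map Existing step."""
    return [d["RuleID"] for d in detections if not d.get("Reports", {}).get("MITRE ATT&CK")]
```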

For more detailed instructions on how to map detections to MITRE ATT&CK matrices in Panther, see the Panther documentation.

Book a demo today to find out how Panther can leverage the frameworks and security tools that are important to your organization.