As you saw in the previous post, ATT&CK covers a lot of use cases. Most CTI organizations are at least considering ATT&CK as the structure for their reports and feeds, because it gives analysts a common language and structure. That fosters better collaboration and makes findings easier to consume for everyone, including you and your tools.

[Image: old-school picture of an OSS spy with his radio in the mountains. Caption: "I've gotta get my inputs back to HQ before they publish ATT&CK v15!"]

Using ATT&CK for CTI

As analysts observe threat actors, they build dossiers on each adversary and learn how each one prefers to operate: which tools they favor, how the steps in their attack chain fit together, and more. Rather than cling to their own proprietary parlance, analysts now commonly structure findings and reports by tagging them with the "T" identifiers ATT&CK assigns to techniques (T1190 for Exploit Public-Facing Application, for example). This makes reports more readable and vendor agnostic, and it improves collaboration and intelligence sharing throughout. Some great research incorporates ATT&CK very well. One of my favorite sites to follow is The DFIR Report. Their team doesn't just use ATT&CK but also other relevant threat modeling approaches, like the Diamond Model. Their reports walk through a real intrusion's impact on every facet of the environment. I love how they help you relate each step in the adversary's run book to ATT&CK, while also providing indicators of compromise (IOCs) and rules that can be used for detection (Sigma and YARA, for instance).

[Image: copy of the ATT&CK mapping table from a DFIR Report brief, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/. Caption: "Mapping NetSupport RAT to MITRE ATT&CK, courtesy of The DFIR Report (https://thedfirreport.com)"]

Benefits of ATT&CK for CTI

So what does this do for us? Researchers who consistently share intel tagged with ATT&CK make it easier to learn from multiple sources. Remember, this is the field that gave us numerous APT naming schemes depending on which researchers did the work! We still wrestle over whether to call APT28 Fancy Bear, Sofacy, Forest Blizzard, or any number of other names, but we can count on a reasonably accurate understanding of their playbook and which techniques they use to achieve their goals. For researchers, this means they can build on existing work rather than repeat it. That spurs collaboration and shortens the time to actionable intel from our CTI folks. It also lets our CTI tools share information in the same taxonomy, whether the tool is a Security Information and Event Management (SIEM) system, an eXtended Detection and Response (XDR) platform, or a Threat Intelligence Platform (TIP). Seems like a no-brainer!

[Image: Splunk Enterprise Security screenshot. Caption: "Splunk's Enterprise Security solution is just one SIEM that offers MITRE ATT&CK mapping in the tool"]

Caveats worth noting

MITRE ATT&CK is fantastic. Keep in mind, however, that it deals in atomic techniques. No single technique has the same impact, severity, or consequence in every environment. Watching an adversary blindly stab at a Windows server with a technique it is already patched against makes us chuckle. Say they are trying to leverage an Exchange exploit (Exploit Public-Facing Application, T1190): the adversary's targeting matters. If they launch the technique at an on-premises Windows server for an organization that has already moved its mail to Microsoft 365, this might be what we called in the Navy a "roll over drill."

Likewise, no technique carries the exact same connotation regardless of the threat actor. Two threat actors may employ the same technique at very different stages of their playbooks. One APT may use Account Manipulation (T1098) for Persistence while another uses it for Privilege Escalation; ATT&CK lists the technique under both tactics, so a bare "T1098" tag in a report does not tell you which stage was observed. We're worried either way, but context matters! Lots of visibility and detection in place may help us notice Privilege Escalation, but maybe Persistence is our blind spot? Or maybe it all depends on the asset involved? Another target might face a very different situation, which is why we should be aware of what ATT&CK is and isn't.
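To make the tagging discussed under "Using ATT&CK for CTI" and the tactic ambiguity above concrete, here is an added example (mine, not code from the original post, The DFIR Report, or MITRE). It pulls technique IDs out of a narrative report, merges them with a second source's structured findings, flags techniques that ATT&CK lists under more than one tactic when no source said which stage was observed, and emits the result as an ATT&CK Navigator layer so the gap is visible on the matrix. The technique-to-tactic table is a hand-picked subset of ATT&CK Enterprise, the sample report and feed are constructed, and the Navigator version strings are assumptions; real tooling should load the full mapping from the STIX bundle at https://github.com/mitre-attack/attack-stix-data.

```python
"""Merge ATT&CK-tagged findings from several CTI sources into one view.

Added example, not code from the original post, The DFIR Report, or MITRE.
"""
import json
import re
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise: technique ID -> tactics it can serve.
# T1098 sits under two tactics in ATT&CK, which is the ambiguity the post
# describes: a bare "T1098" tag does not say which stage of the playbook it was.
TECHNIQUE_TACTICS = {
    "T1190": {"initial-access"},
    "T1566": {"initial-access"},
    "T1059": {"execution"},
    "T1098": {"persistence", "privilege-escalation"},
    "T1003": {"credential-access"},
    "T1021": {"lateral-movement"},
}

# Technique IDs look like T1234 or T1234.001 (sub-technique). The word
# boundaries keep us from matching inside longer tokens such as hashes.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract_techniques(text):
    """Return every ATT&CK technique ID in free text, in order, de-duplicated."""
    seen = []
    for match in TECHNIQUE_RE.findall(text):
        if match not in seen:
            seen.append(match)
    return seen


def parent_technique(tid):
    """T1098.001 -> T1098; T1190 -> T1190."""
    return tid.split(".")[0]


def merge_findings(findings):
    """Fold findings from many sources into one record per technique.

    Each finding is a dict with 'source', 'technique' and an optional 'tactic'.
    Returns {technique_id: {'sources': set, 'tactics': set}} and raises
    ValueError when a source tags a tactic ATT&CK does not list for the
    technique (almost always a tagging error worth catching at ingest).
    """
    merged = defaultdict(lambda: {"sources": set(), "tactics": set()})
    for f in findings:
        tid = f["technique"]
        known = TECHNIQUE_TACTICS.get(parent_technique(tid))
        tactic = f.get("tactic")
        if tactic and known is not None and tactic not in known:
            raise ValueError(f"{f['source']} tags {tid} as {tactic}, not an ATT&CK tactic for it")
        merged[tid]["sources"].add(f["source"])
        if tactic:
            merged[tid]["tactics"].add(tactic)
    return dict(merged)


def ambiguous_techniques(merged):
    """Techniques ATT&CK places under several tactics where no source said which."""
    out = []
    for tid, rec in merged.items():
        known = TECHNIQUE_TACTICS.get(parent_technique(tid), set())
        if len(known) > 1 and not rec["tactics"]:
            out.append(tid)
    return sorted(out)


def navigator_layer(merged, name="merged CTI"):
    """Build an ATT&CK Navigator layer; an unresolved technique is shown under
    every tactic it could serve. The version strings are assumptions."""
    techniques = []
    for tid in sorted(merged):
        rec = merged[tid]
        tactics = rec["tactics"] or TECHNIQUE_TACTICS.get(parent_technique(tid), set())
        for tactic in sorted(tactics):
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": len(rec["sources"]),  # how many sources reported it
                "comment": "sources: " + ", ".join(sorted(rec["sources"])),
            })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


# Constructed sample inputs: one narrative report and one structured feed.
REPORT_TEXT = (
    "Initial access via Exploit Public-Facing Application (T1190). The actor "
    "ran PowerShell (T1059.001), added a domain admin (T1098) and moved "
    "laterally over RDP (T1021.001)."
)
FEED = [
    {"source": "vendor-feed", "technique": "T1098"},  # no tactic given
    {"source": "vendor-feed", "technique": "T1003"},
]


def run_demo():
    findings = [{"source": "dfir-style-report", "technique": t}
                for t in extract_techniques(REPORT_TEXT)]
    merged = merge_findings(findings + FEED)
    return merged, ambiguous_techniques(merged)


if __name__ == "__main__":
    merged, ambiguous = run_demo()
    print(json.dumps(navigator_layer(merged), indent=2))
    print("needs tactic context:", ambiguous)
```

Run it and T1098 comes back in the "needs tactic context" list, because both sources reported the technique and neither said whether it was persistence or privilege escalation; the layer paints it under both tactics until an analyst resolves it. Adding a `tactic` to either finding clears the flag, and a tactic ATT&CK does not list for the technique is rejected at ingest rather than silently merged.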