Section 2: ATT&CK Use Cases
This section is not in the original Mitre documentation; however, it is beneficial to understand section 2.
- Adversary Emulation: Miter publishes profiles for specific adversary groups that can also be used in conjunction with ATT&CK to evaluate the security of a company's environment by applying cyber threat intelligence about specific adversaries and creating simulated threat simulations.
Mitre Resources - Adversary Emulation Plans
Profile Example: APT 18 (Dynamite Panda) - Red Teaming:Through the use of ATT&CK, security teams can develop and launch simulated attacks on their network, testing the abilities of their defenses to detect and defend company assets.
- Behavioral Analytics Development: ATT&CK can guide the development and testing of systems that spot unusual activities indicating a potential security breach.
Helpful Link: The the Cyber Analytics Repository - Defensive Gap Assessment: ATT&CK serves as a guide to evaluate the effectiveness of current security measures by identifying weak spots, helping security teams prioritize improvements, and make educated decisions on the best security products for their company.
- SOC Maturity Assessment ATT&CK can evaluate how well a Security Operations Center (SOC) can detect, analyze, and respond to security threat
- Cyber Threat Intelligence Enrichment: Since many groups use the same techniques listed in ATT&CK, we do not recommend attributing a specific group based solely on the observed methods. Proper attribution requires a more detailed analysis beyond the tactics and techniques used.
"Attribution to a group is a complex process involving all parts of the Diamond Model, not solely on an adversary's use of TTPs."- Mitre
Adversary Emulation vs Read Teaming
Although adversary emulation and red teaming may initially sound identical, there are key differences.Adversary Emulation is a targeted approach where the team replicates known threat actors' tactics, techniques, and procedures (TTPs). While Red Teaming involves a wider range of actions that are not limited to the TTPs of known adversaries, they can include a wide range of attack vectors. Security teams aim to simulate the unpredictability of real-world attacks.
Section 2.1: ATT&CK Coverage
Companies should not try to cover every single ATT & CK technique that isn't really practical, as not everything an attacker might do is something you need to set up an alarm for or even keep track of. For example, adversaries have been known to use ipconfig.exe as a tool to learn about target systems. However, ipconfig.exe is also a tool administrators use to troubleshoot network issues. Another example is the fact that accounts such as local, domain, or cloud accounts can be used for excitement reasons. Though they should be monitored, the fact that adversaries have been known to use these accounts does not mean every company needs to set up alerts every time they are used.
"Similarly to how it's unrealistic to expect coverage of 100% of ATT&CK techniques, it's unrealistic to expect coverage of all procedures of a given method, especially since we often cannot know all of them in advance."
Each attack technique in ATT&CK can have multiple ways for an attacker to carry it out, and these techniques are constantly evolving; because of this, it is difficult to anticipate all methods an attacker will use. So, discussions about coverage can be tricky because detection methods might rely on specific procedures that hackers use, and these procedures can vary. So, it is crucial to keep up with not only the techniques but also the sub-techniques and procedures adversaries have used and are using in order to understand how variations might affect how you determine coverage.