How Compliance Teams can use MITRE ATT&CK Framework to Their Advantage

Kerwyn Velasco
January 15, 2023

How Compliance Teams can use MITRE ATT&CK Framework to Their Advantage

It’s enterprise organizations vs. the Big Bad Hackers, and the news is not good. During Q3 2022, approximately 15 million data breaches were reported worldwide. Ouch. IBM reports that it takes an average of 287 days for an enterprise to uncover a data breach and then another 80 days to contain it. The damage done in these extended timelines results in the average data breach costing an enterprise $4.35 million (and 2x that number if your business happens to be based in the US). Double ouch.

It's not that enterprises aren’t investing in cybersecurity. They are. To the tune of $460 billion by 2025, according to the global cybersecurity company Kaspersky. But despite this spending, organizations lack the practical guidance to accurately assess whether their current security controls can mitigate against cyber threats. And that’s where MITRE ATT&CK Framework comes in.

What is the MITRE ATT&CK Framework, and why is it relevant to security Compliance teams?

MITRE ATT&CK® is a globally-accessible knowledge base of tactics, techniques, and procedures used by hackers to carry out their malicious activities. The framework was created in 2013 using real-world observations with the goal of helping enterprise networks improve post-breach detection. Today, ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is offered free of charge and used to help classify the purpose and type of cyberattacks, and assess an organization's risk. Security compliance teams use the framework to uncover security gaps and determine which mitigations are necessary.

What are the components of the ATT&CK framework?

The MITRE ATT&CK framework contains a matrix of techniques used by hackers to accomplish a specific cyber-objective, referred to as a tactic. For example, to achieve the tactic of Exfiltration (stealing data), the hacker may use one of several listed techniques, such as using an Alternate Protocol, Bluetooth, or an existing C2 Channel. To gain Initial Access, the threat actors may choose to achieve this using the technique of Drive-By Compromise, Phishing, or Exploiting a Public-Facing Application. Other tactics included in the matrix are Reconnaissance for collecting information; Persistence for gaining a foothold in the network; Privilege Escalation for accessing higher-level permissions; Credential Access for stealing passwords and account names; and Impact for destroying, manipulating, or interrupting enterprise data. In all, the October 2022 version of MITRE ATT&CK for Enterprise contains 14 tactics, 193 techniques, and 401 sub-techniques,  and 718 pieces of software. The matrix also lists 135 known threat actor groups, and 14 of their campaigns, which are defined as “any grouping of intrusion activity conducted over a specific period of time with common targets and objectives.“ Examples of known campaigns are the C0010FunnyDream, and Operation Dust Storm cyber espionage campaigns. 

MITRE ATT&CK for Enterprise, 2022

MITRE ATT&CK also lists Procedures, which are the technical steps hackers use to carry out the technique, as well as Mitigations, which are security technologies and activities that an enterprise can use to prevent a hacker from successfully executing a technique.  Examples of mitigations are Data Backup, Antivirus Protection, Network Segmentation, and User Account Control.

How can Compliance Teams use the framework?

As MITRE raises awareness about attack methodologies by classifying its framework into tactics, techniques, and even sub-techniques, Compliance teams can use this matrix to proactively evaluate and optimize their cybersecurity posture, and reactively to identify the routes the attacker will go through to compromise an organization. This awareness allows them to ask tough questions like: Do we have the required capabilities? Are there areas that need improvement to secure against threats? Organizations can gain these important insights by mapping their existing vaguely-worded processes and controls to MITRE’s clearly-defined tactical safeguards and countermeasures. This activity will ensure that GRC teams have the practical guidance they need to assess their existing security measures against the impact of an attack and to clearly demonstrate adherence to Compliance requirements.

ISACA’s globally-recognized COBIT® framework, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Center for Internet Security (CIS) Critical Security Controls all list detailed cyber controls which can be mapped to specific techniques within the MITRE matrix. 

For example, CIS has a control called 3.10 "Encrypt Sensitive Data in Transit." This control is designed to protect data as it moves from one user to another. This particular control maps directly to the technique Remote Email Collection, where an exchange server can be used to collect user credentials for critical systems or acquire information about the network. By showing the secure configuration of the exchange server, users can prevent attackers from compromising their organizational systems. 

As the mapping effectively puts the security controls into the context of a breach, it becomes easier to communicate the importance of each process and control to the stakeholders who can provide the resources necessary to help mitigate the risk. A breach will cost $4.35 million? Money talks, folks.

What is next for ATT&CK?

MITRE’s stated goal is to provide the community with the tools and resources they need to leverage the information within the ATT&CK framework and to tailor the collected data to meet their cybersecurity needs. Their roadmap includes enhancements such as the introduction of Campaigns; additions and changes to Techniques, Software, and Groups; and data source and component changes. The MITRE ATT&CK framework is updated bi-annually and serves as an ongoing resource for security Compliance professions and the entire cybersecurity industry.

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.

Our latest news

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Non eget pharetra nibh mi, neque, purus.