
Compliance Teams: How to Use The MITRE ATT&CK Framework to Your Advantage

Kerwyn Velasco
March 28, 2024

It’s enterprise organizations vs. the Big Bad Hackers, and the news is not good. During Q3 2022, approximately 15 million data breaches were reported worldwide. Ouch. IBM reports that it takes an average of 287 days for an enterprise to uncover a data breach and then another 80 days to contain it. The damage done in these extended timelines results in the average data breach costing an enterprise $4.35 million (and 2x that number if your business happens to be based in the US). Double ouch.

It's not that enterprises aren’t investing in cybersecurity. They are. To the tune of $460 billion by 2025, according to the global cybersecurity company Kaspersky. But despite this spending, organizations lack the practical guidance to accurately assess whether their current security controls can mitigate cyber threats. And that’s where the MITRE ATT&CK Framework comes in.


What is The MITRE ATT&CK Framework, and Why is it Relevant to Security Compliance Teams?

MITRE ATT&CK® is a globally-accessible knowledge base of tactics, techniques, and procedures used by hackers to carry out their malicious activities. The MITRE ATT&CK framework was created in 2013 using real-world observations with the goal of helping enterprise networks improve post-breach detection. Today, ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is offered free of charge and used to help classify the purpose and type of cyberattacks, and assess an organization's risk. Security Compliance teams use the framework to uncover security gaps and determine which mitigations are necessary.

What Are The Components of the ATT&CK Framework?

The MITRE ATT&CK framework contains a matrix of techniques used by hackers to accomplish a specific cyber-objective, referred to as a tactic. For example, to achieve the tactic of Exfiltration (stealing data), the hacker may use one of several listed techniques, such as using an Alternate Protocol, Bluetooth, or an existing C2 Channel. To gain Initial Access, the threat actors may choose to achieve this using the technique of Drive-By Compromise, Phishing, or Exploiting a Public-Facing Application. Other tactics included in the matrix are Reconnaissance for collecting information; Persistence for gaining a foothold in the network; Privilege Escalation for accessing higher-level permissions; Credential Access for stealing passwords and account names; and Impact for destroying, manipulating, or interrupting enterprise data. In all, the October 2022 version of MITRE ATT&CK for Enterprise contains 14 tactics, 193 techniques, 401 sub-techniques, and 718 pieces of software. The matrix also lists 135 known threat actor groups and 14 of their campaigns, which are defined as “any grouping of intrusion activity conducted over a specific period of time with common targets and objectives.”

Examples of known cyber espionage campaigns: 

[Figure: examples of known cyber espionage campaigns. Source: MITRE ATT&CK for Enterprise, 2022]

MITRE ATT&CK also lists Procedures, which are the technical steps hackers use to carry out the technique, as well as Mitigations, which are security technologies and activities that an enterprise can use to prevent a hacker from successfully executing a technique. Examples of mitigations are Data Backup, Antivirus Protection, Network Segmentation, and User Account Control.

How to Use the MITRE ATT&CK Framework in the Compliance Arena

As MITRE raises awareness about attack methodologies by classifying its framework into tactics, techniques, and even sub-techniques, Compliance teams can learn how to use the MITRE ATT&CK framework to proactively evaluate and optimize their cybersecurity posture. Using this matrix, they can reactively identify the routes the attacker will go through to compromise an organization. This awareness allows them to ask tough questions like: 

  • Do we have the required capabilities? 
  • Could we be using MITRE ATT&CK in threat hunting and detection? 
  • Are there areas that need improvement to secure against threats? 
  • Can we be measuring and improving cyber defense using the MITRE ATT&CK framework?   

Organizations can gain these important insights by mapping their existing vaguely-worded processes and controls to MITRE’s clearly-defined tactical safeguards and countermeasures. Discovering how to use the MITRE ATT&CK framework effectively will ensure that GRC teams have the practical guidance they need to assess their existing security measures against the impact of an attack and to clearly demonstrate adherence to Compliance requirements.

What is MITRE ATT&CK in Cyber Security?

ISACA’s globally-recognized COBIT® framework, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Center for Internet Security (CIS) Critical Security Controls all list detailed cyber controls which can be mapped to specific techniques within the MITRE matrix. 

For example, CIS has a control called 3.10 "Encrypt Sensitive Data in Transit." This control is designed to protect data as it moves from one user to another. This particular control maps directly to the technique Remote Email Collection, where an Exchange server can be used to collect user credentials for critical systems or acquire information about the network. By showing the secure configuration of the Exchange server, users can prevent attackers from compromising their organizational systems.
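The mapping exercise described above can be run as a small gap analysis. The following is an added example, not code from anecdotes or MITRE: it covers only the techniques this article names, takes the CIS 3.10 mapping from the article, and treats the `LOCAL-*` controls, their mappings, and the `T9999` entry as constructed placeholders.

```python
from collections import defaultdict

# Techniques named in the article, keyed by ATT&CK ID -> (tactic, name).
TECHNIQUES = {
    "T1189": ("Initial Access", "Drive-by Compromise"),
    "T1566": ("Initial Access", "Phishing"),
    "T1190": ("Initial Access", "Exploit Public-Facing Application"),
    "T1048": ("Exfiltration", "Exfiltration Over Alternative Protocol"),
    "T1011.001": ("Exfiltration", "Exfiltration Over Bluetooth"),
    "T1041": ("Exfiltration", "Exfiltration Over C2 Channel"),
    "T1114.002": ("Collection", "Remote Email Collection"),
}

# Constructed control inventory. Only the CIS 3.10 mapping comes from the
# article; the LOCAL-* controls and their mappings are hypothetical.
CONTROLS = [
    {"id": "CIS 3.10", "implemented": True, "techniques": ["T1114.002"]},
    {"id": "LOCAL-01", "implemented": True, "techniques": ["T1566", "T1189"]},
    {"id": "LOCAL-02", "implemented": False, "techniques": ["T1190", "T1041"]},
    {"id": "LOCAL-03", "implemented": True, "techniques": ["T1048", "T9999"]},
]

def coverage_report(controls, techniques):
    """Return (per-tactic [covered, total], uncovered IDs, unknown IDs)."""
    covered, unknown = set(), set()
    for ctrl in controls:
        for tid in ctrl["techniques"]:
            if tid not in techniques:
                unknown.add(tid)      # stale or mistyped mapping entry
            elif ctrl["implemented"]:
                covered.add(tid)      # planned-only controls do not count
    per_tactic = defaultdict(lambda: [0, 0])  # tactic -> [covered, total]
    for tid, (tactic, _name) in techniques.items():
        per_tactic[tactic][1] += 1
        per_tactic[tactic][0] += tid in covered
    gaps = sorted(set(techniques) - covered)
    return dict(per_tactic), gaps, sorted(unknown)

if __name__ == "__main__":
    tactics, gaps, unknown = coverage_report(CONTROLS, TECHNIQUES)
    for tactic, (have, total) in tactics.items():
        print(f"{tactic}: {have}/{total} techniques have an implemented control")
    for tid in gaps:
        print(f"GAP {tid} {TECHNIQUES[tid][1]}")
    print("Unknown technique IDs in mappings:", unknown)
```

Controls that are mapped but not yet implemented are deliberately excluded from coverage, so the gap list reflects what is actually in place rather than what is documented.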

Using best practices for MITRE ATT&CK mapping will effectively put the security controls into the context of a breach, and make it easier to communicate the importance of each process and control to the stakeholders who can provide the resources necessary to help mitigate the risk. A breach will cost $4.35 million? Money talks, folks.

What is the MITRE ATT&CK Framework's Next Step?

MITRE’s stated goal is to provide the community with the tools and resources they need to leverage the information within the ATT&CK framework and to tailor the collected data and resources for creating a cybersecurity Compliance program to meet their cybersecurity needs. Their roadmap includes enhancements such as the introduction of Campaigns; additions and changes to Techniques, Software, and Groups; and data source and component changes. The MITRE ATT&CK framework is updated bi-annually and serves as an ongoing resource for security Compliance professionals and the entire cybersecurity industry.

If you’re looking for Compliance masters who know how to use the MITRE ATT&CK framework inside out, anecdotes is here to help. We’re a little OCD when it comes to Compliance, but with $4.35 million at stake, we think that’s perfectly okay.

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.