This industry-standard framework offers value as a strategic planning tool for CISOs

Using the MITRE ATT&CK® framework for more than compliance

This industry-standard framework offers value as a strategic planning tool for CISOs

On a blue background, a white shield floats above a hand turned palm-up, symbolizing the MITRE ATT&CK® framework.

Editor’s Note: This blog entry was originally published on July 30, 2021, and was updated on September 9, 2022.

Compliance is not security.

While frameworks such as the NIST Cybersecurity Framework and ISO 27001 prioritize and standardize security best practices to help organizations earn and maintain compliance, they lack the practical, daily guidance chief information security officers (CISOs) need to accurately identify and evaluate whether their current security controls can defend against cyber threats.

For CISOs, trying to proactively prepare for unknown cyber threats means that securing funding for future security investments is essential. Communicating these metrics to the board, however, can be complicated and difficult.

CISOs have struggled in the past to properly identify and communicate the existing cyber security risk, typically sharing only metrics such as:

  • How many events did we work last quarter?
  • How many resulted in a breach/incident? Did we have any ransomware payments this month?
  • What is the current state of our network?

While these metrics are important, they do not properly capture the ability for an organization to prevent, detect, or respond to the latest attack trends. And without any context, this won’t mean much to your leadership. Enter the MITRE ATT&CK® framework.

What is the MITRE ATT&CK® framework?

The MITRE Corporation defines the MITRE ATT&CK® framework (also often stylized as the "mitre attck" or "mitre attack" framework), as follows: "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community."

It gives your teams a step-by-step playbook on the tactics, techniques, and procedures (TTP) a future attack may apply. These playbooks are a tremendous resource that can be leveraged by security teams to validate their capabilities, or to reveal areas that require improvement in mitigating controls.

Before, when an adversary attacked, the only way to determine their objective was based on institutional knowledge and gut instinct. And contrary to what we’d like to believe, our gut is not a reliable barometer to gauge cyber threats.

Mapping out the characteristics and specific tools used in an attack across the MITRE ATT&CK® framework helps your security operations center (SOC) team assess the current effectiveness of your existing security measures and the impact of the attack.

But rather than waiting for a potential attack, CISOs should encourage their teams to use the MITRE ATT&CK® framework as a granular approach to proactively and continuously build out and test your security measures against current cyber attack trends.

By using the matrix to help measure your team’s capabilities, you can justify training and investment decisions in a very defensible manner based on the detection gaps that you uncover, and you can track the performance of your team’s defensive posture against adversaries.

But a key piece of the puzzle is still missing: Without full visibility into your threat landscape, it’s hard to detect and track behaviors early in the intrusion cycle.

The MITRE ATT&CK® framework and IronNet Collective DefenseSM platform

While it’s easy for hackers to bypass signature-based detection mechanisms, their attack behaviors, tools, tactics, and procedures are very difficult for them to change, so a detection strategy focused on these behaviors remains the best way to improve threat detection and response times.

Because ATT&CK® is a constantly evolving open-source matrix, it helps uncover and reveal other attack groups that are coming into play, changes in attack infrastructure, and changes in TTPs as adversaries adjust their approach.

But to detect threats early enough, you need not only to have full visibility into your threat landscape and current security practices but also to know what’s happening within your industry. That’s where using the IronNet Collective DefenseSM platform, in conjunction with the MITRE ATT&CK® framework, can help.

The IronNet Collective Defense platform leverages advanced AI-driven network detection and response (NDR) capabilities to detect and prioritize anomalous activity inside individual enterprise network environments. The platform analyzes threat detections across the community to identify broad attack patterns and provides anonymized intelligence back to all community members in real time, giving all members early insight into potential incoming attacks.

Being able to see attack intelligence that has been shared in a secure and anonymous environment among companies across an industry sector can give CISOs a unique level of visibility — think of it as an early warning system — into attacks that may be heading their way. They can compare threat analysis notes with other security professionals and take action before damage is done.

By using the MITRE ATT&CK® framework as a starting point and combining it with the Collective Defense platform, you can show your board the value of a well-researched and versatile cybersecurity strategy.

MITRE ATT&CK White paper

About Ironnet
IronNet is dedicated to delivering the power of collective cybersecurity to defend companies, sectors, and nations. By uniting advanced technology with a team of experienced professionals, IronNet is committed to providing peace of mind in the digital world.