5 practical ways for a CISO
to use the MITRE ATT&CK® Framework

Aligning to frameworks such as the NIST Cybersecurity Framework and/or ISO 27001 is a sound approach for building or maturing a cybersecurity program. Yet a major gap remains: a structured way to identify current cyber threats and to evaluate whether the controls you have deployed will suffice to defend against them. The MITRE ATT&CK® Framework complements these programmatic frameworks by giving you a way to measure the effectiveness of your security capabilities against documented adversary behavior.

The MITRE ATT&CK® Framework:
Prescriptive support for your cyber risk assessment activities

The MITRE ATT&CK® Framework:
A more granular approach to clearly defining corporate risk

You can look to ATT&CK® to measure your team’s capabilities and to make training and investment decisions in a prescriptive manner, based on the detection gaps it reveals. Begin by proactively seeking practical answers during your annual third-party risk assessment activity:
What does the attack surface look like for other companies in my sector?
What real-world observations have been made regarding these threats?
Do I have the internal and external resources (people, processes, and technology) to respond to these specific threats?
How can I best detect the specific adversary techniques captured in the MITRE ATT&CK® Framework?
Will my current technology stack identify these threats by the behaviors they produce on the network, or only by known signatures and indicators of compromise?
How early in the intrusion cycle can the SOC team see such a threat?

Contact us to learn more about
IronNet’s advisory services for risk assessment.

USE CASE

Using the MITRE ATT&CK® Framework
to assess ability to defend against the group APT33

Using the MITRE ATT&CK® Framework, the security team can assess its capability to defend against nation-state threats such as APT33.
Visiting the APT33 page on the ATT&CK® site gives you a sense of the techniques and software the group uses; however, the real power of the site comes from the ATT&CK® Navigator.

From threat visualization
to capability assessment

In this format, you get a clear visualization of the techniques this group uses and where each one falls in the intrusion cycle. From there you can determine, technique by technique, whether you have the capability to detect these threats in your environment.
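As an added example (not IronNet's or MITRE's code), the script below turns a group's technique list and a detection inventory into an ATT&CK Navigator layer that colors each technique by coverage, lists the detection gaps, and reports the earliest tactic in the intrusion cycle at which the SOC would see the group. The technique list uses real ATT&CK IDs but is a constructed sample, not a verified APT33 mapping; the coverage map and the version numbers in the layer header are assumptions.

```python
"""Score a threat group's ATT&CK techniques by detection coverage and emit an
ATT&CK Navigator layer.  Added example; not IronNet or MITRE code.  The group
technique list and the coverage map are constructed for illustration: in
practice, take the techniques from the group's ATT&CK page (or the STIX
bundle) and the coverage levels from your own detection inventory."""
import json

# Enterprise matrix tactics in kill-chain order (the Navigator column order).
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]

# Coverage levels, used directly as Navigator scores.
NONE, IOC_ONLY, BEHAVIORAL = 0, 1, 2
COLORS = {NONE: "#ff6666", IOC_ONLY: "#ffe766", BEHAVIORAL: "#8ec843"}

# Constructed sample: (technique ID, name, tactic it is used in).  Real ATT&CK
# IDs, but NOT a verified mapping for APT33 or any other group.
GROUP_TECHNIQUES = [
    ("T1595",     "Active Scanning",                        "reconnaissance"),
    ("T1566.001", "Spearphishing Attachment",               "initial-access"),
    ("T1059.001", "PowerShell",                             "execution"),
    ("T1053.005", "Scheduled Task",                         "persistence"),
    ("T1110.003", "Password Spraying",                      "credential-access"),
    ("T1046",     "Network Service Scanning",               "discovery"),
    ("T1021.001", "Remote Desktop Protocol",                "lateral-movement"),
    ("T1571",     "Non-Standard Port",                      "command-and-control"),
    ("T1048",     "Exfiltration Over Alternative Protocol", "exfiltration"),
    ("T1486",     "Data Encrypted for Impact",              "impact"),
]

# Constructed detection inventory: technique ID -> coverage level.  Anything
# missing here is treated as undetected.
DETECTION_COVERAGE = {
    "T1566.001": IOC_ONLY,    # mail gateway hash/URL blocklist only
    "T1059.001": BEHAVIORAL,  # script-block logging analytic
    "T1110.003": BEHAVIORAL,  # many-accounts / one-password auth analytic
    "T1021.001": BEHAVIORAL,  # new RDP source/destination pair analytic
    "T1571":     BEHAVIORAL,  # protocol/port mismatch analytic
}


def score_techniques(techniques, coverage):
    """One Navigator technique entry per (technique, tactic) pair."""
    entries = []
    for tid, name, tactic in techniques:
        level = coverage.get(tid, NONE)
        entries.append({
            "techniqueID": tid,
            "tactic": tactic,           # places the cell in the right column
            "score": level,
            "color": COLORS[level],
            "comment": f"{name}: coverage level {level}",
        })
    return entries


def coverage_by_tactic(techniques, coverage):
    """Map each tactic the group uses to (detected, total) technique counts."""
    stats = {}
    for tid, _, tactic in techniques:
        detected, total = stats.get(tactic, (0, 0))
        stats[tactic] = (detected + (coverage.get(tid, NONE) > NONE), total + 1)
    return stats


def earliest_detection_tactic(techniques, coverage):
    """First tactic in kill-chain order with any detected technique, else None."""
    stats = coverage_by_tactic(techniques, coverage)
    for tactic in TACTIC_ORDER:
        if stats.get(tactic, (0, 0))[0]:
            return tactic
    return None


def detection_gaps(techniques, coverage):
    """Technique IDs the group uses that nothing currently detects."""
    return [tid for tid, _, _ in techniques if coverage.get(tid, NONE) == NONE]


def build_layer(name, techniques, coverage):
    """Assemble a Navigator layer dict (load via 'Open Existing Layer')."""
    return {
        "name": name,
        # Version strings are assumptions; match them to your Navigator instance.
        "versions": {"layer": "4.4", "navigator": "4.8.0", "attack": "12"},
        "domain": "enterprise-attack",
        "description": "Group techniques scored by detection coverage "
                       "(0 none, 1 IOC-only, 2 behavioral)",
        "techniques": score_techniques(techniques, coverage),
        "gradient": {"colors": [COLORS[NONE], COLORS[IOC_ONLY], COLORS[BEHAVIORAL]],
                     "minValue": NONE, "maxValue": BEHAVIORAL},
        "legendItems": [
            {"label": "No detection", "color": COLORS[NONE]},
            {"label": "Signature/IOC only", "color": COLORS[IOC_ONLY]},
            {"label": "Behavioral analytic", "color": COLORS[BEHAVIORAL]},
        ],
        "hideDisabled": False,
    }


def layer_to_json(layer):
    """Serialize the layer in the form the Navigator imports."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Sample group coverage", GROUP_TECHNIQUES, DETECTION_COVERAGE)
    print(layer_to_json(layer))
    print("gaps:", detection_gaps(GROUP_TECHNIQUES, DETECTION_COVERAGE))
    print("earliest detection:", earliest_detection_tactic(GROUP_TECHNIQUES, DETECTION_COVERAGE))
```

Load the printed JSON with the Navigator's Open Existing Layer option; the red cells are the gaps to take into the training and investment decisions described above, and the earliest-detection tactic answers the question of how far "left of boom" the SOC would first see the group.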

See the “Using the MITRE ATT&CK® Framework”
white paper for suggested next steps.

ebook: 5 practical ways for a CISO to use the MITRE ATT&CK® Framework

Discover how to use ATT&CK® to measure your team’s defense capabilities, both at baseline and over time in relation to threat trends.

Consulting the MITRE ATT&CK® Framework
to increase your visibility of the threat landscape

The risk assessment exercise often reveals that network detection and response (NDR) capabilities are missing from an otherwise robust cybersecurity program.
IronNet’s IronDefense NDR solution provides advanced analytics to detect sophisticated threats that have infiltrated your network. By understanding adversaries’ TTPs, you can stop them “left of boom” and better defend “right of boom” for faster response.

NDR platforms are especially effective at detecting the network-visible techniques in the ATT&CK® matrix. For example, the following snapshot shows how IronNet's IronDefense analytics map to the matrix, listed by tactic:

ATT&CK Tactic and Techniques/Sub-Techniques

Reconnaissance
  • Spearphishing Link
  • Active Scanning
Resource Development
  • Compromise Infrastructure: Domains
  • Compromise Infrastructure: Botnet
Initial Access
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • External Remote Services
  • Spearphishing Attachment
  • Spearphishing Link
  • Spearphishing via Service
  • Trusted Relationship
  • Valid Accounts
Execution
  • PowerShell
  • Scheduled Task
  • Command and Scripting Interpreter
  • Service Execution
  • Software Deployment Tools
  • User Execution
  • Windows Management Instrumentation
Persistence / Privilege Escalation
  • BITS Jobs
  • Browser Extensions
  • Scheduled Task
  • Web Shell
  • Traffic Signaling: Port Knocking
  • Valid Accounts
Defense Evasion
  • BITS Jobs
  • Signed Binary Proxy Execution: Compiled HTML File
  • Disable Security Tools
Credential Access
  • Brute Force
  • Forced Authentication
  • LLMNR / NBT-NS Poisoning and Relay
  • Kerberoasting
Discovery
  • Network Service Scanning
  • Network Share Discovery
  • Remote System Discovery
  • System Information Discovery
  • System Network Configuration Discovery
  • System Network Connections Discovery
  • System Owner / User Discovery
  • System Service Discovery
Lateral Movement
  • Distributed Component Object Model
  • Exploitation of Remote Services
  • Pass the Hash
  • Pass the Ticket
  • Remote Desktop Protocol
  • Windows Remote Management
  • Software Deployment Tools
  • Remote Services
  • Windows Admin Shares
Collection
  • Automated Collection
  • Data from Network Shared Drive
  • Data Staged
  • Man in the Browser
Command and Control
  • Non-Standard Port
  • Non-Application Layer Protocol
  • Encrypted Channel: Asymmetric Cryptography
  • Data Encoding
  • Data Obfuscation
  • Domain Generation Algorithms
  • Fallback Channels
  • Multi-Stage Channels
  • Remote File Copy
  • Application Layer Protocol
  • Connection Proxy
  • Domain Fronting
Exfiltration
  • Automated Exfiltration
  • Data Transfer Size Limits
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over C2 Channel
  • Exfiltration Over Other Network Medium
  • Exfiltration Over Physical Medium
  • Scheduled Transfer
Impact
  • Data Encrypted for Impact
  • Endpoint Denial of Service
  • Network Denial of Service
  • Resource Hijacking
  • Transmitted Data Manipulation
Connect with IronNet

to discover how to use IronDefense behavioral analytics to close the weak spots revealed in your MITRE ATT&CK® Framework assessment exercises.