Know your enemy and yourself: MITRE ATT&CK and D3FEND
Sun Tzu wrote in The Art of War:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
How can the humble CISO know themself? How can the defender truly know their organisation’s preparedness for the next battle? How can a budding CISO-general know their enemy so they can lead effectively? How can security leaders understand the tools, techniques and procedures used by their likely adversaries so they can protect their organisation from attack? Enter MITRE ATT&CK and MITRE D3FEND. In this article, we will look at how a CISO can use the MITRE ATT&CK and D3FEND frameworks to learn more about their enemies and combine that with what they know about themselves…and win every battle!
What are MITRE ATT&CK & MITRE D3FEND?
MITRE ATT&CK, to use MITRE’s own words, is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. It is currently at version 10.
The framework looks at cybersecurity through the eyes of the hackers and hacker groups rather than through the eyes of the defenders. What makes the framework particularly useful is the way these hacker tools, techniques and procedures (TTPs) are presented: in the form of expandable matrices. This enables the reader to quickly drill down to a specific technique without getting lost in the weeds.
MITRE D3FEND on the other hand, again using their own words, is a knowledge base, but more specifically a knowledge graph, of cybersecurity countermeasure techniques. In the simplest sense, it is a catalogue of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardise the vocabulary used to describe defensive cybersecurity technology functionality.
In a similar way to ATT&CK, D3FEND is presented in a concise matrix. It is however worth noting the D3FEND matrix is not as mature as the ATT&CK matrix and is still in beta. But like the ATT&CK matrices, D3FEND is highly technical in nature. It’s not for the faint hearted!
How can a CISO use the MITRE ATT&CK framework?
The main use case is visibility! The MITRE ATT&CK and D3FEND frameworks can provide a CISO with a significant level of visibility of their cybersecurity defences in a very concise way. Plug a system’s controls into D3FEND and you will get an output of the ATT&CK TTPs that those controls should mitigate.
Let’s look at a real world example. Let’s say you implement Multi-Factor Authentication (MFA) for a business application. What ATT&CK techniques will this mitigate? At a high level you can see that MFA could aid in preventing a hacker gaining initial access into your application. Should they gain some initial level of access, MFA could help prevent such access becoming persistent. Should they gain access to a non-MFA enabled account, the control could perhaps mitigate against privilege escalation. Simple!
Another use case is risk assessment. In a similar way to the visibility use case, the matrices can be used to assess the risk of a system’s controls. If an organisation is looking to purchase an application from a third party, or develop something in house, the ATT&CK matrix can be used to identify the most likely attack vectors. The D3FEND matrix can then be used to inform which defensive controls would be the most appropriate. Where there are gaps, this can form the basis for discussion between vendor and purchaser, where both parties are speaking the same language! Win-Win!
A CISO can also use these matrices to assess the logging and monitoring requirements for their Security Operations Centre (SOC). Say you’re particularly concerned about someone gaining access to your cloud accounts and giving themselves Global Admin rights. You can drill down and MITRE will tell you exactly what to look for:
“Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.”
Boom! We’re cooking on gas!
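The detection guidance quoted above (collect role-assignment events from cloud admin accounts, flag unusual assignments, and alert when the admin roster grows past a known threshold) is concrete enough to turn into a rule. The following is an added example, not code from the article or from MITRE: it runs that logic over a handful of constructed audit-log lines. The log format, the roster of known admins, the list of accounts approved to change role membership and the threshold are all assumptions made for the illustration.

```python
import json

# Constructed sample of cloud admin audit events (not real logs). One JSON
# object per line, in the general shape a tenant audit-log export might use
# (the field names are an assumption for this example).
SAMPLE_LOG = """
{"ts": "2022-03-01T08:02:11Z", "actor": "alice@example.com", "action": "AddRoleMember", "role": "Global Administrator", "target": "bob@example.com"}
{"ts": "2022-03-01T09:15:40Z", "actor": "alice@example.com", "action": "RemoveRoleMember", "role": "Global Administrator", "target": "carol@example.com"}
{"ts": "2022-03-02T23:47:03Z", "actor": "svc-backup@example.com", "action": "AddRoleMember", "role": "Global Administrator", "target": "mallory@example.com"}
{"ts": "2022-03-02T23:48:10Z", "actor": "svc-backup@example.com", "action": "AddRoleMember", "role": "Global Administrator", "target": "trent@example.com"}
{"ts": "2022-03-03T10:00:00Z", "actor": "alice@example.com", "action": "UpdateUser", "role": null, "target": "dave@example.com"}
"""

# The organisation's approved Global Admin roster (constructed).
KNOWN_ADMINS = {"alice@example.com", "bob@example.com", "carol@example.com"}
# Accounts approved to change admin role membership (constructed).
APPROVED_ROLE_CHANGERS = {"alice@example.com"}
ADMIN_ROLE = "Global Administrator"
# "A certain threshold of known admins", per the ATT&CK detection guidance.
MAX_ADMINS = 3


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_admin_role_abuse(events, known_admins, approved_changers, max_admins):
    """Replay role-membership events for the admin role and raise alerts.

    Returns (alerts, final_admin_roster). Each alert is a tuple whose first
    element names the rule that fired:
      unapproved_actor     - role changed by an account not approved to do so
      unknown_admin_added  - a principal outside the known roster gained the role
      admin_count_exceeded - the live roster grew beyond max_admins
    """
    admins = set(known_admins)
    alerts = []
    for ev in events:
        if ev.get("role") != ADMIN_ROLE:
            continue  # only role-membership changes for the admin role matter here
        if ev["action"] == "AddRoleMember":
            if ev["actor"] not in approved_changers:
                alerts.append(("unapproved_actor", ev["ts"], ev["actor"], ev["target"]))
            if ev["target"] not in known_admins:
                alerts.append(("unknown_admin_added", ev["ts"], ev["actor"], ev["target"]))
            admins.add(ev["target"])
            if len(admins) > max_admins:
                alerts.append(("admin_count_exceeded", ev["ts"], ev["actor"], len(admins)))
        elif ev["action"] == "RemoveRoleMember":
            admins.discard(ev["target"])
    return alerts, admins


if __name__ == "__main__":
    found, roster = detect_admin_role_abuse(
        parse_events(SAMPLE_LOG), KNOWN_ADMINS, APPROVED_ROLE_CHANGERS, MAX_ADMINS
    )
    for alert in found:
        print(alert)
    print("admin roster after replay:", sorted(roster))
```

On the sample data the first event is benign (an approved actor re-adding a known admin), the removal shrinks the roster, and the two late-night additions by the service account trigger the unapproved-actor and unknown-admin rules, with the second one also pushing the roster over the threshold. In a real SOC the known roster and the approved changers would come from the identity system rather than a hard-coded set, and the threshold would be reviewed whenever the legitimate admin population changes.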
The final use case I want to highlight is validating cyber security Return on Investment (ROI). I’ve spoken about ROI in previous articles as something a CISO should be continually monitoring, but how could the ATT&CK and D3FEND matrices support ROI measurement? Essentially the frameworks can support ROI measurement in two ways. Firstly, by overlaying the capabilities of your current tooling onto D3FEND and then identifying how much protection each tool provides. It can be quite eye-opening to see how little some of these expensive tools protect! Secondly, when assessing the need for new capabilities. Say a sales guy comes in and tries to sell you some piece of all-singing and all-dancing kit. You can now overlay that capability against your current toolset and truly see whether it closes a gap or is just duplication of something you already have in place…or conversely, the new tool may even be a cheaper alternative or provide more coverage for the same outlay! The point is, the decision will be informed by data rather than how pretty the interface looks or how many freebies are dished out at a conference!
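The visibility and risk-assessment use cases (map a system's controls to the techniques they should mitigate, then compare against the likely attack vectors) and the ROI use case (overlay each current tool and each proposed tool to see what it uniquely protects, what it merely duplicates and which gaps remain) are all the same set operation over a "defensive technique counters offensive technique" table. The example below is added here and is not code from the article or from MITRE; it uses a hand-picked, simplified table whose shape mirrors D3FEND's counters relationship but whose rows are constructed for illustration rather than taken from the official graph. The tool names, the threat model and the mapping are assumptions.

```python
# Constructed, simplified "counters" relationships: defensive technique ->
# ATT&CK technique IDs it counters. Same shape as the D3FEND knowledge graph,
# but these rows are illustrative, not the official mapping.
COUNTERS = {
    "Multi-factor Authentication": {"T1078", "T1110", "T1098"},  # Valid Accounts, Brute Force, Account Manipulation
    "Strong Password Policy": {"T1110"},                          # Brute Force
    "Network Traffic Analysis": {"T1071", "T1048"},               # Application Layer Protocol, Exfiltration Over Alternative Protocol
    "File Analysis": {"T1204", "T1566"},                          # User Execution, Phishing
    "Local Account Monitoring": {"T1136", "T1098"},               # Create Account, Account Manipulation
}

# Which defensive techniques each tool in the current estate implements (constructed).
CURRENT_TOOLS = {
    "IdP with MFA": {"Multi-factor Authentication", "Strong Password Policy"},
    "Email gateway": {"File Analysis"},
    "Legacy password auditor": {"Strong Password Policy"},
}

# Likely attack vectors for the system under assessment, picked from ATT&CK (constructed).
THREAT_MODEL = {"T1078", "T1110", "T1566", "T1098", "T1071", "T1048", "T1136"}


def techniques_countered(defensive_techniques, counters=COUNTERS):
    """ATT&CK techniques countered by a set of defensive techniques."""
    out = set()
    for d in defensive_techniques:
        out |= counters.get(d, set())
    return out


def estate_coverage(tools, counters=COUNTERS):
    """Union of ATT&CK techniques countered by every tool in the estate."""
    return set().union(*(techniques_countered(t, counters) for t in tools.values()))


def coverage_gaps(threat_model, tools, counters=COUNTERS):
    """Threat-model techniques that no current tool counters."""
    return set(threat_model) - estate_coverage(tools, counters)


def unique_contribution(tools, counters=COUNTERS):
    """Per tool, the techniques only that tool counters. An empty set means pure duplication."""
    per_tool = {name: techniques_countered(d, counters) for name, d in tools.items()}
    result = {}
    for name, covered in per_tool.items():
        others = set().union(*(c for n, c in per_tool.items() if n != name))
        result[name] = covered - others
    return result


def assess_candidate(candidate_techniques, threat_model, tools, counters=COUNTERS):
    """Overlay a proposed tool on the current estate: what it closes, what it duplicates."""
    already = estate_coverage(tools, counters)
    new = techniques_countered(candidate_techniques, counters)
    return {
        "closes": (new & set(threat_model)) - already,
        "duplicates": new & already,
        "outside_threat_model": (new - set(threat_model)) - already,
    }


if __name__ == "__main__":
    print("gaps in current estate:", sorted(coverage_gaps(THREAT_MODEL, CURRENT_TOOLS)))
    for tool, only_here in unique_contribution(CURRENT_TOOLS).items():
        print(f"{tool}: unique coverage {sorted(only_here) or 'NONE (duplicate)'}")
    for name, techs in {"Shiny NDR box": {"Network Traffic Analysis"},
                        "Account monitor": {"Local Account Monitoring"},
                        "Password vault": {"Strong Password Policy"}}.items():
        print(name, assess_candidate(techs, THREAT_MODEL, CURRENT_TOOLS))
```

With the constructed estate, the legacy password auditor contributes nothing the IdP does not already cover, the three remaining gaps are network-layer techniques and account creation, and of the three candidate purchases only the network analysis tool closes gaps without duplication. Substituting the real D3FEND counters relationships and your own tool inventory turns this into the data-driven overlay the article describes.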
Victorious warriors win first and then go to war…
So there you have it, a number of ways you can use the MITRE ATT&CK and D3FEND frameworks to learn more about yourself and your adversaries. Go forth into battle already knowing how to win the war…and if you need help with your battle strategy, get in contact with the cyber warriors at Fox Red Risk!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.