Get started: Threat modeling with the Mitre ATT&CK framework
The Mitre ATT&CK framework may seem daunting at first, but it is a key tool that helps SOC teams conduct threat modeling. Learn how to get started.
Security operations center teams can use the Mitre ATT&CK framework to help assess their organization's security posture and identify any vulnerabilities. With 14 adversarial tactics -- each tactic has between eight and 42 techniques, each with its own subtechniques -- the framework is daunting for new and experienced SOC teams alike.
"The biggest issue for SOCs is the Mitre ATT&CK framework is just so much information, which can be tough. It's a really good resource, but there is just so much info to parse," said Rebecca Blair, author and SOC manager at software company Toast Inc.
To help SOC teams of all maturity levels implement or reference the framework, Blair wrote Aligning Security Operations with the MITRE ATT&CK Framework. The book provides readers an understanding of what the Mitre ATT&CK framework offers and how to use the tactics, techniques and subtechniques to strengthen an organization's security posture.
The framework is especially important to learn because it is a common foundation for threat modeling, a key component of any modern cybersecurity program. Threat modeling involves identifying and understanding the different potential security risks a specific organization faces. Mitre provides an expansive knowledge center of tactics and techniques that SOC teams can use to model malicious attackers against, including privilege escalation, evasion and lateral movement.
Here, Blair explains more on the framework and its role in threat modeling.
More on Aligning Security Operations with the MITRE ATT&CK Framework
Check out an excerpt from Chapter 6 that provides an example SOC teams can follow to start mapping the Mitre ATT&CK framework to reduce their IT environment's attack surface.
Editor's note: The following interview has been edited for clarity and length.
Is the Mitre ATT&CK framework still difficult for SOC teams to implement?
Rebecca Blair: Yes and no. It seems like almost every single tool uses Mitre; it's something that's heavily referenced. That said, it can be overwhelming for teams to implement if they go for everything from the start. For example, I used to work as a government contractor, and compliance is very important -- you try and hit every single thing on your compliance sheet. Organizations often implement that same thinking with the Mitre ATT&CK framework, and it's just not realistic. The framework has actions and objectives, and it can be difficult to pick and choose which to use or map your security strategy against. The focus for most teams should be trying to optimize against Mitre to get the most bang for their buck.
How do you recommend SOC teams begin to implement the Mitre ATT&CK framework?
Blair: Start with doing the risk registry, which I recommend in Chapter 2 of Aligning Security Operations with the MITRE ATT&CK Framework. Understand where some of your issues are, and then begin mapping your security strategy toward the framework's techniques. With a risk registry in place, you can start determining how heavy your risk is. From there, use the Mitre ATT&CK framework as a reference guide to learn about different recommendations for risk mitigations.
How does the Mitre ATT&CK framework help SOC teams with threat modeling? Can SOCs of all maturity levels use it?
Blair: It really helps with the vulnerability identification side. You determine the vulnerabilities your organization has and map them to the framework's techniques. Mitre helps clarify the risks and provide contextual information. SOCs of all levels can use it, though your maturity level will determine where you start using the framework. Mitre is especially useful for SOCs just starting up -- ideally, you want to start your SOC the correct way from the beginning so you don't run the risk of having to start all over and do things right the second time. Use the Mitre ATT&CK framework as a guiding light. Use it to figure out the risk levels for your organization's current security measures, and then determine what mitigations need implementation.
How do you recommend SOCs use Mitre for threat modeling?
Blair: It depends on the tools your SOC has. For example, if you're a Splunk shop, you're probably already using Splunk Security Essentials, which has a framework built into it. But the Mitre ATT&CK framework has its own place to use alongside existing tools. For a lot of environments I've worked in, we've built a lot of the detection rules ourselves. From there, we'll have a case management system. Then, we'll use a ticketing system, such as ServiceNow or Jira, for alert notifications. In those tickets, we can have fields that capture the technique type or overall tactic to implement. We can then start capturing metrics based on what we're seeing and figure out what our higher-level threats are. An easy way to tie in threat modeling and the Mitre ATT&CK framework is to make SOC processes more applicable and even automate processes once set up.
How does the Mitre ATT&CK framework compare to threat models such as PASTA (Process for Attack Simulation and Threat Analysis) or STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privelege? Do you recommend using a second threat model alongside Mitre?
Blair: The Mitre ATT&CK framework is more applicable across the board for threat modeling. For example, STRIDE is primarily used within Windows environments, while Mitre can be used more widely. I use a hybrid threat model in my environments, using Mitre alongside another threat model, with VAST [Visual, Agile and Simple Threat] being a popular option. Depending on the environment, my SOC might use PASTA or STRIDE or even just use attack trees to complement Mitre. It can make sense to use more than one, but you can get away with using a single framework for threat modeling. It often comes down to budget. If you have the time and resources, it's more comprehensive to combine threat models.