Biology, zoology, and related sciences have a tool to help scientists around the world communicate with one another: scientific names. These scientific names, generally rooted in Latin, provide a common set of terms for animals, plants, virii, and other living things. When it comes to cybersecurity, though, things are a bit less rigorous, and creativity can be the enemy of precision. That's where the MITRE ATT&CK framework comes in.
At its heart, ATT&CK is a database of the tools and techniques hackers use to attack, damage, and disrupt computer operations. Displayed as a grid, ATT&CK shows the various stages of an attack and the tools that can be used for each one. It does so in a language that can be understood among researchers in different departments, on different continents, and who speak different languages.
Ryan Kovar, principal security strategist at Splunk, says he has seen companies around the world use ATT&CK in their security work. "The people who are using it now are taking the taxonomy from ATT&CK, changing it to meet their needs, and then using it to describe, across multiple teams, what's going on," he says.
The common language is critical, says Katie Nickels, MITRE threat intelligence lead. "The common framework can provide a way to talk about the threats among different groups and defenders," she says. "With the common language, it can be used for red teams to decide what they're going to be doing. They all kind of work together."
One of the points both Nickels and Kovar stress is how ATT&CK can be used by organizations of many different sizes. For example, Kovar says he worked with a small company in the Midwest whose CISO was concerned about APT10 targeting his organization. Using the ATT&CK framework, "I was able to show him the names people came up with for the group, what they did, and who they went after," Kovar says. "The CISO was able to take the information back to his board of directors and explain that APT10 was unlikely to target a company in their industry."
Different types of organizations use ATT&CK in different ways, Nickels says. Vendors tend to come at the framework from a tools point of view, while most companies will look at ways in which they can base operations on the framework. For those companies, she says, "You get the most power from ATT&CK when you use it across teams. You can use it on the detection team and then pass what they learn to the red team for testing, using the same language."
At Black Hat USA, Nickels and Kovar will present a briefing, "MITRE ATT&CK: The Play at Home Edition," during which they will show attendees how to use the framework in organizations of different sizes and types. Their goal is for attendees to "hit the ground running" when they get back from the conference.