MITRE: To test and gain confidence in MSSPs, use ATT&CK framework

Companies have greater confidence in their own security teams than in MSSPs, according to a new survey. To better evaluate service provider capabilities, companies can apply techniques used by the ATT&CK (adversarial tactics, techniques, and common knowledge) assessment framework to MSSPs, MITRE says.


Enterprises have a substantially lower level of confidence in their MSSP (managed security services provider) support than they do in their in-house capabilities, according to a recent survey commissioned by R&D foundation MITRE Engenuity.

To address these concerns, the organization — part of MITRE, a not-for-profit corporation that operates federally funded research facilities focusing on safety and security — has a recommendation. To better evaluate and gain a sense of confidence in service providers' capabilities, MITRE says, companies should apply the ATT&CK (adversarial tactics, techniques, and common knowledge) security evaluation framework, often used for endpoint vendor assessment, to MSSPs.

To that end, MITRE has come out with an open-source threat intel platform, MITRE ATT&CK Evaluation for Managed Security Services, an extension to the existing MITRE ATT&CK evaluations program, intended to zoom in on what it calls the "people responsible for keeping us secure."

To understand how companies use managed security services, MITRE Engenuity commissioned a survey conducted by Cybersecurity Insiders — a global online community of cybersecurity professionals. The survey polled 311 IT security professionals in industries including technology, healthcare, retail, government, and finance.

While 68% of the respondents used MSSP/MDR (managed detection and response), almost half (47%) expressed low confidence in managed services technology and people, according to the survey. Moreover, 44% confirmed lack of confidence in managed services security processes.

Companies trust in-house staff more than MSSPs

“Based on the results of this survey, it is clear that the participants’ level of confidence in their managed services is much lower compared to their in-house security people and technology, in which 78% reported feeling confident,” said Holger Schulze, CEO of Cybersecurity Insiders, in a press release.

Sixty-five percent of the respondents confirmed they use a "threat-informed" defense approach to their security efforts, tapping knowledge databases of adversary techniques and technology to protect against cyberattacks, and about two-thirds of those use ATT&CK evaluations to assess their endpoint vendor decisions, according to the report.

A major chunk of the participants have adopted offensive testing approaches while onboarding security technology. Among these, 39% use breach and attack simulation tools, 34% turn to external red teaming services, and 30% stick with in-house red teaming. Red teaming refers to the process of simulating the entire life cycle of a real-world cyberattack.

While 59% of respondents used offensive testing in the selection process for products, only 53% used this type of testing for services.

A more "alarming" finding, according to the survey report, is that 28% of respondents follow a “no news is good news” approach to validating their security performance, rather than engaging in offensive testing.

Though survey respondents expressed more confidence in their own security teams than in third-party service providers, they also conveyed doubts about their in-house teams. Forty-two percent of those polled named lack of training as one of the key reasons for their lack of confidence in the security capabilities of their own organizations. Thirty-eight percent and 35% pinned their doubts on inefficient hiring and lack of technology, respectively.

MITRE offers ATT&CK evaluation for MSSPs

Noting the lack of confidence in managed service providers, issues with in-house security teams, and the high percentage of organizations that do not do offensive testing of either security products or MSSPs, the report suggests that organizations need to adopt informed evaluation processes for managed services.

“The ATT&CK Evaluations for Managed Services will be trying to showcase how any given participant addresses the threat,” says Frank Duff, MITRE Engenuity's general manager of ATT&CK Evaluations.

The evaluation framework comprises multiple test scenarios that can be applied to managed services, assessing how they respond. According to Duff, the data obtained through the new ATT&CK capability will provide users with information to review and decide whether the service in question is right for them in terms of context, form, scale and efficiency.

"In the results, we will describe what threat we emulated, what techniques we executed and how, and what context the vendor did or did not provide around that behavior. We will show their results that they provided to us as if we were one of their customers," Duff says.

Copyright © 2022 IDG Communications, Inc.
