MITRE ATT&CK definitionThe MITRE ATT&CK framework is a living, growing document of threat tactics and techniques that have been observed from millions of attacks on enterprise networks. The funky acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. It began as an internal project and morphed into this behemoth of a public knowledge base that numerous security vendors and consultants have picked up. (More on that in a moment.)The goal of the MITRE researchers is to break down and classify attacks in a consistent and clear manner that can make it easier to compare and contrast them to find how the attacker exploited your networks and endpoints and penetrated your network. To get a general idea of what ATT&CK is all about, watch the short video below that was\u00a0recorded at a recent BSides conference where one of the developers, Andy Applebaum, describes its origins and how it can be used in everyday operations. How to use MITRE ATT&CKAs adversaries get more skilled, defenders have to up their game too. By classifying attacks into discreet units, it\u2019s easier for researchers to see common patterns, figure out who authored different campaigns, and track how a piece of malware has evolved over the years as the author added new features and attack methods.While other tools can identify malware hashes and behaviors, ATT&CK is one of the more comprehensive methods that can look at the actual malware components and lay them out in detail. Most modern malware uses a combination of techniques to hide its operation, stage its exploits, evade detection, and leverage network weaknesses. Finding these various building blocks is a key part of defending against their perfidy.The CSO story \u201cHow to implement and use the MITRE ATT&CK framework\u201d goes into greater detail on using this popular template for building detection and response programs for your specific environment, including how to get started and narrowing the techniques to those that are most relevant to your organization and difficulty of exploitation.MITRE ATT&CK matrixThe first of ATT&CK\u2019s five matrices is a \u201cpre-attack\u201d collection of 17 different categories that help to prevent an attack before the adversary has a chance to get inside your network\u2014when an attacker is reconnoitering your domain, for example. The next three are collections for Windows, Mac, or Linux endpoints that cover a total of 169 different techniques. Finally, a fifth collection offers additional categories for mobile-based attacks.Each cell of these matrices contains a single tactic, such as forced authentication using Server Message Block (SMB) protocols and how a malware author can use this to gain entry to your network. The framework also contains information on recent malware that uses this technique (in this case, Dragonfly), the way you can detect it (monitor SMB traffic on the appropriate ports), and how you can mitigate its abuse (using egress filters to block SMB traffic).My short description really doesn\u2019t do the MITRE effort justice: If you dive deep enough into ATT&CK, you will find it incredibly rich and detailed, and perhaps overwhelming. It can also be used to fill in gaps of your own knowledge about exploits and malware techniques.MITRE ATT&CK improvementsA 2018 ATT&CK blog post describes some innovations made since ATT&CK was started in 2013 including:Combining the various threat matrices into a coherent single document (see graphic below)Hosting ATT&CK on a new wiki platform and making it easier to navigateDeveloping a new API that can make it easier to interact with ATT&CK using the STIX\/TAXII threat sharing schemasAdding better search capabilitiesCreating a governance committee to decide on future improvements, particularly as more private security vendors begin to offer ATT&CK-based enhancements and tools. MITREMITRE also uses the ATT&CK threat model to test various endpoint detection and prevention products. The first round of which was an adversary emulation of\u00a0APT3\/Gothic Panda. \u00a0ATT&CK integrated into VERISA recent development is a project to create a mapping and translation layer between Verizon's Vocabulary for Event Recording and Incident Sharing (VERIS) and ATT&CK. VERIS is a set of metrics that provides a common language to describe security incidents in a structured way. It is used in Verizon's Data Breach Investigations Reports to classify incidents.The goal of the integration is to allow incident analysis that combines the adversary behavior information that ATT&CK describes with the demographics and metadata from VERIS.\u00a0"The resulting mapping between VERIS and ATT&CK will allow cyber defenders to create a fuller and more detailed picture of cyber incidents, including the threat actor, technical behavior, assets targeted, and impact," wrote Jon Baker, director of research and development at MITRE Engenuity, and Richard Struse, director of the MITRE Engenuity Center for Threat-Informed Defense, in a blog post.The VERIS\/ATT&CK mapping is available on GitHub. For a more in-depth look at how the MITRE ATT&CK\/VERIS collaboration aims to create a common dictionary for communicating information about security incidents, see the CSO article \u201cMITRE ATT&CK, VERIS frameworks integrate for better incident insights.\u201dThird-party ATT&CK projectsThe real genius in ATT&CK is how others have embraced and extended its features. Here are just a few references to ongoing third-party projects:MITRE has its own testing tool based on ATT&CK called Caldera.Palo Alto Networks\u2019 Unit42 researchers have developed an adversary playbook based on the MITRE ATT&CK and STIX threat schemas.Endgame has developed a Red Team Automation tool that can create scripts for several dozen ATT&CK techniques for testing endpoint detection tools.Red Canary has its Atomic Red project, which contains a series of automated scripts to test many of the ATT&CK techniques.Uber\u2019s Metta project works with Vagrant and Virtual Box to create a series of test scripts for assembling ATT&CK-based playbooks.All the above tools are free and open source projects. Another tool that isn\u2019t free called AttackIQ FireDrill can script out more complex interactions to evaluate your network risk and vulnerabilities.Each tool has a somewhat different approach to interacting with ATT&CK, and we have done a comparative review of four open-source MITRE ATT&CK test tools that showcases their differences, how they are set up, and under what circumstances are they most useful. For example, the Palo Alto playbook is only relevant to exploring the OilRig malware, but it references more than 100 different indicators that cover 19 different ATT&CK techniques, showing exactly how complex a piece of malware it is. If you are interested in building out your red team capabilities, check out what MITRE has put together.