MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK offers a common taxonomy for offense and defense, serving as a valuable tool across cybersecurity to convey threat intelligence, conduct red teaming, and strengthen network and system defenses.
Through our Software Compliance Testing service for MITRE ATT&CK®, we assess and test vendors’ software solutions to ensure they support MITRE ATT&CK® mitigations. After a thorough evaluation, we feature these solutions on our website.
Compliance Testing for MITRE ATT&CK® relies on credible, objective testing controls based on the intent of MITRE ATT&CK® mitigations. This approach incorporates insights from consultants’ perspective, and various specialists, including affected software vendors, developers, users, and industry groups, to align with organizational needs. MITRE ATT&CK® compliance testing controls cover the following software controls categories:
Initial Access: This tactic covers techniques adversaries use to gain initial access to a system, which could be an application or DevOps tool.
Execution: This tactic involves techniques that result in the execution of adversary-controlled code, which could target applications or DevOps environments.
Persistence: Adversaries may try to persist within applications or DevOps environments using various techniques.
Privilege Escalation: Gaining higher privileges within applications or DevOps environments can give adversaries greater control and access.
Defense Evasion: Adversaries may employ techniques to evade defenses within application or DevOps environments, such as disabling security monitoring.
Credential Access: Obtaining credentials, such as API keys or access tokens, is crucial for adversaries targeting applications and DevOps environments.
Discovery: Adversaries may perform reconnaissance activities within applications and DevOps environments to gather information about their target.
Lateral Movement: Moving between different applications, systems, or environments, especially those used in DevOps, allows adversaries to expand their access.
Collection: Gathering sensitive data from applications or DevOps environments, such as source code or customer data, is often a key objective for adversaries.
Command and Control: Establishing and maintaining communication channels with compromised applications or DevOps environments allows adversaries to control them remotely.
Exfiltration: Adversaries may try to steal data from appications or DevOps environments, exfiltrating it to external systems.
Impact: Disrupting or denying access to applications and DevOps environments can significantly impact an organization’s operations and revenue.
Discovery: Adversaries may attempt to identify and enumerate assets within a target network. This information can be used to identify valuable targets and plan further attacks. Techniques such as “Network Service Scanning” (T1046) are relevant in this context.
Reconnaissance: Understanding how attackers gather information about an organization is crucial for raising awareness among employees and developing effective security training programs.
Social Engineering: Educating employees about social engineering techniques, such as phishing and pretexting, can help prevent initial access.
Phishing: This technique, often used for initial access, highlights the importance of training employees to identify and report suspicious emails and links.
Data Backup: This is a crucial mitigation technique against ransomware attacks, which often target backups to prevent recovery. Organizations should have robust backup and recovery processes to restore data in case of an attack.
Impact: The “Data Destruction” technique within the Impact tactic emphasizes the importance of backup and recovery mechanisms. Adversaries may aim to destroy data, making recovery difficult without backups.
Defense Evasion: Adversaries may try to evade audit and compliance controls. It’s essential to consider how attackers might try to cover their tracks or manipulate logs to avoid detection during audits.
Collection: This tactic focuses on gathering sensitive data, highlighting the need for strong data security controls to prevent unauthorized access and exfiltration.
Exfiltration: Adversaries may try to steal sensitive data and exfiltrate it from the network, emphasizing the need for data loss prevention measures and egress filtering.
Data Encrypted for Impact: This technique, part of the Impact tactic, highlights the importance of data security measures. Adversaries may encrypt data to disrupt operations or extort ransoms, emphasizing the need for strong encryption and access controls.
Initial Access: Protecting endpoints and devices from unauthorized access is crucial for preventing initial compromise.
Execution: Endpoint detection and response (EDR) solutions can play a significant role in detecting and preventing the execution of malicious code on endpoints.
Persistence: Adversaries may establish persistence on endpoints or devices. Strong endpoint security solutions should be able to detect and remove persistent threats.
Privilege Escalation: Preventing privilege escalation on endpoints and devices is vital for limiting the adversary’s access and control.
Defense Evasion: Endpoint security solutions should be able to detect and prevent common defense evasion techniques used by adversaries, such as disabling security software.
Credential Access: Protecting credentials is crucial for maintaining effective identity and access control. Adversaries may target various credential types, including passwords, tokens, and keys.
Lateral Movement: Strong access controls can limit the adversary’s ability to move laterally within a network. Restricting access to sensitive systems and data can contain the impact of a breach.
By understanding common adversary tactics and techniques, responders can better investigate and remediate security incidents.
Data Sources: The “Data Sources” section within each ATT&CK technique provides information on the types of logs and telemetry data that can be used to detect that technique.
Initial Access: Network security controls, such as firewalls and intrusion detection systems (IDS), are essential for preventing unauthorized access.
Command and Control: Monitoring network traffic can help detect and block communication between compromised systems and external command-and-control servers.
Vulnerability Scanning: Regularly scanning for and patching vulnerabilities is crucial for maintaining a strong security posture.
Exploitation of Remote Services: This technique highlights the importance of patching vulnerabilities, especially in internet-facing systems. Adversaries often exploit known vulnerabilities to gain initial access.
Threat-informed approach: Adversary emulation can help assess and manage security risks effectively by providing a threat-informed perspective. Understanding how adversaries operate can help prioritize security investments and improve overall risk management strategies.
Scenario-based Assessments: Security operations can be enhanced using scenario-based assessments that are threat-informed. This approach allows organizations to evaluate their security controls and incident response capabilities in simulated attack scenarios.
MITRE ATT&CK® mitigations do not mention SBOM.
Lateral Movement: Zero Trust principles align with limiting lateral movement. By enforcing strict access controls and assuming that breaches can occur, organizations can reduce the impact of an adversary gaining initial access to the network.
Compliance Labs has developed the compliance continuous testing process as a fundamental aspect of the MITRE ATT&CK® compliance testing controls. The continuous evaluation process will monitor new cybersecurity regulations and standards compliance mitigations or frameworks best practices and update testing criteria to drive software compliance effectiveness and quality over the long term.
