MITRE ATT&CK: an intensive 2-day workshop designed to thwart the techniques of cybercriminals


“Burglars have their small tricks … the police know them. They will enter through a room which has no alarm during the night; usually, it is through a bedroom. But by preventing them from taking this path, they are then forced to look for a more complicated or riskier route”, explains Freddy Dezeure, independent cybersecurity consultant and speaker at the MITRE ATT&CK workshop held at C3 (the Cybersecurity Competence Center) and organized by CIRCL and MITRE.

In the same way, the study of cyber-attack scenarios makes it possible to thwart the ploys of cybercriminals. These techniques are becoming increasingly more agile and mobile and can make conventional defence techniques inefficient. Cybercriminals are able to conduct attacks from hundreds or thousands of IP addresses … so there is no point blocking only one IP address or a domain that is considered hostile, because by the time the attack is launched, the attacker will have already moved on.

Therefore, it is usually a question of studying scenarios based on complete (and complex) attacks rather than from vectors which are isolated from each other.

It is with this in mind that MITRE has developed a taxonomy of 290 attack and pre-attack tactics. This taxonomy has several advantages:

  1. The taxonomy can be used to ease information sharing and provide contextual information
  2. The taxonomy can be used to identify a security gap
  3. Each of techniques used by attackers are well documented and can help victims to better react and defend themselves

The workshop, held over two days at C3, brought together diverse participants (administrations, suppliers, key clients…) from the four corners of the world. Their goal: to share their experiences and strengthen the taxonomy of attack scenarios so that they may speak the same language and, in doing so, improve attack prevention, detection, and incident response tools.

A deeper understanding of an opponents’ tactics allows defenders to put in place more effective technical or organizational defence systems. This being important in order to reduce the chances of a successful attack, especially during the preliminary phase.

According to Richard J. Struse, Chief Strategist for Cyber Threat Intelligence at MITRE “What is interesting about this taxonomy is that it only describes attack scenarios, not vulnerabilities or incidents that would be too sensitive to expose. We only talk about an attackers’ behavior, not the damage inflicted or the victims. This really helps us reach an excellent level of collaboration, because companies and organizations do not like to reveal their weaknesses, their incidents … “

And the results?

“The most important thing is to create relationships. This event allowed us to create new relationships with the users of the taxonomy model and also set an objective of continually improving it. This is really important for us because no organization has answers to all of the questions.

And it’s very motivating to see so many people contributing on a voluntary basis. Not only have we established new relationships, but we also see participants connecting with each other to share and collaborate in the area of threat analysis”, concludes Richard J. Struse.

According to the participants, the workshop environment promoted interactive and very fruitful discussions on how to use and implement the ATT&CK model. A future edition has already been planned for the month of October.

Better understanding of the threats

Basically ATT&CK is a framework for classifying the tactics and techniques used by threat actors. Among the “defense” tools, MISP has a different (but complementary) approach, focused on malwares and threats. And the good news is that the 2 platforms can communicate with each other, and they will do it more and more, thanks to the Workshop held at the C3.

To be more concrete: MISP, being a threat intelligence sharing platform, shares various collections of information - something that can be contextualized by Mitre ATT&CK. Assigning information about the involved TTPs (tactics, techniques and procedures) to the shared technical information allows defenders to have a better understanding of the potential methodologies used by threat actors, depending on their branch, community, location etc.

It also allows organizations to analyze the potential gaps in their protective measures, based on current relevant attacker trends an inspection of their own tooling and threat landscape.

Contextualizing the threats

The ATT&CK framework was designed to have a common understanding and
classification of the various TTPs (tactics, techniques and procedures)
employed by the various threat actors. Giving the data that is being
shared context using such a framework, allows analysts to better
understand the potential methodologies they have to face as well as
allowing them to enumerate gaps in their protective measures based on
current attacker trends and an introspection into their own tooling and
threat landscape.

MISP has been using the Mitre’s ATT&CK framework as a way to classify
threats for a while now, but as an outcome of the Workshop held at the
C3, the way forward for closer integration of ATT&CK into the core
functionalities of MISP has been paved.