Understanding the MITRE ATT&CK framework and threat intelligence

There are two ways to use this data for threat intelligence – as consumers and as producers, says Firas Ghanem, Regional Director for Middle East & Pakistan at ThreatQuotient.

Firas Ghanem, ThreatQuotient

The MITRE ATT&CK framework is being used in more and more areas of cybersecurity, including the identification of threat actors, their techniques and behaviour. Companies need a knowledge base to identify who they are dealing with at an early stage. Information about the actions of likely attackers, based on observations of security incidents in other companies, is of interest and relevance to all organisations. Mapping this data, summarised as threat information, is ultimately one of the main activities that IT security departments should undertake. There are two ways to use this data for threat intelligence: as consumers and as producers. Being a consumer of the data means using the data already created to improve threat intelligence decision-making. The second method is to use this information and build on it as a producer of additional information. Security departments that have the appropriate skills and capacity should also engage internationally in this way.

Being a consumer begins with narrowing the threat landscape to specific groups of cybercriminals or other threat actors, because a company can then assume that these groups have an interest in its data, assets or resources. To narrow the threat landscape, previous attacks on similar organisations should be investigated and the groups suspected of being involved in these attacks identified. Once the threat groups of interest have been identified, the security department can use a data set to view the tactics, techniques and procedures (TTPs) for those groups. While some techniques may not overlap, it is very likely that others do. Once the responsible parties have looked at the TTPs common to the identified groups, they can begin to establish a prioritised list of detection and prevention capabilities that the Security Operations team must have. This is a basic use of data already created by MITRE and other teams, and is highly recommended for small teams.

Augment data

In addition, it is recommended that further threat information be created over and above the existing threat information. This mainly refers to an organisation's own data, which can be added to the complete data set. For this activity, organisations must give analysts the time and training they need to analyse available incident response reports (both closed and open source, internal and external) to extract data and map it to ATT&CK. In practice, this means reading these reports line by line, highlighting tools, techniques, tactics and group names, and extracting the data to further feed the information the team has about the suspected attackers. To support this, MITRE is developing the new Threat Report ATT&CK Mapper (TRAM) tool, which helps analysts to partially automate this process. The additional information should improve decision-making once the analysis of the attackers' TTPs has been passed through the organisation's "context filter".

While the use of the ATT&CK matrix for Cyber Threat Intelligence mapping focuses on external threats, the next common step looks inward. First, all techniques are listed together with information on how security departments identify, detect and contain them. Extracting this information is an excellent way for security departments to better understand their own ability to defend and to prioritise. The first step in this process is the programmatic extraction of data source information. There are several ways to do this using the APIs provided by MITRE or other open source tools on GitHub. Once this is complete, comparing the data sources the security experts have access to against the groups of users and systems covered by those data sources can reveal important gaps in coverage and visibility. For example, if the threat information they have collected indicates techniques that target scheduled tasks, a particular group may be behind them. The security experts are then able to determine whether or not they can detect this technique. The data sources listed for the technique (file and process monitoring, process command-line parameters, and Windows event logs) provide this answer.
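The workflow described above (intersecting the TTPs of the groups of interest, then extracting each technique's data sources and comparing them with what the organisation actually collects) as an added example; this is not code from the article or from ThreatQuotient. It runs against a constructed miniature bundle that mirrors the field names of the ATT&CK STIX data (intrusion-set, attack-pattern with x_mitre_data_sources, and "uses" relationships); the group names, technique IDs TX001/TX002 and data source lists are placeholders.

```python
import json

# Constructed miniature of the ATT&CK STIX bundle layout (not the real dataset):
# intrusion-set = group, attack-pattern = technique, "uses" edge = group uses technique.
SAMPLE_BUNDLE = json.loads("""{"type": "bundle", "objects": [
 {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Group A"},
 {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Group B"},
 {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Scheduled Task",
  "external_references": [{"source_name": "mitre-attack", "external_id": "TX001"}],
  "x_mitre_data_sources": ["File monitoring", "Process monitoring",
                           "Process command-line parameters", "Windows event logs"]},
 {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "Spearphishing Attachment",
  "external_references": [{"source_name": "mitre-attack", "external_id": "TX002"}],
  "x_mitre_data_sources": ["Mail server", "Network intrusion detection system"]},
 {"type": "relationship", "relationship_type": "uses",
  "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
 {"type": "relationship", "relationship_type": "uses",
  "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--t1"},
 {"type": "relationship", "relationship_type": "uses",
  "source_ref": "intrusion-set--g2", "target_ref": "attack-pattern--t2"}]}""")


def attack_id(technique):
    """Return the ATT&CK external ID of an attack-pattern object."""
    return next(r["external_id"] for r in technique["external_references"]
                if r["source_name"] == "mitre-attack")


def techniques_used_by(bundle, group_names):
    """Map each named group to the set of ATT&CK IDs it is linked to by a 'uses' edge."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    used = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        group = objs.get(rel["source_ref"], {})
        if group.get("type") == "intrusion-set" and group["name"] in group_names:
            used.setdefault(group["name"], set()).add(attack_id(objs[rel["target_ref"]]))
    return used


def shared_techniques(bundle, group_names):
    """TTPs common to every selected group: the detection priority list the article describes."""
    used = techniques_used_by(bundle, group_names)
    return set.intersection(*used.values()) if used else set()


def data_source_gaps(bundle, technique_ids, available_sources):
    """Per technique, the ATT&CK data sources the organisation does not collect yet."""
    return {attack_id(o): sorted(set(o.get("x_mitre_data_sources", [])) - set(available_sources))
            for o in bundle["objects"]
            if o["type"] == "attack-pattern" and attack_id(o) in technique_ids}
```

An empty gap list for a technique means every data source ATT&CK lists for it is already collected; a non-empty list is the missing data to justify to management in the next step.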

Close knowledge gaps

If none of these data sources are available to the security department, or if they are only available on a subset of the IT systems, the next logical step should be to fix this problem. It doesn't matter whether they capture these new sources of information through built-in operating system logging or by adding new security tools (network monitoring, network detection and response [NDR], host-based IDS/IPS, endpoint detection and response [EDR], etc.). What matters is that the most important missing data has been identified. If this can be clearly communicated, it helps justify the additional effort and potential costs associated with implementing the new data collection.

While the collection of the required data sources is already an important milestone, it is only the first step in the process. Once the data has been collected and sent to a central threat repository, the next step is to find a suitable analysis tool. Finally, the analysis must flag when an attacker actually uses a given technique. MITRE facilitates this step for many attacker techniques with its prebuilt Cyber Analytics Repository (CAR) and even provides open source analysis options such as the BZAR project, which includes a set of Zeek/Bro scripts for detecting some ATT&CK techniques.


With this collected information, security departments can identify the attack groups and techniques most likely to be used against their own organisation and prioritise them. They can also supplement this information with their own internal data. This provides the security department with the best possible knowledge of the techniques and tactics the attackers have and are likely to use against the organisation. After assessing the threat level, the security experts can then use the integrated data source information to get an idea of their potential defensive capabilities. Where key information is missing, they must work together to collect the data and implement analytics for these techniques. Tools such as ATT&CK Navigator can facilitate the visualisation of requirements. Open source projects and vendors of security appliances and software can help accelerate the process of matching the required data against the data they actually collect and running the analytics against it. The final step is to test and continuously review the MITRE ATT&CK framework as enriched with the organisation's threat intelligence information.
