Intelligent CISO Issue 10 - Page 69

decrypting myths intelligence. While there are several other ways to do this, ATT&CK provides a common language that’s standardised and globally accessible, making it a particularly powerful tool. As Katie Nickels, ATT&CK Threat Intelligence Lead for MITRE, points out, analysts and defenders can work together with data to compare and contrast threat groups. Nickels gives a good example, comparing and contrasting techniques used by the APT3 and APT29 groups, on MITRE’s blog. By identifying the highest priority techniques an organisation can better determine how to mitigate and detect them. The fact that the knowledge base is community-driven and widely accepted for sharing structured information has afforded it a great deal of momentum as well. Who does the ATT&CK framework benefit? From a security testing perspective, ATT&CK can aid red teams and blue teams alike. useful for understanding exactly how the technique could be used again. Keeping the WMI example in mind – by looking at the WMI technique examples listing, www.intelligentciso.com | Issue 10 users can see that the popular Russian hacker group APT29 uses WMI to steal credentials and execute backdoors at a future time. Conversely, BlackEnergy, an APT group linked to attacks on Ukrainian energy companies in 2015, uses WMI to gather victim host details. From a security testing perspective, ATT&CK can aid red teams and blue teams alike. Red teams can follow MITRE’s adversarial emulation plans to test their networks and defences by modelling off adversary behaviour classified by ATT&CK. Blue teams can leverage the ATT&CK framework to get a better grip on what adversaries are doing, prioritise threats and to ensure the right mitigations are in place. How does ATT&CK help the global cybersecurity community? As the volume and variety of cyberthreat actors continues to grow at an alarming rate, the need to share accurate threat intelligence on a global level is more important than ever. The ATT&CK framework has been around for years but it’s grown in popularity recently as a way to help organisations, end users and the government share accurate threat MITRE’s ATT&CK framework has established itself as one of the foremost ways of doing this in recent years, helping to keep the global security informed and alert to emerging cyberthreats. u 69