The term adversary refers to anyone who has the intent to carry out harmful actions against a specific target. The target could, for example, be a specific business or a function in an organization.
It is crucial for critical infrastructure operators that their ability to detect cybersecurity threats and risks keeps pace with a threat landscape that is constantly changing. This matters directly for reducing the risk of a successful cyberattack. MITRE ATT&CK® is a knowledge base that can be used to develop threat models and methods for detecting undesired activity in IT and OT systems. What is MITRE ATT&CK®, and how can the framework contribute to balanced security in the organization over time?
What is MITRE ATT&CK®?
MITRE ATT&CK® is a well-established knowledge base of structured information built on real-world observations of cyberattacks from around the world. Its greatest advantage is that it is not tied to any particular organization and that anyone can contribute observations. Continuously analyzing the technology and methods used in observed attacks keeps the structure and the knowledge base well updated.
After the reported observations have been analyzed, the various methods (tactics and techniques) that an adversary has used to attack a network are mapped. These may include, for example, different ways of planting malware in a network.
When mapping the methods, the actor's intent and ability to act in the network are analyzed, for example its intent and ability to take over privileges or assets, or to exfiltrate information. With knowledge of the methods and technology observed in real cyberattacks, a comprehensive detection capability can be built.
How could MITRE ATT&CK® be beneficial in a monitoring solution?
A monitoring service that applies the framework can work proactively, looking for known adversary techniques rather than waiting for an alert. This increases the chance of detecting an attack against critical operations in time. Applying MITRE ATT&CK® as an integrated part of the monitoring solution for both IT and OT also raises security across the entire operation.
A further advantage is that the framework helps the solution keep its security level over time. Maintaining a desired level requires the detection capability in a monitoring solution to be updated continuously, and ATT&CK gives that work a structure to follow.
How can MITRE ATT&CK® be implemented in a monitoring solution?
Fully integrating MITRE ATT&CK® into both the technology and the processes ensures that a managed detection and response (MDR) service has the visibility and detection capability required to handle the types of attacks it is designed to cover. The framework provides a common structure for the entire workflow, which makes the work systematic and informative.
One example of how Sectra implements the MITRE ATT&CK® framework in its data collection: a detection engineer uses the framework to map the log data from the operation's critical systems to the techniques that need to be detected, so that access violations in the form of initial footholds (the Initial Access tactic) can be detected.
Another example is true detection capability, which Sectra also makes use of in its solution. As the name suggests, true detection capability is what can actually be detected, measured and visualized in a network, which makes it clear what can really be detected and what customers can actually be protected against. It is based on what becomes visible through the logs that are sent to the monitoring system, combined with the detection rules developed by Sectra's detection engineers. A detection rule for a technique is only worth counting if the log sources that rule reads are actually being shipped. To make the actual capability easy to see and communicate with a customer, an overall view is used that shows what can be detected from a MITRE perspective. This view is then used as a tool to discuss any changes or additions with the customer.
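The coverage view described above can be computed mechanically. The following is an added example, not Sectra's code or data: a small Python script that takes a constructed rule set (each rule tagged with a real ATT&CK technique ID and the log sources its logic reads), a constructed list of in-scope techniques, and the set of log sources actually shipped to the monitoring platform, and classifies each technique as detectable, rule present but data missing, or no rule at all. It also ranks which log sources would unlock the most techniques, which is the kind of input the customer discussion needs. Rule names, log-source names and the in-scope list are assumptions made for this example.

```python
"""True detection coverage against ATT&CK.

A technique counts as detectable only when a detection rule exists for it
AND every log source that rule needs is actually being shipped.
Example code; rule set and source names are constructed, not a vendor's.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # ATT&CK technique ID (real IDs below)
    tactic: str          # ATT&CK tactic the technique sits under
    requires: frozenset  # log sources the rule's logic reads


# Constructed, illustrative rule set. Technique IDs are real ATT&CK IDs;
# the rule names and log-source names are assumptions for this example.
RULES = [
    Rule("Phishing attachment opened", "T1566", "Initial Access",
         frozenset({"mail-gateway", "endpoint-edr"})),
    Rule("Exploit of public-facing app", "T1190", "Initial Access",
         frozenset({"web-proxy", "waf"})),
    Rule("Password spraying", "T1110", "Credential Access",
         frozenset({"domain-controller-auth"})),
    Rule("Suspicious script interpreter", "T1059", "Execution",
         frozenset({"endpoint-edr"})),
    Rule("Unusual RDP logon", "T1021", "Lateral Movement",
         frozenset({"domain-controller-auth", "windows-security"})),
    Rule("Large outbound transfer", "T1048", "Exfiltration",
         frozenset({"netflow"})),
]

# Techniques agreed to be in scope for this (constructed) customer.
# T1078 is in scope but deliberately has no rule, to show that gap too.
IN_SCOPE = {
    "T1566": "Initial Access", "T1190": "Initial Access",
    "T1078": "Initial Access", "T1110": "Credential Access",
    "T1059": "Execution", "T1021": "Lateral Movement",
    "T1048": "Exfiltration",
}


def coverage(rules, in_scope, shipped_sources):
    """Classify each in-scope technique.

    Returns {technique: (status, missing_sources)} where status is
    "detectable", "missing-data" or "no-rule". For "missing-data" the
    second element is the smallest set of extra log sources that would
    make some rule for that technique fully fed.
    """
    shipped = set(shipped_sources)
    result = {}
    for tech in in_scope:
        candidates = [r for r in rules if r.technique == tech]
        if not candidates:
            result[tech] = ("no-rule", frozenset())
            continue
        missing_per_rule = [r.requires - shipped for r in candidates]
        if any(not m for m in missing_per_rule):
            # At least one rule has all of its inputs: truly detectable.
            result[tech] = ("detectable", frozenset())
        else:
            result[tech] = ("missing-data", min(missing_per_rule, key=len))
    return result


def sources_to_onboard(cov):
    """Log sources that would turn 'missing-data' techniques into detectable
    ones, ranked by how many techniques each source unlocks (ties by name)."""
    gain = defaultdict(set)
    for tech, (status, missing) in cov.items():
        if status == "missing-data":
            for src in missing:
                gain[src].add(tech)
    return sorted(gain.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def render(cov, in_scope):
    """Plain-text version of the per-tactic overview used with a customer."""
    by_tactic = defaultdict(list)
    for tech, (status, missing) in cov.items():
        by_tactic[in_scope[tech]].append((tech, status, sorted(missing)))
    lines = []
    for tactic in sorted(by_tactic):
        lines.append(tactic)
        for tech, status, missing in sorted(by_tactic[tactic]):
            extra = f" (needs {', '.join(missing)})" if missing else ""
            lines.append(f"  {tech}: {status}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: only three log sources are currently shipped.
    shipped = {"endpoint-edr", "domain-controller-auth", "mail-gateway"}
    cov = coverage(RULES, IN_SCOPE, shipped)
    print(render(cov, IN_SCOPE))
    print("Onboard next:", sources_to_onboard(cov))
```

With the constructed inputs, three techniques are truly detectable, three have a rule but lack data, and T1078 has no rule at all; `sources_to_onboard` then shows that each missing source unlocks exactly one technique here, so the decision comes down to which technique matters most for this operation, which is exactly the cost-versus-coverage conversation the overview is meant to support.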
With a threat landscape that is constantly changing, it is important to detect and adapt to the actual cyber threats that critical infrastructure operations face. Applying a tool such as MITRE ATT&CK® is necessary in order to stay up to date on the cyberattacks that have occurred and the methods adversaries have used to gain access to networks. This approach increases a business's ability to detect anomalies and suspicious activity in the network in time, and as a result the risk of production outages is reduced.
Different customers have different prerequisites, and it is not always possible to detect everything that ATT&CK describes. Depending on the operations in question, it is also not always financially justifiable to attempt to protect against every threat. The visualization in the overall view makes it possible to take justifiable decisions based on the prerequisites of the individual operation, establishing a reasonable level of protection and thereby balanced security in the operations over time.