The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released a new guide for cyber threat intelligence experts on the use of the MITRE ATT&CK framework.
In 2018, MITRE announced the MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used by cyber threat analysts for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
The MITRE ATT&CK evaluation service evaluates endpoint detection and response products for their ability to detect advanced threats.
Despite its efficiency, many cybersecurity experts do not fully utilize the potential of the framework, for this reason, CISA decided to share some guidance on the use of ATT&CK for threat intelligence.
“A large percentage of enterprises do not correlate events from the cloud, networks, and endpoints to investigate threats: Only 39% of enterprises incorporate events from all three environments (cloud, network, and endpoints) when investigating threats. ” reads one of the studies.
CISA created the guide titled “Best Practices for MITRE ATT&CK Mapping” with the Homeland Security Systems Engineering and Development Institute R&D center.”
The guide aims at helping cyber threat analysts to map the TTPs of attackers to the relevant ATT&CK techniques.
The Best Practices for MITRE ATT&CK Mapping guide provides step-by-step instructions to optimize the use of the MITRE ATT&CK while analyzing cybersecurity threats. The guide also aims at improving defenders’ ability to proactively detect adversary behavior and shared intelligence on their behavior.
“CISA is providing this guidance to help analysts accurately and consistently map adversary behaviors to the relevant ATT&CK techniques as part of cyber threat intelligence (CTI)—whether the analyst wishes to incorporate ATT&CK into a cybersecurity publication or an analysis of raw data.” states the guide. “Successful applications of ATT&CK should produce an accurate and consistent set of mappings which can be used to develop adversary profiles, conduct activity trend analyses, and be incorporated into reporting for detection, response, and mitigation purposes.”
(SecurityAffairs – hacking, cyber threat intelligence)