The MITRE ATT&CK/VERIS collaboration aims to create a common dictionary for communicating information about security incidents.
Incident responders work much like police detectives or journalists, in search of the who, what, when, why and how of incidents before they can take steps to address problems. One tool that helps responders address incidents after they occur and position organizations for better defense in the future is the widely used MITRE ATT&CK framework (with ATT&CK standing for Adversarial Tactics, Techniques, and Common Knowledge). The ATT&CK framework is deployed as a cyber intelligence tool during or after an incident to identify the relevant adversary and reveal appropriate mitigation steps. One recent example comes from McAfee, which used ATT&CK in a case that initially started as an investigation into a suspected malware infection but ended up as a surprise discovery of a long-term cyberattack by two Chinese threat groups, APT27 and APT4.
MITRE ATT&CK relies on a detailed knowledge base of adversary tactics and techniques based on real-world observations. In essence, the ATT&CK framework deals in a granular way with the who, what, and why of the attack.
This article appeared in CSO Online.