As a common topic in Gartner inquiry, I thought it would be worth addressing some of the issues we are seeing crop up with MITRE, especially in Security Operations Tooling and Services. Now for those of you who don’t know MITRE, lets start with a quick explanation:
What is MITRE?
in essence its a really detailed view of what Lockheed Martin published in 2011 with their kill chain concept. Which sensibly organized the patterns of cyber attacks into a logical flow. Only emerging a few years later in 2013, the MITRE ATT&CK framework took longer to catch on, but is now a mainstay of most security monitoring tool classification.
MITRE provides 14 stages and an ever growing list of techniques and sub techniques. Providing an excellent way to categorize in a granular way, the attacks that are live and those that may occur.
These categorizations also provide detailed descriptions of techniques so that security professionals have a lexicon of ideas to develop upon. With a wealth of examples, a wiki of remedial advice it would be forgivable to think that this mirrored the secret diary of an attacker and that it was the only way to measure coverage and completeness of security capability.
How are we using MITRE? and why is that wrong?
Many providers and technology vendors have begun scoring maturity or displaying completeness of solution via MITRE. Often, this can provide an opportunity to interpret what is being displayed to end users in the wrong way. Traffic light driven systems that color the framework green to indicate coverage are the worst offenders, telling end users “this is complete, move onto the next thing”. This technique encourages an over-confidence that is likely to be responsible for missed incidents.
It is important to understand that MITRE provides a layer of interpretation only for what you have. It can offer extra ideas for areas of capability you don’t have, but you must act.
What it doesn’t provide; is a guide of completeness or coverage:
Example; if a user develops a mechanism to see if a process has been injected (MITRE T1543) on their EDR solution, that technique is covered, despite potentially not having EDR agents in the datacenters or on mobile devices. As a result, a ‘green’ in this area doesn’t focus on the question of data coverage. MITRE compliance doesn’t measure completeness.
What should we be doing?
Effective use of a framework like MITRE is simple. Ask business questions first: “What processes do I care about?”, “Are their any actions in MITRE that might impact these processes?”. Subsequently the driver for the use case is to reduce risk or protect the business process, not to cover the technique.
Another key way to use MITRE is to measure your current capability. “What MITRE stages do we have the most success in identifying issues”, “how could we improve when looking at upstream techniques?”. This, of course, requires a consistent way of recording security issues, perhaps in an ITSM or case management system. It also requires regular assessment and adjustment of processes and detection content.
MITRE is a really good method of categorizing, measuring and enhancing security operations, but its not magic . Those that are most successful, use MITRE to communicate with others in their businesses, use it to measure processes and success. Don’t fall into the trap of believing because its green in a MITRE dashboard its not worthy of attention anymore.
We have some good research in this area : How to Use MITRE ATT&CK to Improve Threat Detection Capabilities (GTP subscription required) and there will be more to follow… please stay tuned