info@technalink.net 7900 Tysons One Place, Suite 610, Mclean, VA 22102

MITRE ATT&CK Solution and Project Highlights

What is MITRE ATT&CK?

The MITRE ATT&CK Framework is an industry accepted threat analysis and reporting taxonomy for detecting adversary tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) for cybersecurity operations teams (SOCs). MITRE ATT&CK is useful to organize threat hunting campaigns and capture risk insights that can be operationalized into existing Security Information Event Management (SIEM), orchestration, and incident response systems.

Why is MITRE ATT&CK important to address?

MITRE ATT&CK is important to incorporate into SOC solutions because Executive Order (EO) 14028 has mandated that all Federal Agencies improve threat detection processes with urgent capability to implement solutions that can detect and defend systems from advanced threats, ransomware, and supply chain risks. Federal OMB mandates have given the Cybersecurity & Infrastructure Security Agency (CISA) authority to conduct future threat hunting activities within Federal agencies to determine weaknesses that need to be addressed at Federal agencies without prior authorization to do so.

How can Technalink help?

Technalink offers its Federal clients’ a holistic approach to implement MITRE ATT&CK Framework solutions to meet Federal Executive Order (EO) 14028 and organize threat and risk management to work with existing security information and event management (SIEM) and other SOC tool investments. Our security architects, engineers, and analysts follow an adaptive agile mindset to collaborate with SOC analysts, security engineers, threat hunters, and incident response teams to help operationalize MITRE ATT&CK Framework TTPs into everyday playbook processes. In our approach, we will conduct a cybersecurity maturity threat assessment and form a baseline risk analysis from existing protections. Then, we will build out a gap analysis that includes measuring configurations for robustness against cybersecurity threats as outlined in the MITRE ATT&CK Framework TTPs in comparison with the agency baseline risk posture relative to its risk appetite. This gap analysis supports a repeatable process that is tailored to each agency per its cybersecurity maturity, cybersecurity goals, and current NIST Cybersecurity Framework (CSF) risk profiles to its targeted CSF risk profile maturity goals.

As an advanced phase of SOC maturity, our Technalink SOC experts will perform threat hunting activities using methods detailed by the MITRE ATT&CK Framework to make SOC maturity improvements to meet SOC roadmap goals. The MITRE ATT&CK Framework was developed by MITRE to improve SOC Teams capability to test and evaluate security protections using a methodology based on real world adversarial attack observations. This framework combines the collective work of network researchers at MITRE, within industry, and SOC teams over many years to capture, analyze, and document TTPs for a comprehensive catalog of malicious attacks. Having this framework in place as a foundation will provide SOC capability to evaluate all known adversarial TTPs observed across the enterprise, improve TTP detection, determine the severity of risk to the threat of each TTP scenario, and build incident response playbooks to these TTPs. Modern tools and technologies are incorporating the MITRE ATT&CK Framework taxonomy in its software engines to alert SOC teams to TTPs that are observed in the organization that will improve where SOC Analysts spend time investigating events having the highest risks. Long term benefits include continual advancement of CSF maturity goals, and increased capability to realize the overall organizational benefits to be prepared for all (including CISA) threat hunting activities, finding gaps in security coverage, discovering overlapping tool coverage, and tracking faster TTP detections with playbook improvements over time.

Recent Technalink MITRE ATT&CK solution project highlights:

For the Treasury Bureau of Fiscal Services (BFS), Technalink was instrumental in providing a MITRE ATT&CK solution within their Cybersecurity Consulting, Assessment, and Data Breach Division.

Our SOC architects incorporated the MITRE ATT&CK Framework for enhanced threat hunting capabilities into their incident response playbooks and address latent risks from detected TTPs. We introduced MITRE ATTACK capability by building an application at BFS using their existing SIEM and Security Orchestration, Automation, and Response (SOAR) tools with playbooks that operationalized MITRE ATT&CK to locate security gaps in security tools coverage and detect adversary TTPs.

As a result, we have improved BFS SOC capability to mature and enhance its incident response program and mature its current SOC playbooks improving the time to detect and respond to IoCs and security events.