Going Beyond Compliance & Checklists: Using the MITRE ATT&CK Framework for Enhanced Security and Training  

For many companies, checking the boxes on compliance checklists and passing audits becomes the foundation for their cybersecurity approach. Yet, we continue to see record numbers of security breaches that do significant damage.

Companies need to go beyond compliance if they want to truly protect their assets.

Though regulatory concerns and client or partner questions mean you need to be compliant, compliance should be the beginning, not the end, of your cybersecurity program. Current approaches to compliance do not bridge the gap between being compliant and actually preventing attacks and breaches. Checklists are only one part of a comprehensive cybersecurity plan that addresses real-world threats.

Why Does the Current Approach to Cybersecurity Compliance Fail?

Compliance frameworks make sure you are doing what it takes to accomplish the mission of your security program: securing your systems and data. However, traditional compliance frameworks only focus on verifying that controls are in place. They miss the practical aspect of verifying whether compliance controls actually work.

Being able to show that a control is in place is not the same as knowing the control works. For example, if you have a firewall in place, but you haven’t tested whether it is properly configured to block traffic, then you do not know if it is doing its job. You may be able to check a box for a compliance audit, but without being able to prove that the control is working, you don’t know your security posture.

Mature security programs should not focus on the mere presence of controls, but on whether they work. You will make meaningful security progress by automatically testing the effectiveness of your security controls against the actual threats to your business and continuously monitoring your performance over time. This approach lets you make educated decisions about what controls are working and what controls are not and helps you prioritize improvements to have the greatest impact.

The Importance of Continuous Monitoring

Security is not a static endeavor. You cannot implement one set of defenses and configurations and assume they will keep you secure forever, or even for a year. The threat landscape is always changing. Attackers are always evolving, and your business needs to be able to prevent, detect, and respond to those attacks now and in the future. It requires a process of continuous readiness.

You need to perform testing that mirrors current attacks against businesses like yours, make adjustments to strengthen your defenses, and then test again to see how those changes are working.

Changes are not limited to the threat landscape, either. Actions your own infrastructure or security teams take can also introduce faults in your security posture.

Configuration changes can have unforeseen consequences. Perhaps they contain typos. Perhaps a change made to address one security concern leaves your organization vulnerable to other cyber threats. Either way, the only way to make sure these issues are caught and addressed is to perform ongoing live-fire testing and then continuously monitor the results.

This approach to security lets you confirm whether your security controls are working, track how changes are improving your security and compliance posture over time, and make security decisions that make the most efficient use of your limited time, personnel, and budget.

Strengthen Security By Automating Compliance

Compliance is typically labor-intensive, and identifying points of compliance takes a lot of manual work and time. With limited personnel devoted to security initiatives and compliance tracking, a tool that automates compliance tasks can help you make the most of your time.

Dependable cybersecurity automation tools help you save time and reduce costs. That helps you achieve your security goals sooner, and allocate more money towards other business goals.

Manually tracking vulnerabilities and patches is tedious and impractical nowadays, due to the personnel limits you face. Your business will be in a better place to strengthen both its security and compliance posture by adopting a platform that assists with automating compliance tasks and tracking.

Automated collection of testing data identifies hot spots, tracks your performance for each technical control over time, and gives you the empirical results you need to make better decisions about tooling, processes, and training, all while making more efficient use of your security budget and personnel.

To make the most of automation, choose a platform that works with the frameworks that matter to you, your partners, and your clients.

The MITRE ATT&CK Framework

MITRE ATT&CK maps real-world malicious cyber techniques to particular stages of an attack—from initial access to impact, creating a curated knowledge base and model for cyber-attack prevention, tracking attack behavior, lifecycles, and platforms targeted.

Using the MITRE ATT&CK framework, you can map cyber intelligence reports to your data sources. This provides a structure and common language to communicate across reports to compare and analyze threat intelligence.

99% of vulnerabilities are never exploited, so it’s crucial to narrow your focus to improving performance against the tactics adversaries do use. The MITRE ATT&CK framework also helps categorize and prioritize threats and provides appropriate actions for defense.

This provides the detailed information you need to go beyond checklists and structure your defensive and offensive approach to cybersecurity to real-world threats.

The Enterprise Matrix

The MITRE ATT&CK Enterprise Matrix tracks adversary tactics for these categories:

  • Reconnaissance: Information gathering to prepare for potential attacks
  • Resource Development: Acquiring resources and setting up a command and control infrastructure
  • Initial Access: Gaining access to networks or systems
  • Execution: Deploying malicious code on compromised systems
  • Persistence: Maintaining access
  • Privilege Escalation: Attempts to gain higher-level privileges
  • Defense Evasion: Tactics to avoid detection
  • Credential Access: Attempts to steal credentials, such as user logins and passwords
  • Discovery: Exploring compromised networks and systems
  • Lateral Movement: Moving from system to system within networks
  • Collection: Gathering data of interest for the adversary’s goal
  • Command and Control: Gaining control of network systems and communicating with compromised systems from outside the network
  • Exfiltration: Stealing data and moving it outside the network
  • Impact: Manipulating or destroying data, such as ransomware

Within each category, there are techniques and activities undertaken by cybercriminals to thwart security defenses.

Automated Live Fire Testing

By adopting the MITRE ATT&CK framework with automated live-fire testing and results, you can align your findings with other compliance controls that matter to you, your clients, and your customers. That includes frameworks such as NIST 800-53, CMMC, ISO 27001, and for financial institutions, the FFIEC Cybersecurity Assessment Tool.

Choosing a tool with built-in capabilities to map results to these compliance frameworks makes achieving your goals as accessible as ever. Security managers and decision-makers can review the data and results, use it for risk management and decision-making, and track both the security and compliance effects of their decisions over time.
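As an added illustration (not code from the original article or from any product it mentions) of how live-fire results can be aggregated by the Enterprise Matrix tactics listed above, flagged as hot spots, tracked between runs, and rolled up as evidence for a compliance control: the test results and the control-to-tactic mapping below are constructed, and the technique-to-tactic pairs follow ATT&CK Enterprise.

```python
from collections import defaultdict

# Tactics in the order the Enterprise Matrix section above lists them.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
           "Discovery", "Lateral Movement", "Collection", "Command and Control",
           "Exfiltration", "Impact"]

# Constructed sample results from two live-fire test runs (not real data).
# Record: (technique id, tactic, outcome); "missed" = neither blocked nor detected.
RUNS = {
    "run-1": [("T1566", "Initial Access", "blocked"), ("T1059", "Execution", "detected"),
              ("T1003", "Credential Access", "missed"), ("T1021", "Lateral Movement", "missed"),
              ("T1071", "Command and Control", "detected"), ("T1486", "Impact", "missed")],
    "run-2": [("T1566", "Initial Access", "blocked"), ("T1059", "Execution", "detected"),
              ("T1003", "Credential Access", "detected"), ("T1021", "Lateral Movement", "missed"),
              ("T1071", "Command and Control", "missed"), ("T1486", "Impact", "blocked")],
}

# Assumed, illustrative mapping from a compliance control to the tactics whose test
# results evidence it; a real mapping comes from the framework text or the platform.
CONTROL_MAP = {"CONTROL-monitoring": ["Execution", "Command and Control"],
               "CONTROL-credential-protection": ["Credential Access", "Lateral Movement"]}

def tactic_scores(results):
    """Fraction of tested techniques per tactic that were blocked or detected."""
    passed, total = defaultdict(int), defaultdict(int)
    for _tid, tactic, outcome in results:
        total[tactic] += 1
        passed[tactic] += int(outcome in ("blocked", "detected"))
    return {t: passed[t] / total[t] for t in TACTICS if total[t]}

def hot_spots(results, threshold=0.5):
    """Tactics whose pass rate is below the threshold: where to spend effort first."""
    return [t for t, s in tactic_scores(results).items() if s < threshold]

def trend(runs):
    """Per-tactic change from the first to the last run; a negative value is a regression."""
    names = sorted(runs)
    first, last = tactic_scores(runs[names[0]]), tactic_scores(runs[names[-1]])
    return {t: last.get(t, 0.0) - first.get(t, 0.0) for t in TACTICS if t in first or t in last}

def control_evidence(results, control_map=CONTROL_MAP):
    """Worst pass rate among the tactics a control depends on; an untested tactic counts as 0."""
    scores = tactic_scores(results)
    return {c: min(scores.get(t, 0.0) for t in tactics) for c, tactics in control_map.items()}
```

Note that run-2 shows both an improvement (Credential Access) and a regression (Command and Control), which is exactly the kind of change that a one-time audit would not surface.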

Training Cyber Defense Analysts

The MITRE ATT&CK® framework also provides a way to measure competency against National Initiative for Cybersecurity Education (NICE) principles that analysts have been trained on.

Established by the US Government in 2009, the NICE framework identifies seven separate cybersecurity career fields:

  1. Analyze
  2. Collect and Operate
  3. Investigate
  4. Operate and Maintain
  5. Oversee and Govern
  6. Protect and Defend
  7. Securely Provision

Each career field includes several work roles, each with its own list of knowledge, skills, abilities, and tasks (KSATs) that someone would need to succeed in that role. The KSATs also make it possible to develop and standardize training for each role.

For example, consider the Cyber Defense Analyst role, part of the Protect and Defend career field. This role uses a variety of cyber defense tools to analyze events that occur within their environment to protect critical assets from cyber attackers. These analysts sit at the epicenter of attack prevention on your people, processes, and technology. Their KSATs ensure that analysts are proficiently trained to protect and defend. Although these cybersecurity professionals are now trained, how do we know if they can successfully stop a real-world attack?

The best way to ensure proficiency is to evaluate how cybersecurity analysts perform against actual malicious techniques. To that end, MITRE ATT&CK provides a useful framework for training analysts against the known malicious tactics and techniques they could encounter in their jobs.

For a Cyber Defense Analyst tasked with protecting an organization from cyber-attacks, the ATT&CK framework is an invaluable reference for contextualizing the types of malicious activity they need to identify and stop.

The ability to train analysts to protect against attack vectors the company faces has proven to greatly enhance a company’s ability to detect, protect, and respond to attacks. Unfortunately, there is a disconnect between Cyber Defense Analyst certifications, job training frameworks like NICE, and the ATT&CK framework used to categorize threats. As a result, organizations have not been able to accurately gauge the competency and proficiency of their Cyber Defense Analysts and teams. This often leads to one of two results:

  1. Overconfidence in analyst performance and underestimation of cyber risk.
  2. Uncertainty about analyst performance, leading to overspending on extra security tools and training.

Neither result is optimal.

Using MITRE ATT&CK to Measure NICE Competency

MITRE ATT&CK provides a useful framework for developing, testing, and improving the knowledge, skills, and abilities of Cyber Defense Analysts. By mapping relevant parts of the Cyber Defense Analyst job role to MITRE ATT&CK techniques, analysts can demonstrate competency for many NICE framework requirements by practicing against real-world threats throughout the MITRE ATT&CK matrix.

Using ATT&CK techniques to validate the performance of cybersecurity analysts as part of a broader, structured professional development curriculum like NICE is a great step towards ensuring the workforce is capable of meeting the dynamic threats they face.

By synthesizing training standards with threat techniques to test their personnel, organizations can know with certainty that their analysts are competent and ready to perform.

Ensuring Cyber Defense Analysts are ready to prevent, detect, and respond to the latest threats is a national imperative. Training standards, frameworks, and certifications are important, but they mean little if analysts are not proficient against real-world threats they might experience on the job. To fully understand and address cyber risk, CISOs, CROs, and other cyber leaders need to understand how their analysts perform against these specific threats.

Moving from Checklists to the Benefits of Cybersecurity Automation

Compliance matters to every organization, but you need to think about it the right way. It should be more than a list of controls. It should be a continuous process of validating those controls, reviewing your security posture, training your analysts, and making well-informed plans to improve your readiness to defend your systems and data.

Learn more about the SightGain Threat Exposure Management Platform and see for yourself how it can help you move from manual compliance checklists to automated compliance focused on building your readiness to resist threats.