{"id":46598,"date":"2022-05-11T16:00:00","date_gmt":"2022-05-11T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=113817"},"modified":"2022-05-11T16:00:00","modified_gmt":"2022-05-11T16:00:00","slug":"center-for-threat-informed-defense-microsoft-and-industry-partners-streamline-mitre-attck-matrix-evaluation-for-defenders","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/center-for-threat-informed-defense-microsoft-and-industry-partners-streamline-mitre-attck-matrix-evaluation-for-defenders\/","title":{"rendered":"Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK\u00ae matrix evaluation for defenders"},"content":{"rendered":"

The MITRE Center for Threat-Informed Defense<\/a>, Microsoft, and other industry partners collaborated on a project<\/a> that created a repeatable methodology for developing a top MITRE ATT&CK\u00ae techniques list. The method aims to facilitate navigation of the ATT&CK framework<\/a>, which could help new defenders focus on critical techniques relevant to their organization\u2019s environment, and aid experienced defenders in prioritizing ATT&CK techniques according to their organization\u2019s needs.<\/p>\n

The ATT&CK framework provides an extensive list of specific techniques that may be challenging to navigate in certain situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. For example, using research on 22 ransomware attacks, the repeatable methodology led to the identification of the top 10 ransomware techniques list.<\/p>\n

The project also included the development of a customizable, web-based calculator<\/a> that seeks to prioritize techniques based on a defender\u2019s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:<\/p>\n

This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization\u2019s unique environment. This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.<\/p>\n

Establishing the top ATT&CK techniques<\/h2>\n

The methodology for identifying the top ATT&CK techniques factored in three attributes to determine the significance of a technique: prevalence, choke point, and actionability.<\/p>\n

Prevalence<\/strong> is the frequency of specific ATT&CK techniques used by attackers over time. A higher frequency of a technique indicates a higher likelihood of it being used in multiple attack scenarios. Therefore, there\u2019s a higher chance of encountering an attack with a high prevalence ranking. Prevalence was determined using the Center\u2019s Sightings Ecosystem<\/a> project from April 2019 to July 2021, which registered 1.1 million encounters of attacks across the 184 unique ATT&CK techniques. Including prevalence as a criterion aims to cover more attacks with fewer techniques.<\/p>\n

\"A
Figure 1. Attacks over time (MITRE Sightings Ecosystem Project)<\/figcaption><\/figure>\n

Choke points<\/strong> are techniques that disrupt an attacker due to them being a point of convergence or divergence. In real-world incidents, choke points manifest as one-to-many or many-to-one behaviors or steps in the attack. The inclusion of this criterion aims to identify the critical techniques that can help link activity throughout attack chains.<\/p>\n

\"A
Figure 2. MITRE ATT&CK Technique Process Injection (T1055) is an example of a possible choke point<\/figcaption><\/figure>\n

Actionability<\/strong> is the opportunity for a defender to detect or mitigate a technique. This is based on publicly available security controls (such as CIS Critical Security Controls<\/a> and NIST 800-53 Security Controls<\/a>) and analytics (Splunk detections, Elastic, and Sigma).<\/p>\n

 Figure 3. Detection to mitigation mapping (MITRE Top ATT&CK Techniques Methodologies)<\/figcaption><\/figure>\n

Top 10 techniques in ransomware attacks<\/h2>\n

Following the creation of the methodology, the top 10 ransomware techniques list was generated to test this new approach in practice. To create this list, Microsoft and the other partners involved in this collaborative effort analyzed prevalent ransomware attacks from the past three years. A total of 22 specific ransomware attacks were studied specifically for their use of ATT&CK techniques. Based on this research, the top 10 techniques in ransomware attacks are:<\/p>\n

Organization-specific top techniques list via web calculator<\/h2>\n

This collaborative project also included the creation of a dynamic, user-friendly calculator<\/a> for a more customizable, tailored top techniques list. This customizability allows organizations to have unique prioritization based on each organization\u2019s size and maturity.<\/p>\n

The calculator takes into consideration various inputs, including:<\/p>\n