![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/thumbnails\/22\/mitre-attack-framework-cloud-security.jpg\")
<\/p>\n<\/p>\n
<\/div>\nMITRE ATT&CK\u2122 is a framework consisting of several tactics to help businesses regain control of their security systems. ATT&CK\u2014short for adversarial tactics, techniques, and common knowledge\u2014is a knowledge base consisting of the different strategies adversaries use to exploit your systems based on observations of real cyber attacks.<\/p>\n
MITRE launched the framework in 2013 to \u201cdocument common TTPs that advanced persistent threats use against Windows enterprise networks.\u201d<\/a> The corporation gathered information on the various threats plaguing the internet, documenting and classified them based on several categories, called \u201cmatrices.<\/a>\u201d These include sections like Enterprises, Mobile, and Internet Connection Sharing (ICS)\u2014each with several sub-categories.<\/p>\n The framework help organizations understand the behaviors and goals behind each threat. This information is known as TTP, which is short for tactics, techniques, and procedures. Tactics refer to their goals, techniques suggest to the tools or methods used, and procedures describe to the detailed list of actions performed.<\/p>\n When incorporating this structure into your strategy, MITRE ATT&CK can help security analysts answer the following questions:<\/p>\n This data enables security analysts to identify the threat and how to mitigate or eliminate it. MITRE ATT&CK mitigations are specific procedures that security teams can use to deal with each TTP. Each mitigation can be applied to different TTPs.<\/p>\n The relevance of Linux in the cloud<\/span><\/p>\n Linux is one of the world\u2019s most popular operating systems (OS). It powers 90% of the public cloud workload<\/a> as of 2017. Considering its servers\u2019 low cost of ownership and reliability, it\u2019s not surprising that companies prefer to use this technology. Linux is open source, which means developers from across the world can contribute towards improving the system.<\/p>\n As developers gravitated toward Linux over time, the assumption was that their collective ability to mitigate security threats would be higher\u2014making it safer<\/a>. But, because of this popularity amongst those operating critical public and private systems, threat actors directed their attacks towards Linux systems.<\/p>\n Trend Micro Linux Threat Report 2021<\/a> indicated that cyber attackers targeted over 200 vulnerabilities in six months. Some of the most common malware identified were coin miners (24.56%), web shells (19.92%), ransomware (11.55%), and trojans (9.65%). This demonstrates the essentiality of implementing the proper security controls in your organization\u2014regardless of your operating system of choice.<\/p>\n What is MITRE ATT&CK for containers?<\/span><\/p>\n A common gateway to running microservice-based applications in the cloud, containers are essential for cloud infrastructure. Linux containers (LXC) are open source with one or two sets of processes separate from other system components.<\/p>\n Each container serves a specific purpose and helps run an entire application separately from the runtime environment. The fact that they\u2019re independent means that instilling security measures requires teams to protect the entire container pipeline, rather than just the container itself.<\/p>\n MITRE ATT&CK for Containers considers this and provides a single overview of attacks by orchestration and container levels. Because the framework uses real-world data<\/a> from organizations like Trend Micro, it’s considered a solid framework for what to expect and how to mitigate threats.<\/p>\n How to use MITRE ATT&CK effectively<\/span><\/p>\n Given its scalability and flexibility, the use of the public cloud is becoming common. This has led businesses to look for tailored recommendations to keep their business-critical applications secure. The MITRE ATT&CK framework for the cloud acts as a foundational tool for achieving this resiliency, as demonstrated by the following examples.<\/p>\n The ATT&CK knowledge base provides insight into potential breaches that can occur across various systems. For cloud-based systems, they collect data for five platforms: Microsoft 365, Microsoft Azure AD, Google Workspace, IaaS, and SaaS. It also has data on different OSes, networks, and containers along with insight into how to protect them. The knowledge base does the heavy lifting for enterprises, so they can focus on securing their systems.<\/p>\n Security operations center (SOC) teams can use this overview to understand each threat type in detail. SOCs can then implement this within their current frameworks and train incoming and existing team members on how to interpret it.<\/p>\n Using MITRE\u2019s comprehensive and well-classified knowledge base makes identifying threats easier based on their level of risk. Security teams can check current defenses and identify issues.<\/p>\n Once MITRE releases data about a new threat, security team can then analyze and test whether current systems have been affected. SOC teams can automate their systems for continuous threat hunting. Based on the data the team gathers, they can conduct various penetration exercises and assess the efficacy of their systems.<\/p>\n After identifying the threat or vulnerability, the SOC requires specific procedures to resolve the issue\u2014as soon as possible. These teams can access ATT&CK information for visibility on how and where the threat originated and its capability of damage. By homing in on the source and potential breach pathway, the SOC can remediate directly at the source. This significantly cuts detection and investigation time, as the team saves on the time necessary to track down background information.<\/p>\n To identify and remediate the issue, SOC teams can use tools and services like Trend Micro Cloud One\u2122<\/a> and Trend Micro Vision One\u2122<\/a>. These solutions use the framework to scan, identify, and mitigate the issue quickly\u2014enabling companies to save between 2,100 and 6,100 hours per year<\/a>.<\/p>\n Trend Micro Vision One collects security telemetry from multiple sources such as cloud workloads, networks, and email. It correlates all available data to provide context and comprehensive reports on the true nature of the breach. This enables SOC teams to focus in on the remedial measure based on the threat level.<\/p>\n ATT&CK IDs<\/a> that help the SOC scan for vulnerabilities, including:<\/p>\n The main intention of using cybersecurity intelligence is to mitigate potential threats instead of constantly dealing with losses that come from breaches. A recent example can be traced back to a vulnerability uncovered in Apache Log4j, a logging packaging for Java. Used often by enterprise cloud applications, the consequences of an attack were classified as severe.<\/p>\n Despite a patch (only compatible with Java 8) released by Apache, the vulnerability compromised many systems. This led Trend Micro to launch a Log4Shell Vulnerability Assessment Tool<\/a> to identify it.<\/p>\n The use of threat detection and mitigation tool during these types of events is crucial. Teams are enabled to join other mitigation strategies, such as virtual patching and intrusion detection and prevention systems (IDS\/IPS), to quickly detect and eliminate threats.<\/p>\n Preventive rules include:<\/p>\n The MITRE ATT&CK framework uses a threat-based defense strategy to improve an organization\u2019s security posture. Teams can identify gaps in their current security system, also known as a defensive gap assessment.<\/p>\n By testing for the potential to detect, analyze, and respond to threats, SOC teams are able to investigate how well their current systems stack up. In addition, it can be used to test new tools in the market. Tools developed based on the framework, like Trend Micro Vision One<\/a>, deliver the added benefit of enabling teams to plan and prioritize their company\u2019s investments.<\/p>\n By regularly monitoring your security infrastructure, the SOC can use the observation info to make data-driven decisions on the design and architecture your organization needs. These decisions are imperative because your entire system relies on the underlying infrastructure to mitigate and remediate threats.<\/p>\n To build more secure systems, teams must map their defensive controls based on the TTPs. MITRE ATT&CK\u2019s terminology can be used as a common reference point during red teaming, purple teaming, or penetration testing\u2014for planning, execution, or reporting. This helps determine your enterprise-wide posture and plan.<\/p>\n As regulatory compliance is a significant undertaking, SOC teams require the right tools to navigate with simplicity. MITRE ATT&CK can be used to map compliance controls and regularly test systems to ensure they are secure and compliant.<\/p>\n Trend Micro Cloud One does this automatically. Since the software is based on the framework, you receive up-to-date data from each control. This informs teams on the compliancy of their system. The Forrester Total Economic Impact survey found that companies spend 50% less time<\/a> on compliance with Trend Micro Cloud One, while increasing the pace of cloud migration projects by 10%.<\/p>\n\n
<\/span><\/li>\n
<\/span><\/li>\n
<\/span><\/li>\n\n
\n