Red Team Use of MITRE ATT&CK

I am not a vendor. I have no product or service to promote by checking a box to say it supports the MITRE ATT&CK framework.

I am also not a customer or benefactor of MITRE. No money has exchanged hands.

Those are important up-front disclosures so you can know that I am just a fan — that I personally find value in the framework itself. With that out of the way…

The MITRE ATT&CK Framework is one of the best things to happen to the security community, if for no other reason than it provides a common vocabulary to understand the phases of a breach (and more importantly: pre-breach). The obvious usage is for ensuring proper prevention and detection controls in all the available categories, but there are other use cases as well.

If you are new to security (or if you’ve been around awhile and maybe forgotten what you have once known), ATT&CK can serve as a guide (almost an encyclopedia or taxonomy) of past techniques used by attackers. There’s probably something in there that you don’t know as well as you maybe should.

From a Red Team perspective, there are plenty of use cases as well.

One obvious use: a red team can use ATT&CK to label activities in a debrief report. Your customer/client/org can then map their gaps back to their vendors to ensure the products in the environment can be tuned to address detection gaps.

Another use case that is probably a little less obvious: red team metrics.

I would be willing to bet that most “red teams” repeat the same TTPs (tactics, techniques, and procedures — the things ATT&CK tracks) across their different campaigns. We know real adversaries do this, so it is reasonable to assume red teams do, too. And this makes sense; adversaries (real or simulated) are human, so they tend to develop habits or avoid “reinventing the wheel” (i.e. once a feature is built, why rebuild it?). These habits result in repeated paths across ATT&CK as they walk their attack chain. Tracking these TTPs visually through ATT&CK Navigator (https://mitre.github.io/attack-navigator/enterprise/) makes your red team “watering holes” or “go-to” techniques painfully obvious. Thus it exposes your own weakness in your adversarial approach so that you can diversify in areas you probably forgot.

To counter this, create a metric where your red team tracks TTP coverage across campaigns, especially when repeating targets, and measure how many TTPs get covered during a rolling period (e.g. a year). We call this MITRE ATT&CK Bingo, where our goal is to cover the “bingo card” (the whole framework). In each campaign, our goal is to add 3–5 new TTPs we haven’t used in the last 12 months. This keeps us sharp and ensures the Blue Team sees new and varied attacks. It makes the red team better, which in turn makes the blue team better.

We also use the neat Navigator visualization feature’s multiple colors to “heat map” a campaign based on where we, as the fake adversary, perceive the TTP was used in a very unsophisticated way versus where it requires a larger amount of customization, development, or tuning (e.g. green for weak, yellow for intermediate, red for mature, or vice versa— just pick a scheme and stick with it). This helps a defending organization to understand where their resistance strength is weaker so they can bolster not just their detection, but also their response.

Another red team suggestion (hat tip: Tim McG — https://www.twitter.com/NotMedic) is to use ATT&CK before you even plan your next red team campaign. Roll the dice and randomly select 2–3 TTPs from each column and that becomes the fake adversary that you are emulating. For every honest red teamer I’ve mentioned this to, their reaction was just like my initial reaction: they were horrified. Horrified because — contrary to what the internet tells you — most red teamers are not intimately familiar with every TTP. They may be acquainted with most, but probably haven’t used (therefore they down “own”) that skill. Letting the dice pick your TTPs really forces you out of your comfort zone, and also maybe provides your blue team to be ready for an otherwise unpredictable adversary.

These are just some of the ways you may be able to use MITRE ATT&CK, but I bet you can think of others. Send me a note if you have neat application — I probably haven’t thought of it.

Also, MITRE is running their first conference on the framework this next week. If you’re like me and cannot physically attend, please note they are streaming it for FREE. Check it out:

https://www.mitre.org/attackcon