MITRE is evaluating a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) for APT detection. MITRE is going to offer a new service based on its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to evaluate products based on their ability in detecting advanced persistent threats.

“MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” reads the MITRE’s official page. “ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.”

The MITRE ATT&CK evaluation service will evaluate endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principle cybersecurity engineer at MITRE.

Duff explained MITRE will adopt a transparent methodology and knowledge base that will make easy to interpret results obtained with its service.

In my opinion, sharing information about attackers’ TTPs is essential and such kind of initiative is very important for cyber security community.

Jessica Payne from Microsoft Windows Defender praised the MITRE ATT&CK service.

The @MITREattack database lists the TTPs of various attacks and attackers. You should monitor these on your network: https://t.co/NDMitTKda2 — Jessica Payne (@jepayneMSFT) July 21, 2017

If you have ever wondered 'how does an APT do ___?' or wanted to emulate an actual adversary in a Red Team, this database is a great start. — Jessica Payne (@jepayneMSFT) July 21, 2017

The knowledge base was initially collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives, it comes from publicly available sources.

“ATT&CK provides a common framework for evaluating post-breach capabilities,” said Duff. “We believe that objective and open testing based on ATT&CK will advance capabilities and help drive the entire endpoint detection and response market forward.”

According to Duff, internal MITRE information doesn’t contaminate the knowledge base.

In this phase, MITRE intends to evaluate its service and its efficiency, the first case study will be based on APT3/Gothic Panda and will evaluate the ability of products in detecting this threat.

“As part of their participation in MITRE’s impartial cyber evaluation, cybersecurity vendors will be provided clear articulation of their capabilities, as well as access to MITRE’s cyber experts’ feedback for improving their products.” reads the statement published by MITRE. “Details captured will include the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product’s ability to detect the emulated adversary behavior.”

MITRE, for this first round, call for vendors to contribute until April 13, 2018.

Pierluigi Paganini

(Security Affairs – ATT&CK technique, MITRE)

Share this...

Linkedin Reddit Pinterest

Share On