Updated: Jul 1
Part 1 of a 2-part blog
Author: Elaine Harrison-Neukirch
I recently left the Security Analyst world and now work in the Adversary Emulation world. With this move, I have been learning about Threat Intelligence and the MITRE ATT&CK Matrices. I wish I had more knowledge about MITRE ATT&CK when I was an analyst. It would have been very useful to me as a Blue team member.
Go Blue Team!
A Blue team is a team of security professionals who work to ensure that their organization’s network, information systems, data and assets are safe from threats and attackers. They are the defenders. They must mitigate any gaps in the organization’s defense and continuously assess for new gaps.
While researching MITRE ATT&CK, I came across the ATT&CK Navigator and the NIST ATT&CK Navigator.
MITRE ATT&CK is a knowledge base built on different adversary groups and their tactics and techniques. Its goal is to enable cybersecurity professionals to gather information and understand the actions behind different attacks. It also provides resources for planning mitigation strategies against specific attacks.
MITRE ATT&CK has interactive matrices that focus on Enterprise, Mobile and ICS. Each matrix contains TTPs (Tactics, Techniques & Procedures) used by different adversary groups. By selecting a group or tactic, the user can drill down into the many techniques used for a specific threat or by a specific group. Each technique and sub-technique is correlated with a mitigation.
For example, if I search Brute Force in MITRE ATT&CK, a summary is shown with the Technique ID (T1110) and the Mitigation ID (M1018). I can then drill down into those for more details.
In December 2020, the Center for Threat-Informed Defense (Center) released a set of mappings between MITRE ATT&CK and NIST SP 800-53. The goal of this mapping is to enable people to easily map the threats that are specific to their organization to NIST controls. The ability to visualize threats together with the NIST controls associated with them will contribute to more efficient planning when closing security gaps.
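A small gap-analysis script, added here as an example and not part of the original post or of the Center's tooling: it takes an ATT&CK-to-800-53 mapping in the shape the Center publishes (technique ID to a list of control IDs), compares the controls mapped to an organization's relevant techniques against the controls it has implemented, and ranks the missing controls by how many techniques each one helps close. The mapping table is a constructed sample; the control pairings are illustrative placeholders, not the published data.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the Center's mappings: ATT&CK technique
# ID -> set of NIST SP 800-53 control IDs. The pairings are illustrative
# placeholders, not the published data; T1110 is the technique named above.
SAMPLE_MAPPING = {
    "T1110": {"AC-7", "IA-5", "CA-7"},          # Brute Force
    "T1566": {"AT-2", "SI-3", "SI-4", "SI-8"},  # Phishing
    "T1059": {"CM-7", "SI-4", "SI-7"},          # Command and Scripting Interpreter
}

@dataclass
class GapReport:
    gaps: dict       # technique -> mapped controls not yet implemented
    covered: set     # techniques whose mapped controls are all in place
    unmapped: set    # techniques with no entry in the mapping (manual review)

def gap_analysis(techniques, implemented, mapping=SAMPLE_MAPPING):
    """Compare the controls mapped to the techniques relevant to an
    organization with the controls it has actually implemented."""
    implemented = set(implemented)
    report = GapReport(gaps={}, covered=set(), unmapped=set())
    for tid in techniques:
        controls = mapping.get(tid)
        if controls is None:
            report.unmapped.add(tid)   # nothing to check against: flag it
            continue
        missing = controls - implemented
        if missing:
            report.gaps[tid] = missing
        else:
            report.covered.add(tid)
    return report

def prioritise_controls(report):
    """Rank missing controls by how many relevant techniques each one helps
    close, so the controls with the broadest effect are planned first."""
    counts = Counter(c for missing in report.gaps.values() for c in missing)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    threats = ["T1110", "T1566", "T1059", "T9999"]  # T9999: constructed unknown ID
    report = gap_analysis(threats, {"AC-7", "IA-5", "CA-7", "SI-3"})
    print("gaps:", report.gaps, "unmapped:", report.unmapped)
    print("plan first:", prioritise_controls(report))
```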
NIST Special Publication 800-53
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a detailed document that describes multiple security and privacy controls. These are controls that should be in place to protect both Federal Government and Critical Infrastructure information systems. Many other sectors also use these guidelines in an effort to protect their systems from threats. Risk assessments incorporate NIST SP 800-53 because it is so detailed and covers many of the security domains. The most current version is NIST SP 800-53 Revision 5. These guidelines are used by Blue Teams and those who perform risk assessments.