John Wunder, Principal Cybersecurity Engineer at MITRE Corporation, suggested in a recent webinar that the ATT&CK framework is the ‘obligatory pyramid of pain’. It is the first framework that looks at the behaviours of cyber attackers and their increasing sophistication.

Wunder says ATT&CK originated from David Bianco who ‘reached a realisation in cybersecurity that what we were doing wasn’t really working any more.’ We needed to walk in the shoes of our adversaries in order to defend against them.

The ATT&CK framework gives threat hunters a united vocabulary to describe what attackers are doing so that we can communicate and work as a community on how to fight against it.

MITRE uses the ATT&CK framework to advise organisations on how to improve their detection and move up the pyramid, making it much tougher for attackers to hide. This framework is open source and supported by the threat hunting community at large. Information may be accessed at

Here’s how threat hunters can use ATT&CK for their mature threat hunting programs:

MITRE’s ATT&CK framework has evolved to include best practices for:

  • Detection and Threat Hunting
  • Assessments and Engineering
  • Threat Intelligence
  • Adversary Emulation

One of the best uses of the ATT&CK framework is to use it to understand how durable an organisation’s defences are for each attack behaviour. Phil Hagen, Senior SANS Instructor and DFIR Strategist for Red Canary, says that testing against the ATT&CK framework ‘provides you a shopping list of where you need to focus your attention and resources.’

If an organisation’s Security Operations Centre (SOC) already uses a kill chain model, the ATT&CK framework aligns well and can be used in coordination with it. ATT&CK looks at the ways that an attacker would execute on a cyber kill chain. The ATT&CK framework makes it more granular and allows threat hunters to test and act on this information.

Really, it’s all about testing defences. The ATT&CK framework just gives an organisation a way to categorise results so IT can identify where to focus for optimising cyber security.

Need for ATT&CK best practices

Everyone is familiar with the typical reactive SOC workflow:

  1. A system-generated alert,
  2. Triggers analyst triage,
  3. Which is escalated for investigation or close.

This tiered system is widely prevalent in IT. But as tools and the threat landscape evolve, so must the SOC workflow. Here’s how the SOC workflow has evolved to become more proactive:

  1. Continuous monitoring (now a background process);
  2. Triggers operational processes that focus on executing the triage, escalation and investigation procedures;
  3. Which triggers a new layer of threat hunting. This starts as a reactive process that looks at past threat intelligence data, but with this data comes the ability to use it proactively.

A recent webinar on ATT&CK provides an excellent example of using this new proactive workflow in a triage of lateral movement using PowerShell. Fundamentally, the goal of the evolved SOC workflow is to get to good findings fast.

Key actions to maturing a threat hunting program

  1. Focus on data early – Maturing a threat hunting program requires a focus on data collection early in the process. Later, filter and optimise that data to find the interesting behaviours. The key is to home in on what is important to your organisation. Never cast too wide a net.
  2. Be smart about suppression – As Red Canary’s Phil Hagen admits: ‘We’ve all accidentally suppressed true evil.’ A process is needed to take notes on why things were suppressed so that as your team changes, suppression logic is not lost.
  3. Use an ATT&CK Scorecard – Everyone inherently understands the red/yellow/green format so a scorecard is a great way to both demonstrate improvement as well as communicate gaps to upper management.
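As an added example (not from the article or the webinar), here is a minimal version of the red/yellow/green scorecard from point 3: a colour per technique, the gap ‘shopping list’ Hagen describes, and a trend between two assessments so improvement can be shown to management. The technique IDs are ATT&CK sub-technique identifiers; the coverage records and the two quarterly assessments are constructed.

```python
from dataclasses import dataclass

# Constructed subset of techniques; real IDs and names come from the ATT&CK matrix.
TECHNIQUES = {
    "T1059.001": "PowerShell",
    "T1021.002": "SMB/Windows Admin Shares",
    "T1003.001": "LSASS Memory",
    "T1053.005": "Scheduled Task",
}
RANK = {"red": 0, "yellow": 1, "green": 2}

@dataclass(frozen=True)
class Coverage:
    technique: str
    telemetry_collected: bool   # is the needed data source collected at all?
    detection_validated: bool   # has a detection fired in a controlled test?

def rate(c: Coverage) -> str:
    """Telemetry plus a validated detection is green; telemetry alone is yellow."""
    if c.telemetry_collected and c.detection_validated:
        return "green"
    return "yellow" if c.telemetry_collected else "red"

def scorecard(records):
    """Colour every technique; anything never assessed is red, not blank."""
    rated = {r.technique: rate(r) for r in records}
    return {tid: rated.get(tid, "red") for tid in TECHNIQUES}

def gaps(card):
    """The 'shopping list': non-green techniques, worst colour first."""
    return sorted((t for t, c in card.items() if c != "green"),
                  key=lambda t: (RANK[card[t]], t))

def trend(before, after):
    """Techniques that moved up or down the scale between two assessments."""
    improved = [t for t in after if RANK[after[t]] > RANK[before[t]]]
    regressed = [t for t in after if RANK[after[t]] < RANK[before[t]]]
    return improved, regressed

# Constructed assessments: Q2 adds PowerShell and LSASS detections and SMB
# telemetry, while the scheduled-task detection quietly stopped validating.
Q1 = [Coverage("T1059.001", True, False), Coverage("T1021.002", False, False),
      Coverage("T1053.005", True, True)]
Q2 = [Coverage("T1059.001", True, True), Coverage("T1021.002", True, False),
      Coverage("T1003.001", True, True), Coverage("T1053.005", True, False)]

if __name__ == "__main__":
    print(scorecard(Q2), gaps(scorecard(Q2)), trend(scorecard(Q1), scorecard(Q2)))
```

Treating an unassessed technique as red rather than leaving it blank is what keeps the scorecard honest; the regression entry is the part that catches detections that silently broke.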

SANS Institute’s threat hunting maturity model uses ATT&CK

Understanding where you are on the threat hunting maturity model is important, but what is much more important to understand is where you can get to with what investment. The ATT&CK framework provides a model to help you better understand that and take action on next steps to mature your threat hunting program.

But keep in mind that developing your threat hunting team and process is iterative. There is no endpoint. Stay focused on steps to help you improve speed, accuracy and clarity. This will bring your defences to a higher level of protection against the evolving behaviours of cyber attackers.

Article by Chris Prall, Carbon Black