Application Of ATT&CK Framework To Help Defenders Better Prioritize Network Defense
The ATT&CK Framework, which stands for MITRE's Adversarial Tactics, Techniques, and Common Knowledge, protects computer networks in much the same way that the body's immune system works. The immune system keeps a record of the pathogens it has encountered, and because it recognises them it can respond quickly when they strike again. Similarly, ATT&CK is a curated knowledge base of what adversaries have actually done to compromise systems, organised as matrices of tactics (the attacker's goal at each stage) and techniques (how that goal is reached), with the groups and software observed using each technique and the mitigations and detections that apply (ATT&CK). It can be thought of as a database of real intrusions: what tools attackers have, how they use them, and what they go after in different systems. Computer network defense (CND) technologies are never foolproof, because the range of possible attacks is vast and attacker capabilities evolve rapidly. Rather than trying to protect everything equally, which spreads limited resources thin, a CND can be designed to concentrate on the places adversaries are most likely to attack.
The ATT&CK Framework lets CND designers see which parts of a system are most exposed, based on how previous attacks have actually been carried out (ATT&CK). For example, an airline operates a wide array of systems, each controlling a different part of its business. One system may handle communication with aircraft, another finances, and yet another customer data. Knowing which of these systems is most likely to be attacked, and by which groups using which techniques, lets CND designers decide which system to protect most, when, and how (ATT&CK). ATT&CK also supports an understanding of the likely chain of intrusion, because each technique is tied to a tactic and the tactics are laid out in the order an attack typically progresses, from initial access through execution, persistence, lateral movement and command and control to impact. For example, if ATT&CK-mapped reporting shows that attackers have been gaining a foothold through mobile devices such as tablets and then pivoting from them to servers, defenders can reinforce their CND against that sequence rather than against each weakness in isolation (ATT&CK).
Following the example above, the CND could be designed so that a compromised mobile device cannot be used to disable host or network firewalls, a behaviour ATT&CK catalogues under Impair Defenses (T1562), with Disable or Modify System Firewall as a sub-technique (T1562.004). ATT&CK also records new techniques as adversaries develop them and how they are used in practice. For example, when a forensic investigation of a recent attack shows that a technique bypassed or disabled a class of firewall that was previously relied upon, that technique, its mitigations and its detection opportunities are added to ATT&CK. Organisations depending on that control then know its limits and can add a detection, a compensating control or a replacement. Note that ATT&CK documents adversary behaviour, not product vulnerabilities; it will not tell you that a specific firewall model is broken, only how defences of that kind have been evaded. Being able to prioritise which component to fix is easier, cheaper and faster than overhauling the entire system. Networks are too large to be defended uniformly and effectively at the same time; the ATT&CK Framework improves the effectiveness of a CND by showing which techniques, and therefore which parts of the system, need defending most (ATT&CK).
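The prioritisation described in the two paragraphs above (which techniques, and therefore which systems, to defend first, and where in an intrusion chain to intervene) is what practitioners typically compute from ATT&CK data. The script below is an added worked example written for this page; it is not code from the original article or from MITRE. The threat-group profiles, coverage percentages and the single tactic assigned to each technique are constructed sample data (the group names are placeholders, not real ATT&CK groups); only the technique IDs and tactic names are real ATT&CK Enterprise entries. It ranks techniques by how many relevant groups use them multiplied by the current coverage gap, finds the earliest weakly covered step in each group's chain, and emits the result in ATT&CK Navigator layer form (the version strings in that layer are an assumption).

```python
"""Prioritising defensive work from ATT&CK technique data.

Added example for this article, not code from the page or from MITRE.
GROUP_TECHNIQUES, COVERAGE and TACTIC_OF are CONSTRUCTED sample data;
in practice the group profiles come from the ATT&CK STIX bundle.
"""
from __future__ import annotations

import json
from collections import Counter

# Constructed: techniques each relevant adversary group has been seen using.
# Group names are placeholders; technique IDs are real ATT&CK Enterprise IDs.
GROUP_TECHNIQUES: dict[str, list[str]] = {
    "group-A (targets airlines)": ["T1566", "T1078", "T1059", "T1562.004", "T1021", "T1071"],
    "group-B (targets finance)":  ["T1190", "T1566", "T1059", "T1003", "T1021", "T1486"],
    "group-C (targets airlines)": ["T1078", "T1059", "T1562.004", "T1053", "T1071"],
}

# Constructed: how well each technique is currently detected or mitigated,
# as a percentage (0 = blind, 100 = fully covered).
COVERAGE: dict[str, int] = {
    "T1566": 80, "T1078": 20, "T1059": 50, "T1562.004": 0, "T1021": 30,
    "T1071": 60, "T1190": 90, "T1003": 40, "T1053": 10, "T1486": 50,
}

# One tactic per technique for this exercise (several of these techniques sit
# under more than one tactic in ATT&CK; one is picked here). Tactic names are
# real, listed in the order the Enterprise matrix presents them.
TACTIC_OF: dict[str, str] = {
    "T1190": "Initial Access", "T1566": "Initial Access", "T1078": "Initial Access",
    "T1059": "Execution", "T1053": "Persistence", "T1562.004": "Defense Evasion",
    "T1003": "Credential Access", "T1021": "Lateral Movement",
    "T1071": "Command and Control", "T1486": "Impact",
}
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence", "Defense Evasion",
                "Credential Access", "Lateral Movement", "Command and Control", "Impact"]


def technique_prevalence(groups: dict[str, list[str]]) -> Counter[str]:
    """Count how many relevant groups use each technique (once per group)."""
    return Counter(t for techs in groups.values() for t in set(techs))


def prioritize(groups: dict[str, list[str]], coverage: dict[str, int]) -> list[tuple[str, int]]:
    """Rank techniques by (number of relevant groups) x (coverage gap in %).

    A technique many relevant groups use and we cannot see scores highest;
    a common technique that is already well covered drops down the list.
    Ties are broken by technique ID so the ranking is deterministic.
    """
    prevalence = technique_prevalence(groups)
    scored = [(tid, n * (100 - coverage.get(tid, 0))) for tid, n in prevalence.items()]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def weakest_early_link(chain: list[str], coverage: dict[str, int], threshold: int = 50) -> str | None:
    """Earliest step of one group's chain (in tactic order) whose coverage is
    below threshold: the cheapest place to break that intrusion sequence.
    Returns None when every step in the chain is covered at or above threshold."""
    ordered = sorted(chain, key=lambda t: TACTIC_ORDER.index(TACTIC_OF[t]))
    for tid in ordered:
        if coverage.get(tid, 0) < threshold:
            return tid
    return None


def navigator_layer(ranked: list[tuple[str, int]], coverage: dict[str, int],
                    name: str = "coverage gaps") -> dict:
    """Render the ranking as an ATT&CK Navigator layer dict.

    Field names follow the Navigator layer JSON format; the version strings
    are an assumption and may need adjusting for the Navigator build in use.
    """
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score,
             "comment": f"coverage {coverage.get(tid, 0)}%"}
            for tid, score in ranked
        ],
    }


if __name__ == "__main__":
    ranked = prioritize(GROUP_TECHNIQUES, COVERAGE)
    print("Top gaps (technique, tactic, score):")
    for tid, score in ranked[:5]:
        print(f"  {tid:10} {TACTIC_OF[tid]:20} {score}")
    for group, chain in GROUP_TECHNIQUES.items():
        print(f"{group}: break the chain at {weakest_early_link(chain, COVERAGE)}")
    with open("coverage-gaps.json", "w") as fh:
        json.dump(navigator_layer(ranked, COVERAGE), fh, indent=2)
```

With the sample data the top gap is T1562.004 (used by both airline-focused groups, zero coverage), followed by T1078 and T1059; for group-A and group-C the earliest weak step is T1078 (Valid Accounts) at initial access, which is where a control buys the most. The written layer file can be loaded into ATT&CK Navigator to show the ranking as a heat map over the Enterprise matrix.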