Experts advocate for ‘ATT&CK’ as go-to framework to share threat intel

Different cybersecurity companies have their own unique ways of talking about the threats they track. That can be frustrating when they need to share critical information about APT28, Fancy Bear, Sofacy or STRONTIUM — all of which are names used by different companies for one prominent Russian hacking group.

Experts say that the “ATT&CK” framework — a model for organizing detailed information about how a threat group behaves — has been gaining in popularity and helping organizations share threat intelligence.

MITRE Corp., a federally funded nonprofit organization that manages public-private technology partnerships, started developing ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) in 2013. The group says the framework has ballooned into a popular way for people performing different roles in cybersecurity to speak the same language. MITRE held its first ever ATT&CKcon on Tuesday in McLean, Virginia, where various vendors convened to discuss how the framework has streamlined their practice of threat intelligence sharing.

ATT&CK provides defenders with spreadsheet-style matrices that structure the way one can talk about an attacker’s tactics, techniques and procedures (TTP). The tables include different observable methods of persistence, exfiltration, lateral movement and other granular pieces of information. 

This gives researchers a common way to talk about how to defend against, for example, APT28, explained Katie Nickels, lead cybersecurity engineer at MITRE, regardless of what they call the Russian group.

“It was built as a common language to allow the red team and blue to communicate,” Nickels told CyberScoop. “It’s really been a grassroots kind of thing where people found it to be useful, and they tell their friends and then others find it.”

ATT&CK advocates say that prior to the development of the framework, the process of sharing information about threat actors was disorganized and inefficient.

“You would look at one report and it was a really good digest on one particular group, but it was hard to look at what the common behavior is,” said Blake Strom, principal cybersecurity engineer at MITRE and co-creator of ATT&CK. “Different companies would have different ways of describing things and it was often at various different levels.”

Speaking at the conference, Jason Sinchak, a principal at Level Nine Group, said that ATT&CK provided a way to standardize the threat intel sharing process that wasn’t there before.

“I think it’s worth mentioning that someone was brave enough to go out there and put a stake in the ground and say ‘this is what we’re going to focus on now,’” Sinchak said. “I’ve been in places where we try to develop our own framework, and it’s a hotly contested area of ‘this shouldn’t be there’ and ‘that shouldn’t be there.’”

Nickels explained that are other efforts to standardize threat intel sharing, but that ATT&CK allows practitioners to share information on a more granular level. The Cyber Kill Chain, a framework developed by Lockheed Martin, is another widely used model for organizations to talk about how threat actors get in, stay in and what harm they can do.

“That’s describing it a high level,” Nickels said of the Cyber Kill Chain. “How can we describe at a more detailed level what adversaries are really doing in a way that will help defenders improve their detection?”

Whether an organization calls a threat actor APT28 or Fancy Bear, Nickels says that ATT&CK lets researchers see the same thing.

“I care a lot about what this Russian group is doing on my networks, and here are the 20 or 30 techniques we know they use. Let’s look at each of those and figure out how we can detect that,” Nickels said, using APT28 as a hypothetical.

Experts also said that ATT&CK has helped them explain a threat to nontechnical people within their own organization and even market their defense services.

“Having a framework like ATT&CK, where it’s standardized and you can map it across the kill chain, that’s what you need for defenders to be able to share. It’s also a much easier story that you can tell at higher levels such as the C-level,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42 research team. “When people are asking what your products do, they want to know what you can defend against.”

ATT&CK is currently enterprise-focused. While that encompasses a lot, Nickels said that MITRE is looking expand into other “technology domains” in the future, like cloud services and the internet of things.