OVERVIEW
The MITRE corporation’s ATT&CK and Shield matrixes are knowledge bases that organizations can use to improve defenses. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. MITRE Shield is an active defense knowledge base MITRE is developing to capture and organize what is being learned about active defense and adversary engagement.
Most security solutions cover the MITRE ATT&CK tactics in the early or later parts of the attack cycle. While the Attivo Networks ThreatDefend platform provides coverage across 11 of the 12 tactics in MITRE ATT&CK, it provides the most coverage for those that occur post-compromise – Credential Access, Discovery, Lateral Movement, Collection. These stages are where adversaries spend most of their time after they evade defenses and burrow deeper into the network, and where traditional security controls struggle to detect their activity. With the ThreatDefend platform, organizations gain visibility and detection into these tactics early in the attack cycle, displayed within the dashboard and the event views.
With the MITRE Shield knowledge base, the emphasis is on tactics the defender can implement to engage adversaries and implement an active defense. The ThreatDefend platform provides the most extensive coverage for MITRE Shield, covering 27 of the 33 techniques listed across all 8 tactics and over 120 documented use cases.
Organizations seeking to implement security based on MITRE Shield can gain immense value by implementing the ThreatDefend platform as part of an active defense.
What is MITRE ATT&CK?
The MITRE ATT&CK knowledge base provides a foundation for developing specific threat models and methodologies across any sector or industry.
The Role of Attivo Within MITRE ATT&CK
The ThreatDefend platform provides potent threat detection and derailment mechanisms that address gaps left open and exploitable by attackers when adversaries successfully penetrate a perimeter defense. By adding the Attivo Networks® ThreatDefend® Platform to the security stack, organizations gain early and accurate eyes-inside-the-network visibility to attack techniques, sub-techniques, and other activities as documented in the MITRE ATT&CK Matrix. By deploying the ThreatDefend solution, organizations gain early detection and valuable insights to malicious actors that have bypass existing controls or perpetrators that are already inside the network.
Attivo Coverage Map
The chart below shows a collapsed MITRE ATT&CK coverage map of the techniques in bold and sub-techniques in italics that the ThreatDefend platform natively detects.
Attivo Events Mapped to the ATT&CK Matrix
The Attivo dashboard provides events categorized by MITRE ATT&CK tactics to streamline analysis.
MITRE DIY Testing
To support ATT&CK, MITRE recently began evaluating vendor products as a neutral authority for testing the ability of specific solutions to detect inbound attacks based on the framework. While MITRE does not rate or recommend tools, the methodology serves as a useful benchmark for comparison. MITRE’s evaluation methodology and all evaluation results are publicly available (https://attackevals.mitre.org/). Attivo Networks used the MITRE ‘Do It Yourself’ Evaluation Tool to test its EDN solution, which Attivo designed to quickly detect an attacker’s lateral movement and reduce its ability to propagate from a compromised endpoint. The test assessed the solution’s effectiveness against APT 29 attacks in combination with leading EDR solutions.
Attivo Boosts Detection by 42 %*
*Average improvement for combined scores.
What is MITRE Shield
The MITRE Shield knowledge base captures and organizes information about active defense and adversary engagement. It lists techniques that defenders can use to implement an active defense, organized into 8 categories of tactics. The detail page for each technique provides information about which tactics it supports, what opportunities are available based on adversary TTPs, as well as use cases and procedures to prompt implementation discussions.
The Role of Attivo Within MITRE Shield
The Attivo Networks ThreatDefend® Platform offers the highest number of capabilities that cover the MITRE Shield matrix. The platform capabilities range from simple deception strategies to a layered prevention strategy. The MITRE Shield matrix provided a valuable guide for understanding adversary engagement and how adversaries attack. By deploying the Attivo ThreatDefend platform to implement these tactics, defenders will be able to map their detection coverage, gain insights to identify what tools attackers are using, understand the activities they perform after establishing a beachhead, and gather intelligence into what their adversaries are seeking. Using the ThreatDefend platform provides full-fledged coverage and a robust strategy for creating an Active Defense.
MITRE Shield
The chart below shows the MITRE Shield coverage map of techniques. Highlighted in yellow are the techniques that the Attivo Networks ThreatDefend platform supports.
SPEAK TO A SECURITY SPECIALIST
Ready to find out what the Attivo Networks solution can do for your organization? Our security experts are standing by, ready to answer your questions.
Value Add
“Doubling the amount of gain that I have from my traditional security tools” – Director of Cybersecurity at Large American University
SPOTLIGHT
Attivo Networks® ThreatDefend Platform and the MITRE ATT&CK Matrix