Introduction
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The ATT&CK framework provides a common taxonomy for security practitioners to classify attacks and assess an organization’s risk posture. In this article, we will explore how ATT&CK can be used to improve security programs through purple teaming, a collaborative approach between red teams (offensive security) and blue teams (defensive security). We will also provide an example of how the framework can be applied in a purple team scenario.
Understanding the MITRE ATT&CK Framework
The framework is divided into two main categories: tactics and techniques. Tactics are the high-level goals of an adversary, such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control. Techniques are the specific actions that an adversary may take to achieve these tactics.
The framework includes a wide range of techniques, organized by tactic, that can be used to describe various types of attacks. Each technique is described in detail, including a definition, examples of real-world use, and detection methods. The framework also includes information on the platforms (Windows, Linux, Mac) and software (Office, Adobe, etc.) that each technique may target.
Using MITRE ATT&CK for Purple Teaming
Purple teaming is the process of combining the efforts of red teams and blue teams to improve an organization’s security posture. Red teams are responsible for simulating attacks against an organization’s systems and networks, while blue teams are responsible for detecting and responding to those attacks. By working together, these two teams can identify gaps in the organization’s defenses and develop a plan to address them.
The ATT&CK framework gives red and blue teams a common taxonomy to classify attacks and assess risk. Both teams speak the same language and stay focused on the threats that matter most to the organization. The framework also hands red teams a deep library of tactics and techniques to use during simulations, while giving blue teams a detailed picture of how those attacks work and what they look like in their own environments.
Example of MITRE ATT&CK in Use for Purple Teaming
An organization has identified that they are at risk of being targeted by a sophisticated threat actor who is known to use living off the land (LotL) techniques. The red team decides to simulate this type of attack using the ATT&CK framework as a guide. They begin by identifying the tactics and techniques that are most relevant to LotL attacks, as shown below.
MITRE ATT&CK applied to a living of the land (LOL) scenario
Once the relevant tactics and techniques have been identified, the red team creates a plan to simulate an attack using these methods. They begin by sending a spearphishing attachment to a targeted user, which when opened, executes a PowerShell script that downloads and installs a malicious DLL. The DLL is then loaded into a legitimate process using process injection, allowing it to evade detection.
The blue team, on the other hand, uses the MITRE ATT&CK framework to identify gaps in their defenses and develop a plan to address them. They begin by reviewing the tactics and techniques that the red team is planning to use and identifying areas where their current security controls may be lacking. For example, they may notice that their endpoint detection and response (EDR) solution does not have good visibility into PowerShell activity or that their network segmentation strategy is not as strong as it could be.
During the purple team exercise, both teams work together to identify areas of concern and develop a plan to address them. For example, they may decide to implement additional logging for PowerShell activity, improve their network segmentation strategy, or implement new security controls such as application whitelisting. They also use the ATT&CK framework to track progress and measure success by providing a common taxonomy for classifying attacks and assessing risk.
Benefits of Using MITRE ATT&CK for Purple Teaming
There are several benefits to using ATT&CK for purple teaming:
- Common Taxonomy: By using a common taxonomy, red and blue teams can speak the same language and ensure that they are focusing on the most relevant threats to the organization.
- Comprehensive Library of Tactics and Techniques: The MITRE ATT&CK framework includes a wide range of tactics and techniques that can be used to describe various types of attacks. This provides red teams with a comprehensive library of tactics and techniques to use during simulations, while also providing blue teams with a detailed understanding of how these attacks work and what they look like in their environments.
- Improved Communication: By working together using the MITRE ATT&CK framework as a foundation, red and blue teams can improve communication and collaboration, leading to more effective security programs.
- Measurable Results: The MITRE ATT&CK framework allows organizations to track progress and measure success by providing a common taxonomy for classifying attacks and assessing risk. This helps organizations understand the effectiveness of their security controls and make data-driven decisions about where to invest in security.
Conclusion
ATT&CK is more than a technical tool. Used as the foundation for purple teaming, it keeps red and blue teams aligned on identifying and mitigating threats, and that alignment puts resources where they count: on the threats most relevant to the organization.
The framework’s library of tactics and techniques also lets red teams simulate real-world attacks, giving blue teams a clear view of how those attacks work and what they look like on the ground. That understanding sharpens detection and response strategies and cuts the risk of a successful attack.
For the business, ATT&CK provides a structure to assess security posture, prioritize resources, and improve collaboration between red and blue teams. A more secure environment follows.