Enterprise Cybersecurity Threat Intelligence with MITRE ATT&CK™ and NetSecOPEN Frameworks

Proactive cybersecurity assessment may be the best defense against ever-growing cyber threats. One of the areas that has had a significant impact on an organization’s ability to improve its overall cybersecurity is tapping into emerging cyber threat intelligence. The topic of threat intelligence is not new, but there are recent, promising technology trends that address the many challenges in that area. Gartner defines Threat Intelligence as "Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard"1. The ultimate cyber threat intelligence would not only give enterprises the ability to proactively identify vulnerabilities in the network, but would also offer actions to prevent or hinder the attacks. A number of industry projects and initiatives take a foundational approach rather than narrowly focusing on certain tools, classes of vulnerabilities, or a purely adversarial (red team) or purely detection-oriented (blue team) approach.

Two recent influential initiatives in this arena include the MITRE ATT&CK2 and NetSecOPEN3 frameworks.

NetSecOPEN frameworks

1 Gartner, Definition: Threat Intelligence, https://www.gartner.com/en/documents/2487216/definition-threat-intelligence

MITRE ATT&CK™ (Adversarial Tactics, Techniques & Common Knowledge) is mainly a knowledge base of adversary behavior intended to help organizations that want to move towards a threat-informed defense. The framework addresses four key use cases: threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. MITRE released ATT&CK to the public in May of 2015, and it has expanded quite significantly over the past five years. It is now in use by many different government organizations and industry sectors. ATT&CK is open and available to any person or organization at no charge, providing a shared understanding of adversary tactics, techniques and procedures. It delivers insight on how to detect, prevent and mitigate attacks, and catalogs the groups of malicious actors associated with them. MITRE organizes this knowledge base using these categories:

  • Tactics: the “why”; they describe the goal of the attacker
  • Techniques: the “how”; they describe the actions taken by an adversary to achieve tactical objectives
  • Mitigations: methods of addressing a specific technique
  • Groups: clusters of adversary activity, tracked by a common name in the security community

NetSecOPEN’s intent is to establish open standards for validating security products. Its open and standardized testing would reduce the time spent in validation cycles and increase confidence when moving from the lab to the production environment. NetSecOPEN is membership-driven and provides guidelines and best practices for validating modern network infrastructure solutions.

The approaches taken by MITRE and NetSecOPEN are important components of the toolbox for today’s security specialists. They would probably, however, need to be complemented with other solutions that are part of enterprise cyber security. In order to take the benefits of frameworks such as MITRE ATT&CK™ and NetSecOPEN to the next level, it is vital to link the two frameworks to each other, and to link them with the other elements of the enterprise network security stack (e.g. network security, security information and event management, incident management, … platforms).

CyberFlood Data Breach Assessment Frameworks

CyberFlood Data Breach Assessment (CF DBA) is an emulation-based solution that proactively provides in-depth, continuous and automated assessment of an enterprise’s security posture. Its latest offering includes industry frameworks such as NetSecOPEN and MITRE ATT&CK™, integrated with CyberFlood’s inherent capabilities, such as threat intelligence from Spirent TestCloud, assessment validation and reporting, and integration with industry-leading Firewall, SIEM and ITSM solutions.

MITRE ATT&CK and NetSecOPEN frameworks

Using the CF DBA frameworks as the basis of security assessment and reporting brings real-world observations and industry standards to the validation of your own network.

Please visit us at www.spirent.com/go/cyberflooddba to learn more about how Spirent CyberFlood Data Breach Assessment can help in validating enterprise network infrastructure security postures or stop by our booth at RSA 2020 (N-5579) in San Francisco to see CF DBA industry frameworks in action.
