CSO Online discusses Mitre’s five-year-old ATT&CK and how it is an effective tool for organizations that want to build red teams to perform penetration testing and vulnerability assessments:
As adversaries get more skilled, defenders have to up their game too. By classifying attacks into discrete units, it’s easier for researchers to see common patterns, figure out who authored different campaigns, and track how a piece of malware has evolved over the years as the author added new features and attack methods.
While other tools can identify malware hashes and behaviors, ATT&CK is one of the more comprehensive methods that can look at the actual malware components and lay them out in detail. Most modern malware uses a combination of techniques to hide its operation, stage its exploits, evade detection, and leverage network weaknesses. Finding these various building blocks is a key part of defending against their perfidy.
The first matrix is a “pre-attack” collection of 17 different categories that help to prevent an attack before the adversary has a chance to get inside your network — when an attacker is reconnoitering your domain, for example. Three matrices follow, each with a collection for Windows, Mac or Linux endpoints, that cover a total of 169 different techniques. Finally, a fifth collection offers additional categories for mobile-based attacks.
Each cell of these matrices contains a single tactic, such as forced authentication using Server Message Block (SMB) protocols and how a malware author can use this to gain entry to your network. The framework also contains information on recent malware that uses this technique (in this case, Dragonfly), the way you can detect it (monitor SMB traffic on the appropriate ports), and how you can mitigate its abuse (using egress filters to block SMB traffic).
I am heretofore completely unfamiliar with ATT&CK but it sounds like a unique and highly useful tool for organizations with the right amount of expertise. This is not something to be used by a small organization with little to no resources or capabilities, but mature ones with credentialed cyber professionals.
The basic goal of ATT&CK is quite solid, but what makes it genius is its ability to be extended. There are a number of free and open source projects that add functionality to ATT&CK, such as scripts that exercise several dozen ATT&CK techniques in order to test endpoint detection tools.
Just like the malware it is designed to investigate, ATT&CK is constantly being updated and modified to stay ahead of the power curve. If you are interested in the white hat side of malware, ATT&CK is a strong project worth checking out.
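The quoted CSO Online passage gives one concrete cell of the matrix: forced authentication over SMB, detected by monitoring SMB traffic and mitigated with egress filters. The following script is an added example written for this post (not code from Mitre, CSO Online or the ATT&CK project) showing what that detection looks like over a few constructed firewall log lines; the log format, the internal network list and the sample addresses are all assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample egress log (not from the original page), one connection per line:
# "timestamp src_ip dst_ip dst_port proto action"
# Documentation ranges (203.0.113.0/24 etc.) stand in for real internet addresses.
SAMPLE_LOG = """\
2018-06-01T10:01:02Z 10.1.2.15 10.1.2.20 445 tcp allow
2018-06-01T10:01:05Z 10.1.2.15 203.0.113.7 445 tcp allow
2018-06-01T10:01:09Z 10.1.2.31 198.51.100.9 139 tcp allow
2018-06-01T10:02:00Z 10.1.2.31 198.51.100.9 443 tcp allow
2018-06-01T10:02:30Z 10.1.2.44 192.0.2.55 445 tcp deny
"""

# Assumed internal address space; an egress filter is normally written per organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {139, 445}  # NetBIOS session and direct SMB, the ports the article says to watch


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the space-separated log format above into one dict per connection."""
    fields = ("ts", "src", "dst", "dport", "proto", "action")
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]


def is_external(ip: str) -> bool:
    """True when the destination is outside every internal network, i.e. traffic left the site."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag internal hosts that talked SMB to an external address (ATT&CK 'Forced Authentication', T1187).

    An allowed connection is the real finding: the host's credentials may have been offered
    to an attacker-controlled server. A denied one shows the egress filter working but is
    still kept, at low severity, because the attempt itself is the lure firing.
    """
    hits = []
    for r in records:
        if r["proto"] == "tcp" and int(r["dport"]) in SMB_PORTS and is_external(r["dst"]):
            hits.append({**r, "severity": "high" if r["action"] == "allow" else "info"})
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(parse_log(SAMPLE_LOG)):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]} '
              f'({hit["action"]}) severity={hit["severity"]}')
```

Internal-to-internal SMB (the first line) and non-SMB traffic to the same external host (the fourth) are ignored, so the rule fires only on the egress pattern the article describes.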