If you want to protect a cybersecurity asset, you need to understand how someone is likely to attack it. One person or organization, however, can only learn so much on its own. Yet when organizations join forces and share threat intelligence at a global level, the job of asset protection becomes much easier.
That is the animating principle behind MITRE ATT&CK, a global knowledge base of adversary behavior created by MITRE Cyber Security. The job of tracking the tactics and techniques used by attackers is massive in scope. The MITRE ATT&CK model makes this process far simpler by providing a common framework and language for cataloguing and describing the tactics, techniques and objectives of adversaries.
By studying MITRE ATT&CK techniques, organizations can learn more about the current threat landscape — and manage risk far more effectively.
Understanding How MITRE ATT&CK Works
MITRE ATT&CK is visualized as a periodic table-style matrix: each column is a tactic (the adversary's objective), and listed beneath it are the techniques used to achieve that objective, with procedures describing how specific groups have carried each technique out. By reading across the matrix, defenders can identify common adversary objectives and the means and methods typically used to realize them. MITRE ATT&CK allows defenders to create their own models for deterring these threats. One of the key benefits of this approach is that it allows defenders to adopt the mindset of attackers.
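One way defenders put the matrix to work is to map their existing detections onto it and see which tactic columns are left blank. The script below is an added example written for this article; it is not code from MITRE or from XM Cyber. It models a small, hand-picked subset of the public ATT&CK Enterprise matrix (the technique IDs and tactic names are real; the subset and the detection inventory are constructed for the demo) and reports, per tactic, which techniques have a mapped detection and which do not.

```python
"""Toy ATT&CK coverage model.

Added example, not MITRE or XM Cyber code. MATRIX is a constructed subset
of the ATT&CK Enterprise matrix; DETECTIONS is an invented rule inventory.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactics: tuple  # a technique can appear under more than one tactic column


# Constructed subset of the Enterprise matrix; IDs and tactic names follow ATT&CK.
MATRIX = [
    Technique("T1566", "Phishing", ("Initial Access",)),
    Technique("T1078", "Valid Accounts",
              ("Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion")),
    Technique("T1059", "Command and Scripting Interpreter", ("Execution",)),
    Technique("T1003", "OS Credential Dumping", ("Credential Access",)),
    Technique("T1021", "Remote Services", ("Lateral Movement",)),
    Technique("T1041", "Exfiltration Over C2 Channel", ("Exfiltration",)),
]

# Constructed detection inventory: rule name -> ATT&CK technique IDs it covers.
DETECTIONS = {
    "mail-attachment-sandbox": ["T1566"],
    "powershell-scriptblock-logging": ["T1059"],
    "lsass-access-alert": ["T1003"],
}


def columns(matrix):
    """Group techniques under tactic columns, the way the matrix displays them."""
    cols = defaultdict(list)
    for tech in matrix:
        for tactic in tech.tactics:
            cols[tactic].append(tech)
    return dict(cols)


def coverage(matrix, detections):
    """Return {tactic: (covered_ids, uncovered_ids)} for a detection inventory."""
    covered = {tid for tids in detections.values() for tid in tids}
    report = {}
    for tactic, techs in columns(matrix).items():
        have = sorted(t.tid for t in techs if t.tid in covered)
        gaps = sorted(t.tid for t in techs if t.tid not in covered)
        report[tactic] = (have, gaps)
    return report


def uncovered_tactics(report):
    """Tactic columns with no mapped detection at all: the largest blind spots."""
    return sorted(tactic for tactic, (have, _) in report.items() if not have)


def unknown_technique_ids(matrix, detections):
    """Detection tags that match nothing in the matrix (typos or framework drift)."""
    known = {t.tid for t in matrix}
    tagged = {tid for tids in detections.values() for tid in tids}
    return sorted(tagged - known)


if __name__ == "__main__":
    rep = coverage(MATRIX, DETECTIONS)
    for tactic, (have, gaps) in rep.items():
        print(f"{tactic:20s} covered={have} gaps={gaps}")
    print("tactics with no coverage:", uncovered_tactics(rep))
    print("unmapped technique IDs:", unknown_technique_ids(MATRIX, DETECTIONS))
```

Because T1078 (Valid Accounts) sits under four tactic columns, a single gap there shows up in each of them, which is exactly the effect the matrix view is meant to surface: one missing detection can leave several adversary objectives unwatched. The `unknown_technique_ids` check catches rules tagged with IDs that are not in the matrix, a common drift problem when detection content and the framework version get out of step.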
The MITRE ATT&CK model is also used to test products offered by security vendors. In such cases, MITRE will emulate attacks catalogued from actual advanced persistent threats (APTs). This attack emulation works by employing the same techniques that have been used by those APTs. While the techniques are grounded in real-world activity, they may be combined by MITRE in novel ways that have not been previously recorded.
MITRE ATT&CK emulations are then staged on virtual machines protected by the products under evaluation, and each product's performance is analyzed within a variety of categories.
MITRE ATT&CK Evaluations in 2020
Each year, MITRE ATT&CK evaluations change. In 2020, MITRE emulated attacks from APT29, a Russian state-sponsored entity with a history of targeting governments across a variety of continents. APT29 has recently been following two core strategies: initiating phishing attacks designed to steal vast amounts of data quickly, and developing smaller, stealthier campaigns designed to remain hidden for long periods.
This year, MITRE emulated both approaches, allowing products to be tested under something close to real-world conditions. In this way, a MITRE ATT&CK assessment mirrors another form of cyber-attack simulation: breach and attack simulation (BAS) platforms.
The Benefit of Automated BAS Technology
Much like a MITRE attack simulation, BAS platforms evaluate security postures by launching continuous attacks within a controlled environment. Vulnerabilities that are subsequently uncovered can then be addressed through prioritized, guided remediation.
XM Cyber’s industry-leading BAS solution incorporates MITRE ATT&CK within its catalog of simulations. This ensures that simulated attacks are based on the most current knowledge. XM Cyber then extends things even further by providing links to the MITRE ATT&CK library within its remediation reports. Remediation is based on criticality and relation to an organization’s “crown jewel” assets.
By identifying the most critical assets and using MITRE ATT&CK to help identify all attack possibilities, XM Cyber’s BAS technology offers organizations a powerful tool for managing risk, validating controls and optimizing security postures.
The MITRE ATT&CK framework is an invaluable compendium of threat intelligence — one that allows defenders across the globe to track threats, share information and create strategies in a common language.
MITRE ATT&CK emulations also provide a powerful demonstration of the utility of the framework, and an excellent yardstick of measurement.
By incorporating MITRE ATT&CK into its BAS technology, XM Cyber helps clients fully leverage the power of this critically important cybersecurity tool.
Yohanan Berros is Customer Operations Manager, XM Cyber