MSPs use MITRE ATT&CK to Thwart Ransomware Faster

Ransomware has made a resurgence and is impacting both IT service providers and the businesses they serve. What if you had insights into cyber criminal tactics and techniques happening in your environment? What if you knew more about the adversaries you face in this cyber battle? Can you help your customers prioritize potential threats to stop a ransomware attack before it’s too late? The MITRE ATT&CK framework enables service providers and defenders to optimize protection beyond legacy tools like anti-virus.


Author: Paula Rhea, CISSP, product marketing manager, Netsurion

By way of background, MITRE launched ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) to document adversary behavior in a practical way and share it globally. Benefits of the ATT&CK framework include:

  • Developing consistent threat taxonomy for threat sharing across the industry
  • Reducing false positives
  • Enhancing cybersecurity maturity and capabilities
  • Minimizing adversary dwell time

Adversaries often re-use the same techniques that they understand and have found successful, enabling defenders like you to help predict, prevent, detect, and rapidly respond to advanced threats.

“Offense is the best driver for cybersecurity defense.”

                                                 – The MITRE Corporation

Today, many organizations are using ATT&CK to better plan and prepare against advanced threats like ransomware.

Prepare for Ransomware Analysis and Detection

The ATT&CK framework provides a common language for threat analysts to use when describing adversary behavior. This common threat terminology helps with consistent and clear communication within your MSP organization as well as across world-wide threat-sharing entities. Cybersecurity decision making also improves when ATT&CK is integrated with Security Information and Event Management (SIEM) such as Netsurion’s threat protection platform. The TTPs in ATT&CK are grounded in network, application, and infrastructure systems and their logs, making SIEM correlation and threat analytics even more useful.

Understand Your Current Defenses to Close Ransomware Gaps

ATT&CK is based on actual tactics, techniques, and procedures (TTPs) used in real-world threat campaigns like ransomware. ATT&CK also provides details on 100+ threat actor groups across the adversary lifecycle, from Reconnaissance to Action on Objectives, as Diagram 1 shows. Defenders are often challenged by the fact that many ATT&CK techniques rely on legitimate system functions used for malicious purposes, making quick detection of cyber criminals even more crucial. While implementing ATT&CK on your own can be resource intensive and time-consuming, solutions such as Netsurion’s Managed Threat Protection integrate the ATT&CK framework so that you don’t have to. You now have the same cyber criminal TTPs and threat context as organizations with much larger security teams.

Diagram 1: Comprehensive cybersecurity protection across the threat lifecycle is enhanced significantly when MITRE ATT&CK is properly integrated.

Continue to Evolve your Security Posture

The ATT&CK framework is immediately usable in IT environments for MSPs and their end customers. As adversaries morph their nefarious techniques, so too does MITRE as it adapts and updates the ATT&CK cyber threat intelligence and TTPs. The framework has expanded over time to address cloud and mobile technologies. Your valued customers trust you with their data and reputation; adopting the MITRE ATT&CK framework ensures that you don’t fall behind when it comes to protecting business-critical data and maintaining customer uptime.

Optimize your Protection with MITRE ATT&CK Integration

Organizations of all sizes use ATT&CK to better address the evolving threat landscape. In fact, MSPs are now ransomware targets due to their pervasive supply chain connectivity and penchant for ransom payments to avoid negative publicity. Faster response minimizes dwell time, the dangerous time hackers spend in an organization’s infrastructure performing reconnaissance and doing damage. Integration of ATT&CK with SIEM log correlation and data analytics provides single-pane-of-glass visibility and improved decision making.

Conclusion: Leverage a Layered Defense

MITRE’s ATT&CK framework outlines what known attackers do when they enter your network. We seamlessly integrate ATT&CK with a managed service that predicts, prevents, detects, and rapidly responds to ransomware and other cybersecurity incidents. This defense-in-depth approach strengthens cybersecurity at all stages of the attack lifecycle, from pre-breach to post-breach. Learn more about Netsurion’s Managed Threat Protection and ATT&CK integration to create a proactive defense for MSPs and their end customers when every minute matters.

Author Paula Rhea, CISSP, is product marketing manager at Netsurion, which develops the EventTracker Managed Threat Protection platform for MSSP and MSP partners. Read more Netsurion guest blogs here.




    Valerian E Agbaw-Ebai:

    Consider a scenario where the website for students to register for their semester courses is reporting slow registration transactions on the website front end, impacting the end-user. The Apache web server hosting the front end of the registration application isn’t having any problems, but overall performance is slower than normal, and the SQL server is reporting high response time.

    Initial troubleshooting found no issues with the Windows server operating systems or the Windows guest hosts’ operating systems. At the physical and virtualization layer, the AWS virtual machines are also not reporting any issues. However, the Windows physical server is experiencing latency and reporting a large query from a web application connected to a webserver from a hostile country. There are no reported issues with the AWS S3 storage array, but the router logs show a large flow of data that deviates from normal patterns from the database server to the internet.

    Question: How will the EventTracker Managed Threat Protection platform predict the root cause of the poor performance, let alone prevent, detect, or rapidly respond to the performance and capacity issues if my system was under a zero-day attack?

    Q: Secondly, the attackers later dropped ransomware to mask what apparently was a massive data theft operation. How will the EventTracker Managed Threat Protection platform identify what is going on in real time?

    Aaron Branson:

    Thanks for your question. Let me preface my answer by saying that there are still many caveats in the scenario that impact the actual results. But, given the scenario provided at face value, if, as you say, the Windows physical server is experiencing latency and reporting a large query from a web application connected to a webserver from a hostile country AND the router logs show a large flow of data that deviates from normal patterns from the database server to the internet, both the communication with a known bad-reputation IP and the anomalous network activity would have triggered P-1 alerts to our SOC to investigate, while the hostile-country communication could have been automatically denied by application control settings, allowing the SOC to investigate and correlate while the attacker has been interrupted. In your follow-up scenario, where the attackers later dropped ransomware to mask what apparently was a massive data theft operation, Netsurion’s deep-learning-based EventTracker Endpoint Security would most likely have prevented the ransomware from executing. A secondary line of defense would have been application control within EventTracker EDR, which alerts on any unsigned, suspicious, or first-time-seen executables.

    Of course, results may vary. But based on the information provided in this hypothetical situation, Netsurion® Managed Threat Protection’s combination of a defense-in-depth platform widely deployed across an enterprise and monitored by our SOC could have predicted and prevented the attack described or rendered it toothless while detection and response capabilities hunted down the root cause. Thank you for your question. I hope this answer was helpful. If you need more in-depth information about how Netsurion Managed Threat Protection, powered by the EventTracker platform, can protect your organization, please consider scheduling a demo at
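The correlation the reply above describes (a connection to a bad-reputation IP plus an anomalous volume of outbound data from the database server escalating to a P-1 alert) is the same pattern the article refers to when it talks about integrating ATT&CK with SIEM log correlation: each raw event is tagged with the technique it suggests, and independent tags that land on one host are combined into a prioritized alert. The sketch below is an added illustration written for this page, not Netsurion's or MITRE's code. The log record format, the reputation list, the per-host egress baselines, the ransomware file-extension list and the technique mapping (T1071 Application Layer Protocol, T1041 Exfiltration Over C2 Channel, T1048 Exfiltration Over Alternative Protocol, T1486 Data Encrypted for Impact) are all assumptions chosen for the example, and every event is constructed.

```python
"""Toy SIEM-style correlation: tag events with ATT&CK technique IDs and
raise a priority-1 alert when independent signals line up on one host.

Added example, not Netsurion or MITRE code. Log format, baselines,
reputation feed and technique mapping are assumptions for illustration.
"""
from collections import defaultdict

# Constructed threat-intel feed (documentation address range).
BAD_REPUTATION_IPS = {"203.0.113.7"}

# Constructed per-host baseline: typical bytes per outbound flow record.
EGRESS_BASELINE = {"db-server-01": 2_000_000, "web-frontend-01": 500_000}
EGRESS_RATIO = 10  # a flow this many times above baseline is anomalous

# Constructed ransomware indicators: N renames to these extensions on one host.
RANSOM_EXTENSIONS = {".locked", ".encrypted"}
RANSOM_RENAME_THRESHOLD = 3

# Constructed sample events: router/netflow records and endpoint file events.
SAMPLE_EVENTS = [
    {"type": "flow", "host": "db-server-01", "dst": "203.0.113.7", "bytes": 48_000_000},
    {"type": "flow", "host": "web-frontend-01", "dst": "198.51.100.20", "bytes": 120_000},
    {"type": "flow", "host": "db-server-01", "dst": "198.51.100.44", "bytes": 1_500_000},
    {"type": "file", "host": "db-server-01", "action": "rename", "path": "C:\\data\\q1.xlsx.locked"},
    {"type": "file", "host": "db-server-01", "action": "rename", "path": "C:\\data\\q2.xlsx.locked"},
    {"type": "file", "host": "db-server-01", "action": "rename", "path": "C:\\data\\q3.xlsx.locked"},
    {"type": "file", "host": "web-frontend-01", "action": "rename", "path": "C:\\logs\\old.log.bak"},
]


def tag_event(event):
    """Return the sorted ATT&CK technique IDs a single flow event suggests.

    A flow to a bad-reputation IP is tagged as command-and-control (T1071).
    A flow far above the host's egress baseline is tagged as exfiltration:
    over the C2 channel (T1041) if the peer is known-bad, otherwise over an
    unclassified protocol (T1048). File events are handled in correlate(),
    because a single rename says nothing on its own.
    """
    tags = set()
    if event["type"] == "flow":
        bad_dst = event["dst"] in BAD_REPUTATION_IPS
        baseline = EGRESS_BASELINE.get(event["host"])
        anomalous = baseline is not None and event["bytes"] > EGRESS_RATIO * baseline
        if bad_dst:
            tags.add("T1071")
        if anomalous:
            tags.add("T1041" if bad_dst else "T1048")
    return sorted(tags)


def correlate(events):
    """Group technique tags per host and emit P-1 alerts for combined signals."""
    per_host_tags = defaultdict(set)
    renames = defaultdict(int)
    for ev in events:
        per_host_tags[ev["host"]].update(tag_event(ev))
        if ev["type"] == "file" and ev["action"] == "rename" and any(
            ev["path"].lower().endswith(ext) for ext in RANSOM_EXTENSIONS
        ):
            renames[ev["host"]] += 1
    # Many renames to a ransomware extension on one host: Data Encrypted for Impact.
    for host, count in renames.items():
        if count >= RANSOM_RENAME_THRESHOLD:
            per_host_tags[host].add("T1486")

    alerts = []
    for host, tags in sorted(per_host_tags.items()):
        exfil = tags & {"T1041", "T1048"}
        # Either signal alone is worth a look; both on one host is the P-1 case.
        if "T1071" in tags and exfil:
            alerts.append({
                "host": host, "priority": "P-1",
                "techniques": sorted(exfil | {"T1071"}),
                "reason": "anomalous egress to bad-reputation IP",
            })
        if "T1486" in tags:
            alerts.append({
                "host": host, "priority": "P-1",
                "techniques": ["T1486"],
                "reason": f"{renames[host]} renames to ransomware extension",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of the two-stage design is that tagging is per event and cheap, while the alert decision happens only after tags from different log sources (router flows, endpoint file activity) have been joined on the host. The web front end, which only talks to unremarkable peers and renames a log file, produces no alert; the database server, which shows both the known-bad peer and the egress spike the questioner described, does, and the later mass renames surface as a separate impact alert rather than hiding the earlier exfiltration signal.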
