MITRE ATT&CK (adversarial tactics, techniques & common knowledge) is a widely used framework for documenting the tactics, techniques, and procedures (TTPs) used by cybersecurity attackers.
Since becoming publicly available in 2015, its scope has expanded across different matrices and to include rich information on mitigations, detections, and the patterns of known adversary groups.
If you know how to leverage it, ATT&CK is a hugely valuable security operations resource. However, despite its massive popularity, many security leaders don’t know how to put it into practice.
ATT&CK provides MSSPs with a great opportunity to improve their services and unlock new revenue streams. In this article, we’ll explore a few ways that your MSSP can make money using MITRE ATT&CK.
TTP Trend Reporting
Providing MITRE ATT&CK-based reporting is a great way to provide additional value to your customers. The important prerequisite is that you are able to accurately track ATT&CK TTPs across their environments. Many tools will now tag alerts with the suspected TTPs involved, but you will also need to aggregate this data from different tools and systems, in order to generate accurate reports.
We have experience doing this with SOAR (security orchestration, automation, and response), but it can probably be achieved with other tools or more manual processes as well.
Once you are tracking TTPs, you can show your customers what techniques are most frequently being detected in their environment, and what adjustments might help improve their defenses. You can use ATT&CK Navigator to visualize your findings across the ATT&CK matrix and reveal patterns.
Recommended Mitigations and Detections
For a more advanced service, take advantage of MITRE’s publicly available recommendations for technique detection and mitigation. If you are tracking TTPs for your customers, you can easily package recommendations as an added service.
For example, let’s look at Schedule Task/Job (T1053), which was by far the most frequently sighted technique in MITRE Engenuity’s Sightings Ecosystem Report. For T1053, the recommended detections include monitoring newly constructed containers, files, and scheduled jobs that “may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.”
Recommended mitigations for the same technique include operating system configuration and privileged account management. MITRE provides some detail, but generally the recommendations are simple processes that your customers can implement.
If you are offering more advanced services, such as managed detection and response (MDR), managed extended detection and response (MXDR), or threat hunting, MITRE ATT&CK can enhance those as well.
Let’s take the example of threat hunting. If an ATT&CK technique is detected in a security alert, you could then run searches across the customer’s tools for more instances of the technique, as well as techniques that could represent additional links in the kill chain of the larger attack.
MITRE also models the known TTPs used by prominent cyber threat groups, so if your customers are concerned about specific adversaries, you can map their methods to the ATT&CK matrix and put those techniques under surveillance.
About D3 Smart SOAR for MSSPs
D3 Security supports MSSPs around the world and enables high-value services with our Smart SOAR platform. D3 Security supports full multi-tenancy, so you can keep client sites, data, and playbooks completely segregated. Importantly, we’re vendor-agnostic and independent, so no matter what tools your clients use, our unlimited integrations will meet their needs.
D3’s Event Pipeline can automate the alert-handling capacity of dozens of analysts, while reducing alert volume by 90% or more. Watch our case study video with Trifork Security to see how a successful MSSP uses Smart SOAR.