MITRE ATT&CK in 2023: Focus on Mobile, Linux and ICS

Cyberattacks are a constant fact of life today. The increasing volume and sophistication of cybercrime means that managed security services providers (MSSPs) should strongly consider taking advantage of resources such as MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework.

MITRE ATT&CK is a volunteer-driven, open-source knowledge base of cyberattack behaviors based on real-world observations. ATT&CK categorizes threat behaviors by the threat group that produced them and by the specific tactics, techniques and procedures associated with them.

Tactics are the purpose of a behavior. Techniques represent “how” the tactical goal is accomplished. Procedures are specific implementations of techniques. ATT&CK also provides a common taxonomy for different cybersecurity teams in an organization to collaborate in developing security policies and processes.

ATT&CK has gained widespread acceptance as a key resource for learning about threat actors and their techniques, tactics, and behaviors. The ATT&CK matrix can be used for adversarial emulation/red teaming, threat intelligence, and identifying gaps in defenses. MSSPs and managed services providers (MSPs) can leverage ATT&CK to better detect potential threats to their systems, conduct behavior-based threat hunting, and identify security vulnerabilities and gaps in customer environments.

Here's a brief overview of how a security operations center can employ ATT&CK, plus a great article on getting started with ATT&CK.

In addition, MSPs can take part in the MITRE Engenuity ATT&CK Evaluations: Managed Services. The evaluations pit an MSP against an emulated attacker, and results provide feedback to the service provider on ways to improve their cybersecurity services. (BlackBerry excelled in the 2020 MITRE ATT&CK evaluation against APT29, a threat group reportedly tied to the Russian government.) Round 2 of the 2023 managed services evaluations will take place in late 2023. You can see the results from the 2022 Engenuity evaluations here.

ATT&CK Plan for 2023

ATT&CK has versions specific to mobile environments, enterprises, and industrial control systems (ICS). The focus in 2023 is on expanding the knowledge base of threat information for the Mobile and ICS versions of the framework and incorporating more information about Linux and cloud threats.

Here’s a quick look at the latest changes in version 13, announced in April (and to be expanded on in the October version 14 release).

  • Focus on mobile and embedded threats. The Data Sources list now has mobile-specific sources. Data sources (such as Active Directory, database logs, and probes) help hunters by giving them the visibility to detect adversarial behavior indicative of a threat. Embedded devices are also getting more attention. The ICS matrix is being expanded with new techniques. MITRE plans to continue expanding the ICS matrix and incorporate industry-specific and device-specific information and mapping.
  • More cloud and Linux support. MITRE is also beefing up data about threats to Linux and cloud services, such as techniques and tactics on abuse of cloud management services and theft of credentials via unprotected chat services, both of which were added to the matrix in April.

According to the 2023 ATT&CK Roadmap, the October release, version 14, will include more updates to support Linux systems, including on-premises Linux servers, as well as expanded knowledge of criminal group operations and hybrid, cross-domain campaigns. The Campaigns category, added in October 2022, will be updated with more entries for ransomware threats and criminal groups.

The recent expansion of ATT&CK to include threats against mobile devices and industrial control systems makes it more useful to MSPs catering to manufacturers, telecoms, utilities, and other businesses that rely on embedded and mobile devices.

If you’d like more information on the most current ATT&CK Tactics and Techniques, download the BlackBerry Global Threat Intelligence Report–August 2023 Edition. The full list of MITRE techniques is available in the Threat Research and Intelligence public GitHub. You can also reference the “MITRE ATT&CK Framework” article on the BlackBerry website.


Guest blog courtesy of BlackBerry Cybersecurity. Read more BlackBerry Cybersecurity blogs and news. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.

To learn how to become a BlackBerry MSSP partner, visit the BlackBerry MSSP Partners portal.