Blog

In 2024, the key to quality cybersecurity is to find a pentesting provider that uses the MITRE ATT&CK framework.

Why? Our ethical hackers dive into all you need to know:

Firstly, What is the MITRE ATT&CK Framework?

MITRE(Massachusetts Institute of Technology Research And Engineering) is a security organization whose MITRE ATT&CK framework (short for Adversarial Tactics, Techniques & Common Knowledge) delivers a modern approach to witnessing and tackling cyber threats. It is a global knowledge base (KB) for identifying adversary tactics and techniques. This MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and strategies based on real-world observations. It provides a common language for describing attacks and can be used to improve detection, analysis, and response capabilities.

In addition, the framework drives the mission to solve cybersecurity problems and make the technology world safer. This framework has become the centrepiece of cybersecurity threat monitoring across industries since 2013. The MITRE ATT&CK framework and its various matrices have evolved to handle threats related to emerging technology. Its various matrices cover different tactics, such as:

• Initial Access

• Resource Development

• Reconnaissance

• Collection

• Execution

• Credential Access

• Privilege Escalation

• Persistence

• Lateral Movement

• Exfiltration

• Command & Control

• Defense Evasion

The MITRE ATT&CK framework is an increasing popular measure among penetration testing teams. MITRE Engenuity published the first-ever ATT&CK evaluations for ICS (Industrial Control Systems), which focused on techniques related to notorious threat groups, particularly Carbanak and FIN7. 

Understanding MITRE ATT&CK Framework and Matrices

The ATT&CK framework, which stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge, was introduced by MITRE in 2013. It helps organizations describe and categorize adversarial behaviours as per real-world observations. It is a structured list of known attacker behaviours compiled into multiple tactics and techniques expressed in the form of matrices. 

The MITRE ATT&CK framework is a comprehensive representation of behaviours attackers often employ to compromise networks, making it very useful for various offensive and defensive representations and measurements.

The question it aims to address is

"How well are we detecting documented adversary behaviour?"

The MITRE ATT&CK Has Three Versions:

• ATT&CK for Enterprise: Focuses on adversarial behaviour in Windows, Mac, Linux, and Cloud environments

• ATT&CK for Mobile: Focuses on adversarial behaviour on iOS and Android operating systems

• ATT&CK for ICS Focuses on describing an adversary's actions while operating within an ICS network

Why Find a Pentesting Provider That Uses the MITRE ATT&CK Framework?

ATT&CK offers a lot of value in everyday settings. For instance, any defensive activity referencing attackers and their behaviours can benefit from ATT&CK’s taxonomy. It provides a common lexicon for cyber defenders and helps you lay a strong foundation for penetration testing and red teaming. It brings defenders and red teamers on the same page with a common language when referring to adversarial behaviours.

Organizations can use ATT&CK’s taxonomy for: 

• Mapping Defensive Controls and Threat Hunting: When referenced against the ATT&CK tactics and techniques, defensive controls may have well-understood meaning for them. Mapping defences to ATT&CK also help you create a roadmap of defensive gaps and provides threat hunters, i.e., the perfect places to identify missed attacker activities.

• Sharing: MITRE ATT&CK framework helps the defenders ensure common understanding when sharing information about defensive controls or an attack, actor, or group.

• Detections and Investigations: Your Security Operations Center (SOC) and incident response team can use detected or uncovered ATT&CK techniques and tactics to understand where defensive strengths and weaknesses exist. You can also use it to validate mitigation and detection controls while uncovering misconfigurations and other operational issues.

• Tool Integrations and Referencing Actors: You can use ATT&CK tactics and techniques to standardize disparate tools and services, lending cohesiveness to an often-lacking defence. It also helps reference actors, especially those associated with specific, definable behaviours.

Finding a Penetration Tester Provider That Uses the MITRE ATT&CK Framework

Penetration testing services play an important role in securing your enterprise network since they help you evaluate the security of your IT systems by simulating actual cyberattacks. The provider deliberately tries to break into your systems, devices and data when conducting penetration testing. When choosing a penetration testing partner, we recommend selecting one that uses the MITRE ATT&CK framework.

Penetration testing is not one-size-fits-all.

At Packetlabs, our flexible offerings encapsulate:

• DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team to flag vulnerabilities within your existing detected management systems

• Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization

• Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with your internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts

• Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program

• Compromise Assessments: A Compromise Assessment uncovers past or present threats like zero-day malware, trojans, ransomware, and other anomalies that may go unnoticed in standard automated vulnerability scans

• OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing

• Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack

• Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle

• Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actor

• Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective

• Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment

These are in addition to the Packetlabs Portal, which enables you to quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.

How Penetration Testing Shortens the Average Cyberattack Lifecycle

No organization is immune from cyber threats. When it comes to how long the average cyberattack lasts in 2023, the average across North America, as of 2024, is an estimated 24 days.

However, this is dependent on an organization's cybersecurity efforts. Other stats surrounding the length of cyberattacks include, but are not limited to:

• On average, companies take about 197 days to identify and 69 days to contain a breach according to IBM

• Ahead of the year's close, there have already been 5 billion cyberattacks in 2023 around the globe

• The average cost of a cyberattack has risen by 15% over the past three years, now sitting at a staggering USD $4.45 million

However, ensuring that an organization's cybersecurity is up to regulatory standards can help diminish both the risk of an attack and the financial and reputational losses that may be faced in the wake of a successful one.

Conclusion

By considering the unique needs of their systems and infrastructure, certified ethical hackers in Canada can help you and your team select the most suitable type of security testing.

If you're reading this, you are already in the market for a pentest. Contact our team today for your free, zero-obligation quote or download our Buyer's Guide below to take the next step.