Disrupting Adversary Behavior with Recorded Future and MITRE ATT&CK

Posted: 27th May 2021

“The best defense is a good offense,” is one of those phrases that has been around for so long that it’s hard to properly attribute. The gist is simple: if you’re always on the defensive then you’re never gaining ground or making progress. It’s easy to apply this phrase to all sorts of fields and disciplines—sports, combat, board games, etc.—but have you ever thought about how it applies to intelligence, and specifically stopping threat actors?

Taking an offensive or proactive approach to the risks, threat actors, and vulnerabilities that pose a threat to your organization means having a deep understanding of each attack vector and detecting the opportunity to strike and mitigate a threat.

The Importance of Focusing on Adversary Behavior

If you really want to protect your organization from adversaries it’s necessary to understand their behavior and the strategies they employ. Because only by knowing by which methods they’ll attack will you be able to prepare. When you understand adversary behavior you can position your resources to detect, mitigate, and kick out a threat before something bad like data destruction or exfiltration happens.

Of course, if it were easy to detect and mitigate adversaries then there would be very few successful attacks and the security industry would be much smaller. But adversaries are constantly shifting email addresses, IPs, and the infrastructure they use to carry out their attacks. So the best way to get ahead of threats and protect your organization is to learn about relevant adversary behavior. Behavior is more inherent to how a threat operates and is harder for adversaries to change. Successfully mitigating the behavior forces threat actors back to the drawing board to develop new strategies—a good outcome because now they’ve been successfully repelled.

The big challenge that comes with identifying adversary behavior is prioritization. When a number of threats or behaviors have been identified, how do you choose which ones to prioritize and focus on?

MITRE ATT&CK and Recorded Future Provide Essential Prioritization

The MITRE ATT&CK Framework is a publicly accessible catalogue of threat actor behaviors, which are mapped to several hundred unique alphanumeric identifiers.

When used properly, ATT&CK provides immense value as a bridge between the strategic and operational levels of security intelligence. It enables organizations to clearly operationalize the work of a cyber threat intelligence team, and to discretely measure these intelligence-informed operational outcomes.

ATT&CK provides an inventory of actor behaviors, which allows the security community (researchers and practitioners) to speak in the same language and work together to understand the behavior—and ultimately devise strategies for thwarting attacks.

The best way to use ATT&CK is to incorporate the framework as a central part of your security intelligence program. The framework empowers you to proactively strengthen your network defenses.

For example, Recorded Future intelligence now maps to the latest MITRE ATT&CK framework, giving clients a precise picture of adversary tactics and techniques. When you combine the power of Recorded Future intelligence with the ATT&CK framework you unlock insights into adversary behavior—and most importantly you can more effectively prioritize which threats to defend against.

Recorded Future’s unique blend of human analyst, open source, and technical data mapped to ATT&CK is unparalleled. This approach blends automatic ingestion and analysis of source data to provide a broader understanding of adversary behavior, and constantly updating information. This practical intelligence expertise helps organizations like yours apply adversary intelligence to achieve operational outcomes.

Understanding adversary behavior is crucial for all security teams—deciphering the tactics and strategies threat actors are employing allows your teams to position your organization in the correct way for defense, and act during the critical windows of opportunity that exist to block attacks. The MITRE ATT&CK framework is an incredibly powerful tool for studying adversary behavior, but to really unlock true insight that allows you to prioritize and act swiftly, you should pair the framework with an intelligence platform that gives you the insights necessary to achieve operational success.

For a more complete overview of mitigating adversary behavior, the MITRE ATT&CK framework, and pairing ATT&CK with an intelligence platform, watch this webinar.