In our previous journey, Beyond the Matrix, we learned how to move past the complexity of developing use cases using MITRE ATT&CK. Using the continuous detection/continuous response (CD/CR) workflow that we described in the first blog gives you a clear structure and lets your use of MITRE ATT&CK mature over time. It's time to once again push past the barriers that can hold teams back from fully making use of MITRE ATT&CK. Just like Neo had to choose the red pill to see the truth about the Matrix, I recently got to explore the challenges associated with MITRE ATT&CK further, and how to overcome them, by contributing to a white paper that offers a clear vision for how to leverage ATT&CK effectively: Beyond Checking Boxes: Unlocking the Full Potential of MITRE ATT&CK with Google. Let's dive in together on a few of the lessons that this white paper covers.
Core Challenges
As we previously discussed, implementing the MITRE ATT&CK framework can present several challenges. It's common to experience initial confusion about appropriate starting points and achievable goals. The extensive volume of techniques and sub-techniques can feel overwhelming. Furthermore, structuring effective use cases remains a significant hurdle, often resulting in disjointed ATT&CK adoption. Another significant challenge arises when the critical assets and operating infrastructure are not well understood. This makes it difficult to apply knowledge gained from threat intelligence and to analyze how adversaries might achieve their goals.
Understanding which assets are critical is important for developing effective security measures, including applying the MITRE ATT&CK framework. The process of asset evaluation is a key part of establishing data visibility, which is the first phase of the Continuous Detection/Continuous Response (CD/CR) workflow. When organizations understand their most valuable assets, they are able to focus threat modeling efforts and determine which data sources to prioritize for monitoring. Knowing where key assets are located, how users connect to them, and how security responsibilities are divided within the organization is also necessary. One of the largest challenges when analyzing assets is understanding what those assets are actually being used for. For instance, if you have both VMs and GKE assets, what workloads are they running? Another question that is always important is what segmentation your network architecture uses. These are critical questions to answer if ATT&CK is going to be helpful.
The next challenge that the white paper contemplates is how to apply all of this information. What is the next step now that you have a threat profile, an asset analysis, and MITRE ATT&CK in a practical setting? This is where a lot of teams get stuck. It is one thing to know how an individual technique can be detected, but much more difficult to correlate the information gained from a threat profile with the asset analysis. This is where understanding attack chains is very important. An attack chain is the combination of techniques used by an adversary when attempting to achieve their goal. For instance, if they are trying to achieve lateral movement in your environment, the actual attack chain would include the lateral movement techniques together with those that precede and follow them, which provides a much more refined detection capability. The Technique Inference Engine is a great tool to use when attempting to create possible attack chains from a group of starting techniques.
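To make the attack-chain idea concrete, here is an added Python example (not code from the white paper or from any Google tool) that takes a constructed threat profile, orders its techniques by ATT&CK tactic, keeps the techniques that precede and follow a target tactic such as Lateral Movement, and then checks which of those techniques no collected data source on a given asset class can observe. The technique-to-tactic and technique-to-data-source assignments are simplified for the example, and the asset data sources are assumed.

```python
"""Build an ATT&CK attack chain around a target tactic and check detection coverage."""

# ATT&CK Enterprise tactics in rough kill-chain order (real tactic IDs).
TACTIC_ORDER = [
    "TA0001",  # Initial Access
    "TA0002",  # Execution
    "TA0003",  # Persistence
    "TA0004",  # Privilege Escalation
    "TA0005",  # Defense Evasion
    "TA0006",  # Credential Access
    "TA0007",  # Discovery
    "TA0008",  # Lateral Movement
    "TA0009",  # Collection
    "TA0011",  # Command and Control
    "TA0010",  # Exfiltration
    "TA0040",  # Impact
]

# Constructed threat profile: techniques attributed to a hypothetical actor,
# each with one tactic and the ATT&CK data source(s) that can observe it.
# Tactic and data-source assignments are simplified for the example.
THREAT_PROFILE = {
    "T1566": ("TA0001", {"Application Log"}),                   # Phishing
    "T1059": ("TA0002", {"Process", "Command"}),                # Command and Scripting Interpreter
    "T1003": ("TA0006", {"Process"}),                           # OS Credential Dumping
    "T1018": ("TA0007", {"Network Traffic", "Command"}),        # Remote System Discovery
    "T1021": ("TA0008", {"Logon Session", "Network Traffic"}),  # Remote Services
    "T1071": ("TA0011", {"Network Traffic"}),                   # Application Layer Protocol
    "T1041": ("TA0010", {"Network Traffic"}),                   # Exfiltration Over C2 Channel
}

# Constructed asset analysis: data sources actually collected per asset class.
ASSET_DATA_SOURCES = {
    "gke-workloads": {"Process", "Command", "Network Traffic"},
    "windows-vms": {"Logon Session", "Process", "Application Log"},
}

def attack_chain(profile, target_tactic, window=2):
    """Order the profile's techniques by tactic and keep those within `window`
    tactic steps before or after the target tactic: the chain around the goal."""
    target_idx = TACTIC_ORDER.index(target_tactic)
    ordered = sorted(profile, key=lambda t: TACTIC_ORDER.index(profile[t][0]))
    return [t for t in ordered
            if abs(TACTIC_ORDER.index(profile[t][0]) - target_idx) <= window]

def coverage_gaps(chain, profile, asset_sources):
    """Techniques in the chain that no collected data source on the asset observes."""
    return [t for t in chain if not (profile[t][1] & asset_sources)]
```

Running `attack_chain(THREAT_PROFILE, "TA0008")` yields the Credential Access through Command and Control techniques around Lateral Movement, and `coverage_gaps` then shows that the Windows VM telemetry as configured misses the Discovery and C2 steps of that chain.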
Moving forward with Google's vision
The challenges mentioned in the previous section are a mere layer of the matrix being peeled away. Google Cloud Security tools provide several key methods that can turn these layers of complexity into actionable achievements. In this white paper, we focused on the need to really understand the details of assets, what they are actually being used for, and the need to consider attack chains. But these are just a few pieces of the puzzle of how to move "beyond the matrix." Our paper explores additional challenges that come with leveraging ATT&CK and the vision Google Cloud has to meet them, including:
- Practical strategies for mapping ATT&CK techniques to your own environment.
- Guidance on prioritizing threats based on risk and potential impact.
- Methods for developing proactive detection and response mechanisms.
- Insights into optimizing operational efficiency via automation and streamlined workflows.
- Best practices for fostering collaboration and information sharing.
The intent behind this white paper is to provide actionable recommendations for SOC teams and to turn ATT&CK knowledge into concrete security practices. With that in mind, we're excited to launch a step-by-step guide on how to implement these ideas. Read the full white paper here.