The MITRE ATT&CK Framework: A Misguided Approach in Modern Cybersecurity
By: Gary DeMercurio
Okay, let's cut to the chase. We've all heard about the MITRE ATT&CK framework, right? This big, elaborate map of cyberattack tactics and techniques that's supposed to be the holy grail of cybersecurity for attacking organizations. But let's get real for a second: is this thing actually worth its salt, or are we just playing a high-stakes game of Pin the Tail on the Cyber-Donkey? I'm going to do my best to break it down for you, as I see it as a red teamer, hacker, and generally mischievous person who plays bad guy for a living.
The Guesswork Gala: First off, the whole process of using the MITRE framework feels like a wild goose chase. You're the organization, and instead of handing a professional team the instructions to "do your worst, act like a real attacker," you opt for threat modeling, trying to conjure up who's going to hit you next. Then you jump into the labyrinth of the MITRE ATT&CK framework to pinpoint the attack vectors that someone thinks someone else MIGHT use, based on a guess as to whether that hack really was, or was not, that organization. But let's face it, this is nothing more than sophisticated guesswork that companies charge a mint for, having sold it to organizations as a way to save money, increase security, and fortify the "most likely avenue of attack". This is all according to the company selling it, of course. Convenient, isn't it? The truth is that malicious actors aren't sticking to a script; they're opportunists looking for cracks, not rehashing their greatest hits. How do I know? Myself, my team, my former co-workers, anyone I know who is a red teamer operates this way, because the underground malicious actors operate this way. A few sayings come to mind: "If You Know the Enemy and Know Yourself, You Need Not Fear the Result of a Hundred Battles", "In the Mind of a Hacker, Every Lock is a Challenge", "The Best Defense is a Good Offense". But none of these quite embody red teaming like "Think Like a Thief to Catch a Thief". We (and they) don't think, act, attack, or quite frankly do anything even remotely resembling threat modeling with the MITRE framework. Red teamers live in places like dark web forums; finding places that aren't meant to be found is what makes us tick. I promise you, the real bad guys laugh at this method more than we do. We know because, frankly, we interact with many of them. We straddle that boundary between good and bad, wearing that gray hat, not because it's our job, but because we LOVE secrets, we LOVE knowing.
The Attacker's Guidebook: Then there's this: by laying out all the possible attack methods, aren't we essentially handing over a playbook to the bad guys? Think about it. If you're using MITRE to fortify your defenses, you're also showing attackers what you're guarding against. Not only that, but this method of choosing a threat actor and then guessing what that threat actor's attack is going to be also tells other threat actors which attack NOT to perform. I KNOW they do this, because frankly, WE as red teamers do this. We can and do run threat modeling on an organization, but we do it to see the most likely area they have been pentesting for. So if we as red teamers do it, and we mimic the actions of malicious actors, one would think someone might want to listen. And what about the gaps? Those methods not covered in the framework? You can bet your bottom dollar that's where these cybercrooks will pivot to, because it's where WE pivot to. It's like installing a state-of-the-art lock on your front door but leaving the window wide open, and telling the world that you only check the defense of one vector at a time.
The Blind Spot Dilemma: The MITRE framework and most threat modeling strategies are glaringly blind to the unknown unknowns. They're built on the backbone of what's been caught and cataloged. But what about the attacks that slip through the net, the ones that are never detected, or, much more prevalent, those that are "misdiagnosed"? MITRE and threat modeling can't and don't account for these, and that's a gaping hole in their armor. It's like trying to predict tomorrow's weather with last year's almanac.
So, what's the bottom line? While the MITRE ATT&CK framework might seem like a cybersecurity panacea, and to be fair, it does have its uses, it is far from a good model for organizations to base their pentesting on by picking and choosing attack vectors. Relying on this tool is like playing darts in the dark. You might hit the bullseye, but more often than not, you're just throwing blindly. The MITRE ATT&CK framework is a great tool; it's just being used horribly wrong. In a world where cyber threats are as fluid as water, our strategies need to be just as adaptable, not stuck flipping through pages of what's been done before, or basing an organization's yearly testing on a best guess while leaving everything that someone didn't think about out of the equation.
As a professional red teamer, I implore you to take a hard look at the MITRE ATT&CK framework and our reliance on it. Cybersecurity isn't a static puzzle to be solved; it's a dynamic battleground. Our defenses need to be proactive, not reactive, tailored to the unique contours of our organizations, and perpetually evolving. Anything less is just playing into the hands of those lurking in the shadows, waiting to exploit your next oversight. This doesn't mean that a red team is the cure; it simply means your organization should be tested as close to a real scenario as possible. Coming up with one or two attack vectors based on someone else's guess, which isn't even based on any active intelligence about that organization's current infrastructure, is just absolutely bananas.
As a red teamer and professional, my hope is that others heed this advice. As a malicious actor, and someone who enjoys exploiting an organization to show them how good our team is, I would hope this trend continues, because it makes us look great when we run roughshod over an organization.
Why Caliber Security Partners?
Caliber Security is a thirteen-year-old security services firm; we hire only senior-level and experienced consultants. Our services include web and mobile application security testing, as well as network penetration testing, wireless security testing, social engineering, staff augmentation, and contract-to-hire services.
Please reach out to us if you have any questions or if we can be of any service to you. You can contact us through the web form or by email at info@calibersecurity.com.