Determine, Prioritize, and Compare the Most Observed MITRE ATT&CK® Techniques

Kellyn Wagner Ramsdell
Published in MITRE-Engenuity, Jun 20, 2022

Written by Kellyn Wagner Ramsdell and Jon Baker

Determining the Most Observed MITRE ATT&CK® Techniques

When we see lists of Top MITRE ATT&CK® Techniques, it is tempting to combine these lists to begin prioritizing defenses. However, combining multiple lists can result in flawed prioritization. Many factors impact which ATT&CK techniques end up on a vendor’s top ATT&CK list. Figure 1 is a start at understanding these many factors.

Figure 1 Considerations for Determining Top ATT&CK Techniques (the figure lists the factors that shape a vendor's top list: mapping process, coverage, quality, focus, scale, visibility, and data analysis)

Combining ATT&CK technique observations on the data side rather than on the results side can lead to more accurate prioritization. Bringing data from diverse sources together allows accurate tallying of technique prevalence, data normalization, and a reduced visibility bias. In the first Sightings Ecosystem report, the Center for Threat-Informed Defense (Center) generated a list of the most observed techniques from the data side by using data from ConnectWise Cyber Research Unit, FirstEnergy Corp, Red Canary, and others. The combined top 15 ATT&CK techniques list (shown in Figure 2) differed significantly from each company's individual top techniques list, reflecting their different visibility and different mapping processes.

Figure 2 Top ATT&CK Techniques from the Sightings Ecosystem (graphic from the Center's Sightings Ecosystem report listing the top 15 techniques found in the project)

Join Us! The Center is recruiting additional companies for the next round of the Sightings Ecosystem. If you are interested in helping create a community-wide list of the most observed techniques, email the Center at ctid@mitre-engenuity.org. The community needs a unified list of the most observed ATT&CK techniques, and we look forward to working with you to build it.

Need Help Prioritizing Right Now?

The future of the Sightings Ecosystem does not help organizations that need help prioritizing defenses now. For these organizations, there are several options depending on the amount of information and time available to implement.

  • Build prioritization buckets rather than a list. Vendors all use different methodologies to detect and label ATT&CK techniques, but everything they report is based on what they see. Combining multiple lists to understand the most broadly reported techniques is therefore still a useful starting point. While vendors often rank the techniques, organizations can build buckets of techniques that are highly ranked on lists or appear in multiple lists. After building a bucket of techniques, organizations can start understanding what each technique will look like in their organization in order to build effective defenses.
  • Do not have time to search across vendors? Consider using the Sightings Ecosystem list. It is built from multiple organizations’ data, so it overcomes some visibility biases. Using the Top ATT&CK Techniques calculator, you can even customize the technique list to identify which techniques will be most impactful to your organization. The calculator allows organizations to consider choke points and actionability alongside prevalence. The formula used by the calculator is displayed in Figure 2.
  • Build your own list. Organizations who already map adversarial behaviors in their environment can simply prioritize defenses based on their own list. For these organizations, though, it may still be helpful to compare observed techniques to lists of top techniques. This comparison may reveal gaps in detections.
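As an added example (not code from the Center or from any vendor), the script below builds the prioritization buckets described above from constructed sample lists: sub-techniques are rolled up to their parent so lists of different granularity can be compared, and each technique is bucketed by its best rank and by how many lists it appears on.

```python
"""Bucket ATT&CK techniques that are highly ranked or appear on several
vendor top-technique lists. Added example; not code from the Center or
any vendor. The lists below are CONSTRUCTED sample data, not the real
vendor rankings discussed in the post."""
from collections import defaultdict

# Constructed sample lists: vendors rank differently, and some report
# sub-techniques (T1059.001) while others report only the parent (T1059).
SAMPLE_LISTS = {
    "vendor_a": ["T1027", "T1059.001", "T1055", "T1003", "T1105"],
    "vendor_b": ["T1059", "T1027", "T1547.001", "T1021.001"],
    "vendor_c": ["T1566.001", "T1027", "T1105", "T1003.001"],
}


def parent_technique(tid: str) -> str:
    """Normalise a sub-technique id (T1059.001) to its parent (T1059)
    so lists built at different granularity can be compared."""
    return tid.split(".")[0]


def bucket_techniques(lists, top_n=3, min_lists=2):
    """Return three buckets of parent technique ids:
    - "consensus": on every list (the strongest candidates to address first)
    - "high_priority": in the top_n of at least one list, or on >= min_lists lists
    - "observed": everything else
    Rank positions are 1-based; sub-techniques are rolled up to parents."""
    best_rank = {}
    seen_on = defaultdict(set)
    for vendor, ranked in lists.items():
        for pos, tid in enumerate(ranked, start=1):
            parent = parent_technique(tid)
            best_rank[parent] = min(best_rank.get(parent, pos), pos)
            seen_on[parent].add(vendor)

    buckets = {"consensus": [], "high_priority": [], "observed": []}
    for tid in sorted(best_rank):
        count = len(seen_on[tid])
        if count == len(lists):
            buckets["consensus"].append(tid)
        elif best_rank[tid] <= top_n or count >= min_lists:
            buckets["high_priority"].append(tid)
        else:
            buckets["observed"].append(tid)
    return buckets


if __name__ == "__main__":
    for name, techs in bucket_techniques(SAMPLE_LISTS).items():
        print(f"{name}: {', '.join(techs)}")
```

Tighten `top_n` and `min_lists` to shrink the high-priority bucket when the team can only work a few techniques at a time.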

How do the various lists really compare?

Top ATT&CK technique lists can vary greatly. From the number of techniques provided to whether sub-techniques are included, companies make a lot of decisions when compiling their lists. More importantly for choosing lists to inform defense prioritization, each vendor has a vastly different perspective. These distinct perspectives are clear when comparing across lists as below. Looking at six different technique lists spanning 44 techniques and sub-techniques, only one technique, Obfuscated Files or Information [T1027], appears in every list.

The major differences between each company are clear when looking at the numbers side by side. However, each list is then further based on a different number of customers and observations of each technique. Some companies producing ATT&CK technique lists are even building their lists using more data than the first version of the Sightings Ecosystem, but their data only contains insights for that company's customers. Combining lists on the data side can resolve many of these issues by providing an accurate count of technique observations across all the companies and their customers. While the Center works to build a unified list of technique sightings on the data side, organizations can start by looking at those techniques which appear in multiple lists. Understand what those techniques look like and leverage tools like the Center's National Institute of Standards and Technology (NIST) Special Publication 800–53 mappings to ATT&CK or MITRE's Cyber Analytics Repository (CAR) to build detections and controls for a threat-informed defense.

Figure 3 Comparing Six Lists of Top ATT&CK Techniques (a spreadsheet comparing the top techniques reported by the Center's Sightings Ecosystem report, Red Canary, Mandiant, Recorded Future, PwC, and Picus)

*Mandiant reported a tie for the tenth most frequently seen technique.

**Recorded Future and PwC only stated the most common techniques. They did not provide the techniques in a numbered list.

Center projects mentioned in this blog: Sightings Ecosystem, Top ATT&CK Techniques, and NIST SP 800–53 to ATT&CK mappings.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0050.

Sources:

[1] https://f.hubspotusercontent20.net/hubfs/7754670/Center%20for%20Threat%20Informed%20Defense/CTID-Sightings-Ecosystem-Report.pdf?utm_referrer=https%3A%2F%2Fctid.mitre-engenuity.org%2F

[2] https://redcanary.com/threat-detection-report/

[3] https://www.mandiant.com/m-trends

[4] https://www.recordedfuture.com/2021-malware-and-ttp-threat-landscape

[5] https://cloud.email.pwc.com/yir-cyber-threats-annex

[6] https://www.picussecurity.com/resource/blog/red-report-2021-top-ten-attack-techniques
