Executive Summary
With the rapid adoption of cloud computing, new security challenges have emerged for all enterprises. We surveyed and interviewed leading security professionals to investigate how they assess and confront these challenges, including rapidly changing technology and business models, ambiguity between cloud providers and purchasers of cloud services about their shared responsibilities for security, and the need to manage threats in the cloud that are intertwined with on-premises and hybrid environments.
A strong majority of our research subjects believe that a unified investigation framework covering both cloud and on-premises environments would improve their processes and outcomes by giving them a single integrated view for threat investigation. Such frameworks exist, but their overall utility is limited by several perceived shortcomings, most notably a lack of interoperability with security tools, which impedes automation.
The MITRE ATT&CK® framework is the most widely adopted at present, and many enterprises are moving toward broader adoption as the framework improves its integration and automation capabilities. Further improvement in these areas would let firms take advantage of the efficiencies of cloud computing with more confidence.
Key findings from the report include:
- Adversary techniques are executed against nearly all enterprises in the cloud: 81% of organizations experience adversary techniques found in the ATT&CK Matrix for Enterprise covering cloud-based techniques (Cloud Matrix); 58% of all enterprises experience the “Initial Access” phase of an attack on a monthly basis.
- Enterprises use the ATT&CK framework to determine gaps in currently deployed security products and for other important tasks: Fifty-seven percent of global respondents believe the ATT&CK framework is helpful for determining gaps in currently deployed security tools. Fifty-five percent recommend the framework for security policy implementation, and 54% find the framework useful for threat modeling.
- The ATT&CK for Cloud matrix is widely adopted: Sixty-three percent of the large- and medium-sized enterprises we surveyed use both the Cloud Matrix and the Enterprise Matrix (Windows/macOS/Linux) in their security operations centers.
- Large- and medium-sized enterprises are not fully confident that their security products detect all techniques in the ATT&CK matrices: Only about 49% of respondents feel highly confident in the ability of their security products to detect the adversary tactics and techniques in each of the ATT&CK matrices.
- The biggest challenge with ATT&CK framework implementation is its lack of interoperability with security products: 45% of global survey respondents identify the lack of interoperability with their security products as the biggest challenge with the ATT&CK framework, and 43% cite the challenge of mapping event data to tactics and techniques.
- A large percentage of enterprises do not correlate events from the cloud, networks, and endpoints to investigate threats: Only 39% of enterprises incorporate events from all three environments (cloud, network, and endpoints) when investigating threats.
- The ATT&CK framework can increase confidence in cloud security and adoption: Eighty-seven percent of survey respondents agree that adopting the ATT&CK for Cloud matrix will improve cloud security in their organizations. Seventy-nine percent say it would also make them more comfortable with cloud adoption, and 69% agree that they would be more comfortable with outsourcing their security operations center to a third-party provider that uses the ATT&CK framework.
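Two of the findings above, the difficulty of mapping event data to tactics and techniques and the fact that most enterprises do not correlate cloud, network and endpoint events, are easier to reason about with a concrete instance. The following is an added example written for this summary; it is not code from the report or from any of the surveyed organizations. The events, account names, IP addresses, hostnames and detection thresholds are all constructed. The technique IDs (T1110, T1078.004, T1059.001, T1048) are real ATT&CK identifiers, but the rules that assign them here are illustrative heuristics chosen for the example, not an authoritative or vendor-supplied mapping.

```python
"""Map constructed cloud, endpoint and network events to ATT&CK technique IDs,
then correlate the resulting hits per account across all three telemetry sources.
Added example; events, thresholds and rules are illustrative, not real detection content."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real environment). "source" records
# which environment produced the event so the correlation step can check coverage.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T09:00:00", "source": "cloud", "event": "ConsoleLogin", "result": "Failure", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2023-05-01T09:00:10", "source": "cloud", "event": "ConsoleLogin", "result": "Failure", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2023-05-01T09:00:20", "source": "cloud", "event": "ConsoleLogin", "result": "Failure", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2023-05-01T09:00:40", "source": "cloud", "event": "ConsoleLogin", "result": "Success", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2023-05-01T09:05:00", "source": "endpoint", "event": "ProcessCreate", "user": "alice", "host": "wks-12",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2023-05-01T09:07:00", "source": "network", "event": "Flow", "user": "alice", "host": "wks-12",
     "dst_port": 4444, "bytes_out": 850_000_000},
    # bob only ever produces an endpoint hit, so he is dropped by the cross-source correlation.
    {"ts": "2023-05-01T12:00:00", "source": "endpoint", "event": "ProcessCreate", "user": "bob", "host": "wks-31",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc ZQBjAGgAbwA="},
]

# Real ATT&CK identifiers; the thresholds below are assumptions made for this example.
TECHNIQUES = {
    "T1110": "Brute Force (Credential Access)",
    "T1078.004": "Valid Accounts: Cloud Accounts (Initial Access)",
    "T1059.001": "Command and Scripting Interpreter: PowerShell (Execution)",
    "T1048": "Exfiltration Over Alternative Protocol (Exfiltration)",
}
BRUTE_FORCE_FAILURES = 3                   # failed logins from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... inside this window
EXFIL_BYTES = 500_000_000                  # outbound volume on a non-web port (loose heuristic)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def map_events(events):
    """Return technique hits as (timestamp, user, source, technique_id) tuples."""
    hits = []
    failures_by_ip = defaultdict(list)  # stateful rule: recent failed logins per source IP
    for ev in sorted(events, key=_ts):
        t, src = _ts(ev), ev["source"]
        if src == "cloud" and ev["event"] == "ConsoleLogin":
            ip = ev["src_ip"]
            # forget failures that have aged out of the window
            failures_by_ip[ip] = [f for f in failures_by_ip[ip] if t - f <= BRUTE_FORCE_WINDOW]
            if ev["result"] == "Failure":
                failures_by_ip[ip].append(t)
                if len(failures_by_ip[ip]) == BRUTE_FORCE_FAILURES:
                    hits.append((t, ev["user"], src, "T1110"))
            elif len(failures_by_ip[ip]) >= BRUTE_FORCE_FAILURES:
                # a success right after a burst of failures: the guessed credential worked
                hits.append((t, ev["user"], src, "T1078.004"))
        elif src == "endpoint" and ev["event"] == "ProcessCreate":
            if ev["image"].lower() == "powershell.exe" and "-enc" in ev["cmdline"].lower():
                hits.append((t, ev["user"], src, "T1059.001"))
        elif src == "network" and ev["event"] == "Flow":
            if ev["bytes_out"] >= EXFIL_BYTES and ev["dst_port"] not in (80, 443):
                hits.append((t, ev["user"], src, "T1048"))
    return hits


def correlate(hits, window=timedelta(hours=1), min_sources=3):
    """Group hits per account inside a time window and keep only accounts whose hits
    span at least `min_sources` environments (cloud, network, endpoint)."""
    by_user = defaultdict(list)
    for h in sorted(hits):
        by_user[h[1]].append(h)
    result = {}
    for user, user_hits in by_user.items():
        first = user_hits[0][0]
        in_window = [h for h in user_hits if h[0] - first <= window]
        sources = {h[2] for h in in_window}
        if len(sources) >= min_sources:
            result[user] = {"sources": sorted(sources), "chain": [h[3] for h in in_window]}
    return result


if __name__ == "__main__":
    for user, info in correlate(map_events(SAMPLE_EVENTS)).items():
        print(user, info["sources"], " -> ".join(f"{t} {TECHNIQUES[t]}" for t in info["chain"]))
```

Run stand-alone, the script reports only alice, whose hits span all three environments and read as a tactic sequence (Credential Access, Initial Access, Execution, Exfiltration); bob's lone PowerShell hit is exactly the kind of single-source signal an investigation that never joins cloud, network and endpoint telemetry would have to judge in isolation. Lowering `min_sources` shows what that partial view looks like.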