The MITRE Center for Threat-Informed Defense, Microsoft, and other industry partners collaborated on a project that created a repeatable methodology for developing a top MITRE ATT&CK® techniques list. The method aims to facilitate navigation of the ATT&CK framework, which could help new defenders focus on critical techniques relevant to their organization’s environment, and aid experienced defenders in prioritizing ATT&CK techniques according to their organization’s needs.
The ATT&CK framework provides an extensive list of specific techniques that may be challenging to navigate in certain situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. For example, using research on 22 ransomware attacks, the repeatable methodology led to the identification of the top 10 ransomware techniques list.
The project also included the development of a customizable, web-based calculator that seeks to prioritize techniques based on a defender’s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:
This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization’s unique environment. This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.
Establishing the top ATT&CK techniques
The methodology for identifying the top ATT&CK techniques factored in three attributes to determine the