How to apply attack surface management to the Mitre ATT&CK framework?
May 4, 2022
One question has cropped up frequently since we started our Glasstrail beta program.
That is: How does attack surface management fit into the Mitre ATT&CK framework?
Before we launch into this, let’s take a step back and outline the Mitre ATT&CK framework and how it helps businesses select the tools that make up their organisational security framework. After all, the security landscape is constantly changing, and as attacks become more sophisticated, mitigations need to be re-evaluated to ensure they keep up.
However, if you’re short on time and just need the answer, scroll down a section or two.
What is the Mitre ATT&CK framework?
Mitre ATT&CK is an open framework and knowledge base of adversary tactics based on actual observations and events. Its beauty lies in how it classifies attack types and techniques to better understand their intent. With a section dedicated to every stage of the attack lifecycle, you can use it to understand security risk, identify areas for improvement, and verify that remedies work as expected.
Essentially, it’s a systematic and independent way to understand how attacks come about and see where your existing tools and processes provide protection and where there might be gaps.
It’s widely agreed that it’d be impractical to build out security defences to address every section and tactic on the ATT&CK framework. Identifying and prioritising the types of attacks and remedies most relevant to your business, technology and partner stack makes greater sense.
Where does Attack Surface Management fit into Mitre ATT&CK?
Using the framework, Attack Surface Management fits into the Reconnaissance section. This very first phase of the framework focuses on identifying the information an adversary could gather that they could then use in future attacks. It follows that mitigation is about understanding and limiting the usefulness of information available.
An external attack surface is all the information available about your organisation on the internet - from servers to services, and IPs to user accounts. Building up this information without external support would be very difficult and time-consuming.
Attack surface management tools give you this information and identify the opportunities that adversaries may have, as well as prioritising them for remediation.
Glasstrail is a reconnaissance tool
Glasstrail identifies what adversaries can find out about an organisation when it performs reconnaissance. It stands out from other tools by:
- Intelligent scanning: Our smart scanning technology scans over 20 different sources, looking for over 40 types of security signals across your organisation. Findings are prioritised, and the action required is explained in plain language – so even if you’re not a security professional, you can still take steps to improve your security.
- Intelligent discovery: Security tools such as vulnerability scanners typically rely on you telling the tool where to look. Glasstrail uses the initial information you give it to discover internet assets you might not even have known about – and then lets you scan those too.
- Keeping on top of a changing landscape: The attack surface doesn’t stay static, so Glasstrail runs weekly scans and highlights what’s new and important, making you the first to know about changes.
- Accessibility: Designed for mid to large organisations, Glasstrail can be used either by in-house security teams or by preferred security partners on your behalf.
If you’d like to find out more about how Glasstrail could work for you, please get in touch.