Should I RE&CT or ATT&CK?

Vidura Supun Ehalapitiya · June 8, 2020

ATT&CK and RE&CT!? What's That?

Both ATT&CK and RE&CT are frameworks that help anyone in the security industry, whatever the colour of your hat, understand how an infrastructure gets attacked and how it gets defended. Both provide a shared body of knowledge that lets you see the big picture of the cyber kill chain from several angles: the attacker's viewpoint as well as the defender's.

So basically each is an ever-evolving, up-to-date database of tactics, techniques and procedures (TTPs) that can be used in a myriad of ways depending on the role of the user.

The ATT&CK and RE&CT frameworks could be explained in great detail over hundreds of pages, but the focus of this article is to take you from 0 to 1 and give you a "why" for getting familiar with them.

Source: https://www.exabeam.com/information-security/cyber-kill-chain/

More on MITRE ATT&CK

MITRE ATT&CK was started in 2013, and it is the mother of all TTP collections on the internet. The framework is built from a few basic components:

  • Tactics
  • Techniques
  • Mitigation
  • Groups
  • Software

Even though these are five different categories, they are interlinked into a mesh: a group is tied to the software it uses, the software to the techniques it implements, each technique to the tactic it serves and to the mitigations that counter it. That cross-referencing is what makes ATT&CK a formidable weapon, even against APTs, when it is used properly. As an example, a threat hunter can use it to formulate a methodology for a hunt by mapping it onto the diamond model (coming soon).

Source: https://attack.mitre.org/matrices/enterprise/

Something we can't forget about the framework is the ATT&CK Navigator, the interactive technique matrix that lets you focus on and prioritise the TTPs that apply to a particular infrastructure rather than the whole framework. It does not end there; the potential of the Navigator depends on the imagination of the analyst. As an example, if you are investigating a breach at a financial institution, or trying to secure one, narrowing the matrix down to the techniques used by financially motivated groups such as the FIN groups makes the job a whole lot easier.

Source: https://mitre-attack.github.io/attack-navigator/enterprise/#
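The "focus on a subset of the matrix" idea above is usually realised by feeding the Navigator a layer file. As an added example (not code from the original article, MITRE or the ATT&CK project), the script below builds such a layer in Python: it scores each technique by how many of the selected groups use it, colours the matrix accordingly, and lists the techniques none of your current detections cover. The group-to-technique mapping is constructed for illustration and is not real threat intelligence; the technique IDs are real enterprise ATT&CK IDs, the group names are made up, and the version numbers in the layer header are assumptions that you should match to the Navigator build you actually use.

```python
"""Build an ATT&CK Navigator layer highlighting techniques used by selected groups.

Added example, not from the original article or from MITRE. The mapping below
is CONSTRUCTED for illustration and is not real threat intelligence; look the
real group/technique relationships up on attack.mitre.org.
"""
import json
from collections import Counter

# Constructed sample: technique IDs are real ATT&CK enterprise IDs
# (T1566 Phishing, T1059 Command and Scripting Interpreter, T1078 Valid
# Accounts, T1003 OS Credential Dumping, T1021 Remote Services); the group
# names and which techniques they "use" are made up for this example.
GROUP_TECHNIQUES = {
    "GroupA": ["T1566", "T1059", "T1078", "T1003"],
    "GroupB": ["T1566", "T1059", "T1021"],
    "GroupC": ["T1078", "T1021", "T1003"],
}


def technique_scores(groups, selected):
    """Count how many of the selected groups use each technique.

    Returns {techniqueID: score}; a technique used by every selected group
    gets the highest score and is the one to prioritise first.
    """
    counts = Counter()
    for name in selected:
        counts.update(groups[name])
    return dict(counts)


def uncovered(scores, covered_techniques):
    """Techniques the selected groups use that no existing detection covers.

    covered_techniques is the set of technique IDs you already detect;
    the result is the detection gap, sorted for stable output.
    """
    return sorted(tid for tid in scores if tid not in covered_techniques)


def build_layer(name, scores, description=""):
    """Return a Navigator layer (as a dict) in the layer-file JSON format.

    The 'versions' values are assumptions for this example; the Navigator
    warns when they do not match the build that imports the file.
    """
    max_score = max(scores.values(), default=0)
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [
            {
                "techniqueID": tid,
                "score": score,
                "comment": f"used by {score} selected group(s)",
            }
            for tid, score in sorted(scores.items())
        ],
        # White for unused, red for the most-shared technique.
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max_score,
        },
        "hideDisabled": True,
    }


if __name__ == "__main__":
    scores = technique_scores(GROUP_TECHNIQUES, ["GroupA", "GroupB"])
    gap = uncovered(scores, {"T1566", "T1059"})   # constructed detection set
    layer = build_layer(
        "Selected groups",
        scores,
        "Constructed example layer; detection gap: " + ", ".join(gap),
    )
    print(json.dumps(layer, indent=2))
```

Save the printed JSON to a file and import it through the Navigator's "Open Existing Layer" option; the scored techniques light up and everything else is hidden because of `hideDisabled`. The same layer-generation approach works for the RE&CT navigator, which is built on the ATT&CK Navigator, with response action IDs in place of technique IDs.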

To list a few domains where ATT&CK comes in handy:

  • Threat intelligence
  • Attack detection and analysis
  • Adversary emulation and Red teaming
  • Assessments and engineering

Cool stuff, right? So what's this RE&CT?

RE&CT is an offspring of ATT&CK that is focused entirely on incident response and its stages (preparation, identification, containment, eradication, recovery and lessons learned) instead of the generic cyber kill chain: where ATT&CK catalogues what the adversary does, RE&CT catalogues the response actions the defender can take. It can be used for:

  • Gap identification, i.e. finding the response actions your team cannot yet perform
  • Better incident response capabilities

RE&CT also comes with a navigator that can be used for prioritisation, just like ATT&CK.

Source: https://atc-project.github.io/react-navigator/

ATT&CK or RE&CT?

Well, why not both?

These two frameworks share the same structure but are built for different roles: ATT&CK describes the adversary's behaviour, RE&CT the responder's actions. Being familiar with both and using them together gives you an extra edge over the adversaries, and helps you be proactive so that you can prevent incidents altogether.

Mitre ATT&CK: https://attack.mitre.org/

RE&CT: https://atc-project.github.io/atc-react/
