
Limitations of the MITRE ATT&CK Framework for Modern Defense

February 16, 2026


One thing I like about the MITRE ATT&CK Framework is how clearly it shows attackers using living off the land (LOTL) techniques. Those of us who were investigating nation-state advanced persistent threat (APT) groups in the early days watched this shift happen in real time.

As defenders got better at quickly detecting custom malware, adversaries found they could reach their goals at a lower cost and with less risk by using tools already built into the operating systems in their target environment, such as Windows, Linux, and macOS. This change in approach led to an arms race for weaponizing operating system tools that is still underway.

The downside of the MITRE ATT&CK framework is that different techniques vary in detection efficacy. The majority fall into what I call “dual-use techniques.” These are tools or actions that both real users and attackers might use to access your system.

From the defender’s view, knowing which attack techniques are most useful in detecting bad activity is important. This helps in planning a logging and detection strategy.

I’ll explore how the attacker’s need to stay undetected, and the defender’s ability to spot malicious behavior, mirror the game of "Red Light, Green Light" in Squid Game. In this game, you must move and avoid detection to survive.

What Squid Game teaches us about MITRE ATT&CK techniques

In the popular Netflix series, Squid Game, contestants play deadly versions of children's games. The first game, Red Light, Green Light, uses a larger-than-life porcelain doll, with Terminator-like cameras for eyes, as the caller.

Players can move toward the goal if the doll’s head is turned away. If it sees players move when it turns back around, they are dramatically removed from the game. The doll’s eyes use vision-based motion detection to see if players are moving. Contestants must find a method to get through the challenge and move on to the next round. Sound familiar?

In the world of SecOps, defenders are the giant, menacing doll. Attackers are the players. If the defender sees the attacker moving, they get eradicated from the network (in less dramatic fashion than the TV show). The game from the attacker’s perspective is to get to the finish line without being seen.

In Squid Game, players learned to cover their mouths. This way, the doll couldn't see them talking to each other. They also learned to shield each other’s movements. A player standing still at the front of a line could hide moving players behind them. They found a way around the doll to make it to the end.

In our ongoing SecOps arms race, attackers know that using custom tools makes them easier to find. However, living off the land allows them to mask their movements in the noise of legitimate activity and stay hidden from security tools.

Evolving the MITRE ATT&CK Framework to build a better doll

When the MITRE ATT&CK Framework launched in 2015, it provided a shared way of addressing the problem defenders were facing.

Over time, it has grown beyond the original enterprise matrix. It now includes mobile, cloud, and industrial control systems (ICS) techniques, and adds detailed information about data sources, threat actor groups, malware, and attack campaigns. It might just be my favorite artifact of the security industry.

The rest of the industry would agree. Every security product or service now has an ATT&CK tagging or mapping feature to tie its outcomes back to the model everyone understands. A side effect of this work is that every major security tool is looking for behaviors instead of indicators of compromise (IOCs).

This is important because attackers can easily change their tools or settings to avoid IOCs. However, it is much harder for them to avoid using ATT&CK behaviors if they want to succeed.

It’s the Squid Game equivalent of adding infrared, x-ray vision, and voice-isolating microphones to the doll so it can catch those sneaky players.

For the first time in security history, we had a clear way to classify attacker behavior. An entire industry supported this single model with enthusiasm. It’s a perfect storm.

What could possibly go wrong?

Missing context creates gaps

Many of the problems with ATT&CK occur because we, as security experts, attempted to use it for problems it was not designed to solve.

The most glaring gap is that the model doesn't show how closely each technique relates to attack activity. In a perfect world, the model would label each technique red, yellow, or green, indicating whether that technique has a high, medium, or low correlation to attack activity.

Instead, the model treats them all the same. Our SecOps doll is effectively colorblind. To illustrate the problem, let’s look at a couple of examples.

Boot or Logon Initialization Scripts

Boot or Logon Initialization Scripts (T1037) is a collection of sub-techniques describing methods that allow scripts and applications to launch when the system boots or when a user logs on. Attackers use this technique all the time to survive the reboot of a system they have access to.

You should definitely pay attention to what is running on boot or login. However, system administrators use this technique for a variety of legitimate uses, including launching kiosks in the correct state on reboot, launching background processes critical to keeping the business running, and starting endpoint security tools as early as possible in the boot cycle.

NTFS File Attributes

Attackers are using alternate data streams (ADS) to hide data, scripts, and malware from defenders. It’s part of the sub-technique NTFS File Attributes (T1564.004), which is also used by Windows to ensure compatibility with Apple’s HFS and to store metadata for enterprise tools, including backup systems.

As I mentioned earlier, almost every product and service has the ability to log ATT&CK techniques, which is great. The unintended consequence is that most alerts generated for these behaviors are simply flagging legitimate activity.

The false positive rate is exceptionally high for these alert streams. The industry has effectively created a high-tech doll that can see through solid objects but can’t pick out the greenish uniforms from the reddish dirt of the play field. Too many players are making it to the next round. This is great for a serial TV drama, but bad for network defenders.

ATT&CK technique scoring

The most obvious solution is for someone to go through the entire ATT&CK taxonomy, annotating each technique and sub-technique with a score based on how highly the technique correlates to attack activity. A first pass could even be done in a reasonable amount of time. However, the threat landscape changes constantly, so this would present a maintenance nightmare for whoever takes it on.

The vendor space seems to have settled on correlation rules and risk-based analytics (RBA) as viable solutions. They do a much better job than raw alerts, but can still present a high authorship and maintenance burden for SecOps teams because they are sensitive to what normal looks like in any given enterprise.

For our Managed Detection & Response (MDR) clients, we use prevalence as a shortcut for red, yellow, and green tagging. As our threat researchers monitor the landscape, we calculate how frequently each technique is being used by current attackers in current attack campaigns.

The risk for a given technique increases or decreases based on how prevalent a technique is. While this process also presents a significant maintenance burden, it is easier than the “obvious” solution because it is a data-driven model that can be calculated through automated processes.
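As an added illustration of the prevalence shortcut described above (example code, not Cyderes’s own tooling or data), this Python sketch computes each technique’s prevalence across a constructed set of campaigns, buckets it into red, yellow, or green, and then discounts alerts whose artifact matches a constructed per-enterprise baseline of routine activity, which is the “what normal looks like” problem raised earlier. The technique IDs are real ATT&CK identifiers; the campaigns, thresholds, baseline entries, and alerts are all constructed.

```python
from collections import Counter, namedtuple

# Constructed sample data: which ATT&CK techniques each recently observed
# campaign used. Campaign names and usage are illustrative, not real research.
CAMPAIGN_TECHNIQUES = {
    "campaign-A": {"T1059.001", "T1003", "T1037"},
    "campaign-B": {"T1059.001", "T1003"},
    "campaign-C": {"T1059.001", "T1564.004"},
    "campaign-D": {"T1003", "T1059.001"},
    "campaign-E": {"T1037"},
}

# Constructed per-enterprise baseline: (technique, artifact) pairs that were
# routine during a quiet period, e.g. the kiosk launcher mentioned in the text.
BASELINE = {
    ("T1037", r"C:\kiosk\start-kiosk.ps1"),
    ("T1564.004", "Zone.Identifier"),
}

Alert = namedtuple("Alert", "host technique artifact")

def technique_prevalence(campaigns):
    """Fraction of current campaigns in which each technique appears."""
    counts = Counter(t for techs in campaigns.values() for t in techs)
    return {t: c / len(campaigns) for t, c in counts.items()}

def color_for(prevalence, red_at=0.6, yellow_at=0.3):
    # Red/yellow/green tag derived from prevalence rather than hand annotation.
    if prevalence >= red_at:
        return "red"
    return "yellow" if prevalence >= yellow_at else "green"

def score_alert(alert, prevalence, baseline, familiar_discount=0.2):
    """Prevalence-driven risk, discounted when this artifact is normal here."""
    p = prevalence.get(alert.technique, 0.0)
    familiar = (alert.technique, alert.artifact) in baseline
    return round(p * (familiar_discount if familiar else 1.0), 3)

def triage(alerts, campaigns=CAMPAIGN_TECHNIQUES, baseline=BASELINE):
    """Return (score, color, alert) tuples, highest risk first."""
    prev = technique_prevalence(campaigns)
    scored = [(score_alert(a, prev, baseline), color_for(prev.get(a.technique, 0.0)), a)
              for a in alerts]
    return sorted(scored, key=lambda s: s[0], reverse=True)

SAMPLE_ALERTS = [  # constructed; artifact = whatever the detection rule matched
    Alert("kiosk-01", "T1037", r"C:\kiosk\start-kiosk.ps1"),
    Alert("ws-17", "T1037", r"C:\Users\Public\update.vbs"),
    Alert("ws-22", "T1564.004", "Zone.Identifier"),
    Alert("srv-03", "T1003", "lsass.exe"),
]
```

Calling `triage(SAMPLE_ALERTS)` ranks the unfamiliar T1037 script above the baselined kiosk launcher, even though both carry the same yellow technique tag; the same prevalence recomputation can be scheduled against live campaign data so the tags track the landscape automatically.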

Agentic AI, combined with alert correlation, has provided a better solution. The current crop of models with reasoning capability is very good at using the context available in correlated cases to provide complete analysis and, in some cases, to make accurate decisions. However, the power and accuracy of agents scale proportionally with the context they are provided. As most SOCs are primarily using SIEM and EDR data, agents can be starved of the context they need.

The real advancement will be when production systems, based on the cybersecurity mesh architecture, powered by a security data fabric, become a reality. They will provide the identity- and entity-rich contextual data that is AI-ready and sub-second searchable, allowing context-starved human and AI analysts to make confident, accurate, and fast decisions on increasingly ambiguous threat signals.

Ongoing battle against threats

It’s clear that, despite significant progress, our industry still hasn’t solved the challenges with LOTL tactics.

The good news? We now have a common model in ATT&CK, backed by widespread industry support. The bad news? We still have a long way to go in using that model to reliably identify and stop attackers.

Too many players are still making it to the next round. Our doll has all the sensors it needs. Now it needs the intelligence, reasoning, and context required to make sense of what it sees, and to keep the attackers on their toes.
