Endpoint Security: How To Use MITRE ATT&CK

Blog Author
Amber Picotte

How To Use MITRE ATT&CK For Endpoint Security


MITRE ATT&CK is a trusted tool in the arsenal of many security teams. When it comes to endpoint security, analysts need to stay proactive to ensure their organization remains resolute in the face of growing threats.


In this article, we’ll learn more about the MITRE ATT&CK framework, and find out how it can be used with osquery for endpoint security.



MITRE ATT&CK is a knowledge base of cybersecurity attacks, comprising a map of categorized tactics and techniques used to attack systems, as well as a common taxonomy for them. (Tweet this!) 


These techniques are arranged in a matrix that utilizes standardized naming and numbering. Each technique has a unique ID number and a history of its known use in previous attacks or malware.

Because the techniques in the MITRE ATT&CK framework are known and documented, your team has a good chance of detecting them should a hacker attempt to use one against your organization.


MITRE ATT&CK is constantly updated with new information on reported incidents, technique variants, and mitigations. As a result, MITRE has quickly become a favored tool for endpoint detection and response (EDR) tasks.


How does MITRE ATT&CK relate to endpoint security?

There’s a common misconception in the cybersecurity industry that security isn’t a fair fight: An attacker only needs to be right once to succeed, whereas defenders need to be right 100% of the time to prevent a breach. With thousands of endpoints to protect, moving from office to home to cafes, perfection is not possible.


Fortunately, this isn’t exactly true. Here’s why:

The MITRE ATT&CK matrix is arranged in twelve columns from left to right, listing tactics an attacker will follow from the initial point of access to a full-on breach as follows:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Command and Control
  11. Exfiltration
  12. Impact

As such, no attack is just one step—there are multiple phases involved. Therefore, security analysts have more than just one opportunity to detect and derail an attack. It’s not like a hacker only needs to get their foot through a single door to bring an entire system crashing down.


With this in mind, it is clear why endpoint security is represented in multiple columns in MITRE ATT&CK —not just at the initial access point. For example, someone may already be in control of a system—after establishing initial access and executing malware. Then, to continue attacking to reach their objective, they might need to establish persistence with scheduled tasks, or move laterally to other systems. When they do that, they generate activity that can be detected at the endpoint level with tools like osquery.


What is osquery?

According to the official osquery docs, osquery (os=operating system) is an operating system instrumentation framework that exposes an operating system as a high-performance relational database. Using SQL, you can write a single query to explore any given data, regardless of operating system. (You can learn more about osquery here.)


In a sentence, osquery enables you to collect and query endpoint telemetry. Mapping the MITRE ATT&CK framework to SQL queries provides a means to monitor endpoint activity against a trusted detection framework.


How To Use MITRE ATT&CK To Improve Endpoint Security

MITRE ATT&CK is an excellent communications tool even for small businesses and security teams to learn from, as it provides a point of reference in discussions about security issues.


With this tool, security teams of any size can stay proactive, habitually taking action to update everything in their environment and assure they are always on top of any issues. Let’s take a close look at how you can use the MITRE ATT&CK security system to bolster your endpoint security strategy, with four steps:


1. Make prevention the first step

Before conducting a full MITRE EDR evaluation, secure your environment (systems, machines, endpoints, and networks) to block as many potential security issues or threats as possible. This involves:

  • Configuring your operating system properly
  • Blocking lateral movement
  • Hardening browsers and Office suites
  • Enabling the required logging methods for future investigations
  • Limiting access
  • Tracking updates and system changes

Focusing on good security hygiene first will reduce the noise across your environment, ensuring your security team responds to events that are worth spending their time on.


2. Determine what security issues you can detect.

Next, use MITRE ATT&CK to map out the areas of your environment you know to be secure. After that, determine what issues you can detect at the endpoint level. You can detect issues with osquery, which makes it a great partner for MITRE ATT&CK. In most cases, you can detect issues with a single query. However, note that while you can use it to identify problems, you can’t use osquery to block issues.

For example, you could create a blacklist of bad browser extensions that are known to be malicious. You can then use osquery to find out what extensions are in your environment, and detect endpoints that have any of the blacklisted extensions installed.


3. Centralize osquery data and configuration.

As you continue with your MITRE EDR evaluation, try to figure out the SQL queries for each MITRE ATT&CK technique so you can centralize the configuration, and gather the output in a central location as well.

For example, consider Powershell. This pre-installed framework on Windows systems is a popular route for attacking systems, even if you change the execution policy. You can enable PowerShell Script block logging, query the data via osquery, and output a human readable version of those logs to a central location, making it easy to investigate suspicious commands or to detect those that seem abnormal, for example, by being much longer than the average.


4. Build coverage.

You can use the ATT&CK Navigator tool to create separate layers of security coverage. For example, you could have a layer for prevention tools and a layer for osquery detection. Using this tool, you can rank your coverage of each technique in the matrix, giving it a score from zero to 100.


You can then export these layers, or combine them to get a good view of what you have covered—and where you may be exposed. Over time, you should aim to build your coverage as much as possible.


Master MITRE ATT&CK With Uptycs

The MITRE security system is by no means bulletproof, as hackers can use attacks that aren’t on the matrix yet, or find ways to execute existing ones in a more subtle way. However, rebuilding tools and retraining personnel is an expensive endeavor for hacking teams. If security professionals can cover the bases using MITRE ATT&CK, they will be protected against most threats, and will increase the cost of the attack required to try and compromise their systems.


Uptycs can help you harden your defenses with MITRE ATT&CK. You can use osquery with the Uptycs platform to manage endpoint security on all major operating systems, including Windows, macOS, and Linux. Furthermore, Upytcs facilitates osquery at scale, making it an excellent solution for enterprises of all sizes.


We're excited to have participated in the 2022 MITRE ATT&CK Enterprise Evaluation focused on two ransomware groups: Wizard Spider and Sandstorm. Check out the on-demand webinar below to learn more!