White Paper / October 2020

CLTC and McAfee Study: MITRE ATT&CK Improves Security, But Many Struggle to Implement


Download the report

Together with McAfee®, a device-to-cloud cybersecurity company, CLTC has released a new research study, MITRE ATT&CK as a Framework for Cloud Threat Investigation, focused on threat investigation in the cloud through the lens of the most widely adopted framework, MITRE ATT&CK. Authored by Jasdeep Basra and Tanu Kaushik from UC Berkeley’s School of Information, the research shows that as cloud offerings change the delineation of security responsibilities between cloud service providers and organizations consuming cloud services, this complicates and overwhelms security operations center (SOC) teams—creating the need and desire for a framework that can standardize investigation across cloud services and traditional on-premises infrastructure.

While some enterprises adopt other frameworks for threat protection, research shows more than 80 percent of enterprises use MITRE ATT&CK. Furthermore, the study examined adoption of the MITRE ATT&CK Matrix for Enterprise and MITRE ATT&CK Matrix for Cloud, with 63 percent of respondents indicating they leverage both. Currently, 57 percent of those surveyed say they use MITRE ATT&CK to determine gaps in deployed security solutions in their enterprise, with 55 percent recommending it for security policy implementation and 54 percent using it for threat modeling.

Despite this widespread adoption, the study indicates security professionals still are not fully confident of their existing security solutions’ ability to detect the adversary tactics and techniques identified by the MITRE ATT&CK framework. While 81 percent of security professionals say they experience the adversary tactics and techniques in the ATT&CK Cloud Matrix on a daily, monthly or annual basis, fewer than half (49 percent) feel highly confident that their implemented security solutions will detect them. This doubt stems from challenges associated with MITRE ATT&CK: about 45 percent of survey respondents said their greatest challenge is the framework’s inoperability with their security products and 43 percent said they find it difficult to map event-specific data to tactics and techniques.

Additionally, a large fraction (61 percent) of enterprises said they are not correlating events from cloud, networks, and endpoints to investigate threats. This further blurs the lines of shared responsibility between SOCs and cloud providers and adds to the difficulty of managing threats that are intertwined with on-premises and hybrid environments.

The study suggests that security professionals remain optimistic, however, with 87 percent agreeing that adopting MITRE ATT&CK Matrix for Cloud will improve cloud security in their organizations and 79 percent stating it would make them more comfortable with cloud adoption.

“The widespread adoption of Work From Home initiatives is accelerating cloud adoption, and adversaries are increasingly targeting attacks towards organizations’ data and workloads in the cloud,” said Rajiv Gupta, senior vice president, Cloud Security, McAfee. “As organizations review their existing technology stacks and strategies to keep their security posture effective both from an efficacy and operational perspective, they should strongly consider interoperability with a consistent framework such as MITRE ATT&CK, which remains the most widely used framework across all industries to find gaps in visibilities, tools and processes.”

The study highlights key tips for maintaining a strong security posture:

  • Use the MITRE ATT&CK Cloud Matrix: More enterprises are moving toward the adoption of this framework for threat investigation as integration and automation capabilities improve, creating the possibility to better leverage the benefits of cloud computing.
  • Employ comprehensive threat investigation: Increased visibility into events to detect threat patterns is crucial. Investigating threats systematically and correlating events from network, endpoints and cloud are critical for successful threat detection and prevention.
  • Embrace automation: To reduce the workload of SOC analysts investigating multiple environments, security professionals agree that automating tagging of events using a security framework would be beneficial.

To produce MITRE ATT&CK as a Framework for Cloud Threat Investigation, McAfee and CLTC researchers conducted a survey of security leaders — including CISOs, CIOs, CTOs, and SOC analysts — across 325 large- and medium-sized enterprises in the United Kingdom, United States and Australia, categorizing enterprises with 5000+ employees as large and 1000+ as medium sized. The research targeted diverse sectors, including IT, technology and telecoms, retail, transport, financial services, manufacturing and production, and others.

Download the Report