Why MITRE ATT&CK is a cyber resilience rock star

Stan Wisseman Chief Security Strategist, CyberRes

The motives of the average cybersecurity attacker haven’t changed much in decades. Although we now have to contend with nation-state actors carrying out geopolitical agendas, the reality is that the impetus is largely the same: Hackers primarily seek to profit or cause chaos.

As much as the cybersecurity threat landscape has grown over the last 20 years, it’s been a process that continually returns to the concepts of the CIA triad—confidentiality, integrity, and availability. Attackers are attempting to either steal something valuable, manipulate or delete data, or interrupt an organization’s ability to operate or provide services.

Several years ago, I was part of the cybersecurity leadership team for a large mortgage company when it stood up a security operations center (SOC) with a supporting security information and event management (SIEM) system. Having a SIEM helped tremendously, but my team struggled with the applicable use cases and how best to quickly detect bad actors. It’s not enough to cast a wide net and hope you catch threat actors trying to compromise your data and systems.

It’s best if you can narrow your focus to make your efforts count, so that you can quickly detect threat actors targeting your organization and reduce their dwell time. That sounds nice in theory, but how do you put it into practice? The MITRE ATT&CK framework can help. Here's how to put it to work toward your organization's cyber resilience.

The framework

The framework, typically referred to as "Attack," provides a reference model for measuring the effectiveness of an organization’s detection strategy and the potential impact of deploying security technologies. It's made up of a globally accessible knowledge base developed and maintained by MITRE and is based on real-world reporting of adversary tactics and techniques. Freely available, it is widely used by defenders in industry and government to find gaps in visibility, defensive tools, and processes as they evaluate and select options to improve their network defense.

By using Attack, security teams in an organization have a shared dictionary and a common language they can collectively refer to when discussing their cyber threat defensive strategies. It can also be a valuable tool for evaluating third-party security solutions being considered for deployment in an organization.

If you aren’t familiar with Attack, the framework catalogs cyber attacks by breaking them down into techniques and tactics. Tactics refer to the adversary’s technical goals, including lateral movement or exfiltration of data. There are 12 of them:

  1. Initial access—Tactic used to gain entry into a network
  2. Execution—Results in adversary-controlled code running on a local or remote system
  3. Persistence—Tactic to maintain access to systems across restarts, changed credentials, and other interruptions that could cut off access
  4. Privilege escalation—Used to gain higher-level permissions on a system or network
  5. Defense evasion—Designed to avoid detection throughout an attack
  6. Credential access—Tactic for stealing credentials, such as account names and passwords
  7. Discovery—Tactic to gain information about a system and internal network
  8. Lateral movement—Used to enter and control remote systems on a network
  9. Collection—For gathering information relevant to following through on the adversary’s objectives
  10. Command and control—Allows adversaries to communicate with systems under their control within a victim's network
  11. Exfiltration—Tactic used to remove data from a network
  12. Impact—Tactic crafted to disrupt availability or compromise the integrity of systems, networks, or services by manipulating business and operational processes

Get most of them with limited resources

It's important to understand that the tactics in ATT&CK do not follow a fixed linear order, unlike the stages of Lockheed Martin's Cyber Kill Chain. Instead, attackers can bounce between tactics to ultimately achieve their goal.

In addition, no one tactic is more important to leverage than the others. By mapping out your existing solutions and defensive capabilities to Attack, you can assess your SOC’s maturity level and the realities of your current threat exposure and risk.

Beneath each tactic are techniques. These refer to how the tactic’s goals are achieved, such as sending a spearphishing link or using a man-in-the-middle technique. MITRE now has sub-techniques as well, which is great. Attack also includes procedures, which are specific implementations of the technique, and a list of pre-attack activities such as purchasing domain names and obtaining third-party software defenses.

Since many organizations have limited resources, getting started with Attack can be intimidating. That's why a risk-based approach focused on relevant threats to an organization should drive detection and prevention controls.

If you know through cyber threat intelligence that your industry vertical is being targeted by a campaign or specific threat groups, look at the techniques that they use and determine whether you can detect and prevent them. If you overlay what that group is doing with what your known security gaps are—let's say you know you can't detect certain attack techniques—start there.

For example, the "initial access tactic" is the funnel point by which the threat group is going to gain a foothold in your environment. If you can focus on stopping known techniques for this tactic sooner rather than later, that would be a great starting point.

Once you’ve addressed the techniques of known threat actors targeting you, you can continue developing your coverage. You may want to go on a tactic-by-tactic basis. Start with a single tactic, such as "persistence," and address your coverage. It’s useful to address the coverage for detection and mitigation separately. These techniques can be complex, and just because one portion of the technique may be mitigated doesn’t mean that an attacker can’t abuse it in a different way.
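As an added example (not code from the article), here is a small Python script that carries out the prioritization described above: it takes a constructed list of techniques that threat intelligence attributes to a group, an inventory of detection analytics and a separate inventory of mitigations, scores detection and mitigation coverage per tactic separately, and returns the gaps with initial access first. The technique IDs are real ATT&CK identifiers; the group mapping and the two inventories are constructed sample data.

```python
# Added example (not from the article): prioritize ATT&CK coverage gaps.
# Technique IDs are real ATT&CK identifiers; the group mapping and the
# detection/mitigation inventories are constructed sample data.
from collections import defaultdict

# Technique -> tactic, a constructed subset of the enterprise matrix
TECHNIQUE_TACTIC = {
    "T1566.002": "initial-access",     # Spearphishing Link
    "T1059.001": "execution",          # PowerShell
    "T1053.005": "persistence",        # Scheduled Task
    "T1003.001": "credential-access",  # LSASS Memory
    "T1021.001": "lateral-movement",   # Remote Desktop Protocol
    "T1041": "exfiltration",           # Exfiltration Over C2 Channel
}

# Tactic order used to rank gaps: initial access first, as the article suggests
TACTIC_PRIORITY = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

def coverage_by_tactic(techniques, covered):
    """Fraction of the given techniques, per tactic, that appear in `covered`."""
    totals, hits = defaultdict(int), defaultdict(int)
    for t in techniques:
        tactic = TECHNIQUE_TACTIC[t]
        totals[tactic] += 1
        hits[tactic] += int(t in covered)
    return {tactic: hits[tactic] / totals[tactic] for tactic in totals}

def prioritized_gaps(group_techniques, detections, mitigations):
    """Group techniques lacking a detection and/or a mitigation, ranked by
    tactic priority. Detection and mitigation coverage are scored separately."""
    gaps = []
    for t in group_techniques:
        status = ("detect" if t in detections else "no-detect",
                  "mitigate" if t in mitigations else "no-mitigate")
        if "no-detect" in status or "no-mitigate" in status:
            gaps.append((TACTIC_PRIORITY.index(TECHNIQUE_TACTIC[t]), t, status))
    return [(t, status) for _, t, status in sorted(gaps)]

# Constructed sample: techniques CTI attributes to a group vs. current SOC coverage
GROUP = ["T1566.002", "T1059.001", "T1053.005", "T1003.001", "T1021.001", "T1041"]
DETECTIONS = {"T1059.001", "T1053.005", "T1021.001"}   # analytics in place
MITIGATIONS = {"T1566.002", "T1053.005", "T1003.001"}  # controls in place

if __name__ == "__main__":
    print("detection coverage:", coverage_by_tactic(GROUP, DETECTIONS))
    for technique, status in prioritized_gaps(GROUP, DETECTIONS, MITIGATIONS):
        print(technique, TECHNIQUE_TACTIC[technique], status)
```

The first gap reported is the spearphishing link technique under initial access, which has a mitigation but no detection; a fully covered technique such as the scheduled task drops out of the list.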

You should also be aware that building analytics to detect Attack techniques might be different from how you’re used to doing detection. Rather than identifying things that are known to be bad and blocking them, Attack-based analytics involve collecting log and event data about the things happening on your systems and using that to identify the suspicious behaviors that are described in Attack.
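To illustrate the difference, here is an added example (not the article's code) of an ATT&CK-style behavioral analytic in Python: rather than matching a known-bad file hash, it walks constructed process-creation events, flags behaviors such as an Office application spawning a script host or a scheduled task being created from a script-host lineage, and tags each alert with the technique and tactic it maps to. The event lines, rule names and field layout are assumptions made for illustration.

```python
# Added example (not from the article): an ATT&CK-style behavioural analytic.
# It flags suspicious behaviour in process-creation events rather than
# matching known-bad indicators. All events below are constructed sample data.
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed process-creation log, one JSON event per line
SAMPLE_LOG = """\
{"pid": 100, "ppid": 1, "image": "explorer.exe", "user": "alice", "cmd": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "winword.exe", "user": "alice", "cmd": "winword.exe invoice.docm"}
{"pid": 300, "ppid": 200, "image": "powershell.exe", "user": "alice", "cmd": "powershell.exe"}
{"pid": 400, "ppid": 300, "image": "schtasks.exe", "user": "alice", "cmd": "schtasks.exe /create /tn upd /sc onlogon"}
{"pid": 500, "ppid": 100, "image": "cmd.exe", "user": "bob", "cmd": "cmd.exe /c dir"}
"""

def parse_events(log):
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def ancestors(event, by_pid):
    """Image names of the event's parent chain, nearest parent first."""
    chain, cur = [], by_pid.get(event["ppid"])
    while cur is not None:
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return chain

def run_analytics(events):
    """Return alerts tagged with the ATT&CK technique and tactic they map to."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: an Office application spawning a script host
        if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
            alerts.append({"pid": e["pid"], "user": e["user"], "technique": "T1204.002",
                           "tactic": "execution", "rule": "office-spawns-script-host"})
        # Rule 2: a scheduled task created from a script-host lineage
        if e["image"] == "schtasks.exe" and "/create" in e["cmd"].lower() \
                and set(ancestors(e, by_pid)) & SCRIPT_HOSTS:
            alerts.append({"pid": e["pid"], "user": e["user"], "technique": "T1053.005",
                           "tactic": "persistence", "rule": "script-host-creates-task"})
    return alerts

if __name__ == "__main__":
    for alert in run_analytics(parse_events(SAMPLE_LOG)):
        print(alert)
```

Note that bob's ordinary cmd.exe launched from explorer.exe produces no alert: the analytic keys on the relationship between processes, not on the binary name alone.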

Engenuity evaluation: Sic the red team on it

An added bonus gained by using an industry-standard framework such as Attack is that its elements have been incorporated into third-party solutions, such as endpoint detection and response (EDR) products and SIEMs. How effectively some of those products use Attack is measured periodically by MITRE Engenuity.

Companies volunteer to have their enterprise cybersecurity products evaluated by Engenuity's red teams. For example, the most recent Engenuity evaluation released in April included the wares of 29 vendors.

That evaluation was a bit of a departure from the two previous ones because it focused on the tactics of threat actors seeking financial gain rather than just espionage. The 2020 Engenuity Attack evaluations focused on two prominent threat actors, FIN7 and Carbanak, that have demonstrated the ability to compromise financial service and hospitality organizations using malware and tradecraft.

Together, the pair have stolen more than $1 billion across hundreds of businesses over the past five years. Despite the arrest and sentencing of key members, Carbanak and FIN7 remain active cyber threats to organizations globally.

This was also the first time that the evaluations went beyond Windows systems and addressed techniques aimed at the Linux devices that are often used on enterprise networks as file servers, databases, and other non-workstation infrastructure.

Another distinction with the 2020 evaluation was that a SIEM maker was among the 29 companies in the participation mix. Even though the evaluation is primed to test endpoint solutions, the SIEM product—which doesn't require an endpoint presence—still performed well, an indication that SIEMs, when properly configured, can provide realistic and tangible value for organizations working with Attack.

That showing came even though one of the SIEM's most powerful features, anomaly detection, was disabled because there wasn't time to create a baseline of "normal" behaviors against which anomalous behavior could be compared. Anomaly detection can give organizations more comprehensive and holistic coverage of Attack by learning, through unsupervised machine learning, the normal behaviors for every user, machine, and device in an organization's operating environment.

Reduce your exposure time

The average time to identify and contain a data breach is 280 days, which no doubt contributes to why the average cost of a breach—$3.86 million—is so high. Implementing Attack, along with products that integrate its knowledge base, can reduce detection and exposure time to threats, spare an organization the hefty cost of a data breach—and be part of your shift beyond traditional security to cyber resilience.
