MITRE ATT&CK is a framework that is increasingly adopted by cybersecurity vendors to describe cyber threats and tactics. The value of MITRE ATT&CK, however, is not limited to marketing material. It’s a globally-accessible knowledge base that organizations can use to increase the effectiveness of their threat detection and response programs.


The MITRE ATT&CK framework is a tool created by MITRE to enhance understanding of cyber threats and create a standardized vocabulary to facilitate communication and collaboration. To accomplish this, MITRE began with the Cyber Attack Lifecycle and Cyber Kill Chain and evolved those concepts into a framework that breaks the lifecycle of a cyberattack into twelve stages or “tactics.”

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Under each of these tactics is a collection of techniques designed to allow a hacker to achieve the goal of that phase of the attack. For example, the Credential Access tactic includes techniques for brute force attacks, stealing credentials for web browsers, and intercepting two-factor authentication tokens.

For each of these techniques, MITRE ATT&CK provides a great deal of useful information. This includes descriptions of how the attack is performed, affected platforms, tools and malware families known to use it, and steps for detecting and remediating the attack.

Using MITRE ATT&CK for Threat Detection

The information provided by MITRE ATT&CK is invaluable to organizations wishing to improve their cyber detection capabilities. The more insight that security solutions like Security Information and Event Management (SIEM) can provide regarding a potential threat, the more valuable they are. MITRE ATT&CK enables organizations to configure their solutions to provide this insight.

When developing custom rules for a SIEM, it is important to balance the need to alert on suspicious activity against the deluge of false positives and negatives generated by toolsets. Too many alerts overwhelm security analysts, while too few may result in true attacks being overlooked.

Threat detection rules rooted in MITRE ATT&CK enable an organization to achieve this careful balance. The steps for developing these rules are as follows:

  1. Identify Threats of Interest. Identify potential threats that are extremely likely or of high potential impact to the organization. This identification should be based on threat intelligence regarding common and trending attacks against your organization and industry.
  2. Identify Necessary Data Sources. Every MITRE ATT&CK technique describes how it can be detected and remediated. The information highlights the types of data that a SIEM solution must have access to in order to effectively detect that particular technique.
  3. Achieve Required Visibility. Verify that the SIEM solution has access to the necessary data. Accomplishing this may require deployment of new solutions to close visibility gaps or reconfiguring existing log or network traffic capture solutions.
  4. Build Custom Rules. Based on the information provided by MITRE ATT&CK, create an alert that detects the threat based upon collected data. Include as much information as possible in the alert message to enable security analysts to rapidly gain context if the alert is triggered. When possible, automate threat responses to decrease the impact of an attack.
  5. Test and Deploy New Rules. If possible, verify the relevance of the rule by performing actions that should and should not trigger it. Once the rule has the desired level of sensitivity, deploy it in production.
  6. Review and Refresh Rules. As new threats and security technologies emerge, rules may become outdated and require updating. Periodically review rules to ensure that they are providing the best possible protection.
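
The steps above, applied to the brute force technique under Credential Access, as an added example that is not part of the original article. The log format, field names, threshold and window are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ATT&CK context attached to every alert (step 4: give analysts context).
ATTACK = {"tactic": "Credential Access (TA0006)", "technique": "Brute Force (T1110)"}
REQUIRED_FIELDS = ("ts", "src_ip", "user", "outcome")  # step 2: data the rule needs
THRESHOLD = 5                      # assumed: failed logins that trigger an alert
WINDOW = timedelta(minutes=2)      # assumed: sliding window size

def parse(line):
    """Parse a constructed 'ts src_ip user outcome' log line into an event dict."""
    ts, src_ip, user, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "src_ip": src_ip,
            "user": user, "outcome": outcome}

def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP reaching `threshold` failed logins within `window`."""
    recent = defaultdict(deque)    # src_ip -> (timestamp, user) of recent failures
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:                # step 3: surface visibility gaps instead of hiding them
            raise ValueError(f"event lacks fields: {missing}")
        if ev["outcome"] != "FAIL" or ev["src_ip"] in alerted:
            continue
        q = recent[ev["src_ip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()            # drop failures that fell out of the window
        if len(q) >= threshold:
            alerted.add(ev["src_ip"])
            alerts.append({**ATTACK, "src_ip": ev["src_ip"], "failures": len(q),
                           "users": sorted({u for _, u in q}),
                           "first_seen": q[0][0].isoformat(),
                           "last_seen": ev["ts"].isoformat()})
    return alerts

# Constructed sample data (step 5): activity that should and should not trigger the rule.
SHOULD_TRIGGER = [parse(f"2024-01-01T10:00:{s:02d} 203.0.113.7 admin FAIL")
                  for s in range(0, 50, 10)]          # 5 failures in 40 seconds
SHOULD_NOT = [parse(f"2024-01-01T{h:02d}:00:00 198.51.100.4 alice FAIL")
              for h in range(10, 15)]                 # 5 failures spread over hours
SHOULD_NOT.append(parse("2024-01-01T15:00:00 198.51.100.4 alice OK"))

if __name__ == "__main__":
    for alert in detect_bruteforce(SHOULD_TRIGGER + SHOULD_NOT):
        print(alert)
```

Tuning `THRESHOLD` and `WINDOW` against both sample sets is the sensitivity check from step 5: the slow, spread-out failures stay silent while the burst raises a single alert per source.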

By developing detection rules that focus on attack techniques, rather than malware variants, an organization can develop threat detection capabilities that scale with the expanding cyber threat landscape. As zero-day and targeted malware attacks become more common, signature-based detection of particular malware variants is a losing battle. However, understanding what a piece of malware does and how it does it is beneficial for prevention and incident response, even if you never know the malware’s name.

How MorganFranklin Can Help

The MITRE ATT&CK framework is a valuable tool, but it is designed as a reference rather than an implementation guide for security. MorganFranklin advisors can help your organization identify its most significant cyber risks, achieve full threat visibility, and design and implement solutions to minimize exposure to attack.
