Using MITRE ATT&CK for Threat Detection
The information provided by MITRE ATT&CK is invaluable to organizations wishing to improve their cyber detection capabilities. The more insight that security solutions like Security Information and Event Management (SIEM) can provide regarding a potential threat, the more valuable they are. MITRE ATT&CK enables organizations to configure their solutions to provide this insight.
When developing custom rules for a SIEM, it is important to balance the need to catch suspicious activity against the deluge of false positives and false negatives that tooling generates. Too many alerts overwhelm security analysts, while too few may allow true attacks to be overlooked.
Threat detection rules rooted in MITRE ATT&CK enable an organization to strike this balance. The process for building them is as follows:
- Identify Threats of Interest. Identify potential threats that are extremely likely or of high potential impact to the organization. This identification should be based on threat intelligence regarding common and trending attacks against your organization and industry.
- Identify Necessary Data Sources. Every MITRE ATT&CK technique describes how it can be detected and remediated. The information highlights the types of data that a SIEM solution must have access to in order to effectively detect that particular technique.
- Achieve Required Visibility. Verify that the SIEM solution has access to the necessary data. Accomplishing this may require deployment of new solutions to close visibility gaps or reconfiguring existing log or network traffic capture solutions.
- Build Custom Rules. Based on the information provided by MITRE ATT&CK, create an alert that detects the threat based upon collected data. Include as much information as possible in the alert message to enable security analysts to rapidly gain context if the alert is triggered. When possible, automate threat responses to decrease the impact of an attack.
- Test and Deploy New Rules. If possible, verify the relevance of the rule by performing actions that should and should not trigger it. Once the rule has the desired level of sensitivity, deploy it in production.
- Review and Refresh Rules. As new threats and security technologies emerge, rules may become outdated and require updating. Periodically review rules to ensure that they are providing the best possible protection.
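The steps above, worked through as an added example that is not from the original article: a small detection rule mapped to the real ATT&CK technique T1110 (Brute Force, Credential Access), carrying the data-source and context fields the steps call for, run over constructed sshd-style log lines, with the fire/no-fire check from the testing step. The `Rule` structure and log format are assumptions for illustration, not any SIEM's native format.

```python
# Added example, not from the original article: an ATT&CK-mapped detection
# rule carrying the context fields and the fire/no-fire tests the steps describe.
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sshd-style log lines (illustration only, not real data).
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 09:00:02 host sshd[1]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jan 10 09:00:03 host sshd[1]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 09:00:04 host sshd[1]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 09:00:05 host sshd[1]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 09:00:06 host sshd[1]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Jan 10 09:00:07 host sshd[1]: Failed password for bob from 198.51.100.7 port 50001 ssh2
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

@dataclass
class Rule:                 # hypothetical rule structure, not a SIEM's format
    name: str
    technique_id: str       # ATT&CK technique the rule covers (step 1)
    tactic: str
    data_source: str        # what the SIEM must ingest to see it (steps 2-3)
    threshold: int          # tuned to balance noise against missed attacks

def evaluate(rule: Rule, log_text: str) -> list:
    """Step 4: one alert per source IP exceeding the failure threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
    return [{
        "rule": rule.name,
        "attack": {"technique": rule.technique_id, "tactic": rule.tactic},
        "data_source": rule.data_source,
        "source_ip": src,
        "failed_attempts": len(users),
        "usernames": sorted(set(users)),   # context for the analyst
    } for src, users in failures.items() if len(users) >= rule.threshold]

BRUTE_FORCE = Rule("ssh-password-guessing", "T1110", "Credential Access",
                   "sshd authentication log", threshold=5)

def rule_passes_tests(rule: Rule) -> bool:
    """Step 5: must fire on the constructed burst, stay silent on one failure."""
    fires = len(evaluate(rule, SAMPLE_LOG)) == 1
    silent = evaluate(rule, SAMPLE_LOG.splitlines()[-1]) == []
    return fires and silent
```

Lowering `threshold` makes the rule noisier and raising it makes it miss slower guessing, which is exactly the sensitivity trade-off the steps describe.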
By developing detection rules that focus on attack techniques rather than malware variants, an organization can build threat detection capabilities that scale with the expanding cyber threat landscape. As zero-day and targeted malware attacks become more common, signature-based detection of particular malware variants is a losing battle. Understanding what a piece of malware does, however, and how that knowledge enables prevention or incident response, is valuable even if you never learn the malware's name.