MITRE ATT&CK: A holistic cyber approach
Article by ThreatQuotient regional director for APJC Anthony Stitt.
The MITRE ATT&CK framework offers a threat-informed approach to detection, mitigation and protection against malicious attacks. This framework includes a repository of adversary tactics, techniques and procedures (TTPs), using empirical evidence by analysing successful breaches against organisations.
MITRE ATT&CK is a continuously updated knowledge bank, which affords response teams a better ability to track adversary behaviour and better assess the current threats impacting their industry and organisation. The cyber threat intelligence (CTI) derived from this adversary behaviour can help analysts make data-backed security decisions.
For a CTI program to be effective, an organisation needs to have a good idea of the threats they are facing, combined with the assessment of the likelihood and impact such an incident would have. While it is technically possible to send lists of raw threat intelligence to the Security Information and Event Management (SIEM), organisations frequently complain that this has a very low hit rate. Worse, it causes false positives wasting the time of SOC analysts.
There is usually a very low overlap between raw intelligence and internal telemetry gathered from security devices. The overlap requires selecting better sources and also filtering the intelligence, as well as collecting the right internal records of activity. On the threat intelligence side, this process is called threat modelling; on the telemetry side, it’s called collection management.
Threat modelling & collection management
Threat modelling involves documenting various adversaries who target an organisation’s assets, business model, their industry or geographic location, whether country or region.
Effective threat modelling should consider adversaries in the context of which assets within your business are most valuable, as what is valuable to the organisation is valuable to the adversary. Frameworks like MITRE ATT&CK can help identify and understand major threat actors, their motivations, and their methods.
Importantly, MITRE ATT&CK can provide suggestions about the best sources of telemetry to find various threats and how to detect specific types of attacks and methods they use. A level of self-assessment is required to evaluate current collection capabilities in terms of log sources and visibility from various security tools that are deployed in your environment.
There are some good open-source tools, like DeTT&CT, for example, created by researchers from Rabobank, which specifically aims to “assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours”. Understanding current log source coverage against various adversaries forms the basis of an effective collection management framework.
With MITRE ATT&CK, teams are in a much better position to select the right threat intelligence, both sources and types, based on the organisation’s threat model and collection management framework. This starting point — or baseline — needs fine-tuning because the threat model is largely theoretical. Analysing current or past incidents will provide valuable information about the actual attacks your organisation faces.
Attributing attacks to adversaries is challenging; however, systems like a threat intelligence platform (TIP) can help to match internally gathered intelligence with external threat information to find the relationships. A threat intelligence platform also allows analysts to prioritise intelligence according to the threat model or framework your organisation has implemented.
Instead of focusing on individual suspicious data points, threat hunters can use a TIP to work from a higher-level viewpoint with detailed information about the methods of potential and actual attackers. In such a way, the security team can take a more proactive approach, first identifying the organisation’s risk profile by defining the threats. Individual risks can then be mapped to specific attackers and their tactics, allowing threat hunters to more closely examine whether applicable data has been identified in the environment being investigated.
Building a threat model and a collection management framework is fundamental to threat hunting, allowing security teams to anticipate, prepare and hunt for threats that could target their organisation.
Threat hunting aims to proactively find adversary activities not previously identified or blocked and involves actively looking for clues guided by a hypothesis about a threat actor and the tactics or approach they might employ. A burgeoning area in cybersecurity is attack simulation, which attempts to simulate this activity by red-teaming, and then tests the organisation’s ability to detect it by blue teaming.
A collaborative defence method between both teams, called purple teaming, involves sharing threat information to understand the adversary, close vulnerable gaps, and stop breaches before they take hold.
Undoubtedly, skilled personnel are required on both ‘red’ and ‘blue’ teams. Making them as effective as possible requires the right tools and automated solutions. A threat intelligence platform can automate many activities that might otherwise consume time and devote resources to focus on other problems that demand attention.
The collection and curation of the right intelligence sources, prioritising this information, and correlating with SIEM, can effectively automate a CTI program. When guided by a threat model and a collection management framework, this process can also automate basic threat hunting.
The effectiveness of the MITRE ATT&CK framework for organisations depends on whether response teams can collate and analyse the data to make informed decisions. Like any good process, cyber threat intelligence needs a feedback loop.
Analysing incidents, threat hunting, and collecting internal telemetry all contribute to a plan for incremental improvements to cyber threat intelligence programs, by identifying the gaps in the current understanding about threat actors, their behaviours, and any gaps in telemetry sources.
By leveraging MITRE ATT&CK, organisations can accelerate this process, improve situational awareness, and speed acting on cyber threats when the need arises. It may even help to discover evidence of threat actors in and your organisation will be better prepared to respond with actionable intelligence.