Creating a Smarter Security Operations Center with the MITRE ATT&CK

By Eran Alsheh

July 21, 2020

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a powerful tool for improving cyber defense by creating a smarter security operations center (SOC).

As outlined in the recent SANS report – Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework by John Hubbard – the MITRE ATT&CK creates a categorized list of all known attack methods, and marries each attack method with:

  • The threat intelligence groups that are known to utilize these attack methods
  • Unique methods used by malicious actors in implementing the attacks
  • Mitigations and detection methods for preventing or identifying attacker techniques

Why is this so significant to your security operations center? In a nutshell, cyber security teams can now assess their organizations’ cyber defenses against the MITRE ATT&CK’s body of knowledge – and use this information in decision-making related to developing their security operations center strategy. 

Fundamentally, by leveraging the information in the MITRE ATT&CK to support agile use case development, organizations can better protect themselves from cyber attacks. Let’s have a look at how this works.

What is the MITRE ATT&CK?

The MITRE ATT&CK provides organizations with a way to develop, organize, and use a threat-informed defensive strategy that can be communicated in a standardized way. 

The goal of the MITRE ATT&CK is to be a living dataset that is continuously evolving – updated with new threat information on a continual basis. It is a framework that organizes known cyber threats, and categorizes the activities of malicious actors in terms of their tactics, techniques and procedures (TTPs).


A technique is a unique method identified by MITRE of achieving a specific tactic, which is an intrusion goal. For example: Privilege Escalation is listed as a tactic, while AppCert DLLs is a technique to achieve it. 

For each technique listed in the MITRE ATT&CK, the following information is provided:

  • An identifier
  • Tactic that it’s associated with
  • Platform it’s applicable to
  • System or permission requirements
  • Defense strategies bypassed
  • Data sources that identify use of the technique
  • Mitigations and detection methods

Note that MITRE recently changed how the framework is organized – introducing sub-techniques. As pointed out in the SANS report, the addition of sub-techniques enables even more granular tracking within vendor tools, use cases, and detection analytics.

How the MITRE ATT&CK Improves Security Operations

Using the MITRE ATT&CK, organizations can perform evaluations that are both external-facing and inward-looking:

  • Threat intelligence mapping – This external-facing assessment is the primary use of the ATT&CK framework. Listing attackers’ TTPs in a structured and usable way is a useful resource for threat intelligence teams, enabling threat-informed cyber defense. The assumption is that it is possible to predict an attacker’s future behavior based on past observed TTPs – and having this information listed in a structured way (with supporting details) is useful for both cyber defenders and threat intelligence teams.
  • Data source gap identification – The next common use for ATT&CK is an inward-looking assessment: each technique in the ATT&CK is listed together with information on how to identify, detect, and mitigate it. By programmatically extracting the data source information for the techniques of interest, you can highlight an organization’s visibility gaps. ATT&CK lets you focus on what data is missing and gain a more measurable understanding of the organization’s ability to defend itself.
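As an added example (not code from this article, CyberProof or MITRE), the following Python script performs the inward-looking data source gap check described above over a constructed miniature of the technique list; the technique ids are real ATT&CK ids, but the data source mappings are illustrative and the set of sources the SOC collects is assumed.

```python
# Added example: data-source gap identification as described above.
# TECHNIQUES is a constructed miniature of the ATT&CK technique list: the ids
# are real ATT&CK ids, the data-source lists are illustrative, not real entries.
from collections import Counter

TECHNIQUES = {
    "T1003": {"name": "OS Credential Dumping", "tactics": ["Credential Access"],
              "data_sources": ["Process", "Command", "Windows Registry"]},
    "T1059": {"name": "Command and Scripting Interpreter", "tactics": ["Execution"],
              "data_sources": ["Process", "Command", "Script"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["Initial Access", "Persistence", "Privilege Escalation"],
              "data_sources": ["Logon Session", "User Account"]},
    "T1546.009": {"name": "Event Triggered Execution: AppCert DLLs",
                  "tactics": ["Persistence", "Privilege Escalation"],
                  "data_sources": ["Windows Registry", "Module", "Process"]},
}

def coverage(techniques, collected, of_interest):
    """Rate each technique of interest against the data sources the SOC collects:
    returns {tid: (status, missing)} with status full, partial or none."""
    report = {}
    for tid in of_interest:
        needed = techniques[tid]["data_sources"]
        missing = [ds for ds in needed if ds not in collected]
        if not missing:
            status = "full"
        elif len(missing) < len(needed):
            status = "partial"
        else:
            status = "none"
        report[tid] = (status, missing)
    return report

def onboarding_priority(report):
    """Missing data sources ranked by how many techniques each would help cover."""
    counts = Counter(ds for _, missing in report.values() for ds in missing)
    return counts.most_common()

def tactic_view(techniques, report):
    """Coverage grouped by tactic, the column view an ATT&CK matrix heat map shows."""
    view = {}
    for tid, (status, _) in report.items():
        for tactic in techniques[tid]["tactics"]:
            view.setdefault(tactic, []).append((tid, status))
    return view

if __name__ == "__main__":  # {"Process", "Command", "Script"} = assumed SOC log sources
    rep = coverage(TECHNIQUES, {"Process", "Command", "Script"}, list(TECHNIQUES))
    print(tactic_view(TECHNIQUES, rep), onboarding_priority(rep))
```

The first entry of `onboarding_priority` is the log source whose onboarding closes the most gaps, which is the prioritization input the rest of the article builds on.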

How CyberProof Leverages the MITRE ATT&CK 

At CyberProof, the MITRE ATT&CK framework provides us with the ability to work closely with our customers in improving their security posture effectively – in several important ways:

  • Visibility into what matters – ATT&CK creates a map that makes it very easy to see, visually, where an organization is protected and where the vulnerable areas are. By combining the known threat techniques from the MITRE ATT&CK framework and our own investigations into the clear, deep and dark web for unknown threats, CyberProof is helping security teams discover high risk vulnerabilities and prioritize remediation.
  • Collaboration – ATT&CK allows CyberProof to work together collaboratively with the customer. As part of our hybrid engagement model, we work as an extension of our customers’ team to define a target response window that is aligned to their acceptable level of risk, baseline their detection gaps against the MITRE ATT&CK framework, and continuously tune their detection and response controls to measurably reduce risk. Thus, CyberProof ensures that customers’ security capabilities are mapped to ATT&CK and we can understand exactly where the problems are and work effectively to improve their security posture. 
  • Continuous improvement – ATT&CK provides an extensive knowledge base of attack information which is continuously being updated. This can make it difficult for security teams to update their defenses quickly before a vulnerability is exploited. CyberProof maps its extensive library of use cases and playbooks (called a Use Case Factory) to the MITRE ATT&CK framework to continuously reduce detection gaps and automate responses to threats. The ATT&CK framework helps CyberProof’s team – together with our customers – identify the security gaps that are most significant from a risk perspective and prioritize which use cases should be developed first.

Thus, by using the MITRE ATT&CK, CyberProof gains greater visibility and ensures that new use cases are aligned accurately with specific threats that are putting the organization at the greatest risk.


The CyberProof Use Case Factory – Defined 

In the context of a traditional risk management process, the use case factory is an effective means of ensuring the regular, agile development of new use cases that add business value to your organization.

A use case factory gives clients a big picture of covered vs. uncovered security – providing insight into a customer’s blind spots so they can invest in and plan on the right coverage. 

What is a Use Case?

Each use case – sometimes referred to as an attack scenario – represents the outcome of an attack, or the attacker’s desired outcome state such as exposing a specific asset (or set of assets). This outcome is mapped to the MITRE ATT&CK. 

Note that each use case contains all of the information related to a specific attack scenario, providing greater context and details related to the attack. In addition to mapping an attack to the MITRE ATT&CK’s tactics and techniques, the use case also includes the attack’s source, Kill Chain correlation, log source types, risk level, high-level explanation of the threat, and remediation & mitigation playbook. 

Handling a use case effectively is an in-depth process that requires:

  • Collecting the right security data to perform security analytics
  • Orchestrating security monitoring and incident response technologies
  • Developing incident response playbooks and incident management workflows
  • Automating responses by enabling integration with network and security controls

Why Is It Important to Map Out Your Organization’s Use Cases?

Once the process of mapping your organization’s use cases has been completed, it becomes possible for an organization to visualize and identify exactly where the gaps in the security perimeter exist – and to prioritize the development of new use cases on that basis.


For an example of how specific use cases are covered, including the definition of a rule, playbook, and the integration with the CDC, see: Attack Use Cases – Security Orchestration & Automation.

The MITRE ATT&CK Supports Agile Use Case Development

Developing the right use cases, and having an effective development and implementation process, is more than half the battle in reducing response time to a potential attack and minimizing its impact. 

Use cases must be customized for each organization. Thus, the choice of which use case to develop first should reflect the following factors:

  • The organization’s current unique requirements and threat profile
  • The current threat landscape, based on the organization’s industry vertical
  • The types of assets owned
  • The organization’s operating regions, applications and services used, and more

Evaluating Which Use Cases are Most Important

How do you know which use cases to develop? With limited resources, the decision can be tough. Before deciding which use cases are most important, an organization must go through the following process:

  • Identify the current use cases and playbooks
  • Identify any matches or near matches between new use cases that the organization would like to develop – and the use cases that are already available. 
  • Modify existing use cases (where relevant)
  • Create a list of which new use cases are highest priority
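The match, near-match and prioritize steps above, as an added Python example that is not CyberProof's own tooling: an exact match is an existing use case on the same technique, a near match is one on the same parent technique (sub-technique ids such as T1059.001 share the parent T1059), and whatever is left is ranked by an assumed risk level. The technique ids are real ATT&CK ids; the use case names and risk levels are constructed.

```python
# Added example: the match / near-match / prioritize step described above.
# A near match is an existing use case on the same parent technique; with
# sub-techniques, T1059.001 and T1059 share the parent T1059 (ids are real
# ATT&CK ids, the use case names and risk levels are constructed).
RISK_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parent_technique(tid):
    """T1546.009 -> T1546; a parent technique id maps to itself."""
    return tid.split(".", 1)[0]

def triage_use_cases(existing, wanted):
    """Split wanted use cases into covered (exact technique match), modify
    (near match on the parent technique) and build (no match), with the
    build list ordered so the highest-risk use cases come first."""
    by_technique = {uc["technique"]: uc for uc in existing}
    by_parent = {}
    for uc in existing:
        by_parent.setdefault(parent_technique(uc["technique"]), []).append(uc)
    plan = {"covered": [], "modify": [], "build": []}
    for uc in wanted:
        tid = uc["technique"]
        if tid in by_technique:
            plan["covered"].append((uc["name"], by_technique[tid]["name"]))
        elif parent_technique(tid) in by_parent:
            near = by_parent[parent_technique(tid)][0]
            plan["modify"].append((uc["name"], near["name"]))
        else:
            plan["build"].append(uc)
    plan["build"].sort(key=lambda uc: RISK_RANK[uc["risk"]])
    return plan

EXISTING = [  # constructed: what the SOC already runs
    {"name": "Suspicious PowerShell launch", "technique": "T1059"},
    {"name": "New AppCert DLL registered", "technique": "T1546.009"},
]
WANTED = [  # constructed: what the organization would like to develop
    {"name": "OS credential dumping alert", "technique": "T1003", "risk": "critical"},
    {"name": "Encoded PowerShell command", "technique": "T1059.001", "risk": "high"},
    {"name": "AppCert DLL registration", "technique": "T1546.009", "risk": "medium"},
    {"name": "Cloud account abuse", "technique": "T1078.004", "risk": "high"},
]

if __name__ == "__main__":
    for bucket, items in triage_use_cases(EXISTING, WANTED).items():
        print(bucket, items)
```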

This process can take place in a variety of ways, depending on the needs of the organization.


The Process: Developing and Improving a New Use Case

Once the highest priority use cases have been identified, the development process involves the following steps – conducted cyclically, in an ongoing process of review and improvement:

[Figure: MITRE ATT&CK Framework]

The MITRE ATT&CK Provides Visibility into What Matters Most

To be able to respond to new and existing threats, an effective SOC team must continuously produce new, relevant use cases – each of which should cover every stage of the use case life cycle.

As explored in the latest SANS MITRE report, the ATT&CK framework provides the insight into past threat actor behavior that is needed to choose which use cases to develop first. In other words, it supplies the external view of what kinds of attacks the customer needs to prepare for, together with the supporting details that drive the activity of the use case factory.

It also offers insight into your organization’s existing security capabilities, highlighting the detection gaps – and providing you with a roadmap for improving your cyber defense.

To read the SANS whitepaper, click here. If you are concerned about the robustness of your organization’s cyber security operations and its ability to protect itself from cyber attacks or would like to speak with one of our experts, contact us today. We are here to help!

Written by Eran Alsheh
Eran is the chief technology officer and cyber visionary at CyberProof. He has over 18 years of experience in designing and developing cyber security services, intelligence information systems, National CERTS, Cyber Operations Centers (SOCs), and operating Cyber Incident Response, Orchestration & Automation solutions. Prior to CyberProof, Eran was a co-founder at BISEC, a SOC management, orchestration and incident response company that CyberProof acquired in January 2018. Eran has held several senior leadership positions at AGT International, Elbit Systems, and Elron Telesoft.