Written by Robert Bond on 2 September 2022

MITRE ATTACK Knowledge Base Provides Insight into Attacker Behavior

MITRE framework for Threat Hunting

Empowering SecOps with MITRE ATT&CK framework

Security teams often use threat modeling to understand an adversary's likely tactics, techniques, and procedures (TTPs) so they can detect them before an attack succeeds. Today, the most widely used reference for this work is MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge), which gives organizations a method for assessing how exposed their IT infrastructure is to known adversary behavior.

MITRE ATT&CK was created in 2013 as a result of MITRE's Fort Meade Experiment (FMX) where researchers emulated both adversary and defender behavior in an effort to improve post-compromise detection of threats through telemetry sensing and behavioral analysis. The key question for the researchers was "How well are we doing at detecting documented adversary behavior?" To answer that question, the researchers developed ATT&CK, which was used as a tool to categorize adversary behavior.

To be clear, MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Essentially, MITRE ATT&CK is an empirical approach for analyzing adversary behavior. It provides a way to group and overlay different data types to gain insight into adversary behavior. This industry-leading framework provides context data for organizations' threat-hunting processes.

Used as a methodology, MITRE ATT&CK gives security professionals a foundation to assess their environment, identify threats, analyze them, test defenses, and control access.

Developing a Structured Workflow for Threat Hunting

ATT&CK contains an ever-evolving taxonomy of the tactics, techniques, and procedures (TTPs) adversaries employ to compromise networks. Using ATT&CK lets you draw on real case studies to identify indicators of active or residual adversary-initiated behavior within your organization. Those indicators are then used to build analytic models for custom detections, which can be monitored continuously and triggered whenever new malicious activity occurs.

A structured hunt is built around indicators of compromise (IOCs), which determine what actions should be taken on the targeted asset. The indicators are then mapped to ATT&CK TTPs.

A threat-hunting workflow begins by constructing a baseline of what is known about the attacker. The next step uses that baseline to determine the kind of evidence the attacker leaves behind. Each assumption then leads through a series of investigative steps, beginning with how the attacker entered the environment. The ATT&CK framework provides a structured approach to doing just that.

Leveraging MITRE for Hypothesis-Driven Threat Hunting

Hypothesis-driven threat hunting is a proactive hunting model. It aligns with the MITRE ATT&CK framework and uses global detection playbooks to identify advanced persistent threat (APT) groups and malware attacks.

MITRE's taxonomy library continues to evolve, and hypothesis use cases are updated as MITRE documents new adversary tactics. Even custom analytics built to find zero-day attacks become part of the MITRE taxonomy library.

By using hypothesis-hunting use cases, organizations gain another tool for setting remediation priorities for their existing adaptive security controls. MITRE also has a role in shaping organizations' future policies based on the outcomes of those use cases.

The Value of Aligning with the MITRE Framework

CISOs and CIOs, along with risk management, continuously evaluate the overall cybersecurity vulnerability exposure to the company. Here are common questions often posed by the C-suite trying to understand the cybersecurity landscape and the organization's available capabilities to deal with the threat:

  • Do we have the right people to manage our cybersecurity challenges?
  • Did we invest in the correct security adaptive controls, and are they operating as expected?
  • What part of our digital landscape is most exposed to cyber-attacks?
  • Where should we make critical investments to protect our data?

Answering these questions for SecOps and NetSecOps teams requires extensive investment in time and tools. Collecting and analyzing the data needed to answer them often takes weeks.

Organizations can use the MITRE framework to judge whether adaptive controls are working as expected by tracking the number of active and persistent attacks mapped to each tactic. SecOps teams can then tune current adaptive controls to reduce the risk from the specific tactic categories affecting the organization, and SecOps and DevOps can decide together whether additional adaptive controls are needed in the categories that report the most actual attacks in the MITRE portal.

Knowing where the highest-impact risks lie in the environment helps determine whether the existing people, security technologies, and operational procedures cover them adequately. The MITRE framework also lets organizations disable and remove redundant adaptive controls that are no longer effective or relevant.

Analyzing MITRE and the Lockheed Kill Chain

Lockheed Martin released the Cyber Kill Chain in 2011 as one of the first efforts to describe how cyberattacks work. The Cyber Kill Chain describes seven high-level actions attackers perform during an attack.

However, Cyber Kill Chain focuses on high-level tactics (goal or phase). It’s great for talking to non-practitioner audiences about a specific attack, how it occurred, and maybe even discussing how defenders can break the Cyber Kill Chain.

A kill chain describes how an attacker moves through the phases of an attack, and MITRE's tactics and techniques map onto those phases. Using the kill chain, threat hunters can see how actual attacks unfolded and which tactics the attackers used.

SecOps can prevent attacks by analyzing attacks currently in progress against the kill chain and anticipating the attackers' next moves. The team can then act to mitigate any vulnerabilities identified during the investigation.
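As an added example that is not part of the original post, the following Python sketches the structured-hunt workflow from the sections above: detections are mapped to ATT&CK techniques and tactics, counted per tactic so SecOps can see which categories report the most attacks and which have no telemetry at all, and ordered per host into a kill-chain path to check whether an intrusion followed the standard sequence. The technique subset, tactic ordering and detection records are constructed for illustration (the technique IDs are real ATT&CK entries), and labelling a technique with the earliest kill-chain tactic it belongs to is an assumption made here.

```python
from collections import Counter
# Constructed subset of ATT&CK for illustration: technique ID -> (name, tactics).
# Real ATT&CK IDs, but a production mapping would be loaded from MITRE's STIX data.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1547": ("Boot or Logon Autostart Execution", ["persistence", "privilege-escalation"]),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence",
                                 "privilege-escalation", "initial-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
}
# ATT&CK Enterprise tactics in kill-chain order.
TACTIC_ORDER = ["reconnaissance", "resource-development", "initial-access", "execution",
                "persistence", "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "collection", "command-and-control",
                "exfiltration", "impact"]
# Constructed detections from a hunt: (ISO timestamp, host, technique ID).
DETECTIONS = [
    ("2022-09-01T09:02:00", "ws-17", "T1566"),
    ("2022-09-01T09:05:30", "ws-17", "T1059"),
    ("2022-09-01T09:06:10", "ws-17", "T1547"),
    ("2022-09-01T11:40:00", "srv-db-2", "T1021"),
    ("2022-09-01T12:15:00", "srv-db-2", "T1041"),
    ("2022-09-02T08:00:00", "ws-23", "T1059"),
]

def tactic_counts(detections):
    """Detections per tactic in kill-chain order; multi-tactic techniques count under each."""
    counts = Counter()
    for _, _, tid in detections:
        counts.update(TECHNIQUES[tid][1])
    return {tactic: counts.get(tactic, 0) for tactic in TACTIC_ORDER}

def uncovered_tactics(detections):
    """Tactics with no detections: either the controls there hold or the telemetry
    is missing, and the hunt should establish which."""
    return [tactic for tactic, n in tactic_counts(detections).items() if n == 0]

def attack_path(detections, host):
    """One host's detections in time order, each labelled with the earliest
    kill-chain tactic its technique belongs to (a simplifying assumption here)."""
    events = sorted((ts, tid) for ts, h, tid in detections if h == host)
    return [(tid, min(TECHNIQUES[tid][1], key=TACTIC_ORDER.index)) for _, tid in events]

def follows_kill_chain_order(path):
    """True when the path never moves backwards through the kill chain."""
    positions = [TACTIC_ORDER.index(tactic) for _, tactic in path]
    return all(a <= b for a, b in zip(positions, positions[1:]))
```

In the constructed data, srv-db-2 starts at lateral movement with no reconnaissance or initial access of its own, which is exactly the kind of chain the Unified Kill Chain discussion below is concerned with.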

Unified Kill Chain for SecOps

The Unified Kill Chain “was developed through a hybrid research approach, combining design science with qualitative research methods. The Unified Kill Chain extends and combines existing models, such as Lockheed Martin's Cyber Kill Chain® and MITRE's ATT&CK™.”

Unifying the kill chain merged tactics from the Lockheed model and from MITRE. Both models provide vital details of attack vectors, giving threat hunters structured visibility and a framework. However, Lockheed's tactics focus more strongly on the network perimeter and emphasize malware, whereas MITRE's TTPs are far broader and cover several security domains.

The Unified Kill Chain helps develop more realistic models of each specific attack, especially attacks that do not follow the standard kill chain. The original models assume a fixed structure built around critical phases such as reconnaissance, weaponization, and exfiltration.

What if the attack occurred after a regular connection was made, and the chain started without any reconnaissance due to malware?

The Unified Kill Chain provides insight into the tactics used in advanced cyber threats and the steps attackers take during an attack. By placing those steps in the sequence observed in a specific incident, or in the order an attacker typically follows, the same model can be used to understand attacker behavior in an individual incident or an attacker's tactical modus operandi.


With the ever-growing volume and sophistication of attacks, security operations centers (SOCs) and security information and event management (SIEM) systems that rely on traditional, reactive measures have become overwhelmed. More and more companies are turning to detection and prevention tools that combine real-time and historical analysis to uncover and remediate potential risks before they materialize and to minimize their impact once detected.

MITRE's framework gives organizations a workflow for threat hunting, incident response, and visualization of cyberattacks. Investing in MITRE frameworks helps organizations determine risk across cloud, Office 365, servers, endpoints, and applications. The framework is not a real-time tool like SIEM or SOC collection tooling; instead, MITRE adds a layer of intelligence, including information on the APT group that might be behind the attacks.

To learn more about how to protect yourself from cyber-attacks, please call us – as always, we’re here to help - 1 (888) 982-0678
