A Maturity Model for Deriving Value from the MITRE ATT&CK FrameworkPOSTED BY STEVE RIVERS
For decades, security professionals have been stuck in a pattern of adding the latest technology or another threat feed to improve their security posture. Clearly this approach hasn’t worked. Attacks are happening with increasing velocity and the average cost of a data breach continues to rise – from $3.62 million last year to $3.86 million in 2018, according to the latest Ponemon Study. What’s behind the rising costs? A huge factor is dwell time that has also risen to 197 days from 191 in 2017, as well as an increase in time to containment, now at 69 days from 66.
One of the latest tools to become available to accelerate detection and response is MITRE ATT&CKTM, and it is attracting a lot of attention. MITRE ATT&CK dives deep into adversaries’ actions so security analysts can use that information to their advantage. It is a huge step forward in creating a knowledgebase of adversaries and associated tactics, techniques and procedures (TTPs) and can deliver a lot of value. However, one of the challenges in using it is that security teams are already bombarded with a massive amount of log and event data from each point product within their layers of defense and/or their SIEM. Not to mention the millions of threat-focused data points from commercial sources, open source, industry and existing security vendors that can be used to contextualize and prioritize these alerts.
So, how can you get started and use the framework? Nearly every organization is interested in using MITRE ATT&CK, but they have different views on how it should be adopted based the capabilities of their security operations. We need to make sure that the MITRE ATT&CK framework doesn’t become another source of threat data that is not fully utilized, or a passing fad, or a tool that only the most sophisticated security operations teams can apply effectively. To avoid this fate, we must look at ways to map the framework to stages of maturity so that every organization can derive value. Here are a few examples of how to use the framework with appropriate use cases as maturity levels evolve.
Stage 1, Reference and Data Enrichment. The MITRE ATT&CK framework contains a tremendous amount of data that could potentially be valuable to any organization. The MITRE ATT&CK Navigator provides a matrix view of all the techniques so that security analysts can see what techniques an adversary might apply to infiltrate their organization. To more easily consume this data, a good place to start is with tools that make that data easy to access and share across teams. This may be through an enrichment tool or a platform with a centralized threat library that allows a user to aggregate the data and easily search for adversary profiles to get answers to questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply? Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.
Stage 2, Indicator or Event-driven Response. Building on the ability to reference and understand MITRE ATT&CK data, in Stage 2 security teams incorporate capabilities in the platform within their operational workflows that allow them to apply a degree of action to the data more effectively. For example, with the data ingested in a centralized threat library, they can build relationships between that data automatically without having to form those relationships manually. By automatically correlating events and associated indicators from inside the environment (from sources including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with indicators from the MITRE ATT&CK framework, they gain the context to immediately understand the who, what, where, when, why and how of an attack. They can then automatically prioritize based on relevance to their organization and determine high-risk indicators of compromise (IOCs) to investigate within their environment. With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and push threat intelligence to sensors for detection and hunt for threats more effectively.
Stage 3, Proactive Tactic or Technique-driven Threat Hunting. At this stage threat hunting teams can pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Instead of narrowly focusing on more targeted pieces of data that appear to be suspicious, threat hunting teams can use the platform to start from a higher vantage point with information on adversaries and associated TTPs. They can take a proactive approach, beginning with the organization’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment. For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organization? Are my endpoint technologies detecting those techniques?
The success of MITRE ATT&CK will depend on how easy it is to apply effectively. With an understanding of maturity levels and use cases, and the ability for technologies to support security operations teams at whatever stage they are in, organizations will be able to use the framework to their advantage. As their desire and capabilities to use the data evolve and grow, they’ll be able to dig deeper into the MITRE ATT&CK framework and gain even greater value.