Using Commercial Intel Feeds as a Warning Siren for Hunting Expeditions
Posted by Ryan Trost
Seems like MITRE’s ATT&CK framework is cyber bingo’s new “center square” and marketing teams across the globe are stretching to incorporate it into their upcoming RSA collateral [for all you RSA goers…brace for impact because you know it’s coming!!]. ATT&CK is a tremendous step forward to standardize attack TTPs across sharing organizations; admittedly, however, I do have some reservations about MITRE ATT&CK – complexity, a steep curve to truly operationalize it, and limited resources to dedicate to it. But time will tell what we [industry] do with it.
But all that aside – many teams are making at least a concerted effort to familiarize themselves with it and trying to determine how they can incorporate it into their workflows to improve or even enhance their processes. Although I’ve been out of the SOC operational cadence for several years now, I have been noodling on how I would mold some daily routines around it. During the 2018 SANS IR Survey Part II webcast I attempted to explain how companies could mash together ThreatQ + commercial intel feeds + ATT&CK in an effort to trigger high-probability hunting expeditions within their networks. Though my explanation during the webinar was hurried, here’s a better walkthrough.
Currently, 99% of commercial intel providers have not incorporated ATT&CK into their feeds, which makes sense at this point. However, what they do publish is intelligence attached to an Adversary. And in most cases, we can reasonably assume that equates to relatively recent activity. In most cases, organizations will deploy that intelligence into their sensors (…and again, if you are ONLY pushing intelligence into your SIEM and hoping for the best…you’re doing it wrong!).
Let’s hypothetically assume you imported all that Adversary intelligence but didn’t get any hits…can you assume it is a closed case and they luckily decided to skip you this time?! Don’t be that naive! They didn’t skip you – they are just using different indicators. The overlap of indicators across commercial providers is minimal, yet all the providers are reporting on the same adversaries. Therefore, it’s safe to conclude that adversaries use different indicators across their targeting. But rather than blindly relying 100% on the commercial intel provider’s indicators, you can use them as a tripwire to initiate hunting expeditions using the ATT&CK framework to provide a bit of a roadmap. This is a very proactive way to better defend your environment.
Here’s how it looks step-by-step:
1. In ThreatQ add the relevant adversaries to your Watchlist. Note: this is definitely NOT a recommendation to add all adversaries to your watchlist – you’ll drown. Try and determine the adversaries that target you a bit more frequently or are more sophisticated and have historically been able to sidestep defenses.
2. At some point (likely in the near future), TQ will notify you that new intelligence regarding your adversary has entered the system, and hopefully you have TQ configured to perform two actions:
a. automatically push it to sensors for detection and
b. simultaneously perform a rear-view mirror search to find recent attempts.
If, after a short grace period to let the integrations do what they do, there are still no Sighting alerts…it is safe to assume this might need to be escalated to the Hunt team to take a deeper look within the environment. Historically this is where your previous process would stop and you’d prematurely take a deep breath thinking the coast was clear – wrong!
3. With the adversary alert raised + our integration of the Adversary Reader + our integration of the MITRE ATT&CK framework = you can quickly pivot around ThreatQ’s Threat Library to determine the adversary’s historical TTPs.
4. Escalate to the Hunt team and let the expedition begin!
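The decision logic behind steps 1 through 4, sketched as an added example (not ThreatQ code or its API, and not from the original post). The adversary names, indicators, the 24-hour grace period and the adversary-to-technique mapping are all constructed assumptions; only the ATT&CK technique IDs are real.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)  # assumed grace period for sensors and retro-search

# Constructed sample data; names and values are illustrative, not from any feed.
WATCHLIST = {"ADVERSARY-A", "ADVERSARY-B"}
INTEL = [  # new feed batches, each attributed to an adversary
    {"adversary": "ADVERSARY-A", "received": datetime(2019, 2, 1, 9, 0),
     "indicators": {"198.51.100.7", "bad.example.net"}},
    {"adversary": "ADVERSARY-B", "received": datetime(2019, 2, 1, 9, 0),
     "indicators": {"203.0.113.9"}},
    {"adversary": "ADVERSARY-C", "received": datetime(2019, 2, 1, 9, 0),
     "indicators": {"192.0.2.44"}},
]
SIGHTINGS = [  # indicator matches reported by sensors or the rear-view search
    {"indicator": "203.0.113.9", "seen": datetime(2019, 2, 1, 13, 30)},
]
# Historical TTPs per adversary as ATT&CK technique IDs (mapping is constructed).
ADVERSARY_TTPS = {
    "ADVERSARY-A": ["T1566", "T1059.001", "T1003"],
    "ADVERSARY-B": ["T1071.001"],
}

def triage(intel, sightings, now):
    """Decide what each new intel batch for a watchlisted adversary triggers."""
    seen = {s["indicator"] for s in sightings}
    decisions = []
    for batch in intel:
        adv = batch["adversary"]
        if adv not in WATCHLIST:
            continue  # only watchlisted adversaries act as tripwires
        hits = sorted(batch["indicators"] & seen)
        if hits:
            action, detail = "investigate_sightings", hits
        elif now - batch["received"] < GRACE:
            action, detail = "wait", []  # integrations may still be running
        else:
            # No hits after the grace period: hunt on behaviour, not indicators.
            action, detail = "escalate_hunt", ADVERSARY_TTPS.get(adv, [])
        decisions.append({"adversary": adv, "action": action, "detail": detail})
    return decisions

if __name__ == "__main__":
    for d in triage(INTEL, SIGHTINGS, now=datetime(2019, 2, 2, 10, 0)):
        print(d)
```

The point of the `escalate_hunt` branch is that a quiet indicator feed for a watchlisted adversary opens a hunt scoped by that adversary's techniques instead of closing the case.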
So in conclusion, if you currently think your company is in the clear just because you don’t have any indicator matches when commercial intel providers toss over information, please dig in a little deeper. Trust me…they’re in there somewhere!