Understanding Known Adversary Tactics and TechniquesMARKUS AUER
In the last few years, the MITRE ATT&CK framework has been key to many organizations combating cyber threats. Essentially the framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. The objective of the framework is to create a comprehensive list of known adversary tactics and techniques used during a cyberattack. Open to government, education, and commercial businesses, it allows the collection of a wide and exhaustive range of attack stages and sequences.
The mapping of the framework data, summarised as threat information, is ultimately one of the main activities that an IT security department will undertake. There are two ways that the data can be used by organizations for threat intelligence; they can be either consumers or producers.
Consumers will be using the data already created to improve threat intelligence decision-making. A consumer will usually start by narrowing the threat landscape to specific groups of cybercriminals or threat actors. This allows the organization to understand which threat actors are targeting their data, assets, or resources. To further narrow the threat landscape, previous attacks on similar organizations will be investigated and the groups suspected of being involved in these attacks will be identified.
After identifying the relevant adversaries, the security department can use the data set to view the tactics, techniques, and procedures (TTPs) of these groups. The next step is to establish a prioritized list of detection and prevention capabilities that the Security Operations team must put in place. This process uses data already created by other MITRE teams and is highly recommended for smaller teams.
Augmenting your data
A recommendation for many organizations using the MITRE framework is to layer threat information over and above any existing data. This enables further insights and knowledge share across multiple industries and businesses.
To achieve this organizations must give analysts the time and training required to analyze available incident response reports (both closed and open-source, internal and external) to extract the correct data and match it with ATT&CK metrics. In practice, this means reading these reports thoroughly, highlighting tools, techniques, tactics, and group names, and extracting the data to further feed the information the team has about the suspected attackers.
To assist the augmentation of data, the makers of MITRE are developing a new Threat Report Attacks Mapper (TRAM) tool, which helps analysts to partially automate this process. The additional information should improve decision making once the analysis of the attackers’ TTPs has been passed through the organization’s “context filter”.
While the use of the ATT&CK matrix for Cyber Threat Intelligence mapping focuses on external threats, the next logical step is to look at internal threats. First, all techniques need to be listed with information on how security departments identify, detect, and contain them. Extracting this information is an excellent way for security departments to better understand their own ability to defend and prioritize. The first step in this process is the programmatic extraction of data source information. There are several ways to do this using the APIs provided by MITRE or other open-source tools on GitHub. Once completed, comparing the data sources that the security experts have access to and the groups of users and systems that also have access to those data sources can reveal important gaps in coverage and visibility. For example, if the threat information they have collected indicates hacking techniques that target scheduled tasks, a particular group may be behind them. The security experts are then able to determine whether they can detect this technique. The data sources listed in the technique-file and process monitoring, process command line parameters, and Windows event logs provide this answer.
Closing knowledge gaps
If none of these data sources are available to the security department, or if they are only available on a subset of the network, that is the first problem that needs to be fixed. It doesn’t matter whether they capture these new data sources through built-in operating system logging or by adding new security tools (network monitoring, network discovery and response [NDR], host-based IDS/IPS, endpoint discovery and response [EDR], etc.). It is simply important that identification of the most significant missing data has taken place. If the value and benefits of collecting this data can be clearly communicated to stakeholders, this helps to justify the additional effort and potential costs associated with implementing new tools that facilitate collection.
While achieving the collection of the required data sources is already an important milestone, it is only the first step in the process. Once the data has been collected and sent to a threat repository, the next step is to find a suitable analysis tool. MITRE facilitates this step for many hacker techniques with its prebuilt Cyber Analytics Repository (CAR) and even provides open-source analysis options such as the BZAR-project, which includes a set of Zeek/Bro scripts for detecting some ATT&CK techniques.
Having the best possible resources to hand
With information collected from the right sources, security departments can identify priorities for attack groups and techniques that can be used against their own organization. They can also supplement this information with their own internal data. This provides the security department with the best possible knowledge of what techniques and tactics the attackers have and are likely to use against the organization.
After assessing the threat level, the security experts can then use the integrated data source information to get an idea of the potential defense capabilities. Where key information is missing, they must work together to collect the data and implement analysis for these techniques. Tools such as ATT&CK Navigator can facilitate the visualization of requirements. Open source and other vendors of security appliances and software can help accelerate the process of matching the required data against the data they collect and run against the analyses. The final step is to test and continuously review the MITRE ATT&CK framework, which is enriched with the threat intelligence information.