UEBA and the MITRE ATT&CK Framework: Detect, Investigate, Respond


You don’t need to be very deep in the cybersecurity space to have heard talk about the MITRE ATT&CK™ framework. It’s a popular topic at industry conferences and an increasingly common tool for security vendors to evaluate their strengths in threat detection or prevention. Needless to say, ATT&CK is a critical piece of the puzzle for us at Interset, too, and we’re receiving a lot of questions about it. So, let’s jump right into it.

What is the MITRE ATT&CK framework?

Around 2012, researchers at MITRE started collecting known techniques that adversaries use to infiltrate a system and cause damage. The resulting Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a living reference work that defines cyber adversary tactics and techniques based on real-world attacks and research. In a nutshell, ATT&CK describes the techniques by which an adversary can achieve a specific tactic, i.e. a specific goal¹. It’s a field manual for blue teams and red teams alike.

What makes ATT&CK special is that the researchers categorized all the information in a way that is comprehensive and detailed, extending the advanced persistent threat (APT) attack lifecycle with very useful specifics. There are similarities to the APT framework, but you’ll see some important differences. Take a look at the table pictured below. In the column headers (the first row), you’ll see tactics (i.e. Initial Access, Execution, etc.) that are similar to the APT lexicon, with some expanded tactics (i.e. Defense Evasion, Credential Access). And below every tactic, you’ll see an exhaustive list of all observed and known techniques used by advanced adversaries to complete that tactic—219 techniques to be exact. It’s very detailed.

Source: https://attack.mitre.org/

This “periodic table” style of visualization is a helpful way to catalog known techniques. But ATT&CK goes beyond serving as a simple glossary. If you click on any one of these techniques, you’ll get helpful information, including a description of the technique, known data sources in which you can detect the technique, known examples where the technique has been seen in the wild, recommendations on mitigation, and—of particular interest to us—a section on detection.

MITRE’s detailed commentary on every technique is noteworthy. The commentary helps to understand which adversarial approaches can be detected by looking for specific signs of compromise and which require rich behavioral context. This helps organizations identify the types of technologies and approaches that can realistically help detect stealthy adversaries like nation states or other originators of APTs.

Why does ATT&CK matter to Interset and our customers?

MITRE’s framework is playing a critical role in the direction and development of our user and entity behavioral analytics (UEBA). Looking at all of the detail that ATT&CK gives us, we can identify three critical pieces for every technique:

  • A “Data sources” section that enumerates all the digital data sources that can be used to identify an adversarial technique
  • An “Examples” section that lists all known instances of the technique in the wild as used by adversaries, thereby giving a sense of the popularity and relevance of a technique
  • “Mitigation” and “Detection” sections that provide information that leads us to the type of anomaly and behavioral models that might be used to detect this type of threat.  

One of the ways in which MITRE talks about detecting the “Valid Accounts” technique, for example, would be looking for multiple accounts logging into multiple machines or a machine being active at an unusual time of day. “Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts” (MITRE, Valid Accounts, Detection). This is valuable information for us from an analytical perspective.
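To make that Valid Accounts detection guidance concrete, here is an added illustration (not Interset’s analytics and not code from MITRE): a small Python baseline of each account’s usual logon hours and destination hosts, applied to constructed logon events to flag activity at an unusual hour and an account fanning out to hosts it has never used. The account names, hosts and the threshold of two never-seen hosts are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed successful-logon events (timestamp, account, destination host); not real data.
BASELINE_LOGONS = [
    ("2019-01-07 09:02", "alice", "ws-alice"),
    ("2019-01-08 08:55", "alice", "ws-alice"),
    ("2019-01-09 09:10", "alice", "fileserver"),
    ("2019-01-07 10:15", "svc-backup", "fileserver"),
    ("2019-01-08 10:20", "svc-backup", "fileserver"),
    ("2019-01-09 10:05", "svc-backup", "fileserver"),
]
RECENT_LOGONS = [
    ("2019-01-14 09:05", "alice", "ws-alice"),        # usual hour, usual host
    ("2019-01-14 03:12", "alice", "ws-bob"),          # odd hour, never-seen host
    ("2019-01-14 03:14", "alice", "dc01"),            # odd hour, never-seen host
    ("2019-01-14 03:16", "alice", "ws-carol"),        # odd hour, never-seen host
    ("2019-01-14 10:08", "svc-backup", "fileserver"), # usual hour, usual host
]

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def build_profiles(logons):
    """Per-account baseline: hours of day seen and hosts logged into (exact hours, a simplification)."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, account, host in logons:
        profiles[account]["hours"].add(_hour(ts))
        profiles[account]["hosts"].add(host)
    return profiles

def score_logons(recent, profiles, new_host_threshold=2):
    """Return {account: [reasons]} for accounts whose recent logons deviate from baseline in the
    two ways MITRE's Valid Accounts detection text names: unusual time of day, spread across hosts."""
    findings, new_hosts = defaultdict(list), defaultdict(set)
    for ts, account, host in recent:
        prof = profiles.get(account)
        if prof is None:
            findings[account].append(f"account never seen in baseline ({ts})")
            continue
        if _hour(ts) not in prof["hours"]:
            findings[account].append(f"logon at unusual hour {_hour(ts):02d}:00 to {host}")
        if host not in prof["hosts"]:
            new_hosts[account].add(host)
    for account, hosts in new_hosts.items():
        if len(hosts) >= new_host_threshold:  # assumed threshold: two or more never-seen hosts
            findings[account].append(f"logons to {len(hosts)} hosts never used before: {sorted(hosts)}")
    return dict(findings)

def valid_accounts_findings():
    return score_logons(RECENT_LOGONS, build_profiles(BASELINE_LOGONS))
```

In a real deployment the baseline would be learned over weeks of data with tolerance around each hour rather than exact-hour matching, and the hosts in the fan-out finding would be joined against the systems that share that account.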

We have over 450 machine learning models that power our threat detection solution, and when we map those models to the 219 techniques in the ATT&CK matrix, we can start to understand where we provide threat detection coverage effectively. Keep in mind, the objective for us—and for any vendor, to be fair—is not to try to cover every technique; for example, the “Bootkit” technique involves the modification of the master boot record (MBR) or volume boot record (VBR) on the hard drive, neither of which is a focus area for Interset’s analytics today.

But thanks to MITRE, we can analyze and quantify which techniques matter the most and present the greatest risks to our customers, and then determine how we can create and leverage the right anomaly models to help them protect their businesses against those techniques. The MITRE framework also helps us, as a community, understand why certain anomalous behaviors matter; for any given behavior, we can see the specific technique details and examples behind the behavior. We can also quantify the coverage our analytics has on the overall ATT&CK matrix (spoiler: it’s fantastic!) and use it as a way to drive future development and build analytical coverage where it matters the most.

ATT&CK has already proven itself as a fantastic, trusted resource for SOC operators, and we predict it’ll continue to grow into a gold-standard as a cybersecurity threat playbook for vendors, too. Keep an eye out for more from us on our innovation and initiatives using MITRE’s framework in 2019!

If you’d like to learn more about Interset’s anomaly detection, contact us today.

¹ If you’re interested in taking a deeper dive into the framework’s background, I recommend reading MITRE ATT&CK™: Design and Philosophy.