
Leveraging MITRE ATT&CK for Security Operations

By pwheiler

In 2013, MITRE™ introduced the MITRE ATT&CK™ (Adversarial Tactics, Techniques & Common Knowledge) Framework to help define and categorize known cyber-attack techniques. Based on real-world observations, the Framework lists hundreds of confirmed adversarial techniques and displays them in matrices arranged by 11 core attack stages (tactics). This globally accessible knowledge base is a living and growing tool that has become increasingly popular with Security Operations (SecOps) teams worldwide, who find that implementing the Framework has helped them mature their SOCs and better formulate their defenses.

By clearly mapping out known tactics and techniques, the MITRE ATT&CK Framework provides security teams (detection teams, response teams, hunt teams, etc.) with a shared dictionary: a common language they can collectively use when discussing their cyber-threat defensive strategies. By mapping their existing solutions and defensive capabilities onto the matrices provided by MITRE, organizations can determine their existing coverage against hundreds of specific cyber-threat techniques. This gives them a bird's-eye view of their SOC's true maturity level and of the realities of their current threat exposure and risk.

Using the MITRE ATT&CK Framework

Micro Focus' Emrah Alpa (Sr. Product Manager for ArcSight Global Content and Connectors) recommends that organizations start today by first identifying the top techniques used by their most likely threat actors. From there, they can compare the techniques of those threat actors and identify the top 5 shared techniques (the "common denominators"). This gives them a starting point of top techniques to defend against. They can then continue developing their list and determine, perhaps, the top 30 techniques they should focus on. See the images below for an example of this approach, using only a small segment of a MITRE ATT&CK matrix and using FIN7 and APT29 as the threat actors.

[Figure: segment of a MITRE ATT&CK matrix showing the techniques of FIN7 and APT29]

After determining the top threat techniques, organizations just need to map their existing breach defense capabilities to the matrix. This will leave them with a clear picture of which techniques they’re currently protecting against and where their biggest defensive holes lie. By following this approach, organizations can mature their SOC in ways that truly matter and that actually help them enhance their defensive posture.
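The selection and mapping steps described above, worked through in Python as an added example (not code from the post or from Micro Focus): rank the techniques shared by the chosen threat actors, take the top 5 common denominators, and check each against an inventory of existing defensive capabilities to surface gaps by tactic. The technique IDs are real ATT&CK IDs, but the actor-to-technique sets, the tactic labels and the coverage inventory are constructed placeholders, not MITRE's published group profiles or any real SOC's inventory.

```python
"""Rank ATT&CK techniques shared by likely threat actors and map existing detections
onto them to expose coverage gaps. Added example: technique IDs are real ATT&CK IDs;
actor sets, tactic labels and the coverage inventory are constructed placeholders."""
from collections import Counter, defaultdict

# Constructed sample: techniques attributed to each likely threat actor (illustrative).
ACTOR_TECHNIQUES = {
    "FIN7":  {"T1566", "T1059", "T1204", "T1027", "T1105", "T1021", "T1047", "T1003"},
    "APT29": {"T1566", "T1059", "T1078", "T1027", "T1105", "T1003", "T1550", "T1090"},
}

# Constructed sample: one matrix tactic column per technique (multi-tactic ones simplified).
TACTIC_OF = {
    "T1566": "Initial Access", "T1078": "Initial Access",
    "T1059": "Execution", "T1204": "Execution", "T1047": "Execution",
    "T1027": "Defense Evasion", "T1550": "Defense Evasion",
    "T1003": "Credential Access", "T1021": "Lateral Movement",
    "T1105": "Command and Control", "T1090": "Command and Control",
}

# Constructed sample: defensive capabilities already mapped to techniques.
COVERAGE = {
    "T1566": ["mail gateway", "SIEM correlation rule"],
    "T1059": ["SIEM correlation rule"],
    "T1003": ["EDR", "UEBA anomaly model"],
}

def rank_shared_techniques(actors):
    """Techniques ordered by how many actors use them (common denominators
    first); ties are broken by ID so the ranking is deterministic."""
    counts = Counter(t for techs in actors.values() for t in techs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def common_denominators(actors, top_n=5):
    """The top-N shared techniques: the first ones to defend against."""
    return [tech for tech, _ in rank_shared_techniques(actors)[:top_n]]

def coverage_gaps(actors, coverage, top_n=5):
    """Top-N shared techniques with no mapped defensive capability."""
    return [t for t in common_denominators(actors, top_n) if not coverage.get(t)]

def gaps_by_tactic(actors, coverage, tactic_of, top_n=5):
    """Arrange the uncovered priority techniques by matrix tactic column."""
    matrix = defaultdict(list)
    for tech in coverage_gaps(actors, coverage, top_n):
        matrix[tactic_of.get(tech, "Unknown")].append(tech)
    return dict(matrix)

if __name__ == "__main__":
    print("priority gaps by tactic:", gaps_by_tactic(ACTOR_TECHNIQUES, COVERAGE, TACTIC_OF))
```

Raising `top_n` (for instance to 30, as the post suggests) extends the same gap analysis to the longer list once the first five are covered.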

Boosting your Coverage with Layered Analytics

There are many security solutions that can help a SOC improve its coverage against the techniques outlined in MITRE ATT&CK. SecOps technologies like real-time correlation from a SIEM solution and unsupervised machine learning from a UEBA solution can play major roles in boosting coverage and filling security gaps. Rule-based correlation can detect threats that get past your core defenses in real time and act as a critical "last line of defense". Machine-learning solutions are also highly effective, as they can be used to identify practically any unusual behavior demonstrated by both users and entities.

Both technologies take different approaches to their security analytics, but both are important to protecting against common and dangerous threat techniques. And while there is some overlap in what they can address, there is certainly plenty that’s different. This is why Micro Focus recommends taking a “layered analytics” approach by implementing both technologies, and more where possible, to leverage the power of each. This will help you maximize your security coverage and minimize your security gaps.

Micro Focus and MITRE ATT&CK

Micro Focus strives to help organizations do this with layered security analytics from our ArcSight (SIEM) and Interset (UEBA) solutions. Micro Focus also offers clear mapping of our SecOps product capabilities to the MITRE ATT&CK Framework through our brand new MITRE ATT&CK Navigator webpage. Compare your current MITRE ATT&CK coverage and gaps to those outlined on the Navigator to see how much of a difference Micro Focus can make in your Security Operations, and get direct links to our relevant products and solution content. I also recommend viewing our recent joint webinar with Forrester, on SC Digital: "Next-level SecOps with UEBA and MITRE ATT&CK".

Summary

The MITRE ATT&CK Framework is an incredibly powerful tool that is seeing world-wide adoption, and will likely see continual growth in the coming years. It can guide your SOC and help take your security coverage to the next level. Organizations should map their current SOC capabilities to a relevant MITRE ATT&CK matrix, and then seek out security solutions that map to MITRE and that will help them fill in their gaps and maximize their overall threat coverage.

MORE INFORMATION

For more information, check out our latest video: “Next-Gen SOC | Episode 4: SecOps and the MITRE ATT&CK Framework”.
