The motives of your average cybersecurity attacker honestly haven’t changed much in the past few decades. Although we now have to contend with nation-state actors carrying out geopolitical agendas, the reality is that the goals are largely the same, with attackers primarily seeking to profit or cause disruption. For as much as the cybersecurity threat landscape has grown over the last 20 years, it’s been a circular process that continually returns to the same core concepts of the CIA triad: confidentiality, integrity and availability. Attackers are attempting to either steal something valuable, manipulate or delete data, or interrupt an organization’s ability to operate or provide services.
Prior to joining Micro Focus, I led a security program for a large financial mortgage company. We established a SOC using ArcSight as our SIEM. However, we struggled with the applicable use cases and how best to quickly detect bad actors. It’s not enough to cast a wide net and hope you catch threat actors trying to compromise your data and systems. It’s best if you can narrow your focus to make your efforts truly impactful so you can quickly detect and reduce the dwell or exposure time of threat actors targeting your organization. Nice in theory, but how do you put it into practice?
The MITRE ATT&CK framework, usually pronounced simply “attack”, provides a reference model for measuring the effectiveness of an organization’s detection strategy and the potential impact of deploying other security technologies. ATT&CK is a globally accessible knowledge base of adversary tactics and techniques grounded in real-world observations, and it has become increasingly popular with SecOps teams worldwide. By using ATT&CK, security teams in an organization have a shared dictionary and a common language (tactic names and technique IDs) that they can collectively use when discussing their cyber threat defensive strategies.
What the Framework Entails
If you aren’t familiar with it, the Framework catalogs adversary behavior by breaking it down into tactics and techniques. Tactics are the adversary’s technical goals, such as Lateral Movement or Exfiltration; the Enterprise matrix this post refers to has twelve of them, from Initial Access through Impact (MITRE has since added Reconnaissance and Resource Development, so current versions list fourteen). Beneath each tactic are techniques, which describe how that goal is achieved, such as sending a spearphishing link or running an adversary-in-the-middle (formerly “man-in-the-middle”) attack. MITRE now has sub-techniques as well, which is a welcome refinement: Phishing is T1566, for example, and Spearphishing Link is T1566.002. ATT&CK also includes procedures, the specific implementations of a technique observed in the wild and attributed to named groups and software, as well as a list of pre-attack activities such as pre-purchasing domain names and obtaining third-party software.
Now don’t assume the tactics in ATT&CK are followed in any linear order, as is the case with Lockheed Martin’s Cyber Kill Chain. Instead, an attacker can bounce between tactics, for example repeating Discovery and Privilege Escalation after every Lateral Movement hop, to ultimately achieve their goal.
And no single tactic is more important to cover than the others. By mapping your existing solutions and defensive capabilities onto ATT&CK, you can assess your SOC’s maturity level and get a realistic picture of your current threat exposure and risk.
But given that you likely have limited resources, it can be intimidating to figure out where to start with ATT&CK. I believe a risk-based approach focused on the threats relevant to your organization should drive your detection and prevention controls.
If you know through cyber threat intelligence that you or your industry vertical is being targeted by a campaign or by specific threat groups, look at the specific techniques those groups are known to use (each group’s ATT&CK entry lists them) and determine whether you can detect and prevent them. Overlay what that group is doing with your known security gaps; if you know you can’t detect certain of their techniques, I’d start there. The Initial Access tactic is the funnel point at which a threat group gains its foothold in your environment. If you can focus energy on stopping their known Initial Access techniques sooner rather than later, that is a great starting point.
Once you’ve addressed the techniques of the known threat actors targeting you, you can continue building out your coverage. You may want to go tactic by tactic: start with a single tactic, such as Persistence, and assess your coverage there. It’s useful to track coverage for detection and for mitigation separately. Techniques can be complex, and just because one portion of a technique is mitigated doesn’t mean an attacker can’t abuse it in a different way; Scheduled Task/Job (T1053), for example, spans several sub-techniques, and a control that blocks one scheduler leaves the others open.
Building analytics to detect ATT&CK techniques may differ from how you’re used to doing detection. Rather than matching indicators already known to be bad (hashes, IP addresses, domains) and blocking them, ATT&CK-based analytics collect log and event data about what is actually happening on your systems (process creation, logons, scheduled-task creation, handle access to sensitive processes) and look in that data for the suspicious behaviors ATT&CK describes. Behaviors are far harder for an adversary to change than indicators, which is why this approach holds up across campaigns.
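As an added illustration of that behavior-based approach (this is example code written for this post, not ArcSight content or anything from MITRE), the Python below runs a handful of analytics over constructed endpoint telemetry, tags each finding with the ATT&CK tactic and technique it evidences, and then reports detection coverage per tactic so the gaps are visible. The event schema, host and user names, paths, the LSASS allowlist and the Base64 payload are all assumptions made up for the example; the technique IDs and the logon-type-10 meaning are real.

```python
"""
ATT&CK-tagged behavioral analytics run over constructed endpoint telemetry.

Every rule below describes one suspicious behavior and carries the ATT&CK
tactic and technique it evidences, so both the findings and the coverage
report are expressed in ATT&CK terms. Hosts, users, paths and the Base64
payload are constructed for this example; the technique IDs are real.
"""
import json
import re
from collections import Counter

# The twelve Enterprise ATT&CK tactics the post refers to (pre-October-2020 matrix).
ENTERPRISE_TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Processes that legitimately open lsass.exe: an assumed, deliberately short allowlist.
LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


def _basename(path):
    """Lower-cased file name from a Windows path; tolerates a missing field."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev):
    """An Office application launching a shell or script host (malicious document)."""
    return (ev.get("event") == "process_create"
            and _basename(ev.get("parent_image")) in OFFICE_APPS
            and _basename(ev.get("image")) in SHELLS)


def encoded_powershell(ev):
    """PowerShell started with a Base64 payload via -e / -enc / -EncodedCommand."""
    return (ev.get("event") == "process_create"
            and _basename(ev.get("image")) == "powershell.exe"
            and re.search(r"(?i)(^|\s)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",
                          ev.get("command_line", "")) is not None)


def scheduled_task_created(ev):
    """schtasks.exe /create: the textbook way to persist with a scheduled task."""
    return (ev.get("event") == "process_create"
            and _basename(ev.get("image")) == "schtasks.exe"
            and "/create" in ev.get("command_line", "").lower())


def lsass_access(ev):
    """A process outside the allowlist opening a handle to lsass.exe (Sysmon-style ProcessAccess)."""
    return (ev.get("event") == "process_access"
            and _basename(ev.get("target_image")) == "lsass.exe"
            and _basename(ev.get("source_image")) not in LSASS_READERS)


def rdp_logon(ev):
    """Windows 4624 logon with type 10 (RemoteInteractive), i.e. an RDP session."""
    return ev.get("event") == "logon" and ev.get("logon_type") == 10


# (technique ID, technique name, tactic, predicate)
RULES = [
    ("T1566.001", "Phishing: Spearphishing Attachment", "Initial Access", office_spawns_shell),
    ("T1059.001", "Command and Scripting Interpreter: PowerShell", "Execution", encoded_powershell),
    ("T1053.005", "Scheduled Task/Job: Scheduled Task", "Persistence", scheduled_task_created),
    ("T1003.001", "OS Credential Dumping: LSASS Memory", "Credential Access", lsass_access),
    ("T1021.001", "Remote Services: Remote Desktop Protocol", "Lateral Movement", rdp_logon),
]


def run_analytics(log_lines, rules=RULES):
    """Evaluate every rule against every JSON event; return findings tagged with ATT&CK IDs."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        ev = json.loads(line)
        for tid, tname, tactic, pred in rules:
            if pred(ev):
                findings.append({"line": n, "host": ev.get("host"), "tactic": tactic,
                                 "technique": tid, "name": tname})
    return findings


def detection_coverage(rules=RULES, tactics=ENTERPRISE_TACTICS):
    """Detection rules per tactic; a zero is a coverage gap to put on the roadmap."""
    counts = Counter(tactic for _, _, tactic, _ in rules)
    return {t: counts.get(t, 0) for t in tactics}


# Constructed telemetry: one JSON event per line, normalized from Sysmon/4624-style sources.
SAMPLE_LOG = [
    r'{"event":"process_create","host":"WS01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}',
    r'{"event":"process_create","host":"WS01","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\schtasks.exe","command_line":"schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}',
    r'{"event":"process_access","host":"WS01","source_image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}',
    r'{"event":"logon","host":"SRV02","user":"alice","logon_type":10,"source_ip":"10.0.0.15"}',
    r'{"event":"process_create","host":"WS01","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","command_line":"notepad.exe notes.txt"}',
    r'{"event":"logon","host":"WS01","user":"alice","logon_type":2,"source_ip":"-"}',
]

if __name__ == "__main__":
    for f in run_analytics(SAMPLE_LOG):
        print(f"line {f['line']} {f['host']}: {f['tactic']} / {f['technique']} {f['name']}")
    print("Detection rules per tactic (0 = gap):", detection_coverage())
```

Run as-is, the six constructed events produce five findings across five tactics (the first event, Word launching encoded PowerShell, fires two rules), while the two benign events produce none; the coverage report shows zeros for Discovery, Defense Evasion and the other tactics with no rule yet, which is exactly the tactic-by-tactic gap list you would work through next. In a real SIEM the predicates would be correlation rules over normalized events and the allowlists would be tuned per environment, but the shape is the same: behavior in, ATT&CK-tagged finding out.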
Give Your SOC Team a Leg Up
ATT&CK gives security operations teams a leg up in focusing their detection and response efforts, and at Micro Focus we’ve gone all in with ATT&CK. Here are some of our ATT&CK-related assets you can leverage:
- We have a new video, Moving Left in MITRE: Reducing Exposure Time, that is now available on our SecOps Unplugged YouTube channel. The video does a great job of demonstrating ATT&CK benefits and our capabilities. A shorter video, ArcSight for Exposure Time Reduction, is also available.
- We map our SecOps solutions to the ATT&CK Framework through our Micro Focus MITRE ATT&CK Navigator webpage. With it you can compare your current ATT&CK coverage and gaps to those outlined on the Navigator to see how much of a difference our SecOps solutions can make for you, and get direct links to our relevant products and solution content.
- Interset (now ArcSight Intelligence) was an early adopter of ATT&CK. Here is an ArcSight Intelligence & ATT&CK flyer.
- If you want more, the Marketplace has our ESM Default Content for ATT&CK that you can check out.
The continued adoption of the MITRE ATT&CK framework will allow cybersecurity teams to build better detection strategies and, ultimately, stronger defensive infrastructure. I sure wish it had been around when I was attempting to tune content for ArcSight to find threat actors quickly. But thanks to the efforts of many researchers, it’s available today, so I recommend taking advantage of it.