If you ask me how I picture the cybersecurity landscape, I would say it is like a maze with constantly evolving paths, twists, tunnels and holes that malicious actors try to find and use in order to infiltrate areas they are not permitted to enter, and then achieve their goals: stealing data and causing harm.
And just as a map helps you navigate a maze and reveals its shortcuts and side roads, cybersecurity defenders need a guide to help them navigate adversaries' techniques and evasive approaches.
The good news is that we already have such a guide: the MITRE ATT&CK framework. With its structured approach and broad knowledge base, the framework helps defenders understand adversary behavior and implement effective defensive measures to safeguard their valuable resources.
As stated above, the MITRE ATT&CK framework contains a comprehensive knowledge base of adversary behaviors based on real-world observations of cyberattacks. Here's an overview of what it entails:
This behavior-focused framework, with the information listed above, provides guidance to security researchers, blue teamers and red teamers in their different tasks.
In this blog, we are going to discuss the practical applications of this framework for blue teams and how it can help them design, enhance and assess their defenses. In this first part, we will focus on how it can be used to detect threats and how it helps ensure that detection is effective.
One of the first applications of MITRE ATT&CK is using the outlined TTPs (Tactics, Techniques and Procedures) to detect threats. The attack behaviors described in the framework, the tools adversaries use and the data sources needed to observe each behavior are the ingredients for crafting detection rules that identify potential threats.
At first it feels reassuring to hear that adversaries' tactics and techniques are organized and summarized in one place, the MITRE matrix, and that we can use it to create detections. That reassurance usually fades when we get to the practical implementation: the matrix is huge, and covering all of its content is challenging and time consuming.
So the question is: how can you use the MITRE framework in a manageable way?
Well, the journey of a thousand miles begins with a single step, or in our case, a few steps. Let's say you want to start creating detection rules. First, you need to scope the matrix down to the techniques most relevant to your organization. To do this, assess your assets and determine which services are most valuable and where your most valuable data is stored. The platforms these assets run on should be considered your most valuable platforms. Then, use this information together with the MITRE ATT&CK Navigator to determine where to start and which techniques to prioritize.
When using the Navigator, start by choosing the domain you want: Enterprise, Mobile or ICS. If you select Enterprise, for example, all the Enterprise techniques are displayed, as shown in the figure below:
Then, we filter on our most valuable platforms. Taking “Containers” as an example, we get the following result:
The number of techniques has decreased considerably, which gives us the critical areas to start with (in this example scenario).
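The scoping step above, done offline in code rather than in the Navigator UI, as an added example that is not part of the original post or of MITRE's tooling. It reads the same object shape the ATT&CK STIX bundle uses (attack-pattern objects with `external_references`, `kill_chain_phases` and `x_mitre_platforms`), skips revoked entries, and groups the techniques that apply to the chosen platforms by tactic. The `STIX_BUNDLE` below is a constructed miniature: the IDs and names are real ATT&CK entries, but the platform and tactic lists are abbreviated, so verify them against the live dataset (enterprise-attack.json from https://github.com/mitre-attack/attack-stix-data) before relying on the output.

```python
"""Scope the ATT&CK Enterprise matrix down to the platforms you care about."""
from collections import defaultdict


def _technique(attack_id, name, tactics, platforms, revoked=False):
    """Build one attack-pattern object in the shape the real STIX bundle uses."""
    return {
        "type": "attack-pattern",
        "name": name,
        "revoked": revoked,
        "x_mitre_deprecated": False,
        "x_mitre_platforms": platforms,
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }


# Constructed sample. Real ATT&CK IDs and names, abbreviated platform/tactic lists.
STIX_BUNDLE = {"type": "bundle", "objects": [
    _technique("T1610", "Deploy Container", ["defense-evasion", "execution"], ["Containers"]),
    _technique("T1611", "Escape to Host", ["privilege-escalation"], ["Windows", "Linux", "Containers"]),
    _technique("T1612", "Build Image on Host", ["defense-evasion"], ["Containers"]),
    _technique("T1613", "Container and Resource Discovery", ["discovery"], ["Containers"]),
    _technique("T1053", "Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"],
               ["Windows", "Linux", "macOS", "Containers"]),
    _technique("T1078", "Valid Accounts",
               ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
               ["Windows", "Linux", "macOS", "IaaS", "Containers"]),
    _technique("T1059", "Command and Scripting Interpreter", ["execution"],
               ["Windows", "Linux", "macOS", "Network"]),
    _technique("T1059.001", "PowerShell", ["execution"], ["Windows"]),
    _technique("T1047", "Windows Management Instrumentation", ["execution"], ["Windows"]),
    # Revoked entries stay in the bundle; a scoping pass must skip them.
    _technique("T1086", "PowerShell", ["execution"], ["Windows"], revoked=True),
    {"type": "x-mitre-tactic", "name": "Execution"},  # non-technique objects are ignored
]}


def iter_techniques(bundle):
    """Yield (attack_id, name, tactics, platforms) for every live technique."""
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ref = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if ref is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        yield ref["external_id"], obj["name"], tactics, obj.get("x_mitre_platforms", [])


def scope(bundle, platforms=None, include_subtechniques=False):
    """Techniques grouped by tactic, limited to those that apply to `platforms`.

    `platforms=None` keeps everything (the unfiltered Enterprise view).
    Sub-techniques are folded into their parent unless asked for explicitly.
    """
    wanted = None if platforms is None else {p.lower() for p in platforms}
    by_tactic = defaultdict(list)
    for attack_id, name, tactics, plats in iter_techniques(bundle):
        if "." in attack_id and not include_subtechniques:
            continue
        if wanted is not None and wanted.isdisjoint(p.lower() for p in plats):
            continue
        for tactic in tactics:
            by_tactic[tactic].append((attack_id, name))
    return {tactic: sorted(entries) for tactic, entries in sorted(by_tactic.items())}


def technique_ids(scoped):
    """Distinct technique IDs in a scope() result, so the reduction can be counted."""
    return sorted({attack_id for entries in scoped.values() for attack_id, _ in entries})


if __name__ == "__main__":
    everything = technique_ids(scope(STIX_BUNDLE))
    containers = scope(STIX_BUNDLE, ["Containers"])
    print(f"{len(everything)} techniques in the sample, "
          f"{len(technique_ids(containers))} after filtering on Containers")
    for tactic, entries in containers.items():
        print(tactic, [f"{tid} {name}" for tid, name in entries])
```

A technique is kept when any of its platforms is in the requested set, which is how the Navigator's platform filter behaves; techniques that span Windows and Containers (Escape to Host, Valid Accounts) therefore stay in scope, which is the right call since the shared platform is the one you asked about.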
Similarly, you can use the MITRE Engenuity Top ATT&CK Techniques calculator (top-attack-techniques) to determine the top 10 techniques most relevant to your environment, especially if you already have security solutions that ship detection rules (CAR, Elastic, Sigma or Splunk).
As shown in the following figure, the top 10 techniques to prioritize are calculated from the applied filters: security controls, detection analytics, operating system, and modifiers for network, process, file, cloud and hardware monitoring coverage.
Next, you should develop use cases and create detection rules based on the top priority MITRE ATT&CK techniques and tactics for your organization.
Here again, you can start with what you have where you are: identify what detections you can create with the data you are already collecting (Authentication logs, Sysmon logs, DNS logs, Firewall logs, etc.) and work on that.
At this point, consider exploring the MITRE Cyber Analytics Repository (CAR) and the public Sigma rules: both provide detection logic already mapped to ATT&CK techniques that you can adapt to your own data sources.
Last but not least, while the results you get from these tools are very insightful, they should not be considered a comprehensive solution. They are a starting point in your threat detection journey, the foundation to build upon.
If you already have some rules, MITRE ATT&CK is also a useful resource for assessing detection coverage: what is covered, what works well and where the gaps are, fostering ongoing improvement.
This is done by gaining visibility of how the rules are distributed across the MITRE matrix (the MITRE coverage) and by assessing the effectiveness of the rules you have created, as highlighted in the following points.
When creating detection rules, map each one to the tactics and techniques outlined in MITRE ATT&CK.
This mapping shows which attack techniques your detection rules cover and which ones lack coverage, so that you can create or add the appropriate rules for them. Keep in mind that one rule mapped to a technique rarely covers every procedure of that technique: a filled cell means "some coverage", not "covered".
One approach to doing this is to create a dashboard featuring MITRE tactics alongside their corresponding techniques, and then assessing the coverage of detection rules across these techniques. An example of this dashboard is the Elastic MITRE ATT&CK coverage, where columns represent major tactics, and cells within each column represent a tactic’s related techniques. Cells are darker when a technique has more rules matching the current filters, as shown in the following figure.
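The mapping and coverage view described above, in code, as an added example that is not part of the original post, of Elastic or of MITRE. It reads the `attack.*` tags that Sigma rules carry (`attack.<tactic>`, `attack.t<id>`), counts rules per technique (a sub-technique also credits its parent), lists the priority techniques with no rule at all, and emits an ATT&CK Navigator layer whose per-technique score renders as the same kind of darker-cell heatmap as the Elastic dashboard. The rule inventory and the priority list are constructed for the example (the technique IDs are real, the rule titles are made up), and the version numbers in the layer are an assumption to be set to whatever your Navigator reports.

```python
"""Map detection rules to ATT&CK and turn the result into a coverage heatmap."""
import json
import re
from collections import defaultdict

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed rule inventory: titles are made up, tags follow the Sigma convention.
RULES = [
    {"title": "Encoded PowerShell command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Suspicious WMI process spawn", "tags": ["attack.execution", "attack.t1047"]},
    {"title": "Container deployed from unknown registry", "tags": ["attack.execution", "attack.t1610"]},
    {"title": "Docker socket mounted into container", "tags": ["attack.privilege-escalation", "attack.t1611"]},
    {"title": "kubectl auth can-i enumeration", "tags": ["attack.discovery", "attack.t1613"]},
    {"title": "Login from new country", "tags": ["attack.initial-access", "attack.persistence", "attack.t1078"]},
    {"title": "Cron persistence inside a container", "tags": ["attack.persistence", "attack.t1053.007"]},
]

# Constructed priority list (the output of the scoping step): real ATT&CK IDs for
# the Containers platform; verify the names against the live dataset.
PRIORITY = {
    "T1610": "Deploy Container", "T1611": "Escape to Host", "T1612": "Build Image on Host",
    "T1613": "Container and Resource Discovery", "T1609": "Container Administration Command",
    "T1525": "Implant Internal Image", "T1053": "Scheduled Task/Job", "T1078": "Valid Accounts",
}


def attack_refs(rule):
    """(tactics, technique IDs) from a rule's tags; a sub-technique also credits its parent."""
    tactics, techniques = set(), set()
    for tag in rule.get("tags", []):
        match = TECHNIQUE_TAG.match(tag)
        if match:
            tid = match.group(1).upper()
            techniques.update({tid, tid.split(".")[0]})
        elif tag.lower().startswith("attack."):
            tactics.add(tag[len("attack."):].lower())
    return tactics, techniques


def coverage(rules):
    """Technique ID -> sorted titles of the rules mapped to it."""
    cov = defaultdict(set)
    for rule in rules:
        for tid in attack_refs(rule)[1]:
            cov[tid].add(rule["title"])
    return {tid: sorted(titles) for tid, titles in cov.items()}


def coverage_by_tactic(rules):
    """Tactic -> sorted technique IDs: the columns and cells of the dashboard."""
    columns = defaultdict(set)
    for rule in rules:
        tactics, techniques = attack_refs(rule)
        for tactic in tactics:
            columns[tactic].update(techniques)
    return {tactic: sorted(ids) for tactic, ids in sorted(columns.items())}


def gaps(rules, priority):
    """Priority techniques with no rule mapped to them."""
    cov = coverage(rules)
    return sorted(tid for tid in priority if tid not in cov)


def navigator_layer(rules, priority, name="Detection coverage"):
    """ATT&CK Navigator layer: score = rule count; priority gaps scored 0 and flagged.

    The `versions` block is an assumption; set it to what your Navigator reports.
    """
    cov = coverage(rules)
    techniques = []
    for tid in sorted(set(cov) | set(priority)):
        titles = cov.get(tid, [])
        techniques.append({
            "techniqueID": tid,
            "score": len(titles),
            "comment": "; ".join(titles) if titles
            else f"GAP: priority technique {priority.get(tid, tid)} has no rule",
        })
    max_score = max((t["score"] for t in techniques), default=1)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(gaps(rules, priority))} priority techniques without detection",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max(max_score, 1)},
    }


if __name__ == "__main__":
    print("Gaps:", gaps(RULES, PRIORITY))
    print(json.dumps(navigator_layer(RULES, PRIORITY), indent=2))
```

Save the printed JSON and open it with the Navigator's "Open Existing Layer" option to get the heatmap; techniques whose comment starts with `GAP:` are the cells to work on next.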
After creating the detection rules, it is important to test them to ensure that they are capable of detecting the specific behaviors they were designed for.
You can test your rules by emulating adversary techniques and observing what is detected and which behaviors are missed. In the latter case, investigate why the behavior was not detected: is it the rule's logic? Its syntax? Missing logs? Or something else?
After the issue is fixed, the refined rules should be re-tested again to confirm that they are working properly.
Some tools that could help to accomplish the tests are the following:
Once validated and deployed to production, the detection rules should be tuned, adjusting them as needed to improve accuracy and reduce the false-positive rate.
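The test, fix, re-test and tune cycle from the previous points, run end to end in code, as an added example that is not part of the original post and not Sigma's own engine. It implements a small subset of Sigma's matching semantics (case-insensitive `contains` and `endswith`, AND across fields, OR across listed values, `selection and not filter`) and runs two versions of an encoded-PowerShell rule (T1059.001) over constructed Sysmon-style process-creation events. The first version misses the abbreviated `-enc` switch and fires on a legitimate management agent; the second version fixes both. The events, the base64 strings and the ExampleAgent path are all made up for the example.

```python
"""Test a detection rule against emulated events, find why it misses, fix it and re-test."""

# Constructed Sysmon-style events. Field names follow the Sysmon schema; values are made up.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                        # emulated T1059.001
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "POWERSHELL -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                        # same technique, short switch
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand RwBlAHQALQBTAGUAcgB2AGkAYwBlAA==",
     "ParentImage": r"C:\Program Files\ExampleAgent\agent.exe"},             # benign: hypothetical agent
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\out.txt"},         # file-create event, out of scope
]
MALICIOUS = {0, 1}  # the events the emulation is expected to trigger

# Version 1: first draft of the rule.
RULE_V1 = {
    "title": "Encoded PowerShell command line",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"EventID": 1, "Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": "-EncodedCommand"},
        "condition": "selection",
    },
}

# Version 2: after the test run. Catches the abbreviated switches and pwsh.exe (the miss) and
# excludes the management agent as parent process (the false positive found while tuning).
RULE_V2 = {
    "title": "Encoded PowerShell command line",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"EventID": 1, "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                      "CommandLine|contains": ["-EncodedCommand", "-enc ", "-ec ", "-e "]},
        "filter": {"ParentImage|endswith": "\\exampleagent\\agent.exe"},
        "condition": "selection and not filter",
    },
}


def _field_matches(value, modifier, patterns):
    """Sigma-style comparison: case-insensitive, list values are OR-ed."""
    text = str(value).lower()
    candidates = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "contains":
        return any(p in text for p in candidates)
    if modifier == "endswith":
        return any(text.endswith(p) for p in candidates)
    if modifier == "":
        return any(text == p for p in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def _block_matches(block, event):
    """Every field in a selection/filter block must match (AND); a missing field never matches."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _field_matches(event[field], modifier, patterns):
            return False
    return True


def rule_matches(rule, event):
    """Supports the two conditions used here: 'selection' and 'selection and not filter'."""
    det = rule["detection"]
    hit = _block_matches(det["selection"], event)
    if det["condition"] == "selection and not filter":
        return hit and not _block_matches(det["filter"], event)
    return hit


def evaluate(rule, events, expected):
    """Return (missed, false_positives): expected events not hit, and hits that were not expected."""
    hits = {i for i, event in enumerate(events) if rule_matches(rule, event)}
    return sorted(set(expected) - hits), sorted(hits - set(expected))


if __name__ == "__main__":
    for label, rule in (("v1", RULE_V1), ("v2", RULE_V2)):
        missed, false_positives = evaluate(rule, EVENTS, MALICIOUS)
        print(f"{label}: missed={missed} false_positives={false_positives}")
```

The point of keeping `EVENTS` and `MALICIOUS` next to the rule is that they become a regression test: every time the rule is tuned (a new exclusion, a new variant), the emulated events are re-run and a change that silently reintroduces the miss or the false positive shows up immediately. The fourth event shows the other half of the root-cause question from the text: a rule that expects `CommandLine` can never fire on an event type that does not carry it, so a miss there is a logging gap, not a logic bug.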
This cycle of assessing, improving and reassessing should be repeated regularly. Keeping in mind that there is no perfect detection, the goal is to get better every time.