Cyber Threat Management with MITRE ATT&CK - PART 1
Let’s agree on this first, job of a SOC analyst is TOUGH, as tough as finding a needle in a haystack. Threat hunters are mostly presented with thousands of logs and telemetry data every second and are supposed to identify threat adversaries from this pool of information. This is one challenge which can fatigue both the human and machine intelligence.
There are many frameworks designed to help SOC analysts tackle this situation in different ways. Within our cyber threat research team at HAWKEYE, which consists of RED, BLUE and PURPLE team members, the effectiveness of all these frameworks are often debated. (At the end such debates bring us the best results). There is one framework which we unanimously agree up on and that’s MITRE ATT&CK vs. all the other Cyber-Attack Kill Chains.
So, What is MITRE ATT&CK?
MITRE ATT&CK is a comprehensive matrix of adversary tactics and techniques designed to help SOC analysts and threat hunters classify the threat adversaries and effectively detect the attacks in various stages. In short, it helps to make large pile of hay in to smaller piles based on type of needle you are searching for.
All the tactics and techniques are based on real world scenarios and accumulated over years (actual malware, viruses, trojans, exploits and so on). So, it covers most if not all of the known attack techniques.
Attacks do not happen in just one step. A typical cyber-attack lifecycle passes through various stages from initial access through persistence to the actual impact.
MITRE ATT&CK classified attacks according to the stage and provides various techniques to detect attacks in each of these stages. Even if the attack has evaded the detection system in the first stage, it can still be identified and remediated in later stages as long as you know how to do that.
Each stage has a list of all known tactics and techniques used by adversaries and procedures to detect them. If the SOC is configured to detect attacks in all these stages, there is rare possibility that an attacker can pass through the attack life cycle without detection. Not all attacks pass through all these stages, so it’s imperative to have all the procedures followed and detection rules to be configured for each tactic.
An example of a real-world cyber-attack scenario is shown below; where each technique being executed across the different stages / tactics of the cyber-attack lifecycle to eventually cause business loss or damage.
Tactics are the different stages in the attack lifecycle. MITRE ATT&CK shares five types of tactics used by adversaries.
PRE-ATT&CK Tactics: List of all tactics which are used by attackers to identify the target and information gathering. Example are target selection, technical information gathering, technical weakness Identification, etc.
Enterprise Tactics: This are the tactics for the actual attack from initial access to the network till the impact and covers Windows OS, Linux and MAC OS systems.
Mobile Tactics: Similar to Enterprise Tactics, this is the list of tactics specific to mobile devices to compromise and network.
Cloud Tactics: Similar to Enterprise Tactics, this is the list of attack tactics specific to cloud service provider environments (AWS, Azure, Office365, Azure AD, GCP and other forms of IaaS, PaaS and SaaS).
ICS (Industrial Control Systems) Tactics: Similar to Enterprise Tactics, this is the list of attack tactics specific to critical infrastructure (power plants, water desalination, oil and gas, aviation, airports, manufacturing etc.) or what is known as Industrial Control Systems (ICS). These set of attach tactics are aimed specifically to cause disruption to an industrial process and in turn cause major impact to society.
Techniques are the actual methodology used by adversaries to compromise the network in each stage / tactic. Each tactic can have tens of techniques. Attackers can use the most suitable one of them.
This is exactly where the BLUE and SOC team should spend most of their time on. Each technique should be carefully reviewed, and detection capabilities must be configured for them across the different tools. Security tooling plays a part such as endpoint security, EDR / MDR, NGFW and IPS, NDR, DLP, email security, WAF, MFA, PAM and so on but equally it is important to collect logs from endpoints, servers, domain controllers, hypervisors, applications and databases to be able to build proper detection capabilities.
Leaving even one of them unconfigured would be like sending an invitation to the attacker.
How can SOC analysts make use of MITRE ATT&CK Matrix?
Looking from a SOC analyst’s perspective; each tactic and technique can be a considered useful in building monitoring “use cases”. A SOC analyst should:
1) Understand cyber-attacks pertaining to their environment, assets, systems and applications and how they could materialize
2) Configure each critical and dependent log source to send relevant security events and audit logs and telemetry data to the SIEM or big data security analytics platform
3) Identity how each technique across the different tactics can be identified and detected with these logs.
4) Develop and build use cases and rules to detect these techniques being executed; correlate events based of MITRE techniques and generate events
5) Configure alerting for triggering these correlation rules and events
6) Simulate each technique and ensure the effectiveness of the configured rules and use cases. Threat adversary simulation to be performed here.
7) Define response procedure / incident response playbooks for each threat events.
To read more about tactics and techniques of MITRE ATT&CK Matrix, please click here.