Let the MITRE ATT&CK Framework Be Your Guide: Building a Robust and Effective Security Sensor Grid in Your IT Environment
There’s no doubt about it: cybercriminals are wily and shrewd. To help security professionals make sense of the near-infinite variety of tactics and techniques attackers use to infiltrate networks, steal data, extort payments, or otherwise do harm to legitimate businesses and their reputations, MITRE has developed and published the MITRE ATT&CK framework.
MITRE is a not-for-profit organization that operates federally funded research and development centers. Its mission is to solve problems that test the U.S.’s safety, stability, and well-being, including cybersecurity challenges.
By definition, the ATT&CK framework is a “globally accessible knowledge base of adversary tactics and techniques based on real-world observations.” (The acronym stands for Adversarial Tactics, Techniques and Common Knowledge.) In essence, ATT&CK is a comprehensive library of descriptions of the activities and strategies that threat hunters and security researchers have observed attackers employing in real IT environments. It aims to be a common repository of shared intelligence.
In recent years, the ATT&CK framework has been widely discussed, and widely praised, in the cybersecurity industry. It meets a very real need: it provides a list of methods by which enterprise IT environments can be compromised, and the information is detailed and highly specific. If you can detect and defend against every technique in the framework, the common wisdom goes, your environment will be fundamentally secure.
MITRE ATT&CK: Strengths and Limitations
As it stands today, however, the framework is large and complex. More than 500 activities are described among the adversarial techniques it includes. It would be extremely challenging—if not downright impossible—for any organization to defend against all of them, all the time, completely.
A number of the techniques included within the ATT&CK framework are not purely technical in nature. From “dumpster diving,” in which would-be cybercriminals look through an organization’s trash in the hopes of finding discarded technology or information that could help them infiltrate the network, to “exfiltration over physical medium,” where attackers copy data onto removable media such as a USB drive and carry it out of the building (a route often seen against air-gapped networks), many are best thwarted by physical security controls, removable-media policy, or increased employee vigilance. Even these, though, leave some telemetry, such as a removable-drive mount event on the endpoint, which is why they still belong in a coverage map.
Without question, the framework is valuable and useful. It enables security professionals to move beyond identifying the simplest—and easiest to modify—indicators of malicious activity, such as file signatures associated with known malware or IP addresses linked to phishing attempts, to instead train their attention upon adversaries’ behaviors.
Because it’s grounded in real-world observations, it’s applicable to real IT environments: any of the attack scenarios described in the ATT&CK framework can be emulated by red teams or in penetration tests. And because it’s behavior-focused, the framework can help security analysts understand the “how” and “why” of particular malicious activities.
Top use case for MITRE ATT&CK: Mapping your sensor grid’s detection capabilities against actual attacker tactics and behaviors
Though the ATT&CK framework can be put to use in a number of ways, including as a source of intelligence for threat hunters seeking a deeper understanding of their adversaries’ behavior or as a tool to aid in assessments of how well behavioral analytics platforms can identify suspicious activities, security teams can maximize the value they gain from it by employing it as a map to their defenses and their visibility into the environment.
Because the framework is so highly detailed, and because each technique entry names the platforms it applies to and the data sources (process creation, command execution, network traffic, authentication logs, and so on) from which it can be detected, it is relatively easy to extrapolate from ATT&CK a list of the systems and log feeds that need to be monitored in order to detect attacks taking advantage of each technique. That is, the framework provides a direct way to map your sensor grid’s detection capabilities against real-world attackers’ tactics, techniques, and procedures: for each technique, ask which of your sensors emits any of its listed data sources.
For example, the coverage offered by an individual network intrusion detection system (NIDS) can be compared with the full catalogue of attack techniques in the framework to evaluate how well it can actually monitor—and thus enable protection of—the environment. Security sensors are like the eyes and ears of a security operations team: the higher the quality—and the greater the quantity—of the information they report, the better you’ll be able to detect malicious activity.
Designing a sensor grid according to the MITRE ATT&CK framework
Sensor diversity and overlapping coverage are best. It might seem obvious, but if you were to compare the volume and quality of the sensor data you’d get from implementing tools from all the various NIDS, endpoint protection platforms (EPPs), URL filtering tools, and other security sensors, you’d find that all of them, used together, provide tremendously deeper coverage across the entire taxonomy of attacks than any single data source.
Because any individual vendor’s solution has the potential to miss particular attack techniques, this really is a case where “the more, the merrier” is true. What types of traffic are you monitoring? Does your sensor grid include east-west (host-to-host, lateral) network coverage, or only the north-south traffic crossing your perimeter? The depth and breadth of information you are gathering is of critical importance here. Including solutions from multiple vendors can help insure you against security flaws or poor signature-writing on one vendor’s part, and the coverage map will show you exactly which techniques currently rest on a single sensor.
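The mapping exercise described in the two sections above can be carried out mechanically once you have two tables: the data sources each ATT&CK technique lists, and the data sources each deployed sensor actually emits. The following is an added example, not code from the original article or from MITRE; technique IDs and names are real, but the data-source lists are an abbreviated, hand-constructed sample, and the sensor grid (`edr`, `nids`, `ad_logs`, `mail_gw`) is hypothetical. In practice the technique table should be loaded from MITRE's published STIX bundle (github.com/mitre/cti) rather than maintained by hand.

```python
"""Map sensor telemetry onto ATT&CK technique data sources to find coverage gaps."""
import json
from collections import defaultdict

# Constructed sample of the ATT&CK "Data Sources" field for a handful of
# enterprise techniques. IDs/names are real; the data-source lists are
# abbreviated for illustration. Load the real ones from MITRE's STIX bundle.
TECHNIQUES = {
    "T1059": {"name": "Command and Scripting Interpreter", "tactic": "execution",
              "data_sources": {"Process: Process Creation", "Command: Command Execution"}},
    "T1003": {"name": "OS Credential Dumping", "tactic": "credential-access",
              "data_sources": {"Process: OS API Execution", "Process: Process Access",
                               "Command: Command Execution"}},
    "T1021": {"name": "Remote Services", "tactic": "lateral-movement",
              "data_sources": {"Logon Session: Logon Session Creation",
                               "Network Traffic: Network Connection Creation"}},
    "T1071": {"name": "Application Layer Protocol", "tactic": "command-and-control",
              "data_sources": {"Network Traffic: Network Traffic Content",
                               "Network Traffic: Network Traffic Flow"}},
    "T1566": {"name": "Phishing", "tactic": "initial-access",
              "data_sources": {"Application Log: Application Log Content",
                               "Network Traffic: Network Traffic Content",
                               "File: File Creation"}},
    "T1052": {"name": "Exfiltration Over Physical Medium", "tactic": "exfiltration",
              "data_sources": {"Drive: Drive Creation", "File: File Access"}},
}

# Hypothetical sensor grid: the data sources each deployed sensor really emits.
# Names are illustrative roles, not products.
SENSORS = {
    "edr":     {"Process: Process Creation", "Command: Command Execution",
                "Process: OS API Execution", "Process: Process Access", "File: File Creation"},
    "nids":    {"Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow",
                "Network Traffic: Network Connection Creation"},
    "ad_logs": {"Logon Session: Logon Session Creation"},
    "mail_gw": {"Application Log: Application Log Content"},
}


def coverage(techniques=TECHNIQUES, sensors=SENSORS):
    """{technique_id: sorted sensors that emit at least one of its data sources}."""
    return {tid: sorted(s for s, emits in sensors.items() if emits & t["data_sources"])
            for tid, t in techniques.items()}


def gaps(techniques=TECHNIQUES, sensors=SENSORS):
    """Techniques no sensor can see at all, grouped by tactic (the blind cells of the matrix)."""
    by_tactic = defaultdict(list)
    for tid, seen_by in coverage(techniques, sensors).items():
        if not seen_by:
            by_tactic[techniques[tid]["tactic"]].append(tid)
    return dict(by_tactic)


def single_points_of_failure(techniques=TECHNIQUES, sensors=SENSORS):
    """Techniques whose visibility rests on exactly one sensor (one vendor's miss blinds you)."""
    return {tid: seen_by[0]
            for tid, seen_by in coverage(techniques, sensors).items() if len(seen_by) == 1}


def blinded_by_losing(sensor, techniques=TECHNIQUES, sensors=SENSORS):
    """What-if: techniques that go from visible to blind if one sensor is tuned out or fails."""
    remaining = {s: e for s, e in sensors.items() if s != sensor}
    before, after = coverage(techniques, sensors), coverage(techniques, remaining)
    return sorted(tid for tid in techniques if before[tid] and not after[tid])


def navigator_layer(techniques=TECHNIQUES, sensors=SENSORS, name="sensor coverage"):
    """ATT&CK Navigator layer: score = number of independent sensors covering the technique."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},  # assumed; match the Navigator build you load it into
        "description": "score = count of sensors emitting a data source listed for the technique",
        "techniques": [
            {"techniqueID": tid, "score": len(seen_by),
             "comment": ", ".join(seen_by) or "NO VISIBILITY"}
            for tid, seen_by in sorted(coverage(techniques, sensors).items())
        ],
    }


if __name__ == "__main__":
    print("blind techniques by tactic:", json.dumps(gaps(), indent=2))
    print("single-sensor dependencies:", json.dumps(single_points_of_failure(), indent=2))
    print("lost if nids is tuned out:", blinded_by_losing("nids"))
    json.dump(navigator_layer(), open("coverage-layer.json", "w"), indent=2)
```

With this sample grid, exfiltration over physical medium has no sensor at all, and command execution, credential dumping and C2 over application-layer protocols each depend on a single sensor; phishing is the only technique corroborated by three. The layer file can be loaded into the ATT&CK Navigator to colour the matrix by score, which makes the single-sensor cells and the blind cells visible at a glance.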
Turn up the volume, tune up your sensors.
Whenever you tune down your network telemetry, you are excluding potentially valuable and illuminating information from consideration. No matter how carefully you construct rules and policies, every feed you suppress and every alert you dismiss without analysis inherently increases the risk that an attacker will evade detection. Before switching off a feed, check which ATT&CK techniques it is the only source for.
Unless it’s being managed and monitored, you’re not deriving real value from your security sensor data.
It goes without saying that information collected only to be stored within a data lake or security information and event management (SIEM) platform, without being subjected to monitoring or analysis, will never help you detect attacks that are in progress. The argument is often made that this log data is useful after the fact for forensic purposes, and retained logs do allow retrospective hunting when new intelligence arrives, but only if someone actually runs those hunts; making post-breach investigations easier isn’t the same as reducing your organization’s real risks.
Visibility is key. As cybercriminals increasingly turn to encryption as a tool to aid them in the delivery of malware and in command-and-control traffic, knowing when and where to decrypt traffic for inspection is critical, especially in today’s cloud-first and microservices-based environments. Where decryption is not possible, for instance with pinned or mutually authenticated TLS, endpoint telemetry and connection metadata have to carry the detection load that payload inspection otherwise would.
Security analysis software: the most critical tool for deepening sensor grid coverage
Designing a security sensor grid that can monitor for more of the techniques and procedures in the ATT&CK framework requires an adequate number and variety of sensors, of course. But it also demands that your SecOps team maintain the capability to monitor these sensors—thoroughly, with care, and continuously. Implementing an automated software solution that’s able to make deeply analytical decisions about what’s likely to be worthy of further investigation is essential to achieving this degree of coverage.
With the latest generation of automated security monitoring technologies, including Robotic Decision Automation, you’re able to bring together a broad array of information from multiple security sensor sources within a single, integrated virtual analyst. The intelligent decision engine can correlate data across the various sources for enhanced effectiveness; the more multi-source corroboration that can be achieved, the more accurate and comprehensive your monitoring will be.
Given the MITRE ATT&CK framework’s complexity, it’s near-impossible for human security analysts working without the assistance of security automation software to achieve real coverage of even a small fraction of the attack methods it catalogues. With Robotic Decision Automation on board your team, however, it’s possible to perform at an entirely new level.