
Maximize the MITRE ATT&CK® Framework with the Respond Analyst

by Mike Reynolds

The MITRE ATT&CK® framework organizes adversary behavior into 12 tactic categories.

When an adversary has a malicious objective (establishing persistence, long-term command and control, or defense evasion, to name a few), it uses multiple tactics across the phases of a cyberattack lifecycle. Each phase consists of behaviors, expressed as a set of techniques, and each technique can in turn be carried out through varying procedures. The initial tactic used to gain a foothold in your environment is therefore paired with one or more techniques, followed by another tactic with its techniques, and so on until the adversary’s objective is reached. This layering, from tactics down to specific procedures, is where the acronym TTP (Tactics, Techniques, and Procedures) originates.

Because the MITRE ATT&CK framework is grounded in real-world observations, it applies directly to real IT environments: any of the attack scenarios it describes can be emulated by red teams or during penetration tests. And because it is behavior-focused, the framework helps security teams understand the “how” and “why” of particular malicious activities. Security teams can use ATT&CK to map their sensor grid’s detection capabilities against real-world attackers’ tactics, techniques, and procedures. Taking the output of the sensor grid and building a case (scoping, escalating, and prioritizing the detections from disparate sensors, threat intel, and company contextual data) to fully understand a cyberattack is difficult for human analysts, and it is where Respond Software excels.

To show how and why the Respond Analyst escalates an incident, let’s walk through a typical example. The incident shown here was scoped from 114 disparate events from the sensor grid, threat intel, and the company’s contextual data, all gathered automatically by the Respond Analyst.

REASONS FOR SCOPING, ESCALATION AND INCIDENT CREATION

Why did this incident get scoped?  Here’s the evidence that the Respond Analyst pulled together:

  1. External System on Threat Intel List: via Threat Intel query
  2. Malware Not Successfully Removed by Endpoint Protection Agent: via Network IDS
  3. Suspicious User-Agent Observed: via Web Proxy events
  4. File Hash on Threat Intel List: via Threat Intel query
  5. Suspicious External System Attributes: via Web Proxy events
  6. Internal Assets with Repeated Malware Infections: via the Respond Analyst’s memory
  7. Multiple Network IPS Signatures Triggered by Same Internal Asset: via Network IDS and the Respond Analyst’s memory

On May 9, 2020 at 8:29 pm PDT, the Respond Analyst received EPP/AV alerts and found events that fall under the Initial Access and Execution tactics.

“Suspicious executable detected | RAT – Low severity”

  • Internal asset smiller.acme.com: infection has been cleaned

“Suspicious executable detected | RAT – Low severity”

  • Internal asset jthompson.acme.com: infection has been cleaned

The alerts show that the EPP had found an infection and cleaned it.  In addition to the specific security event, the Respond Analyst also gathers contextual information including asset criticality, account criticality, and vulnerability status.  This helps the Respond Analyst make decisions on how critical the incident may be and what incidents to triage before others.

In the next phases, the Respond Analyst uncovers Persistence, Defense Evasion, and Command and Control Tactics. The Respond Analyst received telemetry from the network IPS that shows that the assets deemed “clean” by the EPP may not be.

NIDS events tell a different story

“Zeus.Gen Command and Control Traffic | Malware – Medium severity”

In fact, it appears that the two systems are indeed infected with Zeus.Gen and communicating with a Command and Control system.  The Respond Analyst continues its investigation, gathers information, and scopes the related events and those particular systems (jthompson.acme.com and smiller.acme.com) into an incident.

In addition, the Respond Analyst digs in further and finds that there are additional assets (mpeterson.acme.com, kwillits.acme.com, and eholmes.acme.com) communicating via the same Zeus-bot command and control and to the same malicious domain.  These events are also scoped into the incident.

In parallel, the Respond Analyst performed threat intel lookups. Through threat intelligence comparisons, we find that the domain is registered in Russia and that there is a high probability that the destinations the systems are communicating with are malicious:

  • tmweb.ru | External – High – Russia
  • tmweb.ru | External – High
  • tmweb.ru | External – High
  • 34.89.98 | External – Medium
  • 44.65.109 | External – Low
  • 20.243.162 | External – Low – Nigeria

The Respond Analyst has also gathered corroborating evidence from the Web Proxy. We find that the domain is registered in Russia and was registered only recently. The Respond Analyst gathers domain details from the Web Proxy, including the users involved and the following domain attributes:

  • Registrant Country: Russia
  • Suspicion: High
  • URL Classification: Uncategorized URL
  • Registration Date: 5/09/20 | 11:15pm PDT
  • Updated Date: 5/10/20 | 2:08pm PDT
  • Purchaser: WhoisGuard Protected
  • Seller: NAMECHEAP INC
  • Suspicious Attributes: Recently Registered Domain

With the incident fully scoped, the security analyst can now kick off the incident response.  The mean time to detection was brought down significantly, as much of the investigation and scoping work has been handled by the Respond Analyst.
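The correlation the walkthrough describes (the EPP reports an infection as cleaned, the NIDS then sees Zeus.Gen C2 traffic from the same hosts and from others sharing the destination, and threat intel rates that destination high-suspicion and recently registered), as an added Python example that is not Respond Software's code. The events, the intel verdicts, and the build01.acme.com / updates.example.com decoy are constructed for illustration.

```python
# Constructed sample events modelled on the walkthrough above (not real telemetry).
RAT, C2 = "Suspicious executable detected | RAT", "Zeus.Gen Command and Control Traffic"
EVENTS = [
    {"ts": "2020-05-09T20:29", "src": "epp", "host": "smiller.acme.com", "sig": RAT, "outcome": "cleaned"},
    {"ts": "2020-05-09T20:29", "src": "epp", "host": "jthompson.acme.com", "sig": RAT, "outcome": "cleaned"},
    {"ts": "2020-05-09T20:41", "src": "nids", "host": "smiller.acme.com", "sig": C2, "dest": "tmweb.ru"},
    {"ts": "2020-05-09T20:43", "src": "nids", "host": "jthompson.acme.com", "sig": C2, "dest": "tmweb.ru"},
    {"ts": "2020-05-09T20:50", "src": "nids", "host": "mpeterson.acme.com", "sig": C2, "dest": "tmweb.ru"},
    {"ts": "2020-05-09T21:02", "src": "nids", "host": "kwillits.acme.com", "sig": C2, "dest": "tmweb.ru"},
    {"ts": "2020-05-09T21:10", "src": "nids", "host": "eholmes.acme.com", "sig": C2, "dest": "tmweb.ru"},
    # Same C2 signature to a low-suspicion destination (constructed decoy): must stay out of scope.
    {"ts": "2020-05-09T21:30", "src": "nids", "host": "build01.acme.com", "sig": C2, "dest": "updates.example.com"},
]

# Constructed threat-intel verdicts keyed by destination (not a real feed).
INTEL = {
    "tmweb.ru": {"suspicion": "High", "country": "Russia", "recently_registered": True},
    "updates.example.com": {"suspicion": "Low", "country": "US", "recently_registered": False},
}


def scope_incident(events, intel):
    """Correlate EPP 'cleaned' verdicts with later NIDS C2 events for the same host,
    then widen scope to every host talking to the same high-suspicion destination."""
    cleaned_at = {e["host"]: e["ts"] for e in events
                  if e["src"] == "epp" and e["outcome"] == "cleaned"}
    hosts, reasons, tactics, count = set(), set(), set(), 0
    for e in events:
        if e["src"] != "nids" or "Command and Control" not in e["sig"]:
            continue
        verdict = intel.get(e["dest"], {})
        if verdict.get("suspicion") != "High":
            continue  # unknown or low-suspicion destination: a C2 signature alone does not scope
        hosts.add(e["host"])
        count += 1
        tactics.update({"Persistence", "Defense Evasion", "Command and Control"})
        reasons.add(f"External system on threat intel list: {e['dest']}")
        if verdict.get("recently_registered"):
            reasons.add(f"Recently registered domain: {e['dest']} ({verdict['country']})")
        # EPP reported 'cleaned', yet C2 traffic followed: the removal did not succeed.
        if e["host"] in cleaned_at and e["ts"] > cleaned_at[e["host"]]:
            count += 1  # the earlier EPP alert becomes part of the incident too
            tactics.update({"Initial Access", "Execution"})
            reasons.add(f"Malware not removed by EPP agent: {e['host']}")
    return {"hosts": sorted(hosts), "reasons": sorted(reasons),
            "tactics": sorted(tactics), "event_count": count}
```

Running `scope_incident(EVENTS, INTEL)` returns the five infected hosts, both "not removed" findings, and the five ATT&CK tactics from the walkthrough, while the decoy host stays out.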

The Respond Analyst maximizes your MITRE ATT&CK coverage by cross-correlating disparate sensor data and information to detect, investigate, and prioritize security incidents automatically. It maximizes your sensor grid investments because you don’t have to tune your sensors, and the Respond Analyst is always on the job; it never sleeps. The Respond Analyst understands the attack from a broader and deeper perspective because it can simultaneously investigate, correlate, reason, and decide as a human analyst would, but with a deep memory of all current and past incident events.

If you would like to learn more about how The Respond Analyst Maximizes MITRE ATT&CK Framework Coverage, please: