Using Frameworks like MITRE ATT&CK for Cyber Defense


Welcome to this week’s blog, where I’ll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience.

Coming in at number eight on our “Top 10 List of the Challenges Cybersecurity Professionals Face” is the Underutilization of Frameworks to Support Investigations.

What are Frameworks?

Threat frameworks allow a security analyst to streamline investigations and make sense of the chaos of never-ending streams of alerts coming from security logs and intelligence feeds. They help tell the story of a threat actor or the phases of an attack by visualizing how an attack can progress, what steps a given threat actor is going to take, and what mitigation steps are possible.

Where did Frameworks Begin?

In 2011, the US Department of Defense recognized cyber warfare as a component of the 5th domain of warfare, information operations. Threat frameworks were derived from the term kill chain, a military concept that identifies the structure of an attack. It consists of identifying a target, dispatch, decision, order, and finally, destruction of the target.

Lockheed Martin, a defense contractor, extended the military concept of a kill chain and adapted it to a cybersecurity threat model to help defend against cyber threats.

Why Should Analysts Use Frameworks?

Frameworks help organizations understand the context of a cyberattack, gauge how worried they need to be, and improve the security posture of their enterprise networks. As the latest vulnerability or breach makes its way around, threat frameworks can help organizations conduct a security assessment to outline their security vulnerabilities and quickly answer the question everyone wants to know: Are we affected?

Another reason is to improve organizational efficiency: all teams benefit immediately, with success commensurate with the degree to which the framework is integrated into daily operations. Security teams are already stretched thin, making it difficult to defend against every threat. Frameworks are scalable from the smallest Security Operations Center (SOC) to a full enterprise with dedicated CTI, SOC, Threat Hunters, IR, Red Teams, and Blue Teams.

And lastly, by visually characterizing the threat landscape in real time, analysts can map threat actors to their footprint on the framework to reduce the scope of analysis to only what is relevant for their organizational architecture and vulnerabilities.

Different Frameworks in Use

Many different kinds of frameworks are used worldwide, each serving different purposes. Some were created to help design, organize, deploy, and manage an entire IT and cybersecurity architecture. Others focus on one area or industry, such as PCI-DSS for banking and finance or HIPAA for healthcare. It’s also not uncommon for one organization to use several different frameworks.

Cybersecurity experts say that one of the most essential things for organizations to embrace in order to protect themselves from cyberattacks is to focus on adversarial behavior, including attacker tactics, techniques, and procedures (TTP). It’s important to understand the mindset of an attacker to build and validate the best cyber defenses and eliminate potential threats.

Frameworks enable analysts to understand and visualize attack patterns. This is one of the main reasons cybersecurity has been a major driver for framework adoption. Compliance needs and regulations have also brought mandatory cybersecurity frameworks, which are also key drivers for adoption.

I won’t go into deep detail here and will just outline the more widely used frameworks. Pre-register for our upcoming eBook: Utilizing Frameworks to Enhance Cyber Defenses. This upcoming eBook will dive deeper into the different frameworks and include expert opinions on why and how to get the most out of them.

Three well-known frameworks include:

Lockheed Martin’s Cyber Kill Chain

The Lockheed Martin Cyber Kill Chain® framework is part of the Intelligence Driven Defense™ model for identifying and preventing cyber intrusions. The model identifies what an adversary must do to achieve its objectives and provides a view into the activities an attacker might take.

MITRE ATT&CK

MITRE ATT&CK® is a global knowledge base of adversary tactics, techniques, and procedures based on real-world observation. ATT&CK is used to develop specific threat models and methodologies in the private sector, government, and the cybersecurity product and service industry.

The Diamond Model

The Diamond Model emphasizes four key aspects of an intrusion: the adversary (who), the infrastructure (what), the capabilities (how), and the victims (where). An intrusion event is defined as how the attacker demonstrates and utilizes certain capabilities and techniques over infrastructures against a target.

While the Diamond Model, the Cyber Kill Chain, and the MITRE ATT&CK framework are all still used and referenced by most security professionals, a majority of them use the MITRE ATT&CK framework. Anomali uses the MITRE ATT&CK framework, as well as the others mentioned, in our solutions to analyze threat behaviors and give analysts flexibility in their investigations.

How to Implement Frameworks for Cyber Defense

The adoption of MITRE ATT&CK has grown exponentially, making it a perfect place to start as it’s an excellent resource for cybersecurity professionals to help them understand their current security posture and identify potential risks.

MITRE ATT&CK complements most IT and cybersecurity frameworks in use today and adds significant value as it focuses on the attackers’ adversarial tactics, techniques, and procedures. It helps your team to better understand attackers so they can better defend your enterprise against security risks.

By operationalizing MITRE ATT&CK, security analysts can answer critical questions, including:

  • Are my security tools working as expected?
  • How can I assess and reduce risk?
  • Am I optimizing the value from my security controls expenditures?
  • Are we protected against an imminent threat?

MITRE ATT&CK: The Current Weapon of Choice

MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 to describe and categorize adversarial behaviors based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII.

Over the years, ATT&CK has expanded quite significantly, examining other platforms and technologies, evolving into a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.

Join us for the Detect LIVE March session to hear more about the MITRE ATT&CK framework.

Is MITRE ATT&CK Top Dog?

Again, as I mentioned previously, it all depends on organizational needs. MITRE ATT&CK is gaining traction rapidly, and here’s why.

First, the MITRE ATT&CK framework goes into significantly more depth on how each stage is conducted through ATT&CK techniques and sub-techniques. MITRE ATT&CK is regularly updated with industry input to keep up with the latest techniques, so defenders can update their practices and attack modeling regularly.

Second, some of the other models do not factor in the different tactics and techniques of a cloud-native attack. With more organizations moving operations to the cloud, that’s important.

Using Solutions with Integrated Frameworks

The Anomali Platform integrates frameworks into our solutions to help automate the process and deliver relevant intelligence analysts need when conducting an investigation.

For example, by integrating automation with built-in ATT&CK mapping, The Anomali Platform can quickly surface threats and threat actors by matching indicators of compromise (IOCs) and TTPs across each stage of the MITRE ATT&CK framework. This helps analysts understand the threat and how to defend against it, reducing mean time to detect and respond. It also enables analysts to understand an attacker’s objective so they can predict the next steps and interrupt the threat, ideally before any damage occurs.

When dealing with a cyber threat, time is of the essence. An effective cybersecurity strategy needs to understand adversarial techniques to ensure a resilient cybersecurity posture. By utilizing frameworks, enterprise organizations can improve the effectiveness of their defense tools to ensure a threat-informed defense.

Join me next time as we look at number seven on our list.
