By Chris Calvert, vice president, product strategy, and co-founder, Respond Software
As major enterprises race to digitize their IT and line-of-business infrastructures, cybersecurity has become an imperative from both a business and a regulatory perspective. Yet the same digitization and proliferation of software have multiplied the points of access through which malicious actors can reach sensitive information.
To address these challenges, the MITRE Corporation, a non-profit that develops technology standards, created the MITRE ATT&CK knowledge base. Its objective is to give cybersecurity professionals a way to systematically categorize and mitigate adversary behavior.
With the vast assortment of tactics and techniques in use by attackers, the MITRE ATT&CK framework provides a way to catalog and understand these methods. As a result, the framework itself is large and complex, describing more than 500 activities, which can make it tricky to navigate.
How can organizations defend against all of these activities at all times? The answer lies in aligning automation with the MITRE ATT&CK framework.
Understanding the MITRE ATT&CK framework
The ATT&CK framework offers security teams detailed and highly specific information on how enterprise IT environments can be compromised and provides actionable insight into attacker behavior. Red teams and pen testers can emulate any of the attack scenarios the ATT&CK framework describes. The framework helps security analysts understand the “how” and “why” of particular malicious activities by focusing on attackers’ actions. Its ultimate goal is to provide a comprehensive overview of each possible attack technique as a foundation on which security teams can build a defense plan. If you can protect your network against every technique cataloged in the knowledge base, your environment is essentially secure.
The MITRE ATT&CK framework organizes adversary behavior into 12 tactics, presented as the columns of the ATT&CK matrix. An adversary uses multiple tactics across the phases of the cyber-attack life cycle. Each tactic is accomplished through a set of techniques, and each technique is carried out through varying procedures. The initial tactic used to gain a foothold in your environment is therefore connected to one or more techniques, followed by another tactic with its techniques, and so on, until the adversary has reached their objective or has been stopped.
Setting up the SOC: The more, the merrier
Since any one vendor’s solution can miss particular attack techniques, it’s imperative to build a SOC with multiple overlapping systems and fail-safes. Implementing solutions from a variety of vendors brings a breadth and depth of information that closes security gaps. In addition, integrated reasoning and decision engines monitor and decide like a human expert analyst, but at the scale, speed, and consistent depth of analysis of a machine, fully scoping all relevant malicious activity and incidents.
Known as decision automation, this process can pull together all of the relevant information about a network IPS event, something that is difficult to accomplish with just a rule or playbook. Decision automation can consider all the context relevant to the tactics and techniques outlined by the MITRE ATT&CK framework, including suspicious patterns in the date and time, the attack category and severity, and the source IP/port and destination IP/port. The solution asks more than 100 questions to decide whether the event is malicious and assigns a score using a probabilistic mathematical model.
Decision automation maximizes MITRE ATT&CK coverage by cross-correlating disparate sensor data and information to detect, investigate, and prioritize security incidents automatically. It maximizes the return on sensor grid investments because security teams don’t have to tune their sensors. It can understand the attack from a broader and deeper perspective because it investigates, correlates, reasons, and decides as a human analyst would, but with a deep memory of all current and past incidents.
Decision automation in action
Let’s consider a real-world example. At the beginning of a multi-stage attack, decision automation software received telemetry from the endpoint protection or antivirus product. It saw that a malicious executable or remote access Trojan had been detected. The event was categorized as low severity, and the telemetry said that the infection had been cleaned. The same thing happened on another asset. Because the decision automation software gathers threat intelligence, the criticality of the internal assets and accounts, vulnerability status, and much more, it collected this information regardless of whether the event was escalated.
Two hours later, traffic was seen from both of these servers to malicious domains and endpoints outside the company environment. So the software investigated, gathered information, reasoned, scoped, prioritized, and escalated this into an incident. A human analyst might have missed it, because the data that came in said only that there had been a low-severity infection that was cleaned.
But all of this is part of the same attack story, and the software understood that. Its deep memory let it recall the earlier detections and tie them to the newly gathered data to create an incident.
This is done without rules or playbooks. A SIEM by itself, for instance, needs playbook programming to operate and function normally. It also lacks the consistent depth of analysis, speed, and scale of a machine that scopes all relevant malicious activity into the incident, whose disparate pieces might otherwise never be assembled into a big-picture view.
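The two-server scenario above, as an added example in Python that is neither Respond Software’s code nor a description of its product: a correlator that keeps per-host memory of every event, including the low-severity detections it did not escalate on their own, and when a later proxy line shows one of those hosts reaching a known-malicious domain, it pulls the earlier “cleaned” detection back into scope, groups every host contacting that domain into one incident, and sets the incident priority from asset criticality. The log lines, the malicious-domain list, the asset criticality table, and the 24-hour lookback are constructed for this illustration.

```python
"""Stateful correlation of "cleaned" low-severity AV events with later traffic.

Added example, not Respond Software's product: a correlator with per-host
memory that ties un-escalated AV detections to later proxy traffic toward a
known-malicious domain. Log lines, domain list and criticalities are constructed.
"""
import re
from datetime import datetime, timedelta

MALICIOUS_DOMAINS = {"update.bad-domain.example"}                           # constructed
ASSET_CRITICALITY = {"web-01": "high", "web-02": "medium", "web-03": "low"}  # constructed
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2}
LOOKBACK = timedelta(hours=24)        # how far back per-host memory is consulted

# Constructed log lines: two low-severity "cleaned" AV detections, a benign proxy
# request from a third host, then outbound traffic from both infected hosts two hours later.
SAMPLE_LOG = """\
2024-03-10T08:02:11Z av host=web-01 severity=low action=cleaned detail="malicious executable (RAT)"
2024-03-10T08:07:40Z av host=web-02 severity=low action=cleaned detail="malicious executable (RAT)"
2024-03-10T09:15:00Z proxy host=web-03 dst=cdn.example.net action=allowed
2024-03-10T10:05:22Z proxy host=web-01 dst=update.bad-domain.example action=allowed
2024-03-10T10:06:03Z proxy host=web-02 dst=update.bad-domain.example action=allowed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>av|proxy) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    event["source"] = m.group("source")
    return event


class Correlator:
    def __init__(self, lookback: timedelta = LOOKBACK):
        self.lookback = lookback
        self.memory = {}       # host -> every event seen, escalated or not
        self.incidents = {}    # malicious domain -> incident record

    def ingest(self, event: dict):
        """Store the event first, then decide; returns the incident it joined, if any."""
        host = event["host"]
        self.memory.setdefault(host, []).append(event)
        if event["source"] != "proxy" or event.get("dst") not in MALICIOUS_DOMAINS:
            return None            # nothing to decide yet; the event stays in memory
        # Look back for an AV detection on this host, even one reported as cleaned.
        prior = [e for e in self.memory[host]
                 if e["source"] == "av"
                 and timedelta(0) <= event["ts"] - e["ts"] <= self.lookback]
        if not prior:
            return None
        return self._escalate(host, event, prior)

    def _escalate(self, host, event, prior):
        """Merge this host into the single incident kept for the contacted domain."""
        incident = self.incidents.setdefault(event["dst"], {
            "domain": event["dst"], "hosts": set(), "evidence": [], "priority": "low"})
        incident["hosts"].add(host)
        incident["evidence"].extend(prior + [event])
        # Priority follows the most critical asset that is in scope.
        incident["priority"] = max(
            (ASSET_CRITICALITY.get(h, "low") for h in incident["hosts"]),
            key=CRITICALITY_RANK.__getitem__)
        return incident


def run(log_text: str):
    """Feed log lines through a fresh correlator and return the incidents it raised."""
    correlator = Correlator()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            correlator.ingest(event)
    return list(correlator.incidents.values())


if __name__ == "__main__":
    for inc in run(SAMPLE_LOG):
        print(f"incident: {inc['domain']} priority={inc['priority']} hosts={sorted(inc['hosts'])}")
        for e in inc["evidence"]:
            print(f"  {e['ts'].isoformat()} {e['source']} {e['host']}")
```

The design point is that `ingest` stores every event before deciding anything, so a detection the sensor reported as cleaned is never thrown away; a host that reaches the listed domain with no prior detection in memory is left to a separate rule here so the memory-based path stays readable.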
A hybrid security partnership
The MITRE ATT&CK framework is a practical and useful knowledge base, and it underscores just how complex and vast the attack landscape has become. It’s not realistic to expect human security analysts to cover even a small number of attack methods, let alone all of them.
As a result, decision automation is a modern necessity for organizations that want full coverage against all attack types. It makes deeply analytical decisions about what is likely to be worth further investigation, and those findings are then passed on to the human analysts in a hybrid partnership that covers all the bases.
About the Author
Chris Calvert is vice president of product strategy and co-founder of Respond Software. Chris has over 30 years of experience in defensive information security: 14 years in the defense and intelligence community and 17 years in commercial industry. He has worked on the Defense Department Joint Staff and held leadership positions in both large and small companies, including IBM and HPE. He has designed, built, and managed global security operations centers and incident response teams for six of the global Fortune 50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It is from his firsthand experience with the limitations of the man-vs.-data SecOps model that Chris leads product design and strategy for Respond Software.
Chris can be reached on Twitter at @respondsoftware and at our company website.