Page 119 - Cyber Defense eMagazine for September 2020

of each possible attack technique as a foundation for security teams to develop a defense plan against. If you can protect your network against every technique catalogued by the knowledge base, your environment is essentially secure.


The MITRE ATT&CK framework organizes adversary behavior into 12 tactic columns, each listing the techniques an attacker can use at that stage. An adversary uses multiple tactics across the different phases of the cyber-attack life cycle. Each phase consists of behaviors, which are a set of techniques; techniques, in turn, are carried out through varying sets of procedures. Therefore, the initial tactic used to gain a foothold in your environment is connected to one or more techniques, followed by another tactic with its own techniques, and so on, until the adversary has reached their objective or has been stopped.

Setting up the SOC: The more, the merrier

Since any one vendor's solution can miss particular attack techniques, it's imperative to build a SOC with multiple overlapping systems and failsafes. Implementing solutions from a variety of vendors brings a breadth and depth of information that can prevent security holes. For instance, integrated reasoning and decision engines monitor and decide like a human expert analyst, but at the scale, speed and consistent depth of analysis of a machine, fully scoping all relevant malicious activity and incidents.


Known as decision automation, this process can pull together all of the relevant information about a network IPS event, something that is difficult to accomplish successfully with just a rule or a playbook. Decision automation can consider all the context relevant to the tactics and techniques outlined by the MITRE ATT&CK framework, including suspicious patterns in the date and time, the attack category and severity, and the source IP/port and destination IP/port. The solution asks more than 100 questions to decide whether the event is malicious and assigns a score using a probabilistic mathematical equation.


Decision automation maximizes MITRE ATT&CK coverage by cross-correlating disparate sensor data and information to detect, investigate and prioritize security incidents automatically. It maximizes the return on sensor-grid investments because security teams don't have to tune their sensors. It can understand the attack from a broader and deeper perspective because it is able to simultaneously investigate, correlate, reason and decide as a human analyst would, but with a deep memory of all current and past incidents.
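To make the scoring model described above concrete, here is an added toy scorer (example code written for this article, not the magazine's or any vendor's product). Each "question" is a predicate over an event plus the context gathered from every sensor, answered questions are summed as log-odds, and the result is turned into a probability that the event is malicious. The asset criticality table, threat-intel set, weights and sample events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import exp

@dataclass
class Event:
    asset: str
    severity: str   # vendor severity: "low", "medium", "high"
    hour: int       # local hour the event fired (0-23)
    dst_ip: str     # destination IP, or "" for host-only detections
    technique: str  # ATT&CK technique id attached by the sensor
    cleaned: bool   # vendor reports the infection as already cleaned

# Constructed enrichment (assumed values): asset criticality 1-3 and a
# threat-intel set of known-bad destination IPs.
ASSET_CRITICALITY = {"dc01": 3, "wks-042": 1, "wks-077": 1}
THREAT_INTEL_IPS = {"198.51.100.23"}
PRIOR_LOG_ODDS = -3.0  # most events are benign before any evidence is weighed

# Each "question" is a predicate over the event plus cross-sensor context,
# with an illustrative log-odds weight (negative = evidence of benign).
QUESTIONS = [
    ("off-hours", lambda e, ctx: e.hour < 6 or e.hour >= 22, 0.7),
    ("dst on threat intel", lambda e, ctx: e.dst_ip in THREAT_INTEL_IPS, 2.0),
    ("critical asset", lambda e, ctx: ASSET_CRITICALITY.get(e.asset, 1) >= 3, 1.0),
    ("technique on >1 asset", lambda e, ctx: len(ctx[e.technique]) > 1, 1.8),
    ("vendor severity high", lambda e, ctx: e.severity == "high", 1.0),
    ("reported cleaned", lambda e, ctx: e.cleaned, -0.5),
]

def build_context(events):
    """Cross-sensor context: the set of assets each technique was seen on."""
    ctx = defaultdict(set)
    for e in events:
        ctx[e.technique].add(e.asset)
    return ctx

def score(event, ctx):
    """Sum the answered questions as log-odds; return (p_malicious, reasons)."""
    log_odds, reasons = PRIOR_LOG_ODDS, []
    for name, pred, weight in QUESTIONS:
        if pred(event, ctx):
            log_odds += weight
            reasons.append(name)
    return 1 / (1 + exp(-log_odds)), reasons

def score_all(events):
    """Score every event against context built from all events together."""
    ctx = build_context(events)
    return {e.asset: score(e, ctx) for e in events}

# Constructed scenario: two "cleaned" low-severity RAT detections, late at night.
SAMPLE = [Event("wks-042", "low", 23, "", "T1219", True),
          Event("wks-077", "low", 23, "", "T1219", True)]
```

Scored alone, each "cleaned" low-severity detection stays near the benign prior; scored together, the "technique on >1 asset" question fires and the same events rise well above it, which is the cross-asset correlation the article's scenario relies on.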


Decision automation in action


Let's consider a real-world example. At the beginning of a holistic attack, decision automation software received telemetry from the endpoint protection product or antivirus. It saw that a malicious executable or remote access Trojan had been detected. It was categorized as a low-severity event, and the telemetry said that the infection had been cleaned. The same thing happened on another asset. Since the decision automation software will gather the threat intelligence, the asset criticality of the internal
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.