Fueling Resilience: Optimization and Adapting the MITRE ATT&CK Framework for Robust Security
Sun Tzu was a Chinese military strategist and general best known as the author of the immortal work, The Art of War, which is still studied and quoted to this day. Sun Tzu was a believer in preparedness prior to battle and believed that battles are often won prior to being fought. One of his classic sayings was as follows:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Military leadership utilizes scouts and spies to attain data on the enemy. In the cybersecurity war, companies have traditionally relied on logs and automated alerts to provide reconnaissance into what is occurring within their network. As networks have grown larger and more complex, IT operational teams needed some way to collect and aggregate all this data from across the IT estate. That paved the way for the SIEM that consolidated event data from across the IT estate into a single system.
Why a SIEM Alone Is Not Enough
We might live in the era of data, but data alone is not going to keep your business safe from cyberattacks without knowing how to apply that information. The fact is that simply implementing a SIEM is no longer enough today. According to a 2023 study, the average SIEM fails to detect an alarming 76% of tactics, techniques, and procedures utilized by known cybercriminals and hackers. That is not to say that SIEMs are ineffective, quite the opposite. Like any security tool, it needs to be configured, managed, and fine-tuned to maximize its true effectiveness. The same study showed that 12% of configured rules on average are broken and thus are doing nothing. A SIEM in the end is just another tool in the security arsenal, without the proper configuration, maintenance, and optimization, it is likely not doing what you thought it is.
What Is the MITRE Framework
The tactics, techniques, and procedures (TTPs) mentioned above are from the MITRE ATT&CK Framework. The framework is a global knowledge base of adversary tactics and techniques based on real-world observations. Think of it as “the playbook” to understand your cyber adversaries and how they might implement an attack on your organization. Like a coach that needs to understand all the plays in the playbook, security analysts need to understand all the outlined TTPs in the framework. Currently, the framework includes more than 500 TTPs used by known threat groups.
In American football, a coach may signal a defensive play based on the offensive formation of the opponent for the coming play. The ability to recognize the tactics of the other team is an integral part of the game’s strategy in real time. Of course, new plays are continually being added to each team’s playbook to counter new strategies implemented by their opponents. This is a pertinent aspect of MITRE ATT&CK as threat actors are continually transforming their tactics and techniques to take advantage of newly discovered exploits and circumvent new security controls.
This attack playbook is used by both internal security teams, SOCs, and MSSPs as well as security product vendors, security researchers, and red team personnel. The framework was designed to go beyond the process of signature-based detection which was the de facto standard approach used by security controls. Rather than relying on signature identifiers, the MITRE ATT&CK framework focuses on the behavior of an attack. For instance, while the initial formation of a sports team on the field may give a heads up to the opposing coaches on what may transpire, the players on the field concentrate on the play as it progresses into a predicted pattern. Because attackers are always modifying their tactics, signature-based defenses are usually behind the curve. The MITRE framework is a living document that is in sync with these changing TTPs, thus giving organizations the latest information to keep them safe. Some of the other ways in which the MITRE ATT&CK framework eclipses traditional signature-based strategies include the following:
- It understands how an attack progresses from its initial system access to the point of data exfiltration, encryption, or command & and control. This provides a security team insight into the various stages of an attack so they can create the proper defenses along the way.
- It provides contextual awareness of an attack so that the right responses can be prioritized as security personnel know more about the ultimate goal of the attackers, helping defenders think like attackers.
- While signature-based tools are more defensive in strategy, the ATT&CK framework allows security teams to proactively hunt for threats by looking for the behaviors associated with the known tactics and techniques of nefarious players and groups.
Two Real Examples of the MITRE ATT&CK Framework
Let’s look at a couple of known attack organizations and how the MITRE ATT&CK framework might aid in protecting against them. ATP28 (Advanced Persistent Threat group 28) is a Russian nation-state organization that has been active since 2004. Also known as Fancy Bear, the group is known to target defense and government organizations. Some of the techniques that they regularly use to gain initial access include spear phishing, credential harvesting, and the exploitation of software vulnerabilities. They are also known for registering domains that closely resemble the domains of well-known legitimate organizations that they use in their spoofing attacks. The group is also known to use key loggers as part of the credential harvesting attacks.
Another active organization is the Lazarus Group, a North Korean state-sponsored cyber threat group that has been active since 2009 and has been credited with the WannaCry ransomware outbreak in 2017 as well as incidents involving multiple well-known corporations. They are known to host malware on file hosting services including DropBox, OneDdrive, and Github. Some of their techniques include targeting the startup folder of a user’s computer and using PowerShell to execute commands and malicious code.
The Role of a SOC
Of course, the MITRE ATT&CK framework is a strategy tool, and thus only part of an effective multi-layer security plan. Except for Fortune 1,000 corporations, the framework is not something that the average business has time to work with. That is one of the many reasons why utilizing a SOC is so important today. Using a managed SOC such as CYREBRO gives your organization faster detection and response capabilities to ensure that your business remains resilient to attack and an IR team ready to defend in the case of a threat. We design and configure our SIEM using the tactics and techniques outlines in the MITRE ATT&CK framework to protect out clients’ environments against wide range of known attack tactics. Detection tools alone are no longer enough to ensure the security of your critical business systems. You need keen insights and an understanding of the faceless cyber villains that are targeting you because if you know the enemy and yourself, you need not fear the result of the next attack.
CYREBRO creates its own custom, proprietary rules, instead of using generic, out-of-the-box rules. Detection and response algorithms are created based on specific attributes, not specific systems, enabling us to detect a wide range of threats, covering the attack landscape. Detection attributes are based on the MITRE ATT&CK framework, CYREBRO incident response cases, and our threat research, helping defenders stay one step ahead of threats.