The MITRE ATT&CK Framework Defeats Hackers Guerilla Style

August 10, 2022

Story

Of course, these vulnerabilities often provide easy system access to hackers. And, unfortunately, industry remains in a reactive state when it comes to cybersecurity – and in the absence of threat modeling capabilities, there’s really no alternative.

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) behavior model is a repository of adversary tactics, techniques, and procedures (TTPs) based on real-world cybersecurity incidents.

This knowledge base can be used as the foundation for threat models and methodologies.

Addressing Adversary Tactics with MITRE ATT&CK

The goal of the MITRE Framework is to help security engineers identify gaps in their cyber defenses and demonstrate detection coverage with proven security technologies. The ATT&CK framework contains a matrix of focused methods, or adversary tactics, that hackers have used in their attempts to compromise systems and their data.

Its Behavior Model contains the following core components:

• Tactics denoting short-term adversary goals during an attack
• Techniques describing how adversaries achieve tactical goals
• Documented adversary usage of techniques and other metadata

For security professionals, this model can be used for adversary emulation, red teaming, behavioral analytics, defensive gab assessment, SOC maturity assessment, and cyber threat intelligence enrichment in the implementation of more robust system security. 

(Image Credit: Security HQ)

The industry-agnostic ATT&CK framework supports environments such as Windows, Linux, macOS, Azure AD, containers, and more.

Of course, the cyber threat landscape is dynamic. And as security threats evolve, so too must the frameworks designed to detect and prevent them.

“To truly leverage the MITRE Framework, we must constantly add custom anomaly-based use cases, which are then tagged and aligned with MITRE Tactics and Techniques, to improve the overall detection coverage,” says Deodatta Wandhekar, Manager of Global SOC at SecurityHQ.

The MITRE ATT&CK Framework at Work in the Wild

The MITRE ATT&CK Framework Behavior Model can help guard against changing threat landscapes by supporting features like behavioral traffic analytics described above. However, supporting that means constantly providing the model with your own system’s data and comparing it against the ATT&CK knowledge base.

When used in conjunction with Security Information and Event Management (SIEM), MITRE ATT&CK collects log data from endpoints, networks, and cloud services, identifies threats, and maps them to MITRE ATT&CK. Changes to security posture are then implemented in the security tools that provide log data.

It can also combine with Endpoint Detection and Response (EDR) solutions to map events observed by endpoint agents so security teams can determine the phase of a threat, assess associated risks, and prioritize their response.

These allow organizations protecting ICS systems to stay as up to date as possible, but integrating the Framework with such tools requires manual mapping and integration.

(Image Credit: Security HQ)

A recent partnership between Security HQ and SentinelOne accomplishes this by integrating the former’s Managed Endpoint Security Service with the latter’s technology for detecting signature-based and unknown behavioral threats across all known MITRE ATT&CK TTPs.

If a threat is detected, the solution also supports Windows remediation features and rollback protections against alteration, deletion, or encryption of sensitive data caused by security breaches.

“SecurityHQ’s  24/7 SOC Managed Endpoint service, powered by SentinelOne, is delivered through a single agent, that tracks code in real time, while Active EDR, applies ML-based behavioral scoring to all events, to track the root cause,” Islam Rashad, MSSP Solutions Presales Lead for SecurityHQ

Start Your Own Guerilla War Against Cyber Adversaries

Getting proactive against cybersecurity threats is now easier with thee MITRE ATT&CK Framework. .

Here is a list of adversarial “groups” broken down in sets of related intrusion activities tracked by common names.

Islam Rashad says, “Deep investigation of the storyline saves time for analysts, as well as reduces dwell-time without fine-tuning, to promptly understand the full chain of a detected threat. This empowers a proactive response to threats, to e­ffectively suppress the spread of any infiltration, and place control at the source of compromise.”