Operationalizing MITRE ATT&CK for SOCs | Course notes
The course is part of the Proactive Security Operations Center (SOC) learning path by Picus Security
Course agenda
- Indicators of compromise
- The MITRE ATT&CK framework and TTPs
- The ATT&CK Matrix for Enterprise
- The four steps of operationalizing MITRE ATT&CK:
  - Threat intelligence
  - Adversary emulation
  - Gap analysis
  - Detection and analytics
1/ Introduction
1.1/ IOC
An IOC is evidence that a cyberattack has occurred.
Indicators of Compromise provide useful information about what happened, help defenders prepare for future attacks, and aid in the prevention, detection, and response to similar attacks. However, different sorts of indicators have varying degrees of value, with some being far more significant than others. Because of these differences between indicator types, a classification system is required.
1.2/ The Pyramid of Pain
In 2013, cybersecurity specialist David J. Bianco introduced The Pyramid of Pain, a well-known IOC classification. In this pyramid, Bianco illustrated the importance of each indicator class. Because each level is proportional to the suffering experienced by both security experts and attackers, he termed the pyramid “the Pyramid of Pain.”
As we move up the pyramid, collecting and applying indicators becomes progressively more difficult (painful) for defenders. At the same time, adversaries find it increasingly difficult to replace those indicators with new ones.
For example, from a defender's perspective it is simple to obtain hash values of malicious files and load them into security controls, but it is difficult to design and implement detections for TTPs (Tactics, Techniques, and Procedures) in security tools.
From an adversary's perspective, changing the hash value of a malware file is straightforward; changing TTPs, however, is difficult and costly.
1.3/ Culture shift in SOCs
There is a clear cultural shift in the way SOCs operate: SOCs are taking a more proactive approach.
We have been identifying atomic IOCs, such as hash values, IP addresses, and domain names, since the earliest antivirus software.
However, we must begin detecting adversary behavior, their tactics, techniques, and procedures (TTPs), and the tools they use. At the very least, we must detect their traces on the network and on the host.
1.4/ The MITRE ATT&CK framework
The MITRE ATT&CK framework describes and organizes TTPs in a systematic manner.
- It is a publicly accessible knowledge base built on real-world observations of adversary operations, and it can be accessed from anywhere in the world.
- TTPs give security teams a shared language.
- Another key feature of MITRE ATT&CK is that it is a community-driven effort; it is an appealing framework because the entire global security community can contribute to it.
1.5/ MITRE ATT&CK Matrix for Enterprise
There are several MITRE ATT&CK matrices, such as the Mobile and ICS matrices. These notes focus on the MITRE ATT&CK Matrix for Enterprise.
Each column in this matrix represents a "tactic" (the adversary's technical objective).
Adversaries use various means, referred to as "techniques," to achieve these objectives (tactics). For example, an attacker may perform "Active Scanning" or "Phishing for Information" to achieve the "Reconnaissance" tactic.
1.6/ Relationship between objects in MITRE ATT&CK
MITRE ATT&CK also documents threat groups linked to attack activity, as well as the software used by these threat groups.
A threat group uses procedures or sub-techniques to fulfill its goals (tactics), either manually or via software, during the life cycle of a cyberattack.
For each technique and sub-technique, MITRE ATT&CK provides useful information for security teams, such as metadata, procedure examples, mitigations, and detection guidance. The next sections go through these items in detail.
MITRE ATT&CK use cases:
According to MITRE, the ATT&CK framework can be operationalized in four ways:
- Threat Intelligence: ATT&CK is used as a threat intelligence source.
- Adversary Emulation: red teaming that uses ATT&CK to assess your defenses.
- Gap Analysis: ATT&CK is used to discover defensive weaknesses.
- Detection and Analytics: filling in the defensive gaps that have been identified.
2/ Use Case 1: Threat Intelligence
Any company can benefit from ATT&CK. The MITRE ATT&CK team has identified three levels of maturity and offers suggestions for each:
- Level 1 (teams with limited resources): begin with threat groups targeting your industry or country.
- Level 2 (mid-level teams): map collected intelligence to ATT&CK yourself.
- Level 3 (advanced teams): map more information to prioritize how you defend.
2.1/ Use ATT&CK for Threat Intelligence — Level 1 —
You might begin by focusing on a specific threat group that targets your company’s industry and country. Then you can investigate the threat group’s techniques, which are organized in ATT&CK.
You can leverage open source and commercial threat intelligence resources that map TTPs to MITRE ATT&CK methodologies in addition to ATT&CK.
Note: from a group page (such as DarkSide) or a software page (such as Mimikatz) in ATT&CK you can open the ATT&CK Navigator layer to see the tactics and techniques that group or tool uses.
2.2/ Use ATT&CK for Threat Intelligence — Level 2 —
The MITRE ATT&CK team suggests a step-by-step guide to assist you with mapping a threat intelligence source to ATT&CK
[Image: MITRE's step-by-step guide for mapping a threat intelligence source to ATT&CK]
2.3/ Use ATT&CK for Threat Intelligence — Level 3 —
You may begin mapping additional data to ATT&CK (such as incident response data, reports from OSINT or threat intel subscriptions, real-time alerts, and your company’s historical data) and then you can compare threat groups and prioritize commonly used techniques to prioritize how you defend.
3/ Use Case 2: Adversary Emulation
We now have information on threat groups, their techniques, and their tools. The next stage is to use adversary emulation to test your defensive security controls against these adversary techniques. There are two approaches:
1/ Conduct atomic tests: test your infrastructure or a specific technology against a single technique. You can use Atomic Red Team tests for this (they cover 55% of current ATT&CK techniques).
2/ Perform an adversary attack scenario: run numerous adversary TTPs in sequence, covering all phases of an adversary's life cycle and including all of a threat group's techniques. This approach is certainly more difficult, and it requires the collaboration of several defense teams.
4/ Use case 3: Gap Analysis
Once you have evaluated a technique, you can determine how well you cover it. According to MITRE ATT&CK, you should concentrate on logging and detection gaps, and on measuring coverage.
The MITRE ATT&CK Navigator tool can help you visualize your logging and detection coverage. You can create a colored heat map to prioritize the next stage of the process, mitigation.
There are three possibilities for each technique:
- You are not currently importing the correct data sources, indicating a "logging gap" -> red
- You have the logs, but your analytics are unable to detect the technique, indicating a "detection gap" -> orange
- Your existing analytics detect the technique, indicating "no gap" -> green
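The Level 3 prioritization (compare threat groups, rank commonly used techniques) and the gap-analysis heat map above can be combined in a small script. The following is an added example, not code from the course or from Picus; the group-to-technique mapping and the coverage assessment are constructed sample data, and the Navigator layer version numbers are assumed placeholders.

```python
import json
from collections import Counter
# Constructed sample (not from the course): techniques each threat group uses,
# as a Level 3 team would collect by mapping its own intel to ATT&CK.
GROUP_TECHNIQUES = {
    "group-A": ["T1595", "T1598", "T1003", "T1486"],
    "group-B": ["T1598", "T1003", "T1059"],
    "group-C": ["T1003", "T1486"],
}
# Constructed coverage assessment: is the needed data source ingested (logging),
# and does an analytic fire on it (detection)?
COVERAGE = {
    "T1595": {"logging": False, "detection": False},  # Active Scanning
    "T1598": {"logging": True, "detection": False},   # Phishing for Information
    "T1003": {"logging": True, "detection": True},    # OS Credential Dumping
    "T1486": {"logging": True, "detection": False},   # Data Encrypted for Impact
    "T1059": {"logging": False, "detection": False},  # Command and Scripting Interpreter
}
# Heat map colors follow the course's red/orange/green convention.
GAP_COLORS = {"logging gap": "#ff0000", "detection gap": "#ffa500", "no gap": "#00ff00"}

def classify(cov):
    # A logging gap takes precedence: without the data, no analytic can work.
    if not cov["logging"]:
        return "logging gap"
    return "detection gap" if not cov["detection"] else "no gap"

def technique_frequency(groups):
    # How many groups use each technique: the Level 3 prioritization signal.
    return Counter(t for techs in groups.values() for t in techs)

def prioritize_gaps(groups, coverage):
    # Gaps sorted most-used-first, so the remediation queue follows real threats.
    freq = technique_frequency(groups)
    rows = [(tid, classify(cov), freq[tid]) for tid, cov in coverage.items()]
    return sorted((r for r in rows if r[1] != "no gap"), key=lambda r: (-r[2], r[0]))

def navigator_layer(groups, coverage, name="SOC gap analysis"):
    # ATT&CK Navigator layer dict; field names follow the public layer format,
    # the "versions" value is an assumed placeholder to adjust for your Navigator.
    freq = technique_frequency(groups)
    techniques = [{"techniqueID": tid, "color": GAP_COLORS[classify(cov)],
                   "score": freq[tid], "comment": f"{classify(cov)}; used by {freq[tid]} group(s)"}
                  for tid, cov in coverage.items()]
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"}, "techniques": techniques}

if __name__ == "__main__":
    for tid, gap, n in prioritize_gaps(GROUP_TECHNIQUES, COVERAGE):
        print(f"{tid}: {gap}, used by {n} group(s)")
    print(json.dumps(navigator_layer(GROUP_TECHNIQUES, COVERAGE), indent=2))
```

Save the printed JSON to a file and open it in ATT&CK Navigator to get the colored heat map; the printed list is the remediation order for the Detection and Analytics step.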
5/ Use case 4: Detection & Analytics
The final step is to fill in the gaps:
- Assessment gap: to emulate ATT&CK techniques, you may need to invest in acquiring the right tools and people.
- Logging gap: once the correct log sources have been identified through gap analysis, companies should begin collecting those logs and verify that all required logs are gathered and that no infrastructure failures interrupt the flow.
- Detection gap: detection rules must be designed and revised to avoid false positives and to ensure that they correctly detect malicious activity.
MITRE ATT&CK provides details on each technique, but you should look further for the concrete detection logic. The MITRE Cyber Analytics Repository (CAR), https://car.mitre.org/, is one example: CAR provides a data model to help security practitioners develop rules, and it also provides query syntax for detecting some techniques.
6/ Conclusion
Finally, MITRE ATT&CK has been a game-changer in initiating and accelerating the cultural shift described earlier. It has established a common language, and the extensive information it provides keeps defensive operations on the right track. However, putting MITRE ATT&CK into practice is difficult: for example, it requires talented CTI, red, blue, and purple teams, as well as close teamwork between them.
The Picus Security Control Validation Platform helps security teams operationalize ATT&CK by providing:
- Threat intelligence from the Picus Threat Library.
- Picus Attack Simulation, which allows for risk-free adversary simulation.
- Picus Detection Analytics, which identifies logging and detection gaps, and the Picus Mitigation Library, which addresses detection and prevention gaps.