Threat Hunting with The MITRE ATT&CK™ Framework

The MITRE ATT&CK™ Framework

Cyber attacks are becoming more sophisticated every day. Cyber criminals are honing living off the land (LotL) techniques, exploiting off-the-shelf and pre-installed tools to invade online platforms. We’ve also seen threat actors continue to reuse classic tactics, techniques and procedures (TTPs) in their campaigns. As such, the use of emails with malicious attachments or links continue to be the most common initial infection vector, as reported in our annual threat landscape report, CiPulse 2020.

As a result of this ever-increasing volume and sophistication, SOC’s and SIEM’s using traditional, reactive measures are overwhelmed. More and more organizations are turning to detection and response solutions which combine threat intelligence and cyber expertise, to uncover and remediate threats as early as possible, and also to mitigate risk of future attacks.

MITRE ATT&CK™  (Adversarial Tactics, Techniques & Common Knowledge) is an empirically driven framework which facilitates gathering, interpreting and sharing information on cyber criminals (or “adversaries” in the ATT&CK terminology) and their tactics, techniques and procedures (TTPs), in an effort to derive taxonomies of adversaries. The information gathered, analyzed and shared by ATT&CK™ helps cyber security researchers, incident responders, red teams and others to analyze intelligence regarding adversaries’ TTP’s, and use that information to understand what tactics and techniques they should use to detect and mitigate attacks. By grouping and overlaying information from groups of adversaries, ATT&CK™ can help create a threat-centric understanding of a user’s vulnerabilities, and customize defenses.

Threat intelligence teams using ATT&CK™ can provide decision makers with actionable information facilitating prioritization of resources and planning an organization’s cyber security program.

Threat Hunting with MITRE ATT&CK™

Effective threat hunting is continual, proactive, and powered by strong intelligence, and to do it right you need to play offense. A key component to threat hunting is building testing and refining analytic detection capabilities, which can be a complex and time-consuming process. The ATT&CK™ provides a standardized, but flexible, framework which will help you streamline building, testing and validating customized detections for your organization.

ATT&CK™ contains an ever-evolving taxonomy of the behavioral TTPs adversaries use to compromise behavioral networks. With ATT&CK™ you can leverage hypothesis-driven use cases to detect signs of active or residual adversarial presence and activity across your enterprise. Artifacts found during the ATT&CK™ facilitated hunting process are used to build analytics for custom detections, which may be continuously monitored and can be triggered by future malicious, adversarial activity.

Understanding and using MITRE ATT&CK™

MITRE ATT&CK™ is an efficient resource for cybersecurity teams, but it can be fully leveraged only after you have the expertise necessary to understand how it works and should be used. ATT&CK™ is a complex framework, with out-of-the-box logic behind it. Here’s a brief rundown of what you’ll need to understand before trying it for the first time:

1. Understand your environment: To understand how adversaries enter your systems, what they’re looking for, and how ATT&CK can help you stop them, you’ll need to understand your operational environment: Systems, tools and applications that drive the business, as well as methods of operation, assets, intellectual properties, revenue streams and flows. Map users, applications, and servers, and note how they are used on a day to day basis and what visibilities they generate. Try to think like the enemy, and ask yourself how adversaries leverage your systems to find and use what’s important to them (which may not be the same as what’s important to you). This understanding of your environment will help you plan what data ATT&CK™ needs in order to detect signs of malicious behavior in your online systems.
2. Focus on specific tactics and techniques for detection: Identify the tactics and techniques that are most relevant to your organization, and to the vertical in which it operates. How can adversaries leverage your own tactics and techniques against you? Map your tactics and techniques, and verify if your current cybersecurity measures adequately protect them. If you find that they aren’t, try using your existing telemetry to write analytics for custom detections.
3. Build and deploy detection analytics: Once you understand the adversarial behaviors being leveraged against your organization and your vertical, you’ll need to build analytics to detect those behaviors. This requires thinking about how adversaries may implement one or several of the many tactics and techniques identified by ATT&CK™. Also, consider if you want to emphasize “breadth” or “depth” coverage, and customize your detection tactics and techniques accordingly.

In short: First, learn to understand your online environment, with its unique tactics, techniques, and procedures. Next, view your environment from an adversarial perspective and try to understand the adversary’s TTP’s. This will help you utilize ATT&CK™ to its fullest potential, allowing you to build, test, deploy, fine-tune and periodically verify the analytics necessary to mitigate cyber attacks.

MITRE ATT&CK™ for threat hunting:

Traditional cybersecurity measures are frequently overwhelmed not only by sophistication of attackers but also by sheer volume of malicious activity. Cyberint’s cybersecurity teams harness MITRE ATT&CK™ to give you proactive, managed threat hunting services, finding signs of active or residual adversarial presence and activity across your enterprise and using the information it finds to protect your environment in the future.