How can companies use threat intelligence and the ATT&CK framework to make their security programs more effective?
I recently obtained my Master’s Degree in Cybersecurity and, to do so, had to complete a capstone project. For my project, I chose to demonstrate how threat intelligence can be used to help security teams better understand their organization-specific threat landscape and use that knowledge to drive decision-making and defense activities.
In addition to presenting the case study to my peers at Quinnipiac University, I presented a higher-level version of my topic at an (ISC)² chapter meeting. Since then, I’ve been asked if I’ll be sharing the presentation, which is what I’ve set out to do in this blog post.
Below you’ll find the presentation along with a few paragraphs per slide that provide further detail.
All content within the slides pictured is owned by the author.
To start off, I wanted to provide a quick introduction to the MITRE ATT&CK framework for those who may not be familiar with it, as it was a key component of my project.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge and it serves as a library of adversary behaviors seen in the wild. The ATT&CK framework is a great resource for security professionals of all levels and offers many advantages and use cases.
When looking at the ATT&CK matrix, you’ll find three types of information: Tactics, Techniques, and Procedures, otherwise known as TTPs. These three items refer to the Why, How, and What in terms of an adversary’s actions. Why are they performing these actions? How are they doing so? And what are they doing to achieve their goal?
There are various advantages and use cases the ATT&CK framework offers but the most common are that it has provided a common language to discuss adversary behaviors, it enables the shift from thinking about traditional IOCs (Indicators of Compromise) to analyzing behaviors, and it helps to enrich existing threat intelligence data.
Across the industry, vendors and consumers alike have adopted TTPs as a new language. Terms like persistence, lateral movement, and privilege escalation, all tactics within the framework, appear in technical whitepapers, marketing materials, and of course within security tools.
In developing their library of behaviors, MITRE has provided the security industry with a language that any individual can learn and understand, improving discussion around incidents and cyberattacks and making both internal and external collaboration much easier.
Not only has the ATT&CK framework enabled security teams to shift their focus to understanding adversary behaviors, but it’s also developed some common use cases that help organizations further mature their security programs. These include performing assessments of Security Operations capabilities and the maturity of the overall program along with technical activities like adversary emulation.
Now that we have an understanding of the ATT&CK framework and its typical use cases, let’s look at how organizations can begin to integrate its use, along with threat intelligence, into their existing program.
As mentioned earlier, the goal of my capstone was to show how threat intelligence can be used to understand a company-specific threat landscape and identify how well the program is doing at defending against those threats. To do this, I performed a threat profiling exercise, assessed a sample of the Security Operations controls, and then reviewed and prioritized the identified risks.
The threat profile is an essential part of this concept of threat-informed defense as it’s used to narrow the scope of the threats an organization analyzes in terms of:
the threat actors they should worry about
the malware variants they should worry about
The primary activity in this phase is using a threat intelligence tool or platform to gather historical cyber event data related to your company's industry, peers, and partners. While the search can be as broad as you'd like, it's typically best to gather data within a two- or three-year timeframe to ensure it's as relevant as possible.
At the end of a threat profile, the security team should be able to answer the Who? What? and How? related to threat actors likely to target their organization, its peers, and its industry.
The Who? refers to the threat actors and answers the question of which actors have targeted the company, its peers, or its industry in the past?
The What? refers to what types of attacks they’re performing and you’ll typically be able to answer this question when you identify the variants of malware they use to carry out their attacks.
Lastly, the How? is where MITRE ATT&CK TTPs are pulled into the equation. In this part of your threat intelligence gathering, you’ll be using the threat actors and malware variants you’ve identified so far to understand the techniques those actors and malware variants leverage in order to be successful.
After performing a threat profile and gathering the ATT&CK techniques involved in the historical cyber events, you must map the information to the ATT&CK framework. This exercise helps paint the picture of the company’s threat landscape in terms of the adversary behaviors that are most prevalent and significantly narrows the scope of the MITRE techniques a security team needs to focus on.
It's also important to choose a color-coding scale that depicts occurrence frequency: typically red marks the techniques that occurred most often, yellow the ones that were least prevalent, and orange those that fell somewhere in the middle.
With the company-specific threats and techniques identified, the next stage of applying this data is to perform a capabilities assessment on the Security Operations program. This assessment further integrates the gathered intelligence by using it to identify the strengths and weaknesses of the program in terms of how effective the security controls are at detecting or preventing the behaviors.
The goal of a SOC assessment is to look at the security controls in place, both administrative and technical, to determine which ATT&CK techniques they do and don’t detect or prevent. While this might seem like a daunting task, MITRE has already done a lot of this work for popular security vendors like CrowdStrike, Microsoft, Palo Alto, and Trend Micro through their ATT&CK Evaluations initiative. For vendors that haven’t participated in ATT&CK Evaluations, a little research can usually uncover technical whitepapers that detail how the product stacks up against the framework.
SOC assessments require time and resources but, if done properly, they are an excellent way to find gaps in coverage where security controls might not be providing detection or prevention of a certain technique used by the organization’s threat actors.
As mentioned, the goal of the SOC assessment is to identify which techniques from the prioritized matrix your security stack can detect or prevent. The matrix above uses the colors yellow, orange, and green to mark the techniques the security team can't detect (yellow), can detect sometimes (orange), or is highly confident it will detect most or all of the time (green).
It's important to note that the team performing the assessment should come up with a scoring method to avoid subjectivity. To do this, the team must define criteria that describe no confidence of detection, some confidence of detection, and high confidence of detection. For example, the team might agree that a tool must be able to detect 90% of a technique's sub-techniques for that technique to be marked in the high confidence (green) category. Defining these criteria is crucial to performing an unbiased, objective assessment.
More information about performing a SOC assessment can be found here.
The final stage of this process is to review and prioritize the gaps identified during the assessment. As you noticed in the post-assessment ATT&CK matrix, there are a handful of techniques highlighted in yellow and orange, meaning those techniques cannot be detected at all or the SOC has a medium level of confidence in its ability to detect or prevent the behavior.
These are the gaps. It's important to review each of them, determine its criticality based on the level of risk it poses and the impact it would have if that risk were realized, and then prioritize based on those criteria. Using the prioritized list of gaps, the security team can then begin to identify how best to reduce or mitigate the risks.
It’s important to note that these gaps don’t mean a security team needs to purchase more tools or spend more money. Oftentimes, there is existing technology that can be used to implement new capabilities that help to close the gaps quickly and without requiring additional budget.
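As an added illustration (not part of the original post or the capstone itself), here are the three stages above carried through in Python on a constructed set of historical events: technique frequency is bucketed red/orange/yellow (the share thresholds are my assumption), each technique's detection confidence applies the 90%-of-sub-techniques criterion from the article, and the remaining gaps are ordered with the most prevalent, least-detected behaviors first. Actor and malware names and the assessment results are constructed; the technique IDs are real ATT&CK IDs used only as labels.

```python
from collections import Counter

# Constructed threat-profile output: one record per historical event.
# Actor/malware names are hypothetical; technique IDs are ATT&CK labels.
EVENTS = [
    {"actor": "ActorA", "malware": "MalwareX", "techniques": ["T1566", "T1059", "T1021", "T1486"]},
    {"actor": "ActorB", "malware": "MalwareY", "techniques": ["T1566", "T1059", "T1003"]},
    {"actor": "ActorA", "malware": "MalwareZ", "techniques": ["T1566", "T1021", "T1003", "T1486"]},
    {"actor": "ActorC", "malware": "MalwareX", "techniques": ["T1059", "T1486", "T1071"]},
    {"actor": "ActorB", "malware": "MalwareY", "techniques": ["T1566", "T1059"]},
]

# Constructed SOC assessment: per technique, one True/False per assessed
# sub-technique (or a single entry when the technique has none). A technique
# missing from this dict was not assessed at all.
ASSESSMENT = {
    "T1566": [True, True, True, True],
    "T1059": [True, True, True, True, True, True, True, True, True, False],
    "T1021": [True, False, False, True],
    "T1486": [False],
    "T1003": [True, True, False, False, False, False],
}

FREQ_RANK = {"red": 0, "orange": 1, "yellow": 2}  # for sorting gaps

def technique_frequency(events):
    """Count the events in which each technique appeared (once per event)."""
    counts = Counter()
    for event in events:
        counts.update(set(event["techniques"]))
    return counts

def frequency_color(count, total_events):
    """Assumed buckets: red = over half of events, yellow = a quarter or fewer."""
    share = count / total_events
    return "red" if share > 0.5 else "yellow" if share <= 0.25 else "orange"

def detection_confidence(results):
    """Return (detected share, color); >= 90% detected is high confidence."""
    if not results:                      # unassessed -> no confidence
        return 0.0, "yellow"
    ratio = sum(results) / len(results)
    return ratio, "green" if ratio >= 0.9 else "orange" if ratio > 0 else "yellow"

def prioritized_gaps(events, assessment):
    """List non-green techniques, most prevalent and least detected first."""
    gaps = []
    for tech, count in technique_frequency(events).items():
        ratio, conf = detection_confidence(assessment.get(tech, []))
        if conf != "green":
            gaps.append((tech, frequency_color(count, len(events)), conf, round(ratio, 2)))
    return sorted(gaps, key=lambda g: (FREQ_RANK[g[1]], g[3]))

if __name__ == "__main__":
    for gap in prioritized_gaps(EVENTS, ASSESSMENT):
        print(gap)
```

Each output tuple is (technique, frequency color, detection-confidence color, detected share), so the first entries are the behaviors your adversaries use most that the stack covers least.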
So why does all of this matter? At a high-level, threat-informed defense can lead to four things:
A narrowed scope of defense activities. There are just too many threats that exist in today’s technological landscape for us to be able to defend against them all. Threat-informed defense enables teams to narrow the scope of threats they should defend against based on the likelihood of occurrence within the organization.
More relevant work being performed. As a result of using threat intelligence to identify a company’s threat landscape, the work being performed by the security operations team is as relevant as possible. Rather than trying to defend against threats trending globally, the team can focus on threats trending within the industry and the behaviors their adversaries are exhibiting.
Disclaimer: this does not mean ignoring the global threat landscape; however, we need to recognize that not all companies need to respond to global trends in the same way, and some may not need to respond at all.
An understanding of the adversaries most likely to target your organization. The continuous loop of gathering, analyzing, and sharing intelligence leads to a more informed team with a deep understanding of adversary behaviors and the ways they operate. Gaining this perspective provides a huge advantage to the organization, as it helps the defenders recognize the behaviors quicker when they see them. Additionally, learning how adversaries operate can help the security staff stay one step ahead of the attacker during incident response.
A shifted focus from reactive to proactive defense. Arguably, threat-informed defense’s biggest advantage is that it shifts the security staff from having a reactive perspective of defense efforts to a proactive one. The stages of threat-informed defense outlined in this article are all proactive activities that help organizations identify the threats most likely to impact them and the behaviors that are likely to occur during any of those attacks.
Security teams should no longer be ingesting thousands of IOCs from attacks that have already occurred because the threat-informed defense activities have enabled them to prevent the actual behavior rather than blocking domains, IPs, and hashes.
This article was originally published at https://medium.com/dark-roast-security on July 19, 2022.