Why should you care about MITRE?

Alex Davies

24.07.19 4 min. read

In this article we’ll discuss how your defensive team can get the most value out of MITRE’s ATT&CK Framework and give some insights into how we use MITRE internally at Countercept.

This article will tell you:

  • What MITRE is and why it’s important in cyber security
  • How MITRE helps you defend your organization against commonly used attack techniques

What is MITRE?

MITRE is a US-based not-for-profit company that has been providing engineering and technical guidance for over sixty years. Originally only serving the US government (as it is federally funded), it now provides “cutting-edge solutions to the globe’s most urgent problems.” This includes cyber security.

The MITRE ATT&CK Framework

MITRE ATT&CK is a globally-accessible, continually updated knowledge base of known state-sponsored and criminal groups, and the tactics, techniques, and procedures that they use. It enables organizations – whether public or private – to prioritize detection around the most persistent threats and threat groups. We at F-Secure Countercept use this in our own hunts.

How defense teams can use the MITRE ATT&CK Framework

Defensive teams – whether tactical, strategic or operational – can make good use of this information both hands-on, for example when creating prevention and detection rules, and at the planning level, to guide the architectural and policy decisions that protect your organization.

One of the biggest challenges with the framework in its current form is the sheer number of different techniques, making it potentially difficult for defensive teams to know which techniques to focus on first. The table below is just a snapshot of the hundreds of techniques listed:

Figure 1 – With so many techniques it can be challenging to know where to start.

To get the most value out of MITRE ATT&CK, it’s important to focus on the items that give your team the best possible chance of detecting real-world attacks. The Countercept team tackles this problem by analyzing each technique in a number of ways:

Real world usage

In the majority of real-world attacks we see attackers repeatedly using only a subset of the MITRE techniques. For example, the framework contains 59 different persistence techniques – yet most attacks encountered by Countercept involve just seven of these. In an ideal world security teams would cover all techniques. However, with limited resources it’s important to prioritize the most commonly used techniques to increase your detection rates and overall effectiveness. Analysis of public breach reports can be a great way to learn more about which techniques attackers commonly use.

Signal to noise

As many of the MITRE techniques closely match legitimate real-world activity, they can be prone to false positives and unsuitable for alert-based monitoring. For example, Rundll32 usage is common across many organizations, making it a lower-fidelity indicator, whereas Mshta is used far less often, making it a more reliable one. Focusing on low-false-positive events can improve your team’s efficiency.

Ease of collection and analysis

Each technique relies on capturing and analyzing different datasets. For some techniques it’s not possible to collect the data at all, because of technical or performance limitations. Confirming whether you actually have the telemetry can be a quick way to include or exclude MITRE techniques. Also, don’t forget the storage and analysis costs associated with each set of telemetry, as these may be prohibitive. To give an example, process data is one of the most useful datasets, as it shows you what an attacker has executed on a system; firewall logs, on the other hand, while useful, can be significantly higher in volume and provide only marginal value.

Quality not quantity across the killchain

When using MITRE ATT&CK and testing MITRE techniques, teams often focus on whether they “pass” or “fail” at detecting individual TTPs and forget that real-world attacks span multiple phases and activities. For a defensive team, detecting just one part of a multi-step killchain is enough to kick off an investigation and uncover all related activity. For example, you might miss an attacker using a brand new browser exploit but then spot the service they drop for persistence, alerting your team and triggering further investigation. Detection therefore becomes more effective if you select the most commonly used, high-fidelity attacker activities across the killchain and ensure your team is confidently able to triage and respond when they occur.
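As an added example (not Countercept’s own tooling), here is one way to turn the four criteria above into a ranked shortlist: telemetry availability is a hard gate rather than a weight, and the remaining criteria are combined into a score. The technique names echo the article; the numbers and weights are constructed illustrations.

```python
"""Prioritise ATT&CK techniques along the article's four criteria.
Added example, not Countercept's tooling: the technique list, scores
and weights below are constructed illustrations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    name: str
    real_world_usage: float     # 0..1, share of reviewed breach reports using it
    false_positive_rate: float  # 0..1, how often benign activity matches it
    telemetry_available: bool   # do we actually collect the data this needs?
    collection_cost: float      # 0..1, relative storage and analysis cost


def fidelity(t: Technique) -> float:
    """Signal-to-noise: a technique that rarely matches benign activity scores high."""
    return 1.0 - t.false_positive_rate


def priority_score(t: Technique, w_usage=0.5, w_fidelity=0.35, w_cost=0.15) -> float:
    """Weighted combination of the criteria. Telemetry is a hard gate:
    without the data there is nothing to detect, so the technique scores zero."""
    if not t.telemetry_available:
        return 0.0
    return (w_usage * t.real_world_usage
            + w_fidelity * fidelity(t)
            + w_cost * (1.0 - t.collection_cost))


def prioritise(techniques):
    """Return (name, score) pairs for collectable techniques, highest priority first."""
    ranked = [(t.name, priority_score(t)) for t in techniques if t.telemetry_available]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample: names follow the article's examples, numbers are illustrative.
SAMPLE = [
    Technique("Mshta execution", 0.30, 0.04, True, 0.2),
    Technique("Rundll32 execution", 0.45, 0.60, True, 0.2),
    Technique("New service for persistence", 0.60, 0.16, True, 0.3),
    Technique("Browser exploit", 0.20, 0.10, False, 0.9),   # no telemetry: excluded
    Technique("Firewall connection logs", 0.25, 0.70, True, 0.9),
]

if __name__ == "__main__":
    for name, score in prioritise(SAMPLE):
        print(f"{score:.3f}  {name}")
```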

Use-cases to focus on

Based on the above some of the highest value use-cases we’d recommend focusing on are:

  • Reviewing user login activity, especially admin activity
  • Hunting for suspicious process usage (Rundll32, PowerShell, Mshta, Regsvr32)
  • Aggregating persistence data (Services, Registry, Scheduled Tasks) to find anomalies
  • Memory anomalies, such as process injection
  • Known bad software flagged through antivirus or ML equivalents
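To show the “aggregating persistence data to find anomalies” point and the signal-to-noise argument in working code, here is an added example (not the article’s or Countercept’s own) of fleet-wide stack counting: entries seen on only a few hosts are surfaced, whether they are services, Run keys, scheduled tasks or process invocations. Host names, paths and command lines are constructed sample data.

```python
"""Stack counting (least-frequency-of-occurrence) across a fleet. Added
example, not Countercept's code; hosts, paths and command lines are constructed."""
from collections import defaultdict


def stack(records, min_hosts=2):
    """records: (host, category, key, value) tuples from a fleet inventory, e.g.
    services, Run keys, scheduled tasks or process image/command-line pairs.
    Returns entries present on fewer than min_hosts distinct hosts, rarest first:
    a fleet-wide standard entry is noise, a one-off is worth triaging."""
    hosts_by_entry = defaultdict(set)
    for host, category, key, value in records:
        hosts_by_entry[(category, key, value.lower())].add(host)
    rare = [(len(hosts), cat, key, val, sorted(hosts))
            for (cat, key, val), hosts in hosts_by_entry.items() if len(hosts) < min_hosts]
    return sorted(rare)


# Constructed persistence inventory from five workstations (services, Run keys, tasks).
FLEET = ["ws01", "ws02", "ws03", "ws04", "ws05"]
PERSISTENCE = []
for h in FLEET:
    PERSISTENCE.append((h, "service", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"))
    PERSISTENCE.append((h, "runkey", "OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"))
    PERSISTENCE.append((h, "task", "GoogleUpdateTaskMachineUA", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"))
# One host carries a service and a Run key no other host has: the anomalies to triage.
PERSISTENCE.append(("ws03", "service", "UpdaterSvc", r"C:\Users\Public\svchost.exe"))
PERSISTENCE.append(("ws03", "runkey", "Helper", r"C:\Users\user\AppData\Roaming\helper.vbs"))

# Constructed process events: Rundll32 is fleet-wide noise (low fidelity), while the
# single Mshta invocation stands out, matching the article's signal-to-noise point.
PROCESSES = [(h, "process", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL") for h in FLEET]
PROCESSES.append(("ws04", "process", "mshta.exe", r"mshta.exe C:\Users\user\Downloads\invoice.hta"))


def rare_persistence():
    return stack(PERSISTENCE)


def rare_processes():
    return stack(PROCESSES)


if __name__ == "__main__":
    for count, cat, key, val, hosts in rare_persistence() + rare_processes():
        print(f"{count} host(s) {hosts}: {cat} {key} -> {val}")
```

Raising `min_hosts` (say to 5% of the fleet) turns the same function into a broader hunt; the fleet-wide entries never appear regardless, which is what keeps the output reviewable.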

The next logical question you might ask is: what tooling do I need to enable my team to hunt for these MITRE ATT&CK techniques? We will cover that in our next post where we’ll discuss MITRE ATT&CK Evaluation.

References

https://attack.mitre.org/
