In this article we’ll discuss how your defensive team can get the most value out of MITRE’s ATT&CK Framework and give some insights into how we use MITRE internally at Countercept.
This article will tell you:
- What is MITRE and why it’s important in cyber security
- How MITRE helps you defend your organization against commonly used techniques
What is MITRE?
MITRE is a US-based not-for-profit company that has been providing engineering and technical guidance for over sixty years. Originally only serving the US government (as it is federally funded), it now provides “cutting-edge solutions to the globe’s most urgent problems.” This includes cyber security.
The MITRE ATT&CK Framework
MITRE ATT&CK is a globally-accessible, continually updated knowledge base of known state-sponsored and criminal groups, and the tactics, techniques, and procedures that they use. It enables organizations – whether public or private – to prioritize detection around the most persistent threats and threat groups. We at F-Secure Countercept use this in our own hunts.
How defense teams can use the MITRE ATT&CK Framework
Defensive teams – whether tactical, strategic or operational – can make good use of this information in hands-on approaches, such as creating prevention and detection rules or to guide architectural and policy decisions to protect your organization.
One of the biggest challenges with the framework in its current form is the sheer number of different techniques, making it potentially difficult for defensive teams to know which techniques to focus on first. The table below is just a snapshot of the hundreds of techniques listed:
Figure 1 – With so many techniques it can be challenging to know where to start.
To get the most value out of MITRE ATT&CK it's important to focus on the items which can give your team the best possible chance of detecting real-world attacks. The Countercept team tackles this problem by analyzing each technique in a number of ways:
Real world usage
In the majority of real-world attacks we see attackers repeatedly using only a subset of the MITRE techniques. For example, the framework contains 59 different persistence techniques – yet most attacks encountered by Countercept involve just seven of these. In an ideal world security teams would cover all techniques. However, with limited resources it’s important to prioritize the most commonly used techniques to increase your detection rates and overall effectiveness. Analysis of public breach reports can be a great way to learn more about which techniques attackers commonly use.
Signal to noise
As many of the MITRE techniques closely match real-world legitimate activity, they can be false-positive prone and not suitable for alert-based monitoring. For example, Rundll32 usage is common across many organizations making it a lower fidelity indicator, whereas Mshta is used less often making it a more reliable indicator. Focusing on low false positive events can improve your team’s efficiency.
Ease of collection and analysis
Each technique relies on capturing and analyzing different datasets. For some techniques it’s not possible to collect data, either because of technical or performance limitations. Confirming if you have the telemetry can be a quick way to include or exclude MITRE techniques. Also don’t forget the storage and analysis costs associated with each set of telemetry as this may be prohibitive. To give an example, process data is one of the most useful datasets as it can show you what an attacker has executed on a system; firewall logs on the other hand, while useful, can be significantly higher volume and provide only marginal value.
Quality not quantity across the killchain
Use-cases to focus on
Based on the above some of the highest value use-cases we’d recommend focusing on are:
- Reviewing user login activity, especially admin activity
- Hunting for suspicious process usage (Rundll32, Powershell, Mshta, Regsvr32)
- Aggregating persistence data (Services, Registry, Scheduled Tasks) to find anomalies
- Memory anomalies, such as process injection
- Known bad software flagged through antivirus or ML equivalents
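Two of the use-cases above, hunting for suspicious process usage and aggregating persistence data to find anomalies, are shown below as an added example that is not part of the original article and not Countercept's code. The process events and persistence inventory are constructed for illustration; the "stacking" approach for persistence (flag an autorun entry that exists on only a tiny fraction of hosts) and the contextual checks on the listed binaries (unusual parent, URL in the command line, hidden or encoded PowerShell) are common hunting heuristics assumed here, not rules taken from the page.

```python
"""Two hunts from the use-case list, run over constructed sample data.

Added example, not the article's or Countercept's tooling. The events below
are constructed for illustration.
"""
from collections import defaultdict

# --- Hunt 1: suspicious usage of commonly abused Windows binaries ------------

# Constructed process-creation events (one per line, as an EDR might record them).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws02", "parent": "winword.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/page.hta"},
    {"host": "ws03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "ws04", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws05", "parent": "explorer.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"},
]

WATCHED = {"rundll32.exe", "powershell.exe", "mshta.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def suspicious_process(ev):
    """Return the reasons an event deserves analyst attention; empty list if none.

    The binaries themselves are common (low fidelity on their own), so we only
    flag them with added context that is rare in legitimate use.
    """
    image = ev["image"].lower()
    if image not in WATCHED:
        return []
    cmd = ev["cmdline"].lower()
    reasons = []
    if ev["parent"].lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    if "http://" in cmd or "https://" in cmd:
        reasons.append("command line references a URL")
    if image == "powershell.exe" and ("-enc" in cmd or "hidden" in cmd):
        reasons.append("encoded or hidden PowerShell")
    return reasons


def hunt_processes(events):
    """Run suspicious_process over a batch and keep only the hits."""
    hits = []
    for ev in events:
        reasons = suspicious_process(ev)
        if reasons:
            hits.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return hits


# --- Hunt 2: persistence stacking across the estate --------------------------

# Constructed inventory of autorun entries: (host, kind, value). A vendor
# updater and a standard service exist on every host; one host has an extra
# scheduled task pointing into a world-writable directory.
HOSTS = [f"ws{i:02d}" for i in range(1, 21)]
PERSISTENCE = (
    [(h, "RunKey", "C:\\Program Files\\Vendor\\updater.exe") for h in HOSTS]
    + [(h, "Service", "C:\\Windows\\System32\\svchost.exe -k netsvcs") for h in HOSTS]
    + [("ws03", "ScheduledTask", "C:\\Users\\Public\\sync.exe")]
)


def stack_persistence(entries, total_hosts, max_fraction=0.05):
    """Return (kind, value, host_count) for entries present on at most max_fraction of hosts.

    Anything installed fleet-wide is probably legitimate software; an entry that
    exists on one or two machines is where an analyst should look first.
    """
    hosts_per_entry = defaultdict(set)
    for host, kind, value in entries:
        hosts_per_entry[(kind, value)].add(host)
    rare = [
        (kind, value, len(hosts))
        for (kind, value), hosts in hosts_per_entry.items()
        if len(hosts) / total_hosts <= max_fraction
    ]
    return sorted(rare, key=lambda r: (r[2], r[0], r[1]))


if __name__ == "__main__":
    for hit in hunt_processes(PROCESS_EVENTS):
        print(hit)
    for kind, value, n in stack_persistence(PERSISTENCE, len(HOSTS)):
        print(f"rare {kind}: {value} (on {n} of {len(HOSTS)} hosts)")
```

The process hunt deliberately lets the plain `rundll32.exe` and `regsvr32.exe` launches through: without extra context they are exactly the high-volume, low-fidelity events the signal-to-noise section warns about. The stacking hunt needs only an inventory of services, Run keys and scheduled tasks, which is cheap to collect compared with continuous firewall logging.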
The next logical question you might ask is: what tooling do I need to enable my team to hunt for these MITRE ATT&CK techniques? We will cover that in our next post where we’ll discuss MITRE ATT&CK Evaluation.