Creating a Smarter Security Operations Center with the MITRE ATT&CK

Cyberproof, A UST Company

MITRE’s Attacker Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a powerful tool for improving cyber defense by creating a smarter security operations center (SOC).

As outlined in the recent SANS report – Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework by John Hubbard – the MITRE ATT&CK creates a categorized list of all known attack methods, and marries each attack method with:

Why is this so significant to your security operations center? In a nutshell, cyber security teams can now assess their organizations’ cyber defenses against the MITRE ATT&CK’s body of knowledge – and use this information in decision-making related to developing their security operations center strategy.

Fundamentally, by leveraging the information in the MITRE ATT&CK to support agile use case development, organizations can better protect themselves from cyber attacks. Let’s have a look at how this works.

WHAT IS THE MITRE ATT&CK?

The MITRE ATT&CK provides organizations with a way to develop, organize, and use a threat-informed defensive strategy that can be communicated in a standardized way.

The goal of the MITRE ATT&CK is to be a living dataset that is continuously evolving – updated with new threat information on a continual basis. It is a framework that organizes known cyber threats, and categorizes the activities of malicious actors in terms of their tactics, techniques and procedures (TTPs).

A tactic is an adversary's intrusion goal, and a technique is a specific method, identified by MITRE, of achieving that goal. For example, Privilege Escalation is listed as a tactic, while AppCert DLLs is a technique used to achieve it.

For each technique listed in the MITRE ATT&CK, the following information is provided:

Note that MITRE recently changed how the framework is organized – introducing sub-techniques. As pointed out in the SANS report, the addition of sub-techniques enables even more granular tracking within vendor tools, use cases, and detection analytics.

HOW THE MITRE ATT&CK IMPROVES SECURITY OPERATIONS

Using the MITRE ATT&CK, organizations can perform evaluations that are both external-facing and inward-looking:

HOW CYBERPROOF LEVERAGES THE MITRE ATT&CK

At CyberProof, the MITRE ATT&CK framework provides us with the ability to work closely with our customers in improving their security posture effectively – in several important ways:

Thus, by using the MITRE ATT&CK, CyberProof gains greater visibility and ensures that new use cases are aligned accurately with specific threats that are putting the organization at the greatest risk.

THE CYBERPROOF USE CASE FACTORY – DEFINED

Within a traditional risk management process, the use case factory is an effective way of ensuring that new use cases that add business value to your organization are developed continuously and in an agile manner.

A use case factory gives clients a big-picture view of which threats are covered and which are not, providing insight into a customer's blind spots so they can plan and invest in the right coverage.

WHAT IS A USE CASE?

Each use case – sometimes referred to as an attack scenario – represents the outcome of an attack, or the attacker’s desired outcome state such as exposing a specific asset (or set of assets). This outcome is mapped to the MITRE ATT&CK.

Note that each use case contains all of the information related to a specific attack scenario, providing greater context and details related to the attack. In addition to mapping an attack to the MITRE ATT&CK’s tactics and techniques, the use case also includes the attack’s source, Kill Chain correlation, log source types, risk level, high-level explanation of the threat, and remediation & mitigation playbook.

Handling a use case effectively is an in-depth process that requires:

WHY IS IT IMPORTANT TO MAP OUT YOUR ORGANIZATION’S USE CASES?

Once the process of mapping your organization’s use cases has been completed, it becomes possible for an organization to visualize and identify exactly where the gaps in the security perimeter exist – and to prioritize the development of new use cases on that basis.
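As an added illustration (not code from the article or from CyberProof), the following Python sketch represents use cases in the form described above, mapped to ATT&CK technique IDs with their log source types and risk level, and computes the two things the mapping exercise is meant to surface: threat-relevant techniques that no use case covers, ordered by priority, and use cases whose required log sources are not actually onboarded. The record layout, the threat profile and the use case inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UseCase:
    """One attack scenario as the article describes it, reduced to the fields
    needed here. Field names are an assumption, not CyberProof's schema."""
    name: str
    tactic: str            # ATT&CK tactic the attacker wants to achieve
    techniques: frozenset  # ATT&CK technique / sub-technique IDs it maps to
    log_sources: frozenset # log source types the detection rule depends on
    risk_level: int        # 1 (low) .. 5 (critical)

# Constructed threat profile (technique IDs are real ATT&CK identifiers; the
# selection and priority weights are invented for this example).
THREAT_PROFILE = {
    "T1566.001": ("Spearphishing Attachment", "Initial Access", 5),
    "T1059.001": ("PowerShell", "Execution", 4),
    "T1546.009": ("AppCert DLLs", "Privilege Escalation", 3),
    "T1003.001": ("LSASS Memory", "Credential Access", 5),
    "T1078": ("Valid Accounts", "Persistence", 4),
}

# Constructed use-case inventory for the same organisation.
USE_CASES = [
    UseCase("Malicious e-mail attachment", "Initial Access", frozenset({"T1566.001"}),
            frozenset({"email_gateway", "edr"}), 5),
    UseCase("Encoded PowerShell launch", "Execution", frozenset({"T1059.001"}),
            frozenset({"windows_powershell_log", "edr"}), 4),
    UseCase("Credential dumping from LSASS", "Credential Access", frozenset({"T1003.001"}),
            frozenset({"edr"}), 5),
]

def covered_techniques(use_cases):
    """Map each ATT&CK technique ID to the use cases that detect it."""
    covered = {}
    for uc in use_cases:
        for tid in uc.techniques:
            covered.setdefault(tid, []).append(uc.name)
    return covered

def uncovered_techniques(use_cases, profile):
    """Threat-profile techniques no use case covers, highest priority first:
    the gaps that should drive what the use-case factory builds next."""
    covered = covered_techniques(use_cases)
    gaps = [tid for tid in profile if tid not in covered]
    return sorted(gaps, key=lambda tid: (-profile[tid][2], tid))

def blind_spots(use_cases, onboarded_sources):
    """Use cases whose log sources are not all onboarded: covered on paper only."""
    return [uc.name for uc in use_cases if not uc.log_sources <= onboarded_sources]
```

Running the gap function against the sample data ranks Valid Accounts ahead of AppCert DLLs purely on the constructed weights; in practice the weighting would come from the threat intelligence and asset criticality the article describes.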

For an example of how specific use cases are covered, including the definition of a rule, playbook, and the integration with the CDC, see: Attack Use Cases – Security Orchestration & Automation.

THE MITRE ATT&CK SUPPORTS AGILE USE CASE DEVELOPMENT

Developing the right use cases, and having an effective development and implementation process, is more than half the battle in reducing response time to a potential attack and minimizing its impact.

Use cases must be customized for each organization. Thus, the choice of which use case to develop first should reflect the following factors:

EVALUATING WHICH USE CASES ARE MOST IMPORTANT

How do you know which use cases to develop? With limited resources, the decision can be tough. Before deciding which use cases are most important, an organization must go through the following process:

This process can take place in a variety of ways, depending on the needs of the organization.

THE PROCESS: DEVELOPING AND IMPROVING A NEW USE CASE

Once the highest priority use cases have been identified, the development process involves the following steps – conducted cyclically, in an ongoing process of review and improvement.

THE MITRE ATT&CK PROVIDES VISIBILITY INTO WHAT MATTERS MOST

To ensure your ability to respond to new and existing threats, an effective SOC team must continuously produce new, relevant use cases – each of which should include all of the aspects of the use case life cycle.

As explored in the latest SANS MITRE report, the ATT&CK framework provides the insight into past threat actor behavior that is needed to choose which use cases to develop first. Looking outward, it tells the customer what kinds of attacks to prepare for, and that information is what drives the activity of the use case factory.

It also offers insight into your organization’s existing security capabilities, highlighting the detection gaps – and providing you with a roadmap for improving your cyber defense.

To read the SANS whitepaper, click here. If you are concerned about the robustness of your organization’s cyber security operations and its ability to protect itself from cyber attacks, or would like to speak with one of our experts, contact us today: https://go.cyberproof.com/talk-to-an-expert. We are here to help!