In a recent Anomali webinar, experts AJ Nash, Senior Director of Cyber Intelligence Strategy at Anomali, and Roberto Sanchez, Senior Director, Threat and Sharing Analysis at Anomali, presented the importance of the MITRE ATT&CK framework and showed how to use it to better understand threat actors, campaigns, and associated tactics, techniques, and procedures (TTPs).
Major Analytical Frameworks
The Cyber Kill Chain, developed by Lockheed Martin in 2011, is one of the best known of the cyber threat intelligence frameworks. Based on the military concept of the kill chain, it breaks down an attack into seven stages, so defenders can pinpoint which stage an attack is in and deploy appropriate countermeasures.
In 2013, looking for a way to better understand what adversaries are after, The Center for Cyber Intelligence Analysis and Threat Research (CCIATR) developed The Diamond Model. This model helps defenders track four aspects of an attack: the attacker, the victims, the attacker's capabilities, and the infrastructure the attacker uses. Each of the points on the diamond is a pivot point that defenders can use during an investigation to connect one aspect of an attack with the others.
Also in 2013, MITRE - a unique United States corporation responsible for managing federal funding for research projects across multiple federal agencies - released the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework as a means of tracking adversarial behavior over time. ATT&CK builds on the Cyber Kill Chain, but rather than describing a single attack, it focuses on the indicators and tactics associated with specific adversaries.
MITRE ATT&CK can provide a better understanding of adversaries by quantifying and categorizing them. Universal nomenclature and taxonomy of specific tactics, techniques, and procedures enable a shared understanding of threat actors. Recognizing these advantages, Anomali has integrated this framework into their platform.
There are four main issues that MITRE ATT&CK is designed to address:
- Adversary Behaviors - Tactics, techniques, and procedures (TTPs) are tracked, because they are more durable than indicators of compromise (IOCs).
- Improved Lifecycle Model - MITRE ATT&CK can map specific behaviors back to an organization's defenses to understand how they relate to that specific environment.
- Real-World Applicability - TTPs are based on observed incidents.
- Common Taxonomy - TTPs need to be comparable across adversary groups using the same terminology. This enables the comparison of adversaries from different nation-states, etc.
MITRE ATT&CK’s approach uses behavioral methodology guided by five principles:
- Include Post-compromise Detection - This is necessary for when threats bypass established defenses or use new means to enter a network.
- Focus on Behavior - Signatures become unreliable because they change frequently. Behaviors tend to remain more stable, enabling better profiling of adversaries.
- Use of Threat-based Model - An accurate and well-scoped threat model that captures adversaries' tools and how they overlap with each other enables preventative actions.
- Iterate by Design - Constant, iterative evolution and refinement of security models, techniques, and tools keep the framework improving as adversary behavior changes.
- Develop and Test in a Realistic Environment - Detection capabilities are tested by emulating adversary behavior within a specific environment. This enables a better response to an attack or, when possible, preemptive action.
MITRE ATT&CK Inside Anomali
Anomali’s commitment to empowering security professionals to better identify and disrupt malicious activity has led to their integration of ATT&CK into their platform. Its focus on mapping techniques to actual events is key to getting ahead of the adversarial lifecycle.
Anomali prioritizes the quick identification of adversary techniques from online research from blogs, forums, and other sources through the use of Anomali Lens™, a unique technology that integrates the ATT&CK framework automatically. Lens is the first natural language processing (NLP) based web content parser that highlights all cyber threat information for further investigation. Lens scans a security report or blog, for instance, and highlights entities of interest, such as malware families based on ThreatStream instances and data sources. From the resulting data, overlapping techniques from different malware families can be identified to prioritize the building of security controls.
ThreatStream®, an Anomali technology that also works with ATT&CK to unite research, analysis, and publishing tools, speeds the detection of threats and delivers operationalized threat intelligence directly into security controls. This automation provides tremendous productivity for security analysts and enables proactive defense measures.
Using relevant threat information to understand adversarial techniques and how they are leveraged against a specific environment is another advantage of Anomali's integration of ATT&CK. For example, if a bank sees that another financial institution has been attacked by a particular threat actor or malware family, and the security team is able to identify the attack techniques, it improves the bank's ability to emulate that adversary in red and blue team scenarios. Another way the Anomali platform uses ATT&CK is to build visual representations of the attack techniques. Being able to visualize threat actors and their malware and map them to the appropriate techniques is a powerful tool. Effective visuals can communicate the threats being encountered or tracked up the chain of command, to those with less technical skills, so the organization can better take action.
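The overlap analysis described above (techniques shared by several malware families, ranked to prioritize new controls) and the per-technique scores a heatmap-style visualization needs, as an added illustration that is not Anomali's code. The family-to-technique mapping and the list of existing controls are constructed sample data; the technique IDs and names are real ATT&CK entries.

```python
"""Rank ATT&CK techniques shared across malware families and flag those the
organization has no control for. Illustrative code, not Anomali's or MITRE's."""
from collections import defaultdict

# Constructed sample: techniques that reports attributed to each malware family.
FAMILY_TECHNIQUES = {
    "family_a": {"T1566", "T1059", "T1027", "T1071"},
    "family_b": {"T1566", "T1059", "T1547", "T1105"},
    "family_c": {"T1059", "T1003", "T1071", "T1105"},
}

# Real ATT&CK technique IDs and names, used only for readable output.
TECHNIQUE_NAMES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1027": "Obfuscated Files or Information",
    "T1071": "Application Layer Protocol",
    "T1547": "Boot or Logon Autostart Execution",
    "T1105": "Ingress Tool Transfer",
    "T1003": "OS Credential Dumping",
}

# Constructed: techniques the organization already detects or blocks.
EXISTING_CONTROLS = {"T1566"}


def technique_overlap(family_techniques):
    """Map each technique ID to the set of families observed using it."""
    overlap = defaultdict(set)
    for family, techniques in family_techniques.items():
        for technique in techniques:
            overlap[technique].add(family)
    return dict(overlap)


def prioritize_gaps(family_techniques, existing_controls):
    """Return (technique, sorted families) for techniques without a control,
    most-shared first; ties break on technique ID so output is deterministic."""
    overlap = technique_overlap(family_techniques)
    gaps = [(t, sorted(f)) for t, f in overlap.items() if t not in existing_controls]
    gaps.sort(key=lambda item: (-len(item[1]), item[0]))
    return gaps


def heatmap_scores(family_techniques):
    """Score each technique by how many families use it; this is the kind of
    per-technique number a matrix heatmap colours by (assumed shape)."""
    return {t: len(f) for t, f in technique_overlap(family_techniques).items()}


if __name__ == "__main__":
    for technique, families in prioritize_gaps(FAMILY_TECHNIQUES, EXISTING_CONTROLS):
        print(f"{technique} {TECHNIQUE_NAMES[technique]}: {len(families)} families {families}")
```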