Actor-Based Gap Analysis and the MITRE ATT&CK Framework

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
GORDON COLLINS: Thank you very much for the opportunity to present this to you today, and it's something very close to our hearts here at Anomali, how we can identify an actor-based gap analysis using the MITRE ATT&CK Framework.
So I'm going to just go through a little agenda here, and I will then show you, using the Anomali tools, how we can arrive at that point, how we can establish an actor-based analysis using the MITRE ATT&CK Framework.
So I'm going to step through this in hopefully a methodical way, just to start at the MITRE world, using the navigator.
So let me go back to my prompt here.
So yes, essentially, we want to understand, based on an assessment of our own organization's security coverage, using the MITRE ATT&CK framework, where our gaps exist when understanding the potential threats posed by a threat actor.
So there are three or four parts to that.
And I'm sure that was hopefully easy to follow, but I'm going to step through again.
There are a couple of prereqs required to set up so that we can work out exactly where our organization's gaps exist, in terms of the threats potentially posed by a threat actor.
And I'm going to walk us through an example on some common steps that an analyst might work through.
But first of all, you need to understand your own organization's security posture.
Where are your strengths, where are you secure, where are you confident about your security, and where have you done an honest assessment of your own potential security gaps? And that really is important and feeds into, then, the gap analysis afterwards.
I'm going to put my analyst hat on for a minute and then work through a review of a CISA alert and assess the content of that very quickly using Anomali Lens.
And then we'll ingest that content into Anomali Threat Stream, and it's here that we'll find our gaps.
But while we ingest all of the content, I'm mindful that we want to associate some of the further content-- that will become a little clearer when we step through it-- and enrich it.
So we're not just drawing the understood indicators, actors, malware, and other entities and objects that have been found on the alert into Threat Stream.
We want to further enrich it and deepen our understanding of it.
And there are many ways I can go, but I'll step through maybe a happy path so as not to make it too difficult to follow in one go.
And then based on our original understanding of our organization's security posture, I'll then flick the switch, essentially, and show you where an organization's gaps can be easily and quickly identified based on an understanding of the actor's potential threatening TTPs.
So let's get to show you something here.
Let me flick across here.
So I have a couple of MITRE ATT&CK navigators open, and this really is just to step through, very carefully, what one of the prereqs would be, as mentioned.
Depending on what your blue and red teams have done to assess your organization's security posture, you would follow, then, the TTPs made out here.
Version 9, I have here on the Navigator.
And of course, I'm probably speaking entirely to the converted here, but the main thing that I would do here is, of course, attribute a score.
And here, obviously this particular tactic is relevant to other-- let me just click that, yes.
And we're looking for the score here.
Not to worry, I can move on.
Really, it was just an example to show you how you can attribute your score here.
And depending on the attribution that you give, you'll get either a color-coded score from naught to 100.
And I think everyone probably is pretty familiar with this anyway.
And I put in here already for phishing.
Phishing for information, we have a score of 55, a score of 44, and a score of 0-- so 0 being poor coverage.
And this is maybe a trivial example, but just an example as to what is required as a prereq before you start to look at identifying gaps based on an assessment of an actor and an actor's typical TTPs.
So you can, of course, export this as a JSON file, and then what can you do with it? So let me go to Anomali Threat Stream.
And Anomali Threat Stream maybe deserves a little introduction.
It's our threat intelligence platform, where we collect and curate global threat intelligence from many open-source and commercial vendor sources, as well as the threat intelligence that we at Anomali, through our Anomali threat research team, have collated, as well as any content that an organization or customer may have collected themselves using, of course, [INAUDIBLE] or any other mechanism to ingest intelligence.
And of course, then the application can be used to investigate and further push indicators based on confidence score that we would attribute to indicators through an integration capability then to any backend downstream applications.
So this may be just a very high level view of Anomali Threat Stream.
But what I wanted to show you was all very well and good maintaining that security coverage value on through the Navigator, which of course then you can export to JSON, which can be imported here, and of course here, version 9 on Anomali Threat Stream.
And then we'll attribute then based on the score value of a high, medium, low or our strong, medium, weak, and none.
And of course, the color coding here is a reasonable reflection of an organization's security posture.
And this is a demo environment and an example of an organization's security posture.
I've kind of settled on this for a little bit just to emphasize that there are inputs.
In order to find the gap analysis, you have to have a strong understanding of your organization's security position.
So that's all very well and good.
What next? So let me move my Zoom thing to the bottom.
And so if I were to put my hat on and follow the path or the example of an analyst, there are many sources that I may want to investigate to establish if there's content that is important to me, important to my organization, important to my sector, important to my geography.
Actually, just before I go there, let me go back to Threat Stream.
And just as a slight tangent, I wanted to show you the dashboard.
Anomali Lens is our browser plugin, which uses natural language processing to understand and assess content of an alert, or blog post, or even a set of indicators that could be held within a Microsoft Excel worksheet.
We have also, then-- this engine that runs with Anomali Lens is a trending engine, and that allows us to establish those based on an assessment of sources, blog posts or news posts, over a time period, those actors that have been prevalent and active in news reports.
So here is one from the last seven days, and you can see that this particular actor has the highest number of mentions.
But over a 90 day period, then these actors have a number of mentions.
So it's just a nice maybe tool to assess those things that are featuring across the board in a number of different news sources.
So let me go back to my analyst activity.
So this is an alert from CISA.
And no doubt, most of the audience here are regularly subscribing, or receiving these, or assessing them.
And this is a really information-rich source of information and contains some key information that's been made available by the US Department of Justice, based on an indictment against named individuals who are associated with the APT40 threat actor, advanced persistent threat actor 40.
And the key thing to note here was that through state agencies, these actors had been targeting victims within these particular industries, academia-- and I won't read them endlessly but-- aerospace, biomedical, government, health care, and maritime transportation, and others.
There was a parallel to this, an example of perhaps assessing information related to COVID-19, that similar actors have been highlighting, and breaching, and accessing key information on COVID-19 health policies or other information.
But I'm just going to stick with this alert because it is particularly information-rich and contains both content, indicators, some attack patterns, and mentions of an attack actor.
So what I have available to me-- rather than turning this into a manual threat bulletin that I might want to generate and send to my team to maybe assess the risk that this particular threat actor poses, I have Anomali Lens, which is, in this case, the browser plug-in, which is scanning the page.
And at the same time, it's assessing, through a natural language, those entities on the page that are either actors, malware, domains, or indeed, attack patterns.
So of course, it takes a moment to run.
And when it runs, then you'll see that it has marked up a little bit on the page as well.
So I can either navigate the page, I can find some markups here for this particular actor, and I can view the details.
I will click here.
I can view the details in Anomali Threat Stream further information.
And this is where the value starts to add, because this is detail on the actor, as I know it, within my environment, based on associations that I have made, not just generic content from this blog here.
So let me go back to my summary screen.
What I have here are 586 entities that are understood and known to me, and those could be these actors, malware, URLs, and as I scroll down, a whole bunch of attack patterns as well.
So there are a number of things I could do here.
And ideally, I'd probably create a threat bulletin, and import it into Threat Stream, and pass it on to another team.
But I'm going to create an investigation, because there is so much content here.
But before I go, just a little note on the 45 matches.
So what that tells me already is that because of the list of indicators that is at the tail end of this page, I know-- and here they are.
I know that there are 45 of those that have been identified and matched within my own match environment, where I have correlated my log data with global threat intelligence, as curated in Threat Stream.
So I feel as though I'm saying lots of words.
And I'll keep moving.
So I'll create an investigation, hit the Investigation button.
I'm going to Select Everything.
Maybe in another example, I might not do that.
But just for the purposes of this demonstration, I will attribute the name my name, the date, and a number with my own naming convention.
I'll send that to Threat Stream.
That takes a moment to go to Threat Stream and then to resolve, if you like.
So while that's working in the background, inevitably, I have one that I have from earlier.
So this is what-- I'm in Threat Stream; I have essentially done this beforehand in order to expedite the time that we have available to us.
And here in Threat Stream, I have all of the entities that I've imported.
And you can see here-- let me start at the top.
This is an investigation.
This is an investigation that I have sourced from the CISA site, so that's reminding me there.
I have ingested this content using Anomali Lens, and there are a number of entities or indicators that are already known to me within the application.
And so I don't know.
And I might choose to import them and I might not, but that's fine.
And then I'll go down here, and this is my work palette, if you like.
And I can do a number of things to the entities that have been imported.
Here's a quick summary of those things that are here, and I can view the attack patterns here as well as I can double-click and view them.
And I can see the different attack patterns that were mentioned in that document as they were imported.
And of course, I can then queue them in the application.
So I'll maybe come back to that again in a moment.
But the key thing I want-- what we're still focusing on is actor-based assessment of our security gaps, based on an assessment of the threats posed by a given actor, using the MITRE ATT&CK Framework.
So there is another aspect to this workflow that I have available to me, and this is the models.
So I can, if you like, fill over, or overlay, or assess the threats posed to me by the content in this investigation palette, using content unassociated against a number of these models.
So available to me is the Kill Chain model or the Diamond model but of course also the MITRE ATT&CK model.
So already, what I have here is simply an assessment of those threat patterns that I've imported from the blog post, and they've been assigned a value here of relatively low frequency.
I could have imported this in a slightly different way and let a couple of my automated recipes run so that I would have been a few steps further.
But I want to run a particular one manually, just to demonstrate how we can then add particular value after we've imported the information from the CISA alert.
So I know that there were a number of actors on the CISA alert, essentially name-checking all the aliases or a number of aliases.
And in particular here, this is an indication here.
The APT40 is an indication of the actor as I know it in my application, based on my subscription to this particular vendor.
But I also know that there is an actor called Leviathan, and I can view further detail on that.
So I can click here, View Detail.
And this is the content on the actor that's held in the application, not just generically, but as I've understood it and also based on some additional content from Anomali threat research team.
So there are, of course, all the aliases that we saw earlier on the alert, some of the tags, which I can show you being rendered in a second as part of my enrichment process, then the associations and attachments.
So let me go back to my investigation and add some color to what I already know about this particular actor.
I can search for metadata, and that will then be associated here.
That'll give me some geographical information to give me some more information on the tags.
But the key thing that I wanted to do here was show that there are a number of things that I can do to enrich, based on what I already have in Threat Stream, based on how I've understood this actor and some of their TTPs in relation to my world.
And so in this case, in this scenario, I'm going to search for additional attack patterns related to Leviathan.
And that will identify further attack patterns, where I have a further understanding of the threat posed by this particular actor.
And I'll scroll back up to my model here, and you'll see that this has shifted the color a little bit.
Based on the enhanced or enriched data that's available to me through Threat Stream, I found that there are specific and other threats posed by this particular actor.
And that's all very well and good.
My security team won't be too pleased if I just fire this off to them.
But the important thing is I come back to the original point.
How do we find gap analysis-- how do we understand a gap analysis based off our organization, based on the threats potentially posed by an actor using the MITRE ATT&CK Framework?
So if you remember the piece at the very beginning, if I click this button, that helps me overlay my security posture on top of the threats posed by the actor.
So now I have far fewer reds, reds being danger, danger.
And it's at this point that I can continue on and inform further response or further remediation.
So I think I should stop at that point and just remind, maybe, Chloe, that what we've done here is understand our own organization's security posture, capture that, and then assess, through some analyst work, the type of information that may be available on a particular actor that could be trending.
There could be something interesting that I want to see.
It could be in my sector.
It could have been something that I've been alerted about.
And then assess the threats that are potentially posed by this actor and overlay, then, my existing security posture to find those things that need work.
So I'll stop there.
And hopefully, that's given you a flavor for how to find these gaps.
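The overlay step the webinar walks through (score your coverage per technique in the ATT&CK Navigator, export the layer as JSON, then lay an actor's attack patterns over it to surface the gaps) as an added Python example that is not part of the webinar or of Anomali's products. The layer content, the actor TTP lists, the ATT&CK technique IDs and the cut-offs for the strong/medium/weak/none buckets are all constructed or assumed here; the webinar shows the color bands but does not state thresholds.

```python
import json

# Constructed sample of a MITRE ATT&CK Navigator layer export: one score (0-100)
# per technique, as in the webinar. The technique IDs are real ATT&CK IDs but
# are an assumption here; the webinar names the techniques, not their IDs.
LAYER_JSON = json.dumps({
    "name": "org coverage (constructed)",
    "techniques": [
        {"techniqueID": "T1566", "score": 55},       # Phishing
        {"techniqueID": "T1566.001", "score": 44},   # Spearphishing Attachment
        {"techniqueID": "T1598", "score": 0},        # Phishing for Information
        {"techniqueID": "T1059.001", "score": 80},   # PowerShell
    ],
})

# Constructed actor TTP lists: what the alert itself names, then the larger
# set after enriching the actor with further attack patterns in the platform.
ALERT_TTPS = ["T1566", "T1598"]
ENRICHED_TTPS = ALERT_TTPS + ["T1059.001", "T1078"]


def rate(score):
    """Map a 0-100 coverage score to a bucket (assumed cut-offs, not the webinar's)."""
    if score is None or score == 0:
        return "none"
    if score < 40:
        return "weak"
    if score < 70:
        return "medium"
    return "strong"


def load_layer_scores(layer_json):
    """Return {techniqueID: score} for the enabled techniques in a Navigator layer."""
    layer = json.loads(layer_json)
    return {t["techniqueID"]: t.get("score")
            for t in layer.get("techniques", []) if t.get("enabled", True)}


def overlay(scores, actor_techniques):
    """Overlay posture on actor TTPs; a technique the layer never scored counts as no coverage."""
    return [(tid, scores.get(tid), rate(scores.get(tid)))
            for tid in sorted(set(actor_techniques))]


def gaps(scores, actor_techniques, gap_levels=("none", "weak")):
    """Only the rows that need work: actor techniques with weak or no coverage."""
    return [row for row in overlay(scores, actor_techniques) if row[2] in gap_levels]


if __name__ == "__main__":
    posture = load_layer_scores(LAYER_JSON)
    for tid, score, bucket in gaps(posture, ENRICHED_TTPS):
        print(f"GAP {tid}: score={score} coverage={bucket}")
```

Running it against the enriched TTP list shows how the gap list grows once enrichment adds techniques the coverage layer never scored.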