The Power of Cyber Threat Intelligence Together with MITRE ATT&CK

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
- I'm Greg Fischer, senior director of product solutions here at Anomali, and today I'm going to talk about the power of cyber intelligence combined with the MITRE ATT&CK Framework.
Next slide, please.
So, maybe a little bit more specifically when we talk about this is how TTPs, tactics, techniques, and procedures, can help connect the dots between a sea of IOCs and potential adversaries and the groups behind them.
So I want to walk through a little bit about what's relevant in your environment and then how TTPs can provide context to that relevancy.
And then finally, walk through some use cases from our customer experience on how those actions are performed.
Next slide.
So this is a quote from Gartner that I really like that talks about the realistic situation that you cannot possibly defend against all threats, especially with limited resources.
So what you're trying to do is determine or narrow that down, reduce that down, to what's relevant.
And the way that you can do that is by leveraging threat intelligence to determine what's relevant in your environment.
And then combined with MITRE ATT&CK Framework, providing context to that relevancy.
Next slide.
OK.
So what's relevant, right? Well, relevant's what we care about.
What do I care about? Well, in this little Venn diagram I put together-- and you may have seen similar graphics that depict this-- is that there's a whole sea of activity that you're trying to manage across your environment, all the vulnerabilities that are out there, all the threats that are out there.
Well, when you start to draw the intersects, you can start to narrow down where your focus should be and your threat landscape.
So for example, when you combine all the vulnerabilities that are out there with your environment in that intersect, there are vulnerabilities in your environment, but perhaps there are no known exploits for those.
And so while they are a concern of yours, they're not your top concern.
And then in areas where there's threats, but you've already addressed those vulnerabilities through mitigation.
So obviously, those are no longer a threat because you've addressed those.
If there's areas where we have threats against vulnerabilities where there's a known exploit and that is a vulnerability that exists in your environment that hasn't been mitigated, now you have that triad, right? Now you have that area of concern or that threat landscape.
Next slide, please.
WOMAN: Hey, Greg, you can just press the slide itself.
You have full control of the screen.
So you just have to press on the right-- yeah, on the right side.
GREG FISCHER: Let me try.
OK.
And how do I go back? WOMAN: Just click on the left.
I'm going forward.
MAN: Greg, you can use your arrows on your keyboard to go back.
GREG FISCHER: Oh, let me do that.
There you go.
That's better than my mouse click.
Thanks, guys.
So let's pivot now and talk about-- we talked about relevancy.
Let's talk about TTPs and how they provide context.
So you guys are all familiar with the Pyramid of Pain.
And what I've done here is I've kind of pulled in a contrast pyramid of the knowledge hierarchy.
So where you're moving from just raw data and reactive type capabilities up to more proactive and prescriptive and even predictive capability in the knowledge space.
And if you think about it, that actually parallels the Pyramid of Pain.
You're moving from nondescript uncontextualized indicators of compromise up through a pyramid of more information, more context, so more knowledge.
And with that knowledge, the ability and capability to do more proactive, prescriptive, and predictive capabilities.
So let me walk through an example of that because sometimes we throw this out there and it doesn't necessarily resonate or it doesn't necessarily immediately connect with what we're trying to achieve when we talk about, will TTPs provide that context? So let's go to the next slide.
OK.
So what I have here is just a simple example of four IOCs captured from your internal telemetry.
I mean, everybody will recognize the IP addresses, some hashes in there, domain name.
But without any context, I don't know what's happening, I don't know how it's happening, I don't know what's going to happen next, I don't know who's behind it.
I could start to take some guesses, but you really don't have enough information to work.
Now, when we move a little bit further, I'm going to take those same IOCs and now I'm going to place them on a timeline.
[INAUDIBLE] help, right? So I know what came first, what came second, what came third, what came fourth.
Depending on your experience, you might start to guess what's going on, but you still-- I've got the context of time and a little bit of context just in the fact of the atomic IOC, whether it's a URL or domain or hash.
But I still wouldn't, with confidence, be able to say, well, what's happening, how it's happening, what's going to happen next or who's behind it.
So now I'm going to introduce TTPs.
And look how much more story unfolds.
Now, relatively good confidence I can say, OK, now we have a series of techniques.
Those techniques call out what's taking place.
So now I know what's happening and I have good confidence on how it's happening.
I still don't necessarily know what's going to happen next or who's behind it.
But this is the power of TTPs, where we moved-- this is moving up the pyramid, right? So I moved from those IOCs down at the baseline of the pyramid and up to the top of the pyramid with techniques.
And in doing so, I now have context, I now have those capabilities of being able to describe or even predict in the knowledge space.
Let's go to the next slide.
OK.
So now if I take that example and I move through that sequence, and I have that sequence to refer to or reference back to, now I can start to do something that in the past I wasn't able to do.
With the benefit of context and with the benefit of storing that information, I can actually say, OK, I've seen a spoof domain come in before and I've seen the results of that, so what's the missing-- what's missing or what fills in that missing space, right? That question there.
I have a prior sequence of activities I could refer back to that and it would provide, potentially, the answer that fills in that question.
And the same thing if I shift to another example that says, all right, I've got a spoof domain technique, I've got a phishing attachment, what would happen next? It's almost like those little puzzles where they give you the first three in a series and then they say, what's the fourth in the series? The same for that final, right? So what I'm trying to show here is that as we've moved up the pyramid from IOCs to techniques, and now we have a series of techniques.
And those series of techniques are something we can refer back to.
It provides us not only context, but it also provides us a pattern that when we observe this pattern, that we're able to fill in the gaps if we don't have the information.
And that provides us not only context, but also a form of prioritization.
Here's that same example now drawn on the Enterprise Framework, where you have that sequence of activity as a visualization.
It's a rudimentary visualization, but it's meant to show you that this is the sequence of activities that's taking place.
And with that information is something that you can actually use to prioritize areas of focus-- and I'm going to get to that a little bit further down in the use cases, but it's something that I wanted to show just in this visualization within MITRE ATT&CK Framework.
OK, so back to trying to answer the questions.
We've moved up the pyramid, and we're able to now, with TTPs, to provide the context to say what's happening, how it's happening, and what's going to happen next.
But who's behind it? Here's another area where the MITRE ATT&CK knowledge base provides that additional information.
And what's important to remember is that you may not, even with MITRE's-- with the benefit of MITRE, you may not actually have, you know, exact attribution.
But again, if you-- if you've-- if you're able to refer back to a prior sequence of events, then even without the named actor behind it, you still understand, based on that prior sequence of events, what's going to happen next.
So it could continue to operate as an unnamed actor, but you have the context and the behavior to guide you on what potentially would happen next.
So with this example, we're saying-- and this is an example utilizing the MITRE framework, where you've got a sequence of techniques.
You also have those techniques that are attributed to prior advanced persistent threat groups.
And then you narrow down the list of advanced persistent threat groups based on all the techniques that are being used.
So now you've narrowed your list, the focus, to say, OK, maybe these five advanced persistent threat groups are known to use these techniques.
And with that information, now I can, again, narrow my focus on, all right, now I kind of understand who I'm dealing with here and where I need to focus some of my defense posture, my mitigation, where to look for additional information on some security control monitoring, those types of things.
So we've moved through what is happening, how it's happening, what's going to happen next, and potentially who's behind it.
Now we're going to go through a couple of use cases.
This is probably one of the most common use cases, in my experience and definitely within our customer base.
And that's where you're trying to do-- and again, this is back to that relevant-- you know, I've got that threat landscape, and I'm trying to focus my efforts on that intersect of what I care about.
So in this example, we're first looking at the-- identifying and capturing the security control coverage within our environment.
So this is an exercise where you map the security controls that you have in place, the-- you know, within your environment areas that you're protecting and map that on to the MITRE framework.
Some customers do this manually, where they audit through each one of their security controls with an understanding of what, within their intrusion detection systems, within their EDR products, within their secure email gateway and their website gateways, which techniques are covered and which areas are not covered.
There's automation ways.
I've seen customers utilize breach attack simulation tools and attack surface monitoring tools to run automated auditing, if you will, of their security controls.
And then, taking the results of that, there's some of the breach attack simulation tools that'll actually export the results of where you're protected and where you're not in the form of a JSON that you can load right up into a-- the ATT&CK navigator.
So that then gives you a color-coded view of, OK, here's where my security controls are providing coverage on techniques.
And that next step is, OK, I have an attack, right? I've got a visualization of where I'm covered, from a tactics, techniques, and procedures.
And now I have an attack.
It's an attack that was documented in a threat bulletin that came out.
They've got techniques labeled in there.
And now I throw that up, and I want to get a contrast of-- here's my security coverage, and I'm going to contrast that against-- here's the techniques used by this threat actor or this campaign, this active campaign.
Am I covered? So that's the security control-- what I'm calling a "security controls gap analysis," on a case-by-case basis where I can actually contrast each one of these attacks against my security controls and immediately, through that contrast, see where I'm covered and where I'm not.
It might identify a technique that's being utilized.
It's not covered, or perhaps it's partially covered in my environment.
And then I can focus that-- focus my efforts on improving a security control, adding a monitoring function, or adding an additional defense or detection capability in order to cover that space in that-- against that particular attack.
And you can iterate through these attacks.
You can even start to do, you know, proactive-type-- you know, like red teaming exercises, to say, OK, where are these areas that I am not covered and I want to be covered.
So that's a common use case that we see in our customer base, within our product, where they're doing just that.
They're loading up their security controls and then contrasting that against various attacks that are being brought in through cyber threat intelligence.
OK, so for this next use case, this is one that we are seeing, I first became aware of-- it was through a conversation through one of our utility customers.
And this was a case where they're trying to determine not only who's behind the threat but-- and not only doing what I just showed prior, in the prior use case, where they're contrasting that against their existing security controls on a MITRE ATT&CK framework.
But now they're trying to determine what additional areas that are not reflected in that particular campaign-- so let's see if I can restate that.
So I have an attack, and I contrast it against the-- my security controls.
And I can say, OK, I'm covered on this particular attack.
I'm covered in all the technique areas.
I'm good.
However, when you apply attribution to that campaign or that threat-- and let's say it's APT29.
Now, when I look at APT29, well, what other techniques campaigns and techniques is this threat actor associated with? And you pull that list up, and now you can get a complete list-- well, a list of additional techniques that are used by this threat actor, either prior in other campaigns, that this particular attack doesn't reflect.
But because now you believe you understand who you're dealing with, you want to go that extra step and say, OK, this threat actor has a certain modus operandi, and they're known to use all these different techniques.
Let's take those techniques and contrast that, not just this particular attack or not just this particular campaign.
But let's take all the techniques that have been associated with this threat actor, and let's contrast that.
And the goal from that customer's point of view was, they wanted to be more comprehensive in their security control auditing and their defenses, to say, look, once I know who I'm dealing with here, I don't want to just focus on this particular campaign or this threat that's active today.
I want to look at all the different threats that have been associated with that threat actor and the techniques that they've used.
And then I want to use that in my environment as a contrast to say, OK, what additional IOCs should I be detecting for and monitoring for and alerting on within my environment.
Let's go to the next use case.
And this one's one of my favorite ones.
It's actually the last one in the-- in our presentation.
So this one was from one of our more sophisticated customers, where they had really gone-- actually had gone beyond what-- something novel and something really new, as far as the way we had seen the product and the capability leveraged.
So this was a case where a customer was leveraging the capability to map IOCs to techniques.
So you're taking specific input telemetry from your intrusion detection systems and your secure web gateway and, you could imagine, from secure email gateways.
So they're pulling in this telemetry, and because of where they're pulling it from, they're able to associate techniques to it because the technique is observed from that security control, so a reconnaissance scan activity or port knocking activity, these types of things.
And they pull that information in, and then they store that information based on the IOC activity.
So again, we've got a timeline or a temporal store of, here's when the activity started.
And it was followed by this sequence of activity, followed by this sequence of activity in that IOC chain of actions.
And now that I have that mapped to a technique-- each one of those mapped to a technique, I actually have a correlation.
So I've got a correlation of the sequence of these techniques over a timeline.
So you could consider this a pattern.
So a pattern of recon activity followed by a credential stuffing attempt-- you know, recon activity followed by a phishing campaign attempt.
So this is where the customer was storing prior activity and behavior and then being able to bring that back through our Match product and say, hey, any time that I see the beginnings of that pattern-- so again, in the earlier slide where I showed you that I have a sequence of techniques taking place.
And then I've got a question that says, all right, what's going to be the next technique within this sequence.
This customer, in this use case, had actually mapped that out.
And that was really impressive and powerful to me, was that now that we've-- we've gone beyond just providing context to IOCs.
We've actually now taken that context and correlated it over a timeline, and we're leveraging that going forward.
So now we've moved up the pyramid to tactics, techniques, and procedures, but we've also moved up that knowledge pyramid from just reactive all the way to predictive capability.
And that is the end of my presentation.
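The two security-controls gap-analysis use cases from the talk (contrast a campaign's techniques against your coverage, then widen to every technique associated with the attributed actor), as an added example that is not Anomali's code or the speaker's. The layer uses the ATT&CK Navigator's `techniqueID`/`score` field names, but every coverage score, the campaign's technique list and the actor's technique list are constructed sample data for a hypothetical actor, not real attribution.

```python
"""Security-controls gap analysis against ATT&CK technique coverage.
Added example; all coverage values and technique lists are constructed."""
import json

# Constructed coverage layer in Navigator layer shape.
# score 2 = covered by a control, 1 = partially covered, 0/absent = uncovered
COVERAGE_LAYER = json.dumps({
    "name": "security control coverage (constructed sample)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1595", "score": 2},      # Active Scanning: IDS signature
        {"techniqueID": "T1566.001", "score": 2},  # Spearphishing Attachment: email gateway
        {"techniqueID": "T1566.002", "score": 1},  # Spearphishing Link: partial (web gateway)
        {"techniqueID": "T1059.001", "score": 2},  # PowerShell: EDR
        {"techniqueID": "T1110.004", "score": 0},  # Credential Stuffing: no control
    ],
})

# Constructed threat bulletin: techniques labelled for one active campaign
CAMPAIGN_TECHNIQUES = ["T1583.001", "T1566.001", "T1059.001"]
# Constructed profile of a hypothetical actor: everything they have been seen using
ACTOR_TECHNIQUES = CAMPAIGN_TECHNIQUES + ["T1566.002", "T1110.004", "T1078"]


def load_coverage(layer_json):
    """Flatten a Navigator-style layer into {techniqueID: score}."""
    layer = json.loads(layer_json)
    return {t["techniqueID"]: int(t.get("score", 0)) for t in layer["techniques"]}


def gap_analysis(coverage, techniques):
    """Contrast a technique list against coverage; unknown techniques count as uncovered."""
    result = {"covered": [], "partial": [], "uncovered": []}
    for tid in sorted(set(techniques)):
        score = coverage.get(tid, 0)
        bucket = "covered" if score >= 2 else "partial" if score == 1 else "uncovered"
        result[bucket].append(tid)
    return result


def actor_gap(coverage, campaign, actor):
    """Second use case: which weak spots only show up once you widen from the
    single campaign to the actor's full set of associated techniques."""
    campaign_gap = gap_analysis(coverage, campaign)
    full_gap = gap_analysis(coverage, actor)
    new_attention = sorted(set(full_gap["uncovered"] + full_gap["partial"]) - set(campaign))
    return {"campaign": campaign_gap, "actor": full_gap, "new_attention": new_attention}


if __name__ == "__main__":
    cov = load_coverage(COVERAGE_LAYER)
    print(json.dumps(actor_gap(cov, CAMPAIGN_TECHNIQUES, ACTOR_TECHNIQUES), indent=2))
```

With a real Navigator coverage layer exported by a breach-and-attack-simulation tool, only the constructed `COVERAGE_LAYER` string needs replacing.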
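The third use case and the earlier "what fills the missing space" puzzle, as an added example that is not Anomali's Match product or the speaker's code: telemetry events from security controls are mapped to techniques, stored as time-ordered sequences, and later sequences are matched against that history. The event-to-technique mapping and the incident history are constructed sample data; the mapping of a spoofed-sender event to T1583.001 is an assumption made for the example.

```python
"""Technique-sequence pattern store: map control telemetry to ATT&CK techniques,
keep prior sequences, and use them to predict or fill in a step.
Added example; the mapping and history below are constructed."""
from collections import Counter

# Constructed mapping: the technique each control's event type is taken to evidence
EVENT_TO_TECHNIQUE = {
    "ids:portscan": "T1595",                 # Active Scanning
    "seg:spoofed_sender": "T1583.001",       # assumption: spoof domain -> Acquire Infrastructure: Domains
    "seg:malicious_attachment": "T1566.001", # Spearphishing Attachment
    "edr:powershell_encoded": "T1059.001",   # PowerShell
    "iam:many_failed_logins": "T1110.004",   # Credential Stuffing
}

# Constructed history: prior incidents as (timestamp, event) tuples, one list per incident
HISTORY = [
    [("2024-01-02T08:00", "ids:portscan"), ("2024-01-02T09:15", "seg:spoofed_sender"),
     ("2024-01-02T09:20", "seg:malicious_attachment"), ("2024-01-02T10:05", "edr:powershell_encoded")],
    [("2024-02-10T11:00", "ids:portscan"), ("2024-02-11T02:00", "iam:many_failed_logins")],
    [("2024-03-05T07:40", "seg:malicious_attachment"), ("2024-03-05T07:30", "seg:spoofed_sender"),
     ("2024-03-05T08:10", "edr:powershell_encoded")],
]


def to_technique_sequence(events):
    """Order events by time and map them onto techniques; unmapped events are dropped."""
    ordered = sorted(events, key=lambda e: e[0])
    return [EVENT_TO_TECHNIQUE[e[1]] for e in ordered if e[1] in EVENT_TO_TECHNIQUE]


def predict_next(history, observed):
    """Given the techniques seen so far (in order), find every prior incident containing
    that run and count which technique followed it, most common first."""
    following = Counter()
    n = len(observed)
    for incident in history:
        seq = to_technique_sequence(incident)
        for i in range(len(seq) - n):
            if seq[i:i + n] == observed:
                following[seq[i + n]] += 1
    return following.most_common()


def fill_gap(history, before, after):
    """Puzzle form from the talk: a known technique before and after an unobserved step."""
    candidates = Counter()
    for incident in history:
        seq = to_technique_sequence(incident)
        for i in range(len(seq) - 2):
            if seq[i] == before and seq[i + 2] == after:
                candidates[seq[i + 1]] += 1
    return candidates.most_common()
```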