Operationalizing the MITRE ATT&CK framework for Security Operations, Threat Hunting and DFIR

Executive Summary

By Rukhsar Khan on Friday, December 7, 2018

Cyber attackers are constantly becoming more and more subtle while Security Operations (SOC, CERT and CSIRT) continues to scratch on the surface. It doesn’t matter whether that’s a large enterprise, bank or government institution. The evidence is fairly strong that most organizations are pretty bad at security operations1 . Why are there so many global high-profile breaches? Why can organizations today not adequately detect and respond to breaches while they have spent millions in their Cyber Security defense? You don’t have to be a genius to figure out that there must be vital gaps in the defense ecosystem of organizations. But how to identify these gaps and what course of actions are required?

The MITRE ATT&CK framework is one of the long awaited answers to these kind of questions. From a long time the Cyber Security industry was lacking a holistic approach to detection and mitigation of advanced targeted attacks. In order to develop such a holistic approach and make it available to the public, MITRE, a US-based nonprofit organization, spent many years in analyzing the global high profile breaches and categorizing them into individual Tactics, Techniques and Procedures (TTPs). As a result to this work, three matrices have been evolved, namely the Pre-ATT&CK Matrix, the ATT&CK Matrix for Mobile and the ATT&CK Matrix for Enterprise.

The Pre-ATT&CK Matrix covers the pre-exploit phases of a breach whereas the ATT&CK Matrix for Enterprise is a post-compromise matrix. And as the name implies, the ATT&CK Matrix for Mobile is dedicated to mobile devices. At its core, the ATT&CK Matrix is expressed in the Structured Threat Information Expression (STIX) language in order to allow organizations to integrate it with their Cyber Security defense ecosystem.

This blog series starts with an overview of current major problems that we have identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and the reasons behind these. We will then move forward with a solution draft that encompasses the MITRE ATT&CK framework along with a robust Cyber Threat Intelligence (CTI) and appropriate data collection sources for data enrichment including all Cyber Security threat information expressed in the STIX language. Although the solution draft includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favour of any specific one. However, the core implementation of the MITRE ATT&CK framework in our solution draft is performed in the IBM Resilient Security Orchestration, Automation and Response (SOAR) product.

1Securosis Research Paper: The future of Security Operations (https://securosis.com/research/ papers/the-future-of-security-operations)