Operationalizing the MITRE Att&ck framework for Security Operations, Threat Hunting and DFIR
By Rukhsar Khan on Friday, December 7, 2018
Cyber attackers are constantly becoming more and more subtle while Security Operations (SOC, CERT and CSIRT) continues to scratch on the surface. It doesn’t matter whether that’s a large enterprise, bank or government institution. The evidence is fairly strong that most organizations are pretty bad at security operations1 . Why are there so many global high-profile breaches? Why can organizations today not adequately detect and respond to breaches while they have spent millions in their Cyber Security defense? You don’t have to be a genius to figure out that there must be vital gaps in the defense ecosystem of organizations. But how to identify these gaps and what course of actions are required?
The MITRE Att&ck framework is one of the long awaited answers to these kind of questions. From a long time the Cyber Security industry was lacking a holistic approach to detection and mitigation of advanced targeted attacks. In order to develop such a holistic approach and make it available to the public, MITRE, a US-based nonprofit organization, spent many years in analyzing the global high profile breaches and categorizing them into individual Tactics, Techniques and Procedures (TTPs). As a result to this work, three matrices have been evolved, namely the Pre-Att&ck Matrix, the Att&ck Matrix for Mobile and the Att&ck Matrix for Enterprise.
The Pre-Att&ck Matrix covers the pre-exploit phases of a breach whereas the Att&ck Matrix for Enterprise is a post-compromise matrix. And as the name implies, the Att&ck Matrix for Mobile is dedicated to mobile devices. At its core, the Att&ck Matrix is based on the Structured Threat Information Expression (STIX) language in order to allow organizations to integrate it with their Cyber Security defense ecosystem.
This blog series starts with an overview of current major problems that we have identified in Security Operations and Digital Forensics and Incident Response (DFIR) teams and the reasons behind these. We will then move forward with a solution draft that encompasses the MITRE Att&ck framework along with a robust Cyber Threat Intelligence (CTI) and appropriate data collection sources for data enrichment including all Cyber Security threat information expressed in the STIX language. Although the solution draft includes specific commercial and non-commercial products and tools from various vendors and organizations, we are not necessarily in favour of any specific one. However, the core implementation of the MITRE Att&ck framework in our solution draft is performed in the IBM Resilient Security Orchestration, Automation and Response (SOAR) product.
Signup for 5-Day Training ClassOperationalizing the MITRE Att&ck framework for Security Operations, Threat Hunting and DFIR
with commercial and non-commercial products and tools from IBM, Recorded Future, Carbon Black, A10 Networks, Google Rekall, Volatility and more . . .
This class is about Incident Response in a post-compromised environment.
In this class we will show you the major reasons why Security Operations is currently doing bad and what is required within Security Operations in order to produce high value results that can be consumed by a Threat Hunting and Forensic team. We will also focus on how to streamline security analysis, starting off with the initial triage within Security Operations to Threat Hunting to Forensics in case of an advanced targeted attack by quickly forming up a defense team that is able to collaborate directly from within IBM Resilient as the central hub for Incident Response.
The goal is to rapidly identify and respond to advanced adversaries that have gained a foothold in a compromised environment (post-compromise). The initial triage will be conducted by the Security Operations team (L1) which will hand-off valuable results to the Threat Hunting team (L2) which will in turn produce results that will be consumed by the DFIR team (L3) for a deep dive forensic analysis focusing on a few affected systems out of hundreds or thousands of systems... Read more
Cyber security practitioners or Consultants of Security Operations, Threat Hunting and DFIR teams.
Training class dates:
2nd-6th of September 2019
11th-15th November 2019
13th-17th January 2020
Structured Threat Information Expression (STIX™)
Introduction to STIX, STIX Domain (SDO) and Relationship Objects (SRO).