Resilient Workflows and Playbooks

As we have learned, all the TTPs potentially used by a known MITRE Intrusion Set are put into relationship by the Relationship SROs that are provided as part of the ATT&CK framework. Since we have loaded the complete framework in STIX2 format in our Postgres test database, we can identify these TTPs recursively by verifying the relationships of the Intrusion Set.

Figure 1.37: MITRE workflow calls APT28 workflow

A SOAR tool like IBM Resilient can further help us by providing workflows and playbooks in order to trigger additional automation actions and giving instructions to an analyst. Depending on which Intrusion Set / Threat Actor has been identified, a generic workflow can call another workflow in order to satisfy the analysis requirements implemented for the corresponding TTPs. E.g. figure 1.37 is illustrating how a generic workflow named MITRE is calling the workflow MITRE: APT28 after identifying APT28 as the Threat Actor. The MITRE: APT28 workflow extract can be seen on the right side of this illustration. This workflow combines the creation of task instructions (e.g. MITRE: T1003/Credential Dumping, MITRE: T1056/Input Capture) that are provided to the analyst in the form of a playbook and the calling of another workflow named MITRE: T1059/Command-Line Interface (top right) that is triggering an automation script for additional data collection and enrichment for satisfying TTP # T1059 requirements.

Figure 1.38 is further elaborating on how the playbook that is eventually providing task instructions to the analyst looks like. All the TTP task instructions regarding APT28 have been loaded into the incident’s Tasks tab as part of this playbook.

Figure 1.38: MITRE Playbook loads TTPs for APT28

The output of workflow MITRE: T1059/Command-Line Interface can be seen in table 1.2. MITRE T1059, on a very high level, is instructing us to search for all cmd.exe processes that have been spawned by a parent process other than explorer.exe. These might be suspicious and require further attention.

For the rest of this feed we will demonstrate how we are implementing the individual TTP detection and mitigation instructions with workflows and playbooks. For this, we will firstly integrate with additional Cyber Security systems and tools and secondly we will extend our solution draft in building Stage 1/2 Analysis capabilities.

Table 1.2: MITRE T1059/Command-Line Interface automated action

The goal is to help Security Operations and DFIR in streamlining deep security and forensic analysis, drastically reducing analysis and response time as well as understanding and keeping track of the full scope and complete impact of an attack.

Figure 1.39 is itemizing our currently biggest challenges along with exemplary product roadmaps of the vendors we have included in our solution draft. The latter shall give us some idea on where the journey in terms of MITRE ATT&CK and STIX2 is going.

One of the biggest challenge during our development process was heavy data re-formatting and conversion. Commercial vendors as well as open source tools are currently not providing result sets of queried data in STIX2 format. We needed to convert their native JSON formats into STIX2. Also, if the CTI is not providing any Threat Actor, mapping out the MITRE TTPs can be a nightmare.

Figure 1.39: Current biggest challenges – Product roadmaps

But vendors have identified the power of MITRE ATT&CK and STIX2 and many have these on their roadmaps. E.g. the upcoming Q4/2018 QRadar release will have a mapping to MITRE TTPs for every detection rule. Vendors like Carbon Black have already built a lot of MITRE mapping into their products which is constantly improving.

Figure 1.40 is showing more details on our upcoming plans.

Figure 1.40: What’s coming next