The MITRE ATT&CK framework offers a threat-informed approach to detecting, mitigating and protecting against malicious attacks. It includes a repository of adversary tactics, techniques and procedures (TTPs), built from empirical evidence gathered by analysing successful breaches against organisations. This behavioural cyber threat intelligence (CTI) can inform security decisions.
For a CTI program to be effective, an organisation needs to have a good idea of the threats it is facing, combined with an assessment of the likelihood and impact such an incident would have. While it is technically possible to send lists of raw threat intelligence to the Security Information and Event Management (SIEM) system, organisations frequently complain that this has a very low hit rate. Worse, it causes false positives that waste the time of SOC analysts. On the threat intelligence side, the process of deciding which threats matter is called threat modelling; on the telemetry side, it is called collection management.
Threat modelling & collection management
Threat modelling involves documenting the various adversaries who target an organisation's assets, business model, industry or geographic location, whether country or region.
Effective threat modelling should consider adversaries in the context of which assets within your business are most valuable, as what is valuable to the organisation is valuable to the adversary. Frameworks like MITRE ATT&CK can help identify and understand major threat actors, their motivations, and their methods.
Importantly, MITRE ATT&CK can provide suggestions about the best sources of telemetry to find various threats and how to detect specific types of attacks and methods they use. A level of self-assessment is required to evaluate current collection capabilities in terms of log sources and visibility from various security tools that are deployed in your environment.
With MITRE ATT&CK, teams are in a much better position to select the right threat intelligence, both sources and types, based on the organisation’s threat model and collection management framework. This starting point or baseline needs fine-tuning because the threat model is largely theoretical. Analysing current or past incidents will provide valuable information about the actual attacks your organisation faces.
Attributing attacks to adversaries is challenging; however, systems like a threat intelligence platform (TIP) can help to match internally gathered intelligence with external threat information to find the relationships. A threat intelligence platform also allows analysts to prioritise intelligence according to the threat model or framework your organisation has implemented.
Threat hunters can use a TIP to work from a higher-level viewpoint with detailed information about the methods of potential and actual attackers. In this way, the security team can take a more proactive approach, first identifying the organisation's risk profile by defining the threats. Individual risks can then be mapped to specific attackers and their tactics, allowing threat hunters to examine more closely whether applicable data has been identified in the environment being investigated.
Building a threat model and a collection management framework is fundamental to threat hunting, allowing security teams to anticipate, prepare and hunt for threats that could target their organisation.
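The collection self-assessment and the mapping of risks to adversaries and their techniques described above can be made concrete as a small coverage calculation. The following is an added example, not code from the original article or from MITRE: the adversary labels, their attributed techniques, the technique-to-telemetry mapping and the list of collected log sources are all constructed assumptions (the technique IDs themselves are real ATT&CK identifiers, but ATT&CK's own per-technique data sources should be used in practice).

```python
from collections import defaultdict

# Constructed threat model (assumption): adversary label -> relative priority
# and the ATT&CK technique IDs attributed to it. The IDs are real ATT&CK
# identifiers; the attribution to these placeholder actors is illustrative.
THREAT_MODEL = {
    "actor-1": {"priority": 3, "techniques": ["T1566", "T1059", "T1003"]},
    "actor-2": {"priority": 2, "techniques": ["T1059", "T1021", "T1047"]},
    "actor-3": {"priority": 1, "techniques": ["T1003", "T1021"]},
}

# Constructed technique -> telemetry mapping (assumption). ATT&CK publishes
# its own detection data sources per technique; use those in a real program.
TECHNIQUE_DATA_SOURCES = {
    "T1566": {"email-gateway", "process-creation"},
    "T1059": {"process-creation", "command-line"},
    "T1003": {"process-access", "command-line"},
    "T1021": {"logon-session", "network-connection"},
    "T1047": {"process-creation", "command-line"},
}

# Collection management self-assessment: sources actually flowing into the SIEM.
COLLECTED = {"process-creation", "command-line", "email-gateway"}


def technique_scores(threat_model):
    """Weight each technique by the priority of every adversary that uses it."""
    scores = defaultdict(int)
    for actor in threat_model.values():
        for tech in actor["techniques"]:
            scores[tech] += actor["priority"]
    return dict(scores)


def coverage_gaps(threat_model, tech_sources, collected):
    """Return (technique, weight, missing_sources) for every technique the
    current telemetry cannot fully observe, highest weight first."""
    gaps = []
    for tech, score in technique_scores(threat_model).items():
        missing = tech_sources[tech] - collected
        if missing:
            gaps.append((tech, score, sorted(missing)))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


if __name__ == "__main__":
    for tech, score, missing in coverage_gaps(THREAT_MODEL, TECHNIQUE_DATA_SOURCES, COLLECTED):
        print(f"{tech}: weight {score}, telemetry to add: {', '.join(missing)}")
```

The output is a prioritised backlog for collection management: techniques used by the highest-priority adversaries that the current log sources cannot see come first.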
Threat hunting aims to proactively find adversary activity that has not previously been identified or blocked. It involves actively looking for clues, guided by a hypothesis about a threat actor and the tactics or approach they might employ. A burgeoning area in cybersecurity is attack simulation, which emulates this activity through red teaming and then tests the organisation's ability to detect it through blue teaming.
A collaborative defence method between both teams, called purple teaming, involves sharing threat information to understand the adversary, close vulnerable gaps, and stop breaches before they take hold.
Collecting and curating the right intelligence sources, prioritising this information, and correlating it with the SIEM can effectively automate a CTI program. When guided by a threat model and a collection management framework, this process can also automate basic threat hunting.
The effectiveness of the MITRE ATT&CK framework for organisations depends on whether response teams can collate and analyse the data to make informed decisions. Like any good process, cyber threat intelligence needs a feedback loop.
Analysing incidents, threat hunting, and collecting internal telemetry all contribute to a plan for incremental improvements to cyber threat intelligence programs, by identifying the gaps in the current understanding about threat actors, their behaviours, and any gaps in telemetry sources.
By leveraging MITRE ATT&CK, organisations can accelerate this process, improve situational awareness, and act faster on cyber threats when the need arises. It may even help to discover evidence of threat actors already present in your environment, and your organisation will be better prepared to respond with actionable intelligence.