No-surprise attack: Creating a database for online incursions
Building a knowledge base of adversary tactics and techniques based on the MITRE ATT&CK framework can greatly improve organizations' preparedness and breach response.
It’s often said that by failing to prepare, you are preparing to fail. This holds true for organizations that do not learn the lessons of previous cyberattacks, or that see similar incursions trending yet fail to prepare for them.
Indeed, at last month’s Black Hat USA conference, a pair of industry experts discussed the importance of developing a specific, internal information source based on the MITRE ATT&CK framework that organizations can use to share threat information.
Simply put, MITRE ATT&CK -- which stands for adversarial tactics, techniques, and common knowledge -- is a globally accessible knowledge base that describes adversary tactics and techniques based on real-world observations of cyberattacks. It provides a common taxonomy for both cybersecurity offense and defense that can be used to develop threat models. Information is displayed in matrices that are arranged by attack stages, from initial system access to data theft or machine control. The framework can inform intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.
In their presentation at Black Hat USA in Las Vegas in August, Ryan Kovar, principal security strategist for Splunk, and Katie Nickels, ATT&CK threat intelligence lead at the MITRE Corp., discussed the importance of developing such an attack database and how to integrate it with an overarching cybersecurity program. “The MITRE ATT&CK page is a matrix of real-world operations, from a threat intelligence perspective,” Nickels said. “We care about what attackers are doing, in terms of tactics, techniques and procedures.”
Organizations make many of the same mistakes, including having a false sense of security, not keeping up with new threats, leaving gaps in defense due to alert overload and not testing in depth, Kovar said. However, it is easy to develop a system for sharing cybersecurity information gradually, he added. “You can start with sharing information via email, then move to Excel to collaborate and trade among different groups,” Kovar said during the “MITRE ATT&CK: The Play at Home Edition” presentation at the security conference. “When you’re ready to accelerate, find a tool with an API like Jira,” he said. “Each person can jump in and add value.”
Splunk has a MITRE ATT&CK matrix that is color-coded, according to Kovar. “The people who are using it now are taking the taxonomy from ATT&CK, changing it to meet their needs, and then using it to describe, across multiple teams, what's going on.”
“Using a range of confidence levels, leaders can integrate different teams, each of those teams has something the others need,” Nickels said. “ATT&CK can be a common language that [IT security] can help others in communicating.” Indeed, taking the ATT&CK methodology, building it onto an organization’s threat library and creating specific data analyses with internal examples can help “build a framework,” she said.
Using an ATT&CK database, “leaders can communicate a lot of defenses and make better decisions, implement a new taxonomy, create a threat intel that people can move to, detecting pain and tracking multiple threats and incorporating new information,” Kovar said. “Defenders can prioritize alerts and find polymorphic attackers. And red teams can help defenders improve.”
It is important to recognize that ATT&CK can be useful to small and mid-sized companies and agencies, as well as larger enterprises. Kovar said he worked with a small company in the Midwest whose chief information security officer was concerned about APT10 targeting his organization.
Using the ATT&CK framework, “I was able to show him the names people came up with for the group, what they did, and who they went after,” Kovar said. Vendors tend to come at the ATT&CK framework from a tools point of view, while most companies will look at ways in which they can base operations on the framework. Tracking an adversary’s behavior can help organizations large and small better prioritize their defenses.
“It gives you a really easy way to pair the threats to the defenses you have, which is what I think a lot of organizations struggle with,” Nickels said. “Don’t let the perfect be the enemy of the good enough.”