How the MITRE ATT&CK Framework Can Improve Your Defenses

Image

Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices. https://open.spotify.com/episode/77iN96fmuS1Vzmz4jSJSj7?si=t3_C1lkTRyiaJFe6_GcyWA

Image

Image

Spotify: https://open.spotify.com/show/5UDKiGLlzxhiGnd6FtvEnm Stitcher: https://www.stitcher.com/podcast/the-tripwire-cybersecurity-podcast RSS: https://tripwire.libsyn.com/rss YouTube: https://www.youtube.com/playlist?list=PLgTfY3TXF9YKE9pUKp57pGSTaapTLpvC3   The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast. Tim Erlin: Thank you for spending some time with us on the Tripwire Cybersecurity Podcast. I'm Tim Erlin, vice president of product management and strategy at Tripwire. Today I'm joined by Travis Smith, principal security researcher at Tripwire. Welcome, Travis. Travis Smith: Thanks, Tim. Glad to be here.

The Importance of Defense for Organizations

TE: So, Travis, what’s it like as a security researcher at Tripwire? TS: One of the cool things is that I get to look at the latest trends in the security world and see what's going on. I get to investigate how these developments relate to our products and customers. So, it’s a defense-minded focus. There's a lot of security researcher-type jobs out in the world. The majority of them probably focus more on the offensive side where they're looking at hacking things or reverse engineering things. My team is really focused on the defensive aspects. How do we detect the attackers, and how do we stop them? TE: Well, and I think the reality is that most organizations spend more of their time on that defensive side of things than on tracking down criminals. So, it seems like it's more relevant to where customers need help. TS: Exactly. If you look at cyber threat intelligence, there is this whole concept of attribution all the way down to indicators of compromise and anything in between. Looking at attribution and who's behind those things is really cool. But there's not a ton of value for most businesses with actually knowing who that person is behind the keyboard. TE: I always think that's interesting. The activity in the industry doesn't always map particularly well to the value that customers and organizations need. And so there seems to be a fair amount of press and even products that don’t really solve a problem for our customers. Has that been your experience, as well? TS: It's pretty much the same thing. You're exactly right.

An Overview of the MITRE ATT&CK Framework

TE: So, I know that one of the things you've spent a fair amount of time on lately is the MITRE ATT&CK Framework. Can you start by explaining a little bit about what it is? TS: Yeah, so the “ATT&CK” in the framework is really just an acronym for “adversarial tactics, techniques and common knowledge.” It's broken out down into quite a few different tactics like persistence, lateral movement and exfiltration of data. Then within each one of these different tactics, we have a huge number of different techniques. So, if an adversary wanted to gain persistence in your environment, they could leverage a couple of dozen different techniques to achieve that end. Accessibility features and external remote services are two different things that come to mind through which they could use to establish persistence. When you dig into these different sets of techniques, there's a ton of data within each of these techniques. The Framework actually describes what such an attack might look like, partly by using real-world examples of malware families or APT groups that have leveraged them. So, it's not just a researcher like myself presenting at Black Hat or DEFCON saying, “Here's the art of the possible.” It's real-world examples of a technique being used. From there, it goes into how one can detect and mitigate that type of abuse on your systems. There's a ton of knowledge in there. TE: So, the tactics and techniques included in the framework aren’t new, but the collection of them into a framework is something that is. The framework itself has been around for a little while, but not a long time. What's the point of collecting these tactics and techniques into a framework? How is this useful to defenders? TS: Having that common body of knowledge is really the valuable thing. Some of these techniques have been around for a long time, and they've just been scattered all throughout the internet, or in books or in the minds of security professionals. The value of the MITRE ATT&CK Framework is bringing all this information together into a single place.

What Success Looks Like in Using the ATT&CK Framework

TE: I know in conversations with customers that they've said they have a strong interest in the ATT&CK Framework and that they've employed it and implemented it in a variety of ways. So, let's talk a little bit about that. Do you have a couple of examples of how the Framework is useful to a specific organization? TS: When organizations bring it in, I see them starting to leverage it in one of two ways. One was looking at it on a tactic-by-tactic basis, addressing one after the other as they made their way down the list. The other they’re looking at is mitigating things and detecting things and then putting those into two separate different categories. From a security operations team, those two things are really distinct. Hardening the system versus actually detecting things that are going on a system. So, when they're hardening things, it's really just about going through and looking at the hardening or mitigation guidance that they provide. The July update from ATT&CK did a really good job of providing mitigation categories. But from the detection category, there's still some work that needs to be done to increase that. The best way to do it is really red team your own systems. Some organizations might not have a dedicated red team. Actually, I would probably say a lot of organizations don't. So, there's a lot of tools that are available to do it. And there's usually about two or actually three, I should say, that I recommend people look at. One is the attack evaluations that MITRE has actually done. They have already gone through round one. Round two is coming up in 2020. TE: So, it sounds like if you're interested in starting a red team within your organization, the ATT&CK Framework will provide you with a good starting point towards that end. Absolutely. That's interesting; it's part of the defense of course, but if you're a defender in a position of managing tools within the organization—you're not doing that red teaming, that is—this is potentially an opportunity for you to grow your skillset. TS: Yeah, absolutely. It's a way to move from blue to red or become purple, so to speak. TE: Yeah, that makes a lot of sense. So, while the framework has been out there for a while, and as you said, there've been these evaluations, what do you think it looks like when an organization is successful using this Framework? TS: The success could mean a couple of different things, right? So, the ATT&CK Framework isn't just a checkbox solution where you’re safe because you're tracking all of the techniques. You're still going to be somewhat vulnerable, right? There's still going to be different ways of getting in. It's all about making sure it's part of your process to assess your coverage. Right? So, if we look at adopting the ATT&CK Framework, most organizations will at the first step just assess their coverage to see what it is and then identify what those critical gaps are. I mentioned one of them of looking at the APT groups that are relevant to a specific industry, addressing those, going back and assessing your coverage again and then identifying your new critical gaps. By doing that and doing that continual coverage and that continual assessment, you're going to increase your security proficiency. TE: So, it's not a one-time thing. You don't get to implement the ATT&CK Framework and be done with it. You have to continue using it, especially when it's updated, because your organization changes. TS: It's like a carousel. You put your quarter in, and you go up and down and around. TE: I think we've given folks a few tips on where to start with the ATT&CK Framework. All right, thanks everyone for spending a little bit of time with us on this podcast. Once again, I'm Tim Erlin, and my guest today was Travis Smith. We hope that you'll join us for the next podcast, as well.