In the face of cybersecurity threats, teams that respond to security incidents need greater skill and operational efficiency.
One important aspect of security threat detection is comprehensive knowledge of the tactics, techniques and procedures (TTPs) used by cybercriminals. Even ancient philosophers, such as Sun Tzu, knew that the key to winning a war was the ability to distinguish between strategies and techniques of warfare. TTPs sit at the very top of the Bianco Pyramid, which presents the relationships between the various types of IOC indicators: the higher an indicator is in this pyramid, the higher the cost to cybercriminals of changing it. The goal of every SOC is to reach the top of this pyramid, i.e. the situation in which the Blue Team is able to observe the activities of its adversaries. The ATT&CK MITRE knowledge base is an invaluable help for an organisation in achieving this level of security maturity.
What is ATT&CK MITRE?
The ATT&CK MITRE (Adversarial Tactics, Techniques and Common Knowledge) methodology is a collection of knowledge about cybercriminal behaviour models that have been grouped into a matrix of tactics and techniques. This framework is useful for understanding an organisation's security risks and the methods used by cybercriminals, for planning improvements, and for verifying that defence mechanisms work as anticipated. The MITRE threat knowledge base was created mainly to improve the detection of security threats and thereby to find gaps in an organisation's defence systems. The organisation's main idea was to create a guide that would allow advanced APT attacks to be detected faster than they are now. The time it takes to detect a targeted attack is measured in months, and the average time to recognise an enemy in an organisation is estimated to be five months. This is a long time for an attacker to thoroughly learn about the company under attack and even to gain illegal possession of sensitive information that could have an impact on the organisation's future. It should be remembered that even if an organisation has a perfect security patching programme and a compliance programme, the attacker can still succeed using zero-day exploits or social engineering methods.
Tactics, techniques...
Over two hundred ATT&CK MITRE techniques have been divided into twelve groups, the so-called tactics. Breaking down the individual phases of attacks so meticulously gives a broad view of the techniques and capabilities of the attackers that we would like to detect as quickly and as precisely as possible (without the so-called noise associated with false positives). A cybercriminal carrying out an advanced attack hits the red flags that we have set. These flags are the threat detection and mitigation mechanisms implemented in the organisation's security systems.
The MITRE threat database is not only a table of tactics and techniques, but also a number of tips on the data sources required for detecting suspicious activities, as well as numerous examples of actual attacks attributed to specific criminal groups.
Monitoring
In order to detect advanced attacks based on the behaviour of cybercriminals, the MITRE organisation recommends the analysis of suspicious activities by monitoring workstations, i.e. advanced monitoring of logs from operating systems (including Sysmon), network logs (including NetFlow), logs from firewalls, applications, authentication systems, cloud node components, DNS, PowerShell and many other data sources.
Drawing on this wealth of knowledge about threats, the creators of the FlowControl system decided to implement it in their own product for monitoring network flows. In addition to detecting DDoS attacks, the FlowControl system detects many types of security threats and network anomalies, including those from areas such as Initial Access, Credential Access, Discovery, C2, Lateral Movement, Exfiltration and Impact. More information about the FlowControl system can be found here.
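As an added illustration of the flow-based, ATT&CK-tagged detection described above (example code written for this article, not FlowControl's own), the snippet below runs two simple rules over constructed NetFlow-style records and labels each alert with the tactic and technique it maps to. The thresholds, the internal address range and the technique choice for the volume rule are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out).
# Host 10.0.0.5 touches many ports on one peer; host 10.0.0.7 pushes a large
# volume to an external address. Both are illustrative, not real traffic.
SAMPLE_FLOWS = [("10.0.0.5", "10.0.0.20", port, 120) for port in range(20, 60)]
SAMPLE_FLOWS += [
    ("10.0.0.7", "203.0.113.9", 443, 250_000_000),
    ("10.0.0.7", "203.0.113.9", 443, 300_000_000),
    ("10.0.0.9", "10.0.0.20", 445, 4_000),      # ordinary internal SMB flow
    ("10.0.0.9", "198.51.100.4", 443, 9_000),   # ordinary outbound web flow
]
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range


def detect_network_service_discovery(flows, port_threshold=20):
    """Flag a source that contacts many distinct ports on one destination.
    Tactic TA0007 Discovery, technique T1046 Network Service Discovery."""
    ports = defaultdict(set)
    for src, dst, port, _ in flows:
        ports[(src, dst)].add(port)
    return [
        {"tactic": "TA0007", "technique": "T1046", "src": src, "dst": dst,
         "distinct_ports": len(seen)}
        for (src, dst), seen in ports.items() if len(seen) >= port_threshold
    ]


def detect_exfiltration(flows, byte_threshold=100_000_000):
    """Flag a large outbound byte volume from an internal host to an external one.
    Tactic TA0010 Exfiltration; the technique label T1048 (Exfiltration Over
    Alternative Protocol) is an assumption, since flow data alone cannot tell
    it apart from T1041 (Exfiltration Over C2 Channel)."""
    volume = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            volume[(src, dst)] += nbytes
    return [
        {"tactic": "TA0010", "technique": "T1048", "src": src, "dst": dst,
         "bytes_out": total}
        for (src, dst), total in volume.items() if total >= byte_threshold
    ]


def run_detections(flows):
    """Run every rule and return the alerts with their ATT&CK tactic/technique."""
    return detect_network_service_discovery(flows) + detect_exfiltration(flows)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_FLOWS):
        print(alert)
```

Tagging every alert with a tactic and technique ID is what lets a SOC measure which parts of the matrix its rules actually cover and where the gaps are.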
Summary
The use of ATT&CK MITRE makes it easier for organisations to raise their level of security thanks to the very meticulous placing of traps for attackers, e.g. in the form of correlation rules in a SIEM or other security systems. Due to the enormous amount of work involved in covering all the techniques, I encourage you to proceed in stages, so that less experienced specialists have enough time to become familiar with this methodology and are not discouraged too quickly. Through this learning, security specialists improve the effectiveness of their tools for detecting and analysing security threats. In my opinion, every IT