how to map mitre att&ck techniques€¦ · bridging the gap between theory and implementation...
TRANSCRIPT
How to Map MITRE ATT&CK Techniques:
Bridging the Gap between Theory and Implementation
Steve Rivers, Director, Threat Intelligence Engineering
Contents
3 MITRE ATT&CK and ThreatQ
3 MITRE ATT&CK Mapping
4 ThreatQMITREMapperConfiguration
5 AThreatHuntingExampleUsingMITREMapper
11 Conclusion
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 3www.threatquotient.com
MITRE ATT&CK and ThreatQ
TheMITREATT&CKframeworkcontainsatremendousamountofdatathatcanprovevaluableinarangeofusecases,includingspearphishing,threathunting,incidentresponse,vulnerabilitymanagementandalerttriage.TomaketheinformationcontainedwithintheMITREATT&CKframeworkactionablefortheseusecases,ThreatQuotientintegratescomponentsoftheframeworkintotheThreatQplatformtoprovidethefollowingcapabilities:
z EnableinvestigationsthatoriginatewithcomponentsfromtheMITREATT&CKframework,suchastechniques.
z AutomaticallybuildrelationshipsbetweenMITREATT&CKdataandotherusefulpiecesofthreatdata.
z Automaticallymapthreatdatafrominternalsources(e.g.,SIEM,ticketing,emailgateway)andexternalsources(e.g.,feeds)withMITREATT&CKtechniques.
z Storehistoricalthreathuntinginvestigations,dataandlearningsandautomaticallyassociatethesewithrelatedcomponentsoftheMITREATT&CKframework.
Theintegrationenablessecurityoperationsteamstotakefulladvantageoftheframework,whileworkingwithintheThreatQplatform,toproactivelyandcollaborativelyacceleratedetectionandresponse.
MITRE ATT&CK Mapping
TheMITREATT&CKframeworkisahugestepforwardincreatingaknowledgebaseofadversariesandassociatedtactics,techniquesandprocedures(TTPs).ManyvendorsarestartingtobuildATT&CKdataintotheirdetectiontoolswhichisdrivingadoptiongloballyoftheATT&CKframeworkforthreathuntingandincidentresponseprocesses.Thisisgreatprogress,butunfortunatelymanyorganizationsstillhaveagapwhentryingtoapplyprocesstotechnologiesthatdonotintegratewithATT&CKdata.ThreatQuotienthascreatedanintegrationbetweentheThreatQplatformandMITREATT&CKthathelpstobridgethisgap.
TheThreatQplatformoffersathreat-centricapproachtosecurityoperations.Purpose-builttoacceleratedetection,investigationandresponse,theplatformisintegratedwithalargenumberofkeysecuritysystemsandisawareofcontextuallyrelevantdetectionsoralertsthatarethreatrelated.ThisinformationisingesteddirectlyintotheThreatQThreatLibrary.TheThreatQMITREMapperintegrationoffersatooltoautomaticallyestablishrelationshipsbetweenMITREATT&CKtechniquesandthreatdatathathasbeeningestedfrominternalandexternaltools.ThefunctionalityispoweredbyThreatLibrarysearches,whichenableuserstoseamlesslyleveragedatafromtechnologiesthatdonotsupportATT&CKdirectlyoutofthebox.
TheremainderofthisdocumentusesathreathuntingusecasetriggeredbyaspearphishingincidenttodemonstratehowtheThreatQMITREMapperintegrationmaybeused.
The integration of MITRE ATT&CK enables security operations teams to take full advantage of the framework while working within the ThreatQ platform.
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 4www.threatquotient.com
ThreatQ MITRE Mapper Configuration
ThissectionshowshowtheintegrationcouldbeconfiguredusingtheMITREATT&CKtechnique:T1193—SpearphishingAttachment.
Step 1 — Define MappingsInthisstep,wedeterminethetypeofdatathatwewouldliketomaptotheSpearphishingAttachmenttechnique.
WesearchforthedatathatwewouldliketomaptoaspecificATT&CKtechniqueandthensavethesearchforusebytheMITREMapperintegration.InFigure1wehavedefinedasearchthatlooksforallfilesthathavebeensenttousfromourProofpointsystem,whichisnotintegratedwiththeMITREATT&CKframework.Crucially,weareonlyinterestedinthefilesandhavelimitedoursearchtothatdata.
Figure 1: Searching for data to map
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 5www.threatquotient.com
Step 2 — Configure the IntegrationTheintegrationisconfiguredtomaptheresultsfromthesavedsearchagainsttheMITREATT&CKSpearphishingAttachmenttechnique.
Theintegrationisdesignedtorunonaperiodicbasis.Eachofthesavedsearchesthathavebeendefinedwillbeexecutedbytheintegration.TheresultsfromeachsavedsearchwillthenberelatedautomaticallytotheirdesignatedMITREATT&CKtechnique.Inthisexample,theintegrationwillmapanyfilesthathavebeensenttoThreatQbyProofpointtotherecordforT1193—SpearphishingAttachmentthatexistswithintheThreatLibrary.
Onceconfigured,theintegrationwillautomaticallybuildanyrelationshipsbetweenadesignatedMITREATT&CKtechniqueandtheoutcomeofthesavedsearcheverytimethatitexecutes.Thisincludesanynewdatathathasarisen.
A Threat Hunting Example Using MITRE Mapper
OverviewManyusersofATT&CKwillbuildariskandimpactmatrixtodeterminewhichtechniquesaremostlikelytoimpacttheirorganization.ItiscommonforThreatHuntingteamstothenusehighriskorhighimpactATT&CKtechniquesasthebasisforfurtherinvestigation.Let’sassumethatthisisthesituationnowandthatathreathunteriskeentoanalyzetheSpearphishingAttachmenttechniqueinmoredetail.
Step 1 — Starting the InvestigationAnewThreatQInvestigationiscreated.Thestartingpointfortheinvestigationthenneedstobedefined.Inthiscase,weareusingtheATT&CKtechnique:T1193—SpearphishingAttachment.Figure2showstheuseofthesearchfeaturewithinThreatQInvestigations,whichisthenaddedtotheinvestigationonceclicked.
Figure 2: Searching the Threat Library for a starting point
Many users of ATT&CK will build a risk and impact matrix to determine which techniques are most likely to impact their organization.
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 6www.threatquotient.com
Step 2 — Identifying Interesting Attachments
Figure 3: Finding related files
ClickingontheSpearphishingAttachmentnoderevealsasetofassociatedrelationships.Inthiscase,thereisalargeamountasThreatQhascapturedcontextuallyrelevantdatadirectlyfromMITREandinserteditintotheThreatLibrary.TheassociatedrelationshipsthatexistinFilesareagreatstartingpointgiventhetypeofattacktechniquethatisbeinginvestigated.Hereweseeasinglerelatedfile.Figure3showstheresultsafterthisfilehasbeenaddedtotheinvestigation.
Step 3 — Related EventsThenextstepistolookforrelatedeventsthatareassociatedwiththefilethathasbeenaddedtotheinvestigation.Relationshipsareusedtoidentifyanyassociatedeventsandaddtheseandassociatedcontextualdatadirectlyintotheinvestigation.
Figure 4: Additional events
Figure4showstheresultofthisprocess.Inthiscase,wehaveidentifiedtwoseparateeventstiedtothisfile,whichwerebothforwardedtoThreatQbyanotherintegration.Botheventswereemailsthatweresenttotwoseparaterecipients.Thoserecipientshavebeenidentifiedasbeingassociatedwiththeorganization’sfinancedepartment.
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 7www.threatquotient.com
Step 4 — Deeper AnalysisItisclearthisfilemayhighlighttheexistenceofapotentialthreatwithintheorganizationandthatfurtheranalysismayberequired.So,thethreathunterchoosestolearnalittlemoreaboutanycontextuallyrelevantdatathatmaybeassociatedwiththefile.
ThefileisanalyzedforanyassociatedindicatorsthatThreatQmaybeawareof.Thisinformationiscapturedfromexternaltechnologies(suchasthreatfeeds)orinternaltechnologies(suchasvulnerabilitymanagement).InterestingindicatorsareaddedtotheinvestigationasperFigure5.
Figure 5: Adding context
Thethreathuntermayalsochoosetouseadditionalenrichmenttoolstocapturemoredataaboutanypotentialthreats.ThisisaccomplishedusingThreatQ’sOperationsfeature,whichallowsuserstoexecuteenrichmentsagainstspecificpiecesofdata.Figure6showsanexampleofaURLbeingsenttoCiscoThreatGridforfurtheranalysis.TheresultswillbeautomaticallycapturedbyThreatQandmadeavailabletofurthertheinvestigationifrequired.
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 8www.threatquotient.com
Figure 6: Submitting a URL for further analysis
FurtheranalysisusingMITREATT&CKandsandboxdatarevealsthattheattachmenthasanassociationwiththeTrickBotmalware.Thisisalsoaddedintotheinvestigation(Figure7)forfurtheranalysisbyIncidentResponseteamsatalaterstage.
Figure 7: Associated TrickBot Malware
Thereareseveraladditionalstepsthatthethreathuntercouldchoosetoundertakeatthisstage.TheseincludedeeperanalysisintoindicatorsandassociatedrelationshipsorlookingforTTP-relatedoutcomessuchasadversaryrelationships.
Step 4 — Mitigation and ResponseThefinalstepistoidentifymitigationandresponseactions.Initially,thethreathunterlooksforsignaturesthatcouldbeusefulinmanaginganythreatfromTrickBot.Thereareseveralsourcesforthesesignatures,butinthiscase,theyhavebeenimportedautomaticallyusingThreatQ’sMalpediafeed.
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 9www.threatquotient.com
InFigure8thethreathunterhasidentifiedthreesignaturesthatmaybeusedtodetectTrickBot.EachsignatureisacompleteYARArule,whichmaybedeployedtoanIPSorothernetworkorhost-baseddetectionsystem.Ataskhasbeenassigned(‘DeploySignaturetoIPS’)totheSecurityteamtodeploythesignatures.
Figure 8: Identifying signatures to respond to TrickBot
TheThreatLibraryalsocontainssomeinformationonmitigationsthatmaybedeployedtodefendagainsttheTrickBotMalware.TheseareaddedtotheinvestigationandassignedtotheSecurityteamforaction(Figure9).
Figure 9: Additional mitigations
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 10www.threatquotient.com
TheinvestigationhasbeenupdatedwithmitigationsandresponsestotheimmediateperceivedthreatfromTrickBot.ThefinalstepistolookforlongertermstepstohelpmitigateanyadditionalrisksthatmaybeassociatedwiththeSpearphishingAttachmenttechnique.
Figure 10: Longer term mitigations
TheMITREATT&CKdatathatresideswithintheThreatLibraryisusedtoidentifyasetofmitigationsthatmaybeappliedtomanagetheriskassociatedwiththeT1193—SpearphishingAttachmenttechnique.Thesehavebeenaddedtotheinvestigationandtasksassignedtotheappropriateteamswithintheorganization(Figure10).
Figure11showsthecompletedinvestigation.
Figure 11: The completed investigation
How to Map MITRE ATT&CK Techniques
© ThreatQuotient, Inc. 11www.threatquotient.com
Conclusion
Thesampleinvestigationinthispaper,startedwithaMITREATT&CKtechniquebutcentredaroundanattachmentthatoriginatedfromathird-partysystem.ThisattachmentdidnotoriginallyhavearelationshiptotheSpearphishingAttachmenttechniquefromMITRE.EstablishingtherelationshipenabledathreathuntertoutilizetheATT&CKtechniqueasthestartingpointforahuntwhich,inturn,yieldedinformationonapotentialactivethreatandotheravenuesofinvestigation.
OneofthekeyadvantagesoftheThreatQplatformisitsopen,extensiblearchitecturethatallowsforstrongintegrationandinteroperabilitywiththetoolsorganizationsusetoday,andthetoolstheymaybeconsideringacrossabroadspectrumofservices.TheThreatQMITREMapperallowssecurityteamstouseMITREATT&CKtoitsfullestextent,evenwhentheirtechnologiesdonotsupportATT&CKdirectlyoutofthebox.UserscandefinesearcheswithintheThreatLibraryandmapthemtooneormanyMITREATT&CKtechniques.Theintegrationautomaticallybuildsrelationshipsbetweentheoutcomeofthesesearchesandtheassociatedtechniquesovertime.
NearlyeveryorganizationisinterestedinusingtheMITREATT&CKframework.TheThreatQplatformcanserveasthegluetointegratedisparatetechnologiesintoasinglesecurityarchitecture,sharingtherightintelligencewiththerighttoolsattherighttime.WithThreatQ,organizationscaneasilyimplementtheframeworkandbenefitfromthesignificantvalueitbringstothreathuntingandotherusecases.
One of the key advantages of the ThreatQ platform is its open, extensible architecture that allows for strong integration and interoperability with the tools organizations use today.
©ThreatQuotient,Inc.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, APAC and MENA. For more information, visit www.threatquotient.com.