A lot of people are talking about the MITRE ATT&CK framework, and for good reason as it is an open knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common taxonomy of the tactical objectives of adversaries and their methods. Having a taxonomy by itself has many valuable uses such as providing a common vocabulary for exchanging information with others in the security community. But it also serves as a real technical framework for classifying your current detection efforts and identifying gaps where you are blind to certain types of attack behaviors.
But ATT&CK goes far beyond an academic framework for classifying attack techniques. It gets very specific and technical. Here’s just a few examples:
- Rundll32
- Password filter DLL
- LSASS Driver
ATT&CK provides the best of both worlds – it’s comprehensive and deeply technical – while providing structure and organization to keep you from drowning in the details.
ATT&CK provides this organization through 3 principal elements:
- Tactics - represent the “why” of an ATT&CK technique. It is the adversary’s tactical objective: the reason for performing an action.
- Techniques - represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to achieve credential access.
- Procedures - are the exact ways a particular adversary or piece of software implements a technique. These are described by the examples sections in ATT&CK techniques.
To check the thoroughness of ATT&CK I thought of a few of the more obscure or newer attack methods and looked for them in ATT&CK. For instance, data exfiltration over DNS, and sure enough, if you look under TA0010 Exfiltration, you will find T1048 - Exfiltration Over Alternative Protocol.
In this webinar, I’ll introduce you to MITRE ATT&CK and how to navigate its website and framework. Then we’ll discuss the many ways you can use ATT&CK. But we’ll quickly zero in on how to use ATT&CK for designing, enhancing, assessing your security monitoring effort and keeping it up-to-date.
ATT&CK can help you find gaps in your visibility and threat detection. But it doesn’t leave you hanging. We will show you a process for building ATT&CK into your SIEM’s monitoring rules. That’s where our sponsor LogRhythm comes in.
Brian Coulson, from LogRhythm Labs, is leading an outstanding project at LogRhythm Labs where-in he will show you how they’re aligning the ATT&CK matrix with log sources, including windows event logs (XML – Security, XML Sysmon 8.0 and XML-System). While the matrix is wide spread in what it monitors, there are effective ways to filter around common and relevant detection techniques and logs.
He will be demonstrating a gap analysis around MITRE ATT&CK Techniques and a SIEM (LogRhythm). While existing compliance and threat module rules are likely to detect the MITRE defined techniques, Brian is going to take it a step farther and walk through a MITRE attack process from inception to finalization while focusing on rule development and alignment in LogRhythm.
Please join us for this real training for free session
I’ve included short quotes from ATT&CK’s website, therefore: © 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.