Cysiv Command, our next-gen SIEM platform, includes a powerful and important MITRE ATT&CK preparedness feature, which leverages the MITRE ATT&CK framework to help users determine where their detection gaps are and how to address them. In order to grasp the significance of this feature, it’s essential to understand what the MITRE ATT&CK framework is and how it applies to security information and data protection. In this blog, we’ll provide an overview of the MITRE ATT&CK framework, explore the benefits of Cysiv’s MITRE ATT&CK dashboard, and identify MITRE ATT&CK SIEM use cases.
What Is the MITRE ATT&CK Framework?
The MITRE ATT&CK framework is a leading tool for security practitioners. It provides a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on observations from millions of attacks on organizations. It is the foundation for widely used threat models and methodologies. In essence, the framework enables security teams to understand attackers' methods better and take steps to mitigate those threats.
In the most comprehensive view of the MITRE ATT&CK framework, the TTPs are grouped into 14 tactic categories:
- Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target organization
- Resource Development: establishing resources to support operations, e.g., setting up command and control infrastructure
- Initial Access: trying to get into your network, e.g., spear phishing
- Execution: trying to run malicious code, e.g., running a remote access tool
- Persistence: trying to maintain their foothold, e.g., changing configurations
- Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access
- Defense Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware
- Credential Access: stealing account names and passwords, e.g., keylogging
- Discovery: trying to figure out your environment, e.g., exploring what they can control
- Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through multiple systems
- Collection: gathering data of interest to the adversary's goal, e.g., accessing data in cloud storage
- Command and Control: communicating with compromised systems to control them, e.g., mimicking normal web traffic to communicate with a victim network
- Exfiltration: stealing data, e.g., transferring data to a cloud account
- Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware
MITRE ATT&CK is used worldwide across multiple disciplines, including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.
MITRE ATT&CK SIEM Use Cases & TTPs
Now we turn our attention to the need for a SIEM that can provide MITRE ATT&CK coverage. Security information and event management tools, or SIEMs, have historically not been good at detecting attacks that bypass the traditional layers of defense in depth. SC Magazine shared findings of a recent study that found existing SIEM solutions had detections for only 16% of MITRE ATT&CK TTPs.
That is very limited coverage, which the article attributes to long-standing SIEMs not being designed for detection of TTPs. Given the MITRE ATT&CK framework's role as a global repository of the attack methodologies in use by threat actors, TTP coverage is a key part of maintaining visibility into ever more complex attacks, and leaving this to the preventive security solutions alone isn't ideal.
Cysiv Command, our cloud-native, next-gen SIEM platform, which forms the foundation for Cysiv SOC-as-a-Service, was created with a focus on deeper telemetry and advanced detections, which allows us to spot TTPs across a wide range of MITRE ATT&CK use cases. In fact, when we look at our coverage, we have one or more sources for detecting over 177 TTPs. That is 86% of the TTPs detailed by the MITRE ATT&CK framework.
The behavioral model presented by the dashboard contains the following core components for MITRE ATT&CK TTPs:
- Tactics denoting short-term, tactical adversary goals during an attack (the columns)
- Techniques describing the means by which adversaries achieve tactical goals (the individual cells)
- Documented adversary usage of techniques and other metadata (linked to techniques)
Cysiv Command successfully targets each of these three essential elements with precise MITRE detection protocols that go deeper than even the most advanced SIEM platforms available.
While we agree with the SC article that some of the TTPs are not detectable from logs, many are, and previous-generation SIEMs are simply not up to the challenge. These TTPs span environments from network to SaaS and from cloud to campus, but many of them are best spotted on endpoints. For that we need deeper telemetry, either from our freely available collector or from the deep visibility option provided by EDR solutions such as Carbon Black, CrowdStrike, SentinelOne, Trend Micro, and others.
For MITRE ATT&CK SIEM use cases, we use the deep telemetry to spot TTPs that may have been missed by the defense in depth layers. We also have the benefit of tying together information from the EDR solution with network, SaaS, and other events.
MITRE ATT&CK is only one part of assessing risk. You also have to look at coverage, asset discovery, external risk, vulnerability management, defense in depth, and other ways to look at maturity of your cyber security practice. However, TTP coverage is an important part of ensuring your organization is prepared for advanced and evasive attacks. With Cysiv Command and its extensive new MITRE ATT&CK dashboard feature, you can easily monitor and mitigate each of these areas and more in an easy-to-use interface designed for understanding and action.
Cysiv’s MITRE ATT&CK SIEM Preparedness Feature
A MITRE ATT&CK preparedness feature of Cysiv Command, our next-gen SIEM platform, leverages the framework to provide users (clients and Cysiv SOC analysts alike) with a powerful dashboard to ensure you are protected against potential attack TTPs.
The Cysiv dashboard provides a real-time view of your MITRE ATT&CK detection coverage against the potential TTPs that can threaten your organization's systems and data. It displays technique coverage in an easy-to-use MITRE ATT&CK dashboard categorized by data source and identified detection gaps.
Users can also use the dashboard to understand how adding data sources will improve MITRE ATT&CK technique coverage. It indicates when a data source needed to cover a MITRE ATT&CK technique goes offline. Clicking on a technique in the dashboard brings you to the Cysiv Command Rules tab, which displays the rules and data sources that make up the MITRE ATT&CK detection coverage for that technique.
The dashboard is color-coded to provide an easy-to-read status. Green indicates that the data source telemetry needed for probable detection of the MITRE technique is online. Dark grey indicates that the data source telemetry needed for probable detection has not been onboarded to your instance of Cysiv Command. Red shows that the data sources are onboarded, but Cysiv Command is not receiving telemetry from one or more of them.
Here’s Mark Chatoor, our Director of Product Management, explaining MITRE ATT&CK Framework, and demonstrating this exciting and valuable new feature (9 minutes).
MITRE ATT&CK Dashboard Use Cases
Here are three common use cases for our MITRE ATT&CK dashboard:
- Prioritizing Data Sources to be Onboarded: You can plan your data source input strategy using the MITRE ATT&CK framework. You select the data sources during the onboarding planning phase to simulate potential MITRE ATT&CK detection coverage. You can prioritize data ingestion based on the volume of techniques covered, the techniques known to be executed by adversaries in your environment, or gaps in your security controls. This use case answers the question: "What data sources should I ingest for technique coverage?"
- Analyzing Gaps in MITRE ATT&CK Detection Coverage: You can identify the highest priority gaps in your current detection coverage. You can do this by determining what parts of your enterprise lack visibility, visualizing potential blind spots for vectors that allow adversaries to gain access to your networks undetected and unmitigated, identifying gaps to prioritize investments for improving your security programs, or visualizing lapses in technique coverage based on data sources being offline. This use case answers the question: "Where are my potential blind spots for an adversary to gain access?"
- Tuning MITRE ATT&CK Detection Coverage: You can simulate changes to detection coverage based on onboarding additional data sources. You can select data sources following the initial onboarding phase and handover to the security operations center to improve coverage for detecting adversary behaviors, prioritize future data ingestion as a data onboarding process, or quantify improvements to your detection coverage if deciding to make additional investments in sensors, endpoint detection and response, or other security tools. This use case answers the question: "What happens to my coverage if I onboard an additional data source?"
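To make the coverage logic behind these three use cases concrete, here is an added Python example. It is not Cysiv's code and does not reflect how the Cysiv Command dashboard is implemented; the rule names, data source names and source states are constructed for illustration, while the technique and tactic names are real ATT&CK identifiers. It computes a green/red/grey status per technique from the state of the data sources each rule needs, lists detection gaps, simulates onboarding an additional source, and ranks candidate sources by how many techniques each would newly cover.

```python
"""Toy model of an ATT&CK detection-coverage dashboard (added example, not Cysiv's code).

Assumptions, all constructed for this example:
- Each detection rule covers one ATT&CK technique and needs a set of data sources.
- A data source is "online", "offline" (onboarded but sending no telemetry),
  or absent from the state map, meaning not onboarded.
- Technique status follows the colour scheme described in the post:
    green -> some rule has every required source online
    red   -> every source of some rule is onboarded, but at least one is offline
    grey  -> the sources needed are not onboarded (or no rule exists at all)
  A rule with both an offline and a not-onboarded source counts as grey here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

ONLINE, OFFLINE = "online", "offline"


@dataclass(frozen=True)
class Rule:
    name: str                 # constructed rule name
    technique: str            # real ATT&CK technique ID
    tactic: str               # real ATT&CK tactic (the matrix column)
    sources: FrozenSet[str]   # constructed data source names the rule needs


# Constructed sample rule set.
RULES: List[Rule] = [
    Rule("ps_encoded_command", "T1059", "Execution", frozenset({"endpoint"})),
    Rule("phishing_attachment", "T1566", "Initial Access", frozenset({"email_gateway"})),
    Rule("lsass_memory_access", "T1003", "Credential Access", frozenset({"endpoint", "edr"})),
    Rule("admin_share_logon", "T1021", "Lateral Movement", frozenset({"netflow", "windows_security"})),
    Rule("cloud_storage_upload", "T1567", "Exfiltration", frozenset({"proxy"})),
]

# Constructed sample state: netflow and windows_security are not onboarded at all.
SAMPLE_STATE: Dict[str, str] = {
    "endpoint": ONLINE,
    "email_gateway": OFFLINE,
    "proxy": ONLINE,
}


def technique_status(technique: str, rules: Iterable[Rule], state: Dict[str, str]) -> str:
    """Return 'green', 'red' or 'grey' for one technique, best rule wins."""
    best = "grey"
    for rule in rules:
        if rule.technique != technique:
            continue
        states = [state.get(src) for src in rule.sources]   # None == not onboarded
        if all(s == ONLINE for s in states):
            return "green"
        if all(s in (ONLINE, OFFLINE) for s in states):
            best = "red"   # fully onboarded, but telemetry missing from some source
    return best


def coverage(rules: List[Rule], state: Dict[str, str]) -> Dict[str, str]:
    """Status for every technique that has at least one rule."""
    return {t: technique_status(t, rules, state) for t in sorted({r.technique for r in rules})}


def detection_gaps(rules: List[Rule], state: Dict[str, str]) -> List[str]:
    """Techniques that are not green: the potential blind spots (use case 2)."""
    return [t for t, s in coverage(rules, state).items() if s != "green"]


def simulate_onboarding(rules: List[Rule], state: Dict[str, str], new_sources: Iterable[str]) -> List[str]:
    """Techniques that would turn green if new_sources came online (use case 3)."""
    before = coverage(rules, state)
    after = coverage(rules, {**state, **{s: ONLINE for s in new_sources}})
    return [t for t in after if after[t] == "green" and before[t] != "green"]


def rank_sources_by_gain(rules: List[Rule], state: Dict[str, str]) -> List[Tuple[str, int]]:
    """Prioritise sources that are not online by techniques newly covered (use case 1)."""
    candidates = {s for r in rules for s in r.sources if state.get(s) != ONLINE}
    gains = {s: len(simulate_onboarding(rules, state, [s])) for s in candidates}
    return sorted(gains.items(), key=lambda kv: (-kv[1], kv[0]))


def tactic_summary(rules: List[Rule], state: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Count green/red/grey techniques per tactic column of the matrix."""
    status = coverage(rules, state)
    tactic_of = {r.technique: r.tactic for r in rules}
    out: Dict[str, Dict[str, int]] = {}
    for tech, colour in status.items():
        col = out.setdefault(tactic_of[tech], {"green": 0, "red": 0, "grey": 0})
        col[colour] += 1
    return out


if __name__ == "__main__":
    print("coverage:", coverage(RULES, SAMPLE_STATE))
    print("gaps:", detection_gaps(RULES, SAMPLE_STATE))
    print("onboard edr ->", simulate_onboarding(RULES, SAMPLE_STATE, ["edr"]))
    print("priority:", rank_sources_by_gain(RULES, SAMPLE_STATE))
```

With the constructed state, T1566 shows red because the email gateway is onboarded but silent, T1003 and T1021 show grey because at least one required source was never onboarded, and the ranking shows that onboarding `edr` or restoring `email_gateway` each turns one technique green, whereas `netflow` alone gains nothing until `windows_security` is onboarded as well.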
Cysiv Command is the focal point for a broad range of security-related activities, including accessing enriched logs, generating reports, and managing indicators, detections, security incidents and cases. Now, it includes access to the latest data sources for the MITRE ATT&CK framework in an intuitive and powerful dashboard.
Get Started with Cysiv Command’s MITRE ATT&CK Dashboard
Preparing for cyber adversary threats can be incredibly daunting, and it can be challenging to know where to start. The experts and technology at Cysiv are here to modernize the way your organization handles cybersecurity preparedness. To learn more about Cysiv SOC-as-a-Service, powered by Cysiv Command or the new MITRE ATT&CK dashboard and how it can help you further improve your security and reduce cyber risk, request a demo today.