The MITRE ATT&CK threat framework is seemingly everywhere these days, and with good reason. It is an invaluable tool for understanding the various methods, or as MITRE refers to them Tactics and Techniques, employed by threat actors. It offers annotated and curated details about those methods, and it provides the capability to visualize this data in useful and informative ways. It can be used to support a variety of aspects within a security organization including threat intelligence, threat detection, red/blue/purple teaming, and more. It can also inform strategic thinking and planning.
For purposes of this article, the focus is on how best to utilize MITRE ATT&CK in the threat detection space, and specifically the detection rules within your SIEM. To do that, we need to understand what ATT&CK does well, and where it is limited. To put it another way, what should your expectations be when it comes to ATT&CK and your SIEM rules?
Why use ATT&CK in the first place
The question that is perpetually asked by leaders responsible for an organization’s cybersecurity — either out loud to their teams or to themselves in the middle of the night is: how do I know the right defenses are in place to protect the organization?
Simply put, ATT&CK provides a construct of the known methods in which threat actors may attempt to compromise your organization. From this, you can determine which of these methods your organization is able to detect currently, those in which your detection capability is lacking, and then build a plan to close the gap.
ATT&CK can (and arguably should) be used across all your organization’s security controls and technologies to obtain a full coverage picture. Using it to understand your SIEM’s detection capability, however, should provide much of that picture and is a logical place to start. The reason for this is because, in theory, your SIEM is the centralized point for security alerting.
By mapping each SIEM rule to the Tactic(s) and Technique(s) on which the rule can alert, two things begin to happen. First and obviously, you begin to gain a reasonably accurate picture of what detection capability exists in your ruleset. Second, and arguably more important, you begin to gain an understanding of your ruleset. These two are not the same thing. The first enables you to answer the question as to what coverage exists, while the second enables you to defend that position and answer why. Knowing your ruleset at this level as it relates to ATT&CK enables you to explain the nuances of the coverage that exists, which better positions you to be able to improve it over time.
For example, if you have rules in place to detect 25 different types of ransomware, your ruleset will look as if it is heavily skewed to the Impact Tactic. However, if you have one rule that is constructed in such a way that it detects those same 25 types of ransomware, the graphical representation of your coverage map can look very different. Obviously, both scenarios have the same net effect, and neither is right or wrong as a strong argument can be made for both approaches. But depending on your coverage visualization(s), it can look quite different. Knowing your ruleset at that level of detail will allow you to understand and explain why it looks the way that it does. Both are important for different reasons but knowing why puts you in a stronger position to make the right decisions from a SIEM rule roadmap perspective.
What to expect from using ATT&CK
This leads to what your expectations should be for ATT&CK when utilizing it for SIEM rule coverage mapping and planning. There is a natural inclination to want to compare your organization’s coverage to other similar organizations. While that is understandable and can provide some value, that provides very little actual benefit in improving your threat detection capability for at least two reasons:
- There is a built-in assumption that the organizations against which you are comparing are very mature with their detection capability and you won’t know how valid that assumption is. Besides, if you have a breach that went undetected, it will not be a reasonable item to list on the postmortem that the peers in your industry didn’t have that coverage either.
- While they may be similar to your organization, they will have enough difference and nuance in their technological, organizational and architectural choices that it will almost certainly not be a worthwhile comparison.
Instead, use ATT&CK to compare your organization to an ideal vision of your organization’s detection capability. This will be your customized benchmark — although keep in mind that it changes over time due to changes both in your organization’s environment and the threat landscape itself. You create this customized benchmark by first understanding and documenting the Tactics and Techniques that are most applicable to your organization (there will be some that do not apply). Second, assess your capability against those Tactics and Techniques. Third, prioritize those for which you don’t have detection capabilities, and then create a plan to close the gaps.
The following visualization depicts the Techniques covered by SIEM rules before and after a rule enhancement effort. The darker colors represent a higher number of rules aligned to that Technique. In this example, specific attention was paid to the Techniques within Privilege Escalation and Defense Evasion.
ATT&CK coverage heat map: Before
ATT&CK coverage heat map: After
The following visualization depicts the number of rules aligned to each Tactic both before (blue) and after (purple) a rule enhancement effort. In this example, there was a focus to enhance the Techniques aligned to Privilege Escalation, Defense Evasion and Credential Access (the lower right quadrant of the radar graph).
Rules mapped to ATT&CK: Before and after
ATT&CK doesn’t do everything
As relevant and important as MITRE ATT&CK is, it is not advisable to solely rely on it for determining the rules in your SIEM. It provides one vitally important framework (detection of known Techniques used by threat actors), but there are other types of rules that your SIEM should have that go beyond ATT&CK. Examples of this include:
- Anomaly rules: These are rules that detect a deviation from a known baseline. This could be user behavior that looks different than it has historically, or it could be anomalous levels of activity or events in the network such as traffic patterns.
- Compliance rules: These are rules that exist either to detect the violation of a policy (think authorized use policies, as an example) or to detect the violation of a regulatory requirement such as GDPR.
These do not fit into any type of ATT&CK Tactic or Technique but may be a very important part of the security strategy for your SIEM.
The last reason you should not rely solely on ATT&CK for determining your SIEM rules is the human factor. Theoretically, no one and no technology knows your organization better than you as your organization’s security practitioner.
Using any framework (ATT&CK, NIST, etc.) as a guide is vital, but so is your own intuition, experience, and firsthand research capability when it comes to your organization. Use these frameworks as an indispensable guide and roadmap for detecting those things that are a threat to your organization, but also make sure you employ your own critical thought in the endeavor as well. Pay attention to those things that keep you awake at night, those nagging concerns over a Technique that isn’t adequately covered, or those Techniques that are concerning enough for your organization that secondary or tertiary detection capability is warranted. Combining that with ATT&CK and other threat or regulatory frameworks, along with technology, will put your organization in the best possible position.
The IBM Security Threat Management teams have extensive experience in helping customers to adopt and optimally utilize the MITRE ATT&CK frameworks for their specific environments and security considerations. Schedule a consultation here.
To get started learning about MITRE ATT&CK, visit this page as a great starting point to various introductory resources. You can also visit the main MITRE ATT&CK website to view the framework itself and for a full set of resources and tools.