Risk Management
Optimize Your Incident Response Planning with the MITRE Framework
Threat research experts discuss the evolving landscape and how the MITRE ATT&CK framework can help optimise incident response across your organisation.
When threat researchers look towards the future, it’s critical to start with a solid foundation that includes a clear picture of the current threat landscape. The MITRE ATT&CK framework provides researchers and security experts around the world with a common language to help identify and build a complete attack story, helping the community share vital cybersecurity insights and breakthroughs.
Connecting the dots you didn’t know existed
In the past, threat researchers relied on Lockheed Martin’s Cyber Kill Chain framework to help identify intrusion activity out in the wild. Although this privately owned and operated model proved successful, it omitted important information regarding the journey of certain threats; specifically how did malware get into a system, how did it propagate, and did it impact other systems. The MITRE ATT&CK knowledge base is completely publically sourced, allowing a greater number of researchers to work together to connects these dots. This allows for adversary tactics and techniques to be sourced from real world attacks and mapped back to the adversaries, so the cybersecurity industry can develop specific threat models and solutions to protect private, public, and government environments more effectively.
A community of threat researchers
As the threat landscape continues to evolve, the MITRE ATT&CK framework makes it easy for threat researchers to keep up to date with cybercriminal activity. This is due to a vast number of researchers across the industry discovering new threats, vulnerabilities, and kinds of attacks, then using data and insight from these findings to build up a large amount of intelligence data within the MITRE ATT&CK framework. This real-time intelligence can be fed back into the community to build up a wealth of knowledge, including cybersecurity vendors, in turn providing organisations across the globe with greater and up-to-the-minute security solutions.
Strengthening the framework
Although the MITRE ATT&CK framework is evidence-based and highly effective, it’s not all inclusive and still contains blind spots. Director of Threat Research at Trend Micro, Pawan Kinger, highly recommends that researchers use the framework within a variety of threat modelling and planning at all different stages. Predicting scenarios that may be specific to one’s organisation is a good indicator of future attacks waiting to happen across the industry. The MITRE ATT&CK framework’s ability to connect dots and tell the whole story of an attack is key to keeping not just your organisation protected but that of your peers, partners, and colleagues across the globe.
Transcript
Ian Heritage So, welcome to this session on leveraging the MITRE ATT&CK framework to optimise instant response. In this session, we're going to provide you an introduction to the ATT&CK framework and how it can be used to help optimise incident response across your organisation. We also discuss the threat landscape and how it continues to evolve and how the ATT&CK framework provides a common language to help identify and build a complete attack story. We also discuss how our research has helped the community in shaping attack for containers, with our research and insights.
So, first of all, I'd like to introduce both Pawan and Alfredo. Pawan, if I could just ask you to just introduce yourself and tell us what you do at Trend Micro.
Pawan Kinger My name is Pawan Kinger, I'm the Director of Threat Research at Trend Micro. I manage a team that conducts research on cloud and container threats, always trying to stay ahead of threats and I was pretty much looking for what's the next thing coming out there from a search perspective, create a picture of the current threat landscape for how things look like in the wild. Along with this, I also manage a team and handling voluntary protection for more than a decade now, so the goal there is we conduct research and ensure that we are protecting those as well as all those trends.
Ian Excellent. And, if we talked about virtual patching, that’s one of the key rule sets that's coming out of your team, right Pawan?
Pawan That's right. So, IPS/virtual patching test/vulnerability shielding has been my key focus area for about 15 years now. We specialise in vulnerability researchers and looking at the right set of vulnerabilities to prioritise, what's the best IPS protection and how quickly we can get it to the customer. That that's what my focus is on.
Ian Now Alfredo, if I could just ask you to introduce yourself too.
Alfredo De Oliveira Oh yeah, of course. First of all, thank you for inviting us for this event. So my name is Alfredo De Oliveira, I'm part of Trend Micro Research for eight years now and I lead this super cool team that is, for a while now it's focused on cloud and container research. And one of the key parts of our team is to choose cloud and container products and services and do threat modelling for them. We look about everything related to the products and services like security gaps, misconfigurations that can happen, third-party resources that can be added and could be a problem, vulnerabilities old and new. We also find vulnerabilities. And one of the key parts of our job is not only work on the service, but also try to see the bigger picture and actively threat hunt anything that is in the wild that can, leverage one of these weak points that we see on products and services.
So we are constantly looking for new threads to come up and study them and adopt our model and produce this intelligence to give back, both for the company and to the communities.
Ian And yeah, I definitely look forward to the chat today. So what I just want to double-click on first is exactly what is ATT&CK and what is the ATT&CK framework?
Alfredo I know we hear a lot about it, out there in the global community. For me, MITRE ATT&CK is that globally accessible knowledge base, effectively MITRE have taken adversary tactics and techniques from real world attacks and mapped those back to the adversaries that are out there. I think at the moment they're monitoring around 110 active groups, but with understanding the tactics and techniques against the businesses and organisations out there, the ATT&CK knowledge base is completely public sourced. So it's completely publicly available knowledge base. And I really think now that is used as one of the foundational building blocks for development of specific threat models, methodologies in both private and government, and also most importantly in cybersecurity products.
Ian And, effectively that services our customers, moving into the next decade when they're trying to keep up to date with all of the latest attacks that are out there. So, Pawan, when we speak in previously, we started talking about the MITRE ATT&CK and how that's similar to other frameworks that have been there in the past. You mentioned Cyber Kill Chain, could you just double click into the similarities and the differences between the Cyber Kill Chain and MITRE ATT&CK? And I might just throw up on screen as well, just to help us with that conversation.
Pawan Yeah. The Cyber Kill Chain model was really the pivot for a lot of years and people talked about, but it really doesn't fit in into a practical world. MITRE ATT&CK framework, this whole enterprise framework overall, the framework is pretty, technical, and it goes into very specific items there. Like someone entered the door where it says someone broke the glass and entered the door. That kind of just training analogy there. It goes really precise. It also goes, to the extent of looking at the motives and actually connecting the dots across all of the things that are happening as part of an attack.
For example, we observe a malware gets into a system, but how did it get in the first place? And it, it just didn't appear from nowhere. And when it appeared, how did it propagate and how it actually impacted other systems? So, from a response point of view it's really helpful. It helps string the story together.
And especially when you're looking at some incidents, it really helps connecting the dots, especially across multiple products from the same vendor or multiple vendors, if everybody's call them tagging their events for the MITRE IDs. If they're enriched with that information, it's very easy to put the story together with the MITRE ATT&CK framework versus the Kill Chain. You can talk about things, but you cannot put it into practice.
Ian I like you mentioned about stories there, we've often talked about the MITRE ATT&CK framework has that common language, almost like a dictionary of words that are available to that CISO, to that security professional.
An example of that would be, if you think of a tactic story, a goal of the attacker was to gain initial access to the network. That would be the focus on the tactic. And then if we wanted to drill down into the technique, in terms of a storybook approach, that would be using a drive-by compromise with spearphishing link and a trusted relationship and then the attacker gained initial access using this technique.
If we can have more of those high level conversations that not only security professionals understand, but business understand as well, we can sort of use a common language that is really understandable and talks about the risks and also talks about some of the low level detail as well. I think it's really important to have that framework.
One thing I've really sort of really thought about with MITRE ATT&CK is, as the threat landscape continues to evolve, now how is MITRE able to keep up to date with the latest groups and things like that? I think is really interesting just delving a bit deeper into the community aspect here. Is there anything you can tell us about that?
Alfredo So you said the key word here, which is community, right? So I imagine like, all the researchers from different several companies, working on their day-to-day jobs, finding out new threats and new kinds of attacks, and then building up a huge amount of intelligence data. And then using that data, not only to feed back the products with detections and search, but also feeding the community with, so how to recognise this X attack, or a hacking team by the behaviours that they present on different steps. Right, so giving back to the community with those intelligence data is really the key here to build up this library now of knowledge on attacks and attackers.
Ian Yeah, thanks Alfredo. Yeah, really interesting. And I think as, as you look on the MITRE ATT&CK website, the amount of monitoring groups, they're looking at, as a community, they definitely need our help and we definitely support, here at Trend Micro, that assistance. As I said, that they're monitoring over 110 groups at the moment, but also one part I like to look into is the common use cases surrounding that.
The common use cases have really well documented on the website and there's a great white paper about MITRE ATT&CK as well. They talk about adversary emulation that you could be looking into, analytics development, in terms of behavioural techniques, doing maturity assessments for your SOC, defence gap assessments in terms of understanding what protection elements and what detection elements you've got across your business to look at some of these attacks, and also red teaming.
I think for me, the one key thing that sticks out there is the MITRE ATT&CK, have really been able to look at the emulation side and use that as part of their wider evaluations. Over the last three years, we've seen APT 3, APT 29, Carbanak, and FIN7 all adopted into the evaluation assessments, where they able to look at some of the technologies in place and really test some of the capabilities in real-life scenarios.
And that touches on red teaming. Pawan, I know you've got an interest in this specific use case. How do you think that fits in that scenario from your perspective?
Pawan Yeah. Like of all the use cases that you mentioned there, I particularly liked the adversary simulation and the red teaming, especially the red teaming part, because it's like being prepared for disaster recovery and how it actually would span out when there a real disaster, like, as you've seen in the past. How Texas reacted to the Southern snow storm by how prepared were we there, right? So talking about red teaming, it really highlights how well our defences working in place. It's not just the security product investments that you've made, it's about how quickly you're in server response, how the human element of this whole, response part is working to red team and literally get in a bunch of folks who are going to simulate/emulate. It's literally like an attack So, how prepared are your teams? How well are you defences in place? Like do people really respond to their duty calls at time. How quickly does it do it? I'm really a big fan of the red teaming use case in of all these.
Ian And yeah, like you say, I think it comes down to those three principles that we talked so much about, across cybersecurity; the people process and technology, all combining those together to really have an impact.
And just one more question for you, Pawan, is how could this be used, that in terms of the MITRE ATT&CK framework to optimise incident response across organisations, talk about some of the things that you could think about that.
Pawan Yeah. Interesting, because, I see these things from a very, a lot of different perspectives. One is coming from a security vendor and a defence perspective, like particularly. So they'd been part of building protection on the defence, building virtual patches for 15 years now. And how does a SOC consume, how does our end user and the end customer is consuming these events?
Literally, when are coming from a defence mindset, you write a bunch of rules and name them in plain English, pretty much explaining, “yeah, PowerShell was used to execute them the command on system” versus literally tagging it down with a specific ID and it simplifies, the SOC person's life when they are looking at the events, they're able to correlate events from one vendor or multiple vendors and something that we call a root cause analysis, like when you're really digging into an incident, you actually can correlate, you can string things together and it really tells you the story, which are the systems that were infected, how much is the current exposure at the moment, are any other systems, like, for example, a ransomware situation? You can actually even get to the extent of like how many systems are about to explode? Whether the ransomware is probably going to trigger and start infecting.
So, very seamless. It really simplifies the whole pipeline of the conveyor belt of sorts that everybody's talking the same language, there's a common denominator here. So whether it's the security vendors creating the protection, whether it's the incident response folks, or even reporting things like, for example, the team writes a lot of blogs about threat research that they conduct, they even share IoCs there. Along with the IoCs, what techniques are the attackers using? They go ahead and publish those too. So it's so easy to correlate when see Alfredo talking about a particular threat that he observed in his honeypots in the wild. And what exactly did he observe, then you as a reader/an enterprise security architect, you want check, like, “do I have defences against these? You find out what other latest protections are in place or not. So it's really is a very, common denominator or common language that everybody in this chain can benefit from.
Ian Yeah, awesome. Great explanation. And you talked about Alfredo and some of the work that he's doing, I know Alfredo and I had a conversation previous. And that links onto the new attack for containers framework or matrix that that's now available. Alfredo, can you just sort of touch on that, your experience there and contributions to that community effort?
Alfredo So, first of all, I would like to bring a different perspective from a product or a SOC. And if you'll allow me, I'm going to digress to the beginning of this team, right? So a few years back, we assembled this team with the purpose of targeting research on at first containers, then that evolved to cloud services as well, right? So, and something that was fundamental and it still holds true to this day is we love to work based on threat modelling.
Right. So we have a service or we have a product that we want to research about, let's say a container service. And then we start looking what could go wrong here? So what are the entry points, and valid and the militias ones, and how can we get in? How can we break it up?
And then we build this threat model. With this tread model, we can do several things. So we can kind of, between multiple quotes here, we can predict the future threats, not only by breaking out, but also comparing to other services that that might not be related to the service we are working on for example.
And then it gives us a certain predictability on what's going to happen, what are the steps from the entry point to the end goal? So we can map everything out or at least we can infer what can go wrong, but so throughout the whole process. And that section had been paid off for, for this long time, we've been working on this way, because several things that we, again, between quotes predicted in the past for the past few years actually happened. And that's why we took the step of reaching out MITRE to close up this partnership and offer them a little bit of the intelligence we could gather. And more than we could gather, we could prove that was true. Like everything we've been saying for the past years actually happened. And then we started to thinking, “so let's give back to the community” and we've reached out to MITRE and we are sharing some of our findings with them.
And those findings, they were gotten from either our proactive work or on honeypots and such, right? We have few labs throughout the world where we can get different attacks and we can prove against our threat model or data model, we see something that we haven't predicted. Combining those data, we could provide something back to the community.
Ian Yeah and, I think it's such a great community effort that where we're able to package that intelligence both within our products, but also expand it out to a public community, I guess, for the greater good of protecting organisations out there who are using the latest and greatest containers. Because I think it's worth saying that the MITRE ATT&CK framework, for the enterprise at least, has been focused on the Windows side, Mac, and Linux, but this is really focusing on that cloud-native piece that we're seeing adopted widely amongst those organisations.
We've nearly run out of time, so I just want one sort of last closing thing. What would be that number one takeaway that you would say to customers about how they can embrace MITRE ATT&CK for their business or their organisation in moving forwards today? So, Pawan, if I could just start with you, if possible.
Pawan The biggest takeaway from my perspective would be, keep in mind that this MITRE ATT&CK framework is evidence-based and it's useful. It obviously proves value because it's evidence-based, but at the same time, and when I say evidence-based, it mean it has been observed in the wild and, some attacker adversary has actually used in a campaign or some kind of attack. Now that actually leaves some open questions there that is it everything like, does it cover everything? But it doesn't.
So it's not all inclusive. I highly recommend and suggest and encourage that this framework is used in all kinds of threat modelling and planning at all different stages. And the vendors are already using it. I expect, soon everybody would be using it, but the biggest take of it, there is that keep in mind when you're doing this threat modelling and using this framework, it's not complete. There is more scenarios that could be specific to you. There's probably more exposures specific to your organisation that can be there that are plausible attacks that can happen. It's just that nobody has seen them yet. They just waiting to happen. Like, as Alfredo said, we sit down, we predict things and we wait for them to happen, you look for evidence. There's still a lot of scenarios we created in the lab. They haven't happened. So, expect the framework itself, but it covers quite a lot of ground, but there's still more to it.
Ian Yeah. Awesome. Thanks. Thanks a lot for that. And I'm afraid that if I could just leave you with the same question, what's that number one takeaway?
Alfredo So the number one takeaway for me is, it can help you to connect apparently disconnected dots, right? So if you see something, a malware doesn't just pop up on your environment, right? So there's story behind it. Using the framework like this, you can tell the whole story. Like you can have the whole chain of events that led to something bad happened from the entry point to the end goal.
Ian Yeah. And I think, with everything MITRE ATT&CK, it's what we've talked about today is just a dip in the ocean, right? We've got some evaluation results of our latest, MITRE ATT&CK, Engenuity evaluation. I just want to thank you both for your time.