Latest episodes 
Subscribe 
Season 3 / Episode 135
In some ways, cyber security is like Art - and that’s not a good thing… MITRE’s ATT&CK framework tries to make sense of the collective knowledge of the security community, and share that knowledge so that cyber defense becomes less an art form and more about using the correct tools and technique. Nate Nelson, our Sr. producer, talks with Israel Barak - Cybereason's CISO and a regular guest of our podcast - about MITRE ATT&CK, and how it can help your organization stay safe.
- Episode 22
- Episode 23
- Episode 24
- Episode 25
- Episode 26
- Episode 27
- Episode 28
- Episode 29
- Episode 30
- Episode 31
- Episode 32
- Episode 33
- Episode 34
- Episode 35
- Episode 36
- Episode 37
- Episode 38
- Episode 40
- Episode 42
- Episode 43
- Episode 44
- Episode 45
- Episode 46
- Episode 47
- Episode 48
- Episode 49
- Episode 50
- Episode 51
- Episode 52
- Episode 53
- Episode 54
- Episode 55
- Episode 56
- Episode 57
- Episode 58
- Episode 59
- Episode 60
- Episode 62
- Episode 63
- Episode 64
- Episode 65
- Episode 66
- Episode 67
- Episode 68
- Episode 70
- Episode 71
- Episode 72
- Episode 73
- Episode 74
- Episode 75
- Episode 77
- Episode 78
- Episode 79
- Episode 80
- Episode 81
- Episode 82
- Episode 83
- Episode 84
- Episode 85
- Episode 86
- Episode 87
- Episode 88
- Episode 89
- Episode 90
- Episode 91
- Episode 92
- Episode 93
- Episode 94
- Episode 95
- Episode 96
- Episode 97
- Episode 98
- Episode 99
- Episode 100
- Episode 101
- Episode 102
- Episode 103
- Episode 104
- Episode 105
- Episode 106
- Episode 107
- Episode 108
- Episode 109
- Episode 110
- Episode 111
- Episode 112
- Episode 113
- Episode 114
- Episode 115
- Episode 116
- Episode 117
- Episode 118
- Episode 119
- Episode 120
- Episode 121
- Episode 122
- Episode 123
- Episode 124
- Episode 125
- Episode 126
- Episode 127
- Episode 128
- Episode 129
- Episode 130
- Episode 131
- Episode 132
- Episode 133
- Episode 134
- Episode 135
- Episode 136
- Episode 137
- Episode 138
- Episode 139
- Episode 140
- Episode 141
- Episode 142
- Episode 143
- Episode 144
- Episode 145
- Episode 146
- Episode 147
- Episode 148
- Episode 149
- Episode 150
- Episode 151
- Episode 152
- Episode 153
- Episode 154
- Episode 155
- Episode 156
- Episode 157
- Episode 158
- Episode 159
- Episode 160
- Episode 161
- Episode 162
- Episode 163
- Episode 164
- Episode 165
- Episode 166
- Episode 167
- Episode 168
- Episode 169
- Episode 170
- Episode 171
- Episode 172
- Episode 173
- Episode 174
- Episode 175
- Episode 176
- Episode 177
- Episode 178
- Episode 179
- Episode 180
- Episode 181
- Episode 182
- Episode 183
- Episode 184
- Episode 185
- Episode 186
- Episode 187
- Episode 188
- Episode 189
- Episode 190
- Episode 191
- Episode 192
- Episode 193
- Episode 194
- Episode 195
- Episode 196
- Episode 197
- Episode 198
- Episode 199
- Episode 200
- Episode 201
- Episode 202
- Episode 203
- Episode 204
- Episode 205
- Episode 206
- Episode 207
- Episode 208
- Episode 209
- Episode 210
- Episode 211
- Episode 212
- Episode 213
- Episode 214
- Episode 215
- Episode 216
- Episode 217
- Episode 218
- Episode 219
- Episode 220
- Episode 221
- Episode 222
- Episode 223
- Episode 224
- Episode 225
- Episode 226
- Episode 227
- Episode 228
- Episode 229
- Episode 230
- Episode 231
- Episode 232
- Episode 233
- Episode 234
- Episode 235
- Episode 236
- Episode 237
- Episode 238
- Episode 239
Hosted By
Ran Levi
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Israel Barak
CISO at Cybereason
Israel Barak, Cybereason’s CISO, is a cyber defense and warfare expert, with extensive background working for the government where he established and operated various cyber warfare teams. Israel spent years training, guiding and professionally mentoring new personnel, providing in-depth cyber expertise as it relates to cyber warfare, cyber security, and threat actor’s tactics and procedures. Israel is also a regular speaker at leading cyber security industry conferences and events.
The MITRE ATT&CK Framework
Transcription edited by Andrew Greene & Dick Curits
[Ran] Hi, and welcome back to Cybereason’s Malicious Life B-sides, I’m Ran Levi.
In some ways, cybersecurity is like art. There are so many techniques, type of vulnerabilities and tools, it’s easy to get lost if you don’t have enough experience to build a strong sense of intuition. And that’s, sadly, not a good thing. It might give the profession a romantic aura of sorts, you know, the grizzled security veteran who’s seen it all and such, but in practice, the lack of strong scientific-like basis often works against the defenders.
And that’s a part of what MITRE’s attack framework, spelled A-T-T ampersand C-K, tries to achieve. Make sense of the collective knowledge of the security community and share that knowledge so that cyber defense becomes less a form of art and more about using the correct tools and techniques. As MITRE writes on its website: “With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world by bringing communities together to develop more effective cybersecurity.”
In this B-side episode, Nate Nielsen, our senior producer, talks with Israel Barak, cyber reasons CISO and a regular guest of our podcast, about MITRE ATT&CK and how it can help your organization stay safe.
Enjoy the episode.
——
[Nate] Israel, what is MITRE?
[Israel] MITRE is a nonprofit organization that is primarily doing federal government contract work. But as part of their work for the benefit of the public, one of the things that they focus on is bringing innovative standardizations and creating publicly available knowledge bases, really for the benefit of the community. And one of the areas of focus for them in that last couple of years, as an example for that, has been creating the framework and body of knowledge called MITRE ATTACK.
[Nate] Right. So, tell me about the MITRE ATT&CK framework. What is it for people who don’t know?
[Israel] The first thing I think we should look at is what are some of the questions or the needs that MITRE ATT&CK sort of came to try to answer. Basically it tries to answer a couple of key questions for organizations. Those are, I think, security questions that organizations sort of repeatedly ask themselves. And we’ve always been looking for an effective framework to try to answer those questions.
So, the first question is how effective are my defenses? We are all investing significant time, effort, money in building defenses. The first question is how effective are they? The second question, will I be effective in detecting a specific threat actor? So if I’m operating a business that is in a specific industry, say hospitality or health care services, and I know that certain threat actors are known to target the industry that I’m operating in, then the question is, within the realm of threats in general, how effective will I be against threat actors that are known to target the industry that I’m operating in?
The third question is going to be about the data that I’m collecting as a defender. The question is, is the data that I’m collecting actually useful? So organizations spend time and money collecting and retaining logs and telemetry. And the question is, how does that help me be more secure, right?
Does that pay off? Do I need to change the way I’m collecting and retaining data? What is important data? What is maybe not important data or less important data? But that would be probably the third question.
The fourth and I would say probably the final question here that ATT&CK is trying to answers related to the products and tool sets that I’m using or considering to use. The question is, is a particular product that I’m looking into going to really help me improve my defenses, right? Or when I’m looking at my current product set in my environment, do I have any overlapping tool coverage? So those are probably the key questions that ATT&CK came into our lives to try to answer.
[Nate] So those are the questions. How does ATT&CK propose to answer those questions?
[Israel] So ATT&CK is a knowledge base of adversary behavior, basically documenting different tactics, techniques, and procedures, in short, they’re referred to as TTPs, that cyber threat actors use throughout a lifecycle of an attack, starting from the preparation and reconnaissance work that adversaries do before the attack itself, all the way through getting initial access into a target’s environment and through the different stages of the attack when it’s
inside the target’s network until an impact on the target is achieved in forms like data theft or data destruction, denial of service, et cetera. So basically describing the behaviors, techniques, the tactics, the procedures that threat actors use to basically drive a malicious operation throughout its entire lifecycle from preparation to impact.
I see the goal of ATT&CK as a way to progress a field that was primarily a form of art, I would say, into a place where much of it can be considered more systematic or even scientific to a degree. I think some key things to mention about ATT&CK are that it’s, number one, based on real world observations.
So that means that the documented TTPs have been seen to be used by certain threat actors or red team groups, and the goal is to make sure the knowledge base is practical as possible.
The other thing that’s worth mentioning is that ATT&CK is free and open for the benefit of the security community. It’s also a common language to describe techniques and procedures used by threat actors so security practitioners can exchange information more effectively based on a common language to describe those threat actor behaviors. And lastly, it’s important to note that the process of maintaining ATT&CK as a knowledge base is very much community-driven. So when I say community, and when I say community those are security researchers, those are enterprise organizations, those are security vendors and subject matter experts, but the community in general can share information about threat actor behaviors and tools with MITRE that will get incorporated into the knowledge base and share it across the community.
[Nate] You know, I’m on their website now, and to be honest, to the untrained eye, it kind of just looks like an encyclopedia. So what is it that makes MITRE worth talking about? Why are we doing a podcast about it in the first place?
[Israel] I think there are a couple of things that make MITRE ATT&CK very unique. First of all, I think it’s surely not the first attempt, but I would say the most successful attempt that the community has experienced to date to map threat actor behaviors. I think it’s very successful in terms of its completeness.
Obviously, nothing is 100% complete, but I think it’s very broad in its ability to describe different ATT&CK behaviors. The level of completeness is certainly much higher than what we’ve had, anything else that we’ve had in the past.
And the other thing is the actionability of the data, even though maybe at first glance it may appear to be an encyclopedic resource, it’s actually a very actionable data corpus because it allows us to connect every observation on a behavior exhibited by a threat actor to the threat actor that is known to be using this technique and to the type of defensive strategies that we can take to improve our abilities to defend against that technique and also to test our abilities to defend against these techniques. So every entry in that knowledge base is very actionable because it can be translated to improving security defensive fairly quickly.
[Nate] Yeah, I want to stay on the point of comparing with other frameworks because I imagine that some of our listeners out there will have some xperience with things such as Lockheed’s kill chain. So how does MITRE stack up? Does it fall short in any number of ways? How can cybersecurity professionals use this along with the tools that maybe they’re a little bit more used to? What does the space look like overall?
[Israel] There are other frameworks that have developed over time that help us identify software vulnerabilities, help us identify indicators of compromise in the form of IP addresses, domain names, et cetera, that are being used by threat actors. But what’s very unique about MITRE ATT&CK is the type of data that it documents. And that’s primarily adversary TTPs. I think the first thing that really ATT&CK helps us with, and I think it’s interesting to explore that, is really how it enables defenders to improve their ability to detect threats and measure how comprehensive their detection capability is. And to be more specific, that’s very unique to ATT&CK compared to other frameworks. And I often reference David Bianco’s so-called The Pyramid of Pain. The idea behind the data that’s captured in ATT&CK is that certain things that threat actors do are more or less painful for them to change. So for example, changing a file hash for a threat actor is trivial and cheap. So any detection strategy that is based on detecting known hashes can be trivially bypassed
by threat actors.Same goes for IP addresses, domain names. Again, they’re very easy and cheap for the threat actors to change them. So repositories or frameworks that give us information that revolve around those so-called IOCs or indicators, they’re important.
But oftentimes, the value of their information doesn’t help us improve or significantly improve or methodically improve our defenses. But at the top of that pyramid of pain, the toughest thing and the most expensive things for threat actors to change are their tactics, their techniques and procedures. Those are the behavior that they have, right, that were developed and refined sometimes through months or years of effort, and they’ll take a threat actor a significant time to change them.
Now a detection strategy that is built on detecting these TTPs, and that’s the foundation of MITRE ATT&CK, describing, cataloging these TTPs, a detection strategy that’s built on detecting them, gives us probably the best chances of detecting these threat actors over time.
[Nate] All right. So Israel, you are a cybersecurity professional. In what ways does MITRE positively impact the work that you do?
[Israel] The benefits that we get from MITRE ATT&CK span a number of different areas in a security program. The first is the ability to improve our threat detection strategy. It’s basically about reviewing the different tactics, techniques, practices that are described in the ATT&CK framework and ensuring that our tool sets and processes are geared towards giving us the widest possible coverage across the set of adversarial TTPs. That means tuning our threat analytics and data analytics to ensure that we can detect these patterns of behaviors. This means improving our processes for threat hunting across our data to identify these behaviors as they’re happening. At the end of the day, it focuses, or the first thing is the focus on improving our detection coverage based on the understanding that threat actors leverage these different TTPs.
The other benefit is with improving the assessment process to identify security coverage gaps and basically prioritize engineering efforts to close these gaps. What we’re able to do is basically, as part of our assessment process, we can use the MITRE ATT&CK framework to understand which types of techniques, which type of tactics does our tool set and process currently give good coverage for and where are we lacking? Where do we have gaps in coverage? Then understand that we need to prioritize certain engineering efforts to close these gaps. We can then tie it to threat actors and say we might need to prioritize certain gaps over others because threat actors that are active in our industry are known to target those specific gaps.
Assessment processes to identify security gaps and prioritize engineering efforts is another benefit of using the ATT&CK matrix. On the threat intel side, ATT&CK allows us to ongoingly inform defenders on what specific threat actors are doing and how so they can take a more effective action to prepare against these types of adversarial behavior.
Lastly, ATT&CK allows us to improve the efficiency of adversary emulation processes by basically or in other terms, they’re referred to sometimes as pen tests or as red team activities. That’s basically by giving us more context on how to emulate specific threat actors that are known to be relevant to our specific industry and really directly map the results of that threat emulation to process or tooling improvements that need to be done to better detect and
defend against these threat actors.
[Nate] I’d like to get a little more specific here about how MITRE plays into your day-to-day work. Can you tell me, Israel Barak wakes up in the morning, has his coffee, goes into work, gets on his computer. How does MITRE fit in with the day-to-day task-to-task work of being a cyber analyst? Can you give me an example?
[Israel] We can look at an example that involves red team activity or a security assessment. One of the ways we do security assessments is by choosing to emulate a threat actor that is relevant to our industry. Say we open up the MITRE ATT&CK framework and we look at the list of threat actors that
are documented in that framework and we look at the ones that are known to target our industry. We say those are APT3 or FIN7 or APT29. We pick some of them that we haven’t emulated in the past and then we build an adversary emulation plan. We basically use MITRE ATT&CK to understand which tactics, techniques, and procedures, which tools these specific threat actors that we know are more important to us because they’re known to target our industry, which practices and procedures they’re using, and we build an adversary emulation plan based on that.
The emulation plan will basically create a simulated attack in our network that will use similar procedures, similar practices to what these selected threat actors will be using in an attack or at least known to be using in their attack. We will then ensure that we have our telemetry collection, our detection capabilities all set up and operational within the test environment or if it’s done in production that they’re already set up there. We will execute that emulation plan, essentially execute a simulated attack process that will progress and move through our test environment using these different procedures that are included in the emulation plan.
Once that procedure is done, we will review what we captured as alerts in our systems, what our security operations center was able to see and triage in those alerts. We would try to identify, since we know exactly the steps that the attacker took or the simulated attacker took in the test environment, we would compare our detections, our telemetry, our visibility into what the threat or that simulated, emulated threat did and identify areas where our alerting capability might be missing, a behavior that the attacker performed in the environment, but we did not get alerted on it. Or our telemetry might be missing, a behavior that the attacker performed in the environment, but we don’t have any data source that allows our defenders to understand that that’s what
they did.
We would then look at these gaps, all these areas where we had missing alerting or missing telemetry, and then use the MITRE ATT&CK framework to understand which data sources and which analytical capabilities are needed to close these gaps. For example, if a behavior that involves certain type of command and control communication was missing in our telemetry, then what type of data source do we need on our network or on our endpoints to make sure that we have visibility into this telemetry or to make sure that we have the ability to get alerted on that behavior? We would then prioritize engineering efforts to complete or address those gaps with process or tooling based on their prioritization.
Then you look at the bigger picture of all remaining gaps against that emulation plan. That would be a specific example of how we would use ATT&CK on an ongoing basis as part of a security program, in this case, as part of a closed-loop adversary emulation plan.
[Nate] Last question, when you were starting to get acquainted with the MITRE ATT&CK framework, did anything in there surprise you? Anything you haven’t seen before? Anything particularly unique?
[Israel] The content itself wasn’t a huge surprise to me. On a personal level, I come from an offensive security background, and I would say many of the different tactics and techniques I was familiar with. But I think what was primarily interesting for me to see is the completeness of the framework and how over time it stays current and keeps reflecting up-to-date information. So I think it’s primarily about the fact that the framework had started as very, very
valuable resources for defenders, and over the years, it keeps staying r elevant and becoming more and more relevant, and actually recently become, I would say, the gold standard, very likely in the field of post breach detection and invisibility.
So I think the fact that we are able as a community to keep this as the valuable resource over time, that to me, I didn’t and I still don’t see it as something that is simple or trivial to achieve. But I think it’s a major achievement of the community and a testament to MITRE’s ability to organize a community around standard work that is done for the benefit of the public.