The MITRE ATT&CK Framework [ML B-Side]

In some ways, cyber security is like Art - and that’s not a good thing… MITRE’s ATT&CK framework tries to make sense of the collective knowledge of the security community, and share that knowledge so that cyber defense becomes less an art form and more about using the correct tools and technique. Nate Nelson, our Sr. producer, talks with Israel Barak - Cybereason's CISO and a regular guest of our podcast - about MITRE ATT&CK, and how it can help your organization stay safe.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Israel Barak

CISO at Cybereason

Israel Barak, Cybereason’s CISO, is a cyber defense and warfare expert, with extensive background working for the government where he established and operated various cyber warfare teams. Israel spent years training, guiding and professionally mentoring new personnel, providing in-depth cyber expertise as it relates to cyber warfare, cyber security, and threat actor’s tactics and procedures. Israel is also a regular speaker at leading cyber security industry conferences and events.

The MITRE ATT&CK Framework

Transcription edited by Andrew Greene & Dick Curits

[Ran] Hi, and welcome back to Cybereason’s Malicious Life B-sides, I’m Ran Levi.

In some ways, cybersecurity is like art. There are so many techniques, type of vulnerabilities and tools, it’s easy to get lost if you don’t have enough experience to build a strong sense of intuition. And that’s, sadly, not a good thing. It might give the profession a romantic aura of sorts, you know, the grizzled security veteran who’s seen it all and such, but in practice, the lack of strong scientific-like basis often works against the defenders.
And that’s a part of what MITRE’s attack framework, spelled A-T-T ampersand C-K, tries to achieve. Make sense of the collective knowledge of the security community and share that knowledge so that cyber defense becomes less a form of art and more about using the correct tools and techniques. As MITRE writes on its website: “With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world by bringing communities together to develop more effective cybersecurity.”

In this B-side episode, Nate Nielsen, our senior producer, talks with Israel Barak, cyber reasons CISO and a regular guest of our podcast, about MITRE ATT&CK and how it can help your organization stay safe.

Enjoy the episode.


[Nate] Israel, what is MITRE?

[Israel] MITRE is a nonprofit organization that is primarily doing federal government contract work. But as part of their work for the benefit of the public, one of the things that they focus on is bringing innovative standardizations and creating publicly available knowledge bases, really for the benefit of the community. And one of the areas of focus for them in that last couple of years, as an example for that, has been creating the framework and body of knowledge called MITRE ATTACK.

[Nate] Right. So, tell me about the MITRE ATT&CK framework. What is it for people who don’t know?

[Israel] The first thing I think we should look at is what are some of the questions or the needs that MITRE ATT&CK sort of came to try to answer. Basically it tries to answer a couple of key questions for organizations. Those are, I think, security questions that organizations sort of repeatedly ask themselves. And we’ve always been looking for an effective framework to try to answer those questions.

So, the first question is how effective are my defenses? We are all investing significant time, effort, money in building defenses. The first question is how effective are they? The second question, will I be effective in detecting a specific threat actor? So if I’m operating a business that is in a specific industry, say hospitality or health care services, and I know that certain threat actors are known to target the industry that I’m operating in, then the question is, within the realm of threats in general, how effective will I be against threat actors that are known to target the industry that I’m operating in?

The third question is going to be about the data that I’m collecting as a defender. The question is, is the data that I’m collecting actually useful? So organizations spend time and money collecting and retaining logs and telemetry. And the question is, how does that help me be more secure, right?
Does that pay off? Do I need to change the way I’m collecting and retaining data? What is important data? What is maybe not important data or less important data? But that would be probably the third question.

The fourth and I would say probably the final question here that ATT&CK is trying to answers related to the products and tool sets that I’m using or  considering to use. The question is, is a particular product that I’m looking into going to really help me improve my defenses, right? Or when I’m looking at my current product set in my environment, do I have any overlapping tool coverage? So those are probably the key questions that ATT&CK came into our lives to try to answer.

[Nate] So those are the questions. How does ATT&CK propose to answer those questions?

[Israel] So ATT&CK is a knowledge base of adversary behavior, basically documenting different tactics, techniques, and procedures, in short, they’re referred to as TTPs, that cyber threat actors use throughout a lifecycle of an attack, starting from the preparation and reconnaissance work that adversaries do before the attack itself, all the way through getting initial access into a target’s environment and through the different stages of the attack when it’s
inside the target’s network until an impact on the target is achieved in forms like data theft or data destruction, denial of service, et cetera. So basically describing the behaviors, techniques, the tactics, the procedures that threat actors use to basically drive a malicious operation throughout its entire lifecycle from preparation to impact.

I see the goal of ATT&CK as a way to progress a field that was primarily a form of art, I would say, into a place where much of it can be considered more systematic or even scientific to a degree. I think some key things to mention about ATT&CK are that it’s, number one, based on real world observations.
So that means that the documented TTPs have been seen to be used by certain threat actors or red team groups, and the goal is to make sure the knowledge base is practical as possible.

The other thing that’s worth mentioning is that ATT&CK is free and open for the benefit of the security community. It’s also a common language to describe techniques and procedures used by threat actors so security practitioners can exchange information more effectively based on a common language to describe those threat actor behaviors. And lastly, it’s important to note that the process of maintaining ATT&CK as a knowledge base is very much community-driven. So when I say community, and when I say community those are security researchers, those are enterprise organizations, those are security vendors and subject matter experts, but the community in general can share information about threat actor behaviors and tools with MITRE that will get incorporated into the knowledge base and share it across the community.

[Nate] You know, I’m on their website now, and to be honest, to the untrained eye, it kind of just looks like an encyclopedia. So what is it that makes MITRE worth talking about? Why are we doing a podcast about it in the first place?

[Israel] I think there are a couple of things that make MITRE ATT&CK very unique. First of all, I think it’s surely not the first attempt, but I would say the most successful attempt that the community has experienced to date to map threat actor behaviors. I think it’s very successful in terms of its completeness.
Obviously, nothing is 100% complete, but I think it’s very broad in its ability to describe different ATT&CK behaviors. The level of completeness is  certainly much higher than what we’ve had, anything else that we’ve had in the past.

And the other thing is the actionability of the data, even though maybe at first glance it may appear to be an encyclopedic resource, it’s actually a very actionable data corpus because it allows us to connect every observation on a behavior exhibited by a threat actor to the threat actor that is known to be using this technique and to the type of defensive strategies that we can take to improve our abilities to defend against that technique and also to test our abilities to defend against these techniques. So every entry in that knowledge base is very actionable because it can be translated to improving security defensive fairly quickly.

[Nate] Yeah, I want to stay on the point of comparing with other frameworks because I imagine that some of our listeners out there will have some  xperience with things such as Lockheed’s kill chain. So how does MITRE stack up? Does it fall short in any number of ways? How can cybersecurity professionals use this along with the tools that maybe they’re a little bit more used to? What does the space look like overall?

[Israel] There are other frameworks that have developed over time that help us identify software vulnerabilities, help us identify indicators of compromise in the form of IP addresses, domain names, et cetera, that are being used by threat actors. But what’s very unique about MITRE ATT&CK is the type of data that it documents. And that’s primarily adversary TTPs. I think the first thing that really ATT&CK helps us with, and I think it’s interesting to explore that, is really how it enables defenders to improve their ability to detect threats and measure how comprehensive their detection capability is. And to be more specific, that’s very unique to ATT&CK compared to other frameworks. And I often reference David Bianco’s so-called The Pyramid of Pain. The idea behind the data that’s captured in ATT&CK is that certain things that threat actors do are more or less painful for them to change. So for example, changing a file hash for a threat actor is trivial and cheap. So any detection strategy that is based on detecting known hashes can be trivially bypassed
by threat actors.Same goes for IP addresses, domain names. Again, they’re very easy and cheap for the threat actors to change them. So repositories or frameworks that give us information that revolve around those so-called IOCs or indicators, they’re important.

But oftentimes, the value of their information doesn’t help us improve or significantly improve or methodically improve our defenses. But at the top of that pyramid of pain, the toughest thing and the most expensive things for threat actors to change are their tactics, their techniques and procedures. Those are the behavior that they have, right, that were developed and refined sometimes through months or years of effort, and they’ll take a threat actor a significant time to change them.

Now a detection strategy that is built on detecting these TTPs, and that’s the foundation of MITRE ATT&CK, describing, cataloging these TTPs, a detection strategy that’s built on detecting them, gives us probably the best chances of detecting these threat actors over time.

[Nate] All right. So Israel, you are a cybersecurity professional. In what ways does MITRE positively impact the work that you do?

[Israel] The benefits that we get from MITRE ATT&CK span a number of different areas in a security program. The first is the ability to improve our threat detection strategy. It’s basically about reviewing the different tactics, techniques, practices that are described in the ATT&CK framework and ensuring that our tool sets and processes are geared towards giving us the widest possible coverage across the set of adversarial TTPs. That means tuning our threat analytics and data analytics to ensure that we can detect these patterns of behaviors. This means improving our processes for threat hunting across our data to identify these behaviors as they’re happening. At the end of the day, it focuses, or the first thing is the focus on improving our detection coverage based on the understanding that threat actors leverage these different TTPs.

The other benefit is with improving the assessment process to identify security coverage gaps and basically prioritize engineering efforts to close these gaps. What we’re able to do is basically, as part of our assessment process, we can use the MITRE ATT&CK framework to understand which types of techniques, which type of tactics does our tool set and process currently give good coverage for and where are we lacking? Where do we have gaps in coverage? Then understand that we need to prioritize certain engineering efforts to close these gaps. We can then tie it to threat actors and say we might need to prioritize certain gaps over others because threat actors that are active in our industry are known to target those specific gaps.

Assessment processes to identify security gaps and prioritize engineering efforts is another benefit of using the ATT&CK matrix. On the threat intel side, ATT&CK allows us to ongoingly inform defenders on what specific threat actors are doing and how so they can take a more effective action to prepare against these types of adversarial behavior.

Lastly, ATT&CK allows us to improve the efficiency of adversary emulation processes by basically or in other terms, they’re referred to sometimes as pen tests or as red team activities. That’s basically by giving us more context on how to emulate specific threat actors that are known to be relevant to our specific industry and really directly map the results of that threat emulation to process or tooling improvements that need to be done to better detect and
defend against these threat actors.

[Nate] I’d like to get a little more specific here about how MITRE plays into your day-to-day work. Can you tell me, Israel Barak wakes up in the morning, has his coffee, goes into work, gets on his computer. How does MITRE fit in with the day-to-day task-to-task work of being a cyber analyst? Can you give me an example?

[Israel] We can look at an example that involves red team activity or a security assessment. One of the ways we do security assessments is by choosing to emulate a threat actor that is relevant to our industry. Say we open up the MITRE ATT&CK framework and we look at the list of threat actors that
are documented in that framework and we look at the ones that are known to target our industry. We say those are APT3 or FIN7 or APT29. We pick some of them that we haven’t emulated in the past and then we build an adversary emulation plan. We basically use MITRE ATT&CK to understand which tactics, techniques, and procedures, which tools these specific threat actors that we know are more important to us because they’re known to target our industry, which practices and procedures they’re using, and we build an adversary emulation plan based on that.

The emulation plan will basically create a simulated attack in our network that will use similar procedures, similar practices to what these selected threat actors will be using in an attack or at least known to be using in their attack. We will then ensure that we have our telemetry collection, our detection capabilities all set up and operational within the test environment or if it’s done in production that they’re already set up there. We will execute that emulation plan, essentially execute a simulated attack process that will progress and move through our test environment using these different procedures that are included in the emulation plan.

Once that procedure is done, we will review what we captured as alerts in our systems, what our security operations center was able to see and triage in those alerts. We would try to identify, since we know exactly the steps that the attacker took or the simulated attacker took in the test environment, we would compare our detections, our telemetry, our visibility into what the threat or that simulated, emulated threat did and identify areas where our alerting capability might be missing, a behavior that the attacker performed in the environment, but we did not get alerted on it. Or our telemetry might be missing, a behavior that the attacker performed in the environment, but we don’t have any data source that allows our defenders to understand that that’s what
they did.

We would then look at these gaps, all these areas where we had missing alerting or missing telemetry, and then use the MITRE ATT&CK framework to understand which data sources and which analytical capabilities are needed to close these gaps. For example, if a behavior that involves certain type of command and control communication was missing in our telemetry, then what type of data source do we need on our network or on our endpoints to make sure that we have visibility into this telemetry or to make sure that we have the ability to get alerted on that behavior? We would then prioritize engineering efforts to complete or address those gaps with process or tooling based on their prioritization.

Then you look at the bigger picture of all remaining gaps against that emulation plan. That would be a specific example of how we would use ATT&CK on an ongoing basis as part of a security program, in this case, as part of a closed-loop adversary emulation plan.

[Nate] Last question, when you were starting to get acquainted with the MITRE ATT&CK framework, did anything in there surprise you? Anything you haven’t seen before? Anything particularly unique?

[Israel] The content itself wasn’t a huge surprise to me. On a personal level, I come from an offensive security background, and I would say many of the different tactics and techniques I was familiar with. But I think what was primarily interesting for me to see is the completeness of the framework and how over time it stays current and keeps reflecting up-to-date information. So I think it’s primarily about the fact that the framework had started as very, very
valuable resources for defenders, and over the years, it keeps staying r elevant and becoming more and more relevant, and actually recently become, I would say, the gold standard, very likely in the field of post breach detection and invisibility.

So I think the fact that we are able as a community to keep this as the valuable resource over time, that to me, I didn’t and I still don’t see it as something that is simple or trivial to achieve. But I think it’s a major achievement of the community and a testament to MITRE’s ability to organize a community around standard work that is done for the benefit of the public.