Cyber security, and software development more generally, already have one of the largest collections of standards and frameworks. MITRE has added to it with ATT&CK, a knowledge base of Adversarial Tactics, Techniques and Common Knowledge: the behaviors a malicious party has been observed to use. It is helpful in the following ways:
- It is a living document that records real-world observations on cyber attacks
- It provides a matrix model to arrange the stages of an attack into a structured layout
- It is open to any organization or individual (government, private, or other)
In short, the MITRE ATT&CK® framework aims to be a comprehensive catalog that establishes a shared taxonomy and vocabulary for discussing cyber security incidents and threats. Better yet, it is useful for researchers and professionals to categorize and unravel the behaviors observed as an attack is executed (or after the fact).
That last point, though, highlights a challenge that executives and risk management teams may struggle with:
- How does the MITRE ATT&CK framework help me as an asset owner?
- What are the benefits and where do they apply?
- How does this tie into my existing cyber security frameworks (e.g., NIST CSF) and technology (e.g., Verve)?
What is the MITRE ATT&CK framework?
MITRE ATT&CK is a cyber security framework that has three matrices:
- PRE-ATT&CK covers the elements used before an attack is executed, or early on before the main attack occurs. (MITRE has since retired it and folded its content into the Enterprise matrix as the Reconnaissance and Resource Development tactics.)
- Enterprise covers the elements present in traditional Information Technology (IT) attacks and scenarios. It is broken down by platform (e.g., Windows, Linux, macOS, cloud); the Mobile techniques are published as a separate matrix rather than as a subset of Enterprise.
- ICS covers the elements present in Operational Technology (OT) attacks and scenarios. Unfortunately, it is separate from the Enterprise matrix, but because of the convergent nature of IT and OT, elements can and will overlap.
Figure 1: MITRE ATT&CK Enterprise framework available on mitre.org
The MITRE ATT&CK framework is quite exhaustive and will be most useful to those knowledgeable and well-versed in cyber security. Tying the applicable elements to your OT environment requires tribal knowledge, expertise and an existing framework such as the NIST CSF.
Within each listed technique – such as External Remote Services – is a drill-down to learn more about:
- Procedure examples (the variety of ways the technique has been used)
- Threat groups and software known to use the technique
- Detection guidance
- References to other information sources
- Related mitigations
Figure 2: External Remote Services ATT&CK element
Therefore, if a cyber threat is identified, or an organization or team decomposes an attack (hypothesized, already occurred, or a particular aspect under examination), risk management and security teams could conceptually leverage the framework in the following way:
Figure 3: High-level conceptual usage of MITRE ATT&CK framework
The MITRE ATT&CK framework can be used to guide cyber security requirements for existing or new systems, indicating which types of security functionality or features can or should be used when designing a security solution. It may also guide the testing and validation of the related technical solution requirements.
Figure 4: ATT&CK ICS matrix from mitre.org
The MITRE ATT&CK ICS framework provides an overview of the tactics and techniques more likely to be present in OT/ICS environments, and tailors the catalog to a community whose priorities (safety and availability first) differ sharply from those of the Enterprise matrix's intended audience.
However, while IT and OT are often treated as separate worlds, IT/OT convergence means a single attack commonly spans both, drawing techniques from both the Enterprise and ICS matrices.
For example, an attacker may gain access through a compromised VPN gateway or RDP terminal server (Initial Access – External Remote Services / Internet Accessible Device). From that position within the network, the attacker may traverse laterally* from one system to another after obtaining privileged account credentials that are frequently reused or left at vendor defaults (Lateral Movement – Default Credentials).
Eventually, the attacker arrives at a control room network segment by compromising an operator's workstation (Initial Access – Engineering Workstation Compromise). The attacker deploys ransomware to disrupt operations on all vulnerable systems (Inhibit Response Function – Denial of Service) and denies process visibility to the operators, so the process is stopped (Impact – Denial of Control, Denial of View, Loss of Productivity and Revenue).
The MITRE ATT&CK framework is complementary to NIST CSF, but not a replacement
Unfortunately, there is another caveat when using the MITRE ATT&CK frameworks: they are not a replacement for people, process, and technology. ATT&CK may provide hints on how to detect a threat, show how an attacker chains one technique to another for a specific purpose, or even suggest mitigations, but it is not a replacement for organizational cyber security frameworks, vulnerability and risk management, adequately trained staff, effective security solution designs and configuration, incident handling processes and playbooks, and appropriate cyber security technology.
Figure 5: ICS Framework – System Firmware Wiki page from mitre.org
This example is not contrived, and there is a high probability this exact scenario has played out for an industrial organization's incident response and cyber security teams. As illustrated, elements of the scenario span the tactic columns seen in the header of Figure 4, and include techniques that may belong in both IT and OT environments.
Where * is denoted, the ICS ATT&CK framework does not outline a specific technique for that step, but this is easily remedied by using the Enterprise framework to fill in the gap. In this scenario, ATT&CK works well to isolate key elements when detecting, triaging, isolating, and describing a cyber incident after it has occurred. Had other cyber security capabilities been in place and correctly operationalized, the same framework elements could have been used earlier in the chain to limit how far the impact spread.
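To make the "decompose a threat, then verify coverage" usage of Figure 3 concrete, here is an added example (not Verve's or MITRE's code) that encodes the scenario above as an ordered list of ATT&CK techniques, checks each step against a constructed inventory of existing detections, and writes the result out as ATT&CK Navigator layers so the gaps can be visualized on the matrices. Technique IDs are MITRE's published Enterprise (T1xxx) and ICS (T0xxx) identifiers and should be checked against the ATT&CK version in use; the detection inventory and the version numbers in the layer header are assumptions.

```python
"""Decompose the IT/OT scenario into ATT&CK techniques, check each step against a
detection inventory, and emit ATT&CK Navigator layers that colour the gaps.

Added example, not Verve's or MITRE's code. Technique IDs are MITRE's published
Enterprise (T1xxx) and ICS (T0xxx) identifiers; the detection inventory is
constructed, and the layer "versions" header is an assumption to adjust locally.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    tactic: str          # Navigator's lower-case, hyphenated tactic short name
    technique_id: str
    name: str
    domain: str          # "enterprise-attack" or "ics-attack"


# The scenario in narrative order. The ICS matrix names the OT-specific
# techniques; the Enterprise Remote Services technique fills in the lateral
# traversal step the ICS matrix does not spell out.
SCENARIO = [
    Step("initial-access", "T1133", "External Remote Services", "enterprise-attack"),
    Step("initial-access", "T0883", "Internet Accessible Device", "ics-attack"),
    Step("lateral-movement", "T1021", "Remote Services", "enterprise-attack"),
    Step("lateral-movement", "T0812", "Default Credentials", "ics-attack"),
    Step("initial-access", "T0818", "Engineering Workstation Compromise", "ics-attack"),
    Step("inhibit-response-function", "T0814", "Denial of Service", "ics-attack"),
    Step("impact", "T0813", "Denial of Control", "ics-attack"),
    Step("impact", "T0815", "Denial of View", "ics-attack"),
    Step("impact", "T0828", "Loss of Productivity and Revenue", "ics-attack"),
]

# Constructed inventory: each existing signal or control and the techniques it covers.
DETECTIONS = {
    "vpn-gateway-failed-login-burst": {"T1133"},
    "rdp-from-it-zone-into-dmz": {"T1021"},
    "hmi-ransomware-note-dropped": {"T0814"},
}


def covered_ids(detections=DETECTIONS):
    """Union of every technique ID some detection claims to cover."""
    return set().union(*detections.values())


def uncovered_steps(scenario=SCENARIO, detections=DETECTIONS):
    """Scenario steps, in order, with no detection behind them."""
    covered = covered_ids(detections)
    return [s for s in scenario if s.technique_id not in covered]


def first_gap(scenario=SCENARIO, detections=DETECTIONS):
    """Earliest undetected step: the cheapest place to stop impact expansion."""
    gaps = uncovered_steps(scenario, detections)
    return gaps[0] if gaps else None


def navigator_layer(domain, scenario=SCENARIO, detections=DETECTIONS):
    """Build one ATT&CK Navigator layer (a layer holds exactly one domain).
    Score 1 = covered, 0 = gap; the gradient renders gaps red, covered green."""
    covered = covered_ids(detections)
    techniques = []
    for s in scenario:
        if s.domain != domain:
            continue
        hit = s.technique_id in covered
        who = sorted(k for k, v in detections.items() if s.technique_id in v)
        techniques.append({
            "techniqueID": s.technique_id,
            "tactic": s.tactic,
            "score": 1 if hit else 0,
            "comment": f"{s.name}: " + (", ".join(who) if hit else "NO DETECTION"),
            "enabled": True,
        })
    return {
        "name": f"IT/OT scenario coverage ({domain})",
        # ASSUMPTION: set these to the versions your Navigator instance reports.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Scenario decomposition with detection coverage; score 0 = gap.",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    gap = first_gap()
    print(f"first gap: {gap.technique_id} {gap.name} ({gap.tactic})")
    for dom in ("enterprise-attack", "ics-attack"):
        print(json.dumps(navigator_layer(dom), indent=2))
```

A Navigator layer covers a single domain, so the Enterprise and ICS halves of the chain are written as two layers and loaded side by side. With the constructed inventory, the first uncovered step is the Internet Accessible Device at the perimeter: everything after it is impact expansion, so that is where a new use case buys the most.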
How does MITRE ATT&CK help asset owners?
Referring back to Figure 3, the diagram illustrates how the framework is used to decompose an actual or hypothetical cyber security threat, and to broaden or verify current coverage against a threat or event. But keep in mind:
The MITRE ATT&CK framework is not a substitute for an organization to have an appropriate and mature cyber security policy. An organization must have the basic policy and procedures in place, but also relevant technologies that contribute to the identification, eradication, and recovery of a cyber security event.
ATT&CK is not a standalone savior, a silver bullet, or even a checkbox feature to be touted by vendors. If you are an executive, procurement or security team leader, it’s great that a technology may have out of the box framework support, but it doesn’t specifically lower Total Cost of Ownership (TCO) nor increase Return on Investment (ROI).
Your organization still needs to nail down the basics of people, process, and technology, and must align the framework to the threats relevant to it (e.g., safety-driven versus information-driven priorities).
Assuming organizational environment factors are addressed, and basic governance frameworks are in place, examine the following NIST CSF aligned activities (note the combined usage of Identify/Detect, and the addition of the Document group):
Figure 6: Example usage of ATT&CK combined with NIST CSF
Figure 6 combines ATT&CK with NIST CSF to show where ATT&CK can sharpen an organization's security posture. For example, suppose ABC Corporation has:
- An existing policy that uses the NIST Cyber Security Framework
- An incident response playbook for detecting, identifying and responding to a certain type of cyber incident
ABC Corporation would use ATT&CK to standardize the language the playbook uses for attacker behavior, and to add conditions to the playbook workflow (for example, which technique was observed) that change the steps the security team executes.
MITRE ATT&CK will not invalidate or replace investment in other cyber security frameworks such as NIST CSF, ISO 27001, or any other security framework; instead it acts as a multiplier when tuning security technology, policies, and procedures, especially when you have an in-house security team or an external Security Operations Center. It is also useful as your organization prepares for the worst or is likely to be a frequent target, but it does not replace legislation and compliance requirements.
What are the MITRE ATT&CK benefits when combined with Verve?
In a mature environment, many capabilities are required for effective cyber security, but the ATT&CK framework still contributes to both policy and technology. If you are already monitoring for cyber threats, ATT&CK gives you a way to measure detection coverage and shows where to add use cases or adjust existing ones.
For most cyber security investments, ATT&CK will not deliver the same benefit it does when mapping adversarial techniques for red teaming, but Verve Industrial extracts more value from it by applying capabilities beyond asset inventory management. The Verve platform supports SIEM functionality for logging and alerts (Signals) out of the box, and we support a variety of detection use cases aligned to ATT&CK.
Figure 7: Verve Platform, SIEM and Signals
Because Verve can be installed on commodity systems and can retrieve and ingest logs from applicable embedded OT systems, security teams can raise alerts from OT systems, perform baseline analysis, and feed those alerts into incident response processes through the out-of-the-box ATT&CK detections.
Effectively, the Verve solution gives analysts, threat hunters, system maintainers, and responders accurate, comprehensive asset information and the ability to:
- Lock down and harden systems
- Remediate known vulnerabilities
- Apply policy and secure configurations
- Install patches and updates
- Alert on anomalous conditions
Figure 8: ATT&CK enhances detection and incident handling through existing functionality
Regardless of how you handle cyber security incidents, whether through a third-party integration or SOAR, or even automated emails, Verve's IT/OT security platform combines with the MITRE ATT&CK framework with little effort.
To get started quickly, Verve supports several detection use cases without additional configuration, each mapped directly to the framework. Because Verve can ingest logs in a variety of formats, including Syslog and Windows Event Log, a range of further use cases are supported:
- Successful/failed logins
- Local service commands
- Scheduled local task completion
- New process creation
- Unauthorized connection attempts
- Performance baseline variations
- Compliance element tracking
Alternatively, if your organization or deployment has other requirements, such as NERC CIP, additional alerts, alarming criteria and integrations are easily accommodated within the Verve Security Center with or without ATT&CK framework elements.
For example, using Verve's Security Information and Event Management (SIEM) functionality, an asset owner forwards Windows event logs and syslog messages for analysis. Once ingested, the logs can be reviewed directly by an analyst or processed automatically with minimal effort: by selecting signals (predefined detection use cases), or by using machine-learning baseline anomaly detection to flag deviations from normal behavior.
Signals act as detection use cases that map to specific events or types of events for easy identification, alerting, triage, and investigation. Anomalies are detected continuously and automatically, using past events as a baseline against which forecast variations are compared.
Verve summarizes the signals raised and their counts over time, with automatic categorization and supplementary information such as the host and users associated with each event.
Figure 9: SIEM detections overview
By providing both a high-level overview and specific host information, the SIEM functionality becomes invaluable for cyber security teams investigating an incident or for technology teams diagnosing an issue. This is especially true when an asset is under active attack, because the signals map directly to ATT&CK framework elements (and/or supplementary event playbooks).
Figure 10: SIEM event drilldown by host
Imagine an analyst from your organization examining the detection dashboards, either from an investigative stance or from a compliance perspective. They monitor events as they occur and drill into specific ones. When the analyst selects an event of interest, there are a number of choices in front of them, and they can clearly see that the event carries a suggested severity and the appropriate MITRE ATT&CK element.
Figure 11: Local service commands event
Alternatively, the analyst can create their own signal detection rules from scratch to improve monitoring and automation, and tie the resulting events into a timeline for investigation. This time series groups attack events into framework elements and aids incident handling by annotating alerts as part of the labeled timeline.
Figure 12: Event timeline attack on Verve managed host
Machine learning in the Verve Security Center can be scheduled and configured to watch for specific patterns in logs and events. This is customizable and useful to analysts for retrospective work during a technology enhancement project, or for identifying potential incidents that have not yet raised a clear alarm.
Figure 13: Machine learning on events with Verve
Closing the loop
The MITRE ATT&CK framework is a great addition to the cyber security framework landscape, but it is not a standalone option. Its matrices can be used alone or in combination (e.g., Enterprise elements combined with ICS framework elements), and ultimately it helps teams deconstruct incidents and threats, derive security solution requirements, fine-tune detection use cases, and standardize cyber security terminology.
Verve's asset management, detection, compliance, and protection capabilities support a wide range of detections tailored to your organization, monitoring background event flows for anomalies without another tool. This happens within one platform, and is useful in both IT and OT environments.