The purpose of the MITRE ATT&CK Framework is NOT only to detect threats in your environment in real-time. The real purpose of ATT&CK is to help defending teams understand adversary behavior, develop potential attack scenarios, evaluate their defenses, build a prioritized list of gaps to close, and ultimately accelerate incident response with improved threat intelligence. This is NOT to say that ATT&CK does not assist in threat detection. It provides specific behaviors to look for and detections that immediately raise an alarm for a technique in progress, or for a series of techniques that together match a known pattern of adversary behavior.

However, used just as a detection tool, MITRE ATT&CK loses its real strength.

What is the MITRE ATT&CK framework?

The MITRE ATT&CK® framework is a publicly available knowledge base of observed adversary behaviors categorized into specific tactics and techniques across an adversary’s attack lifecycle. It provides a taxonomy or vocabulary when discussing cybersecurity incidents or threats.  And most importantly it is an evolving knowledge base that gathers the latest intelligence from the community and updates its models over time.

The framework consists of Tactics and Techniques across the lifecycle of an attack.

Tactics: These correspond to an adversary’s goals throughout an attack and form a sequence almost as a movie would play out. Each Tactic is an “end” that leads to the next “end”.

Techniques: The “means” to the “end”. The specific tools, processes, and steps that the adversary takes to achieve a specific Tactic.

This is probably best explained with a couple of examples. In the MITRE ATT&CK for Enterprise framework, the “Persistence” tactic refers to the adversary’s goal of maintaining access to a system across restarts, changed credentials, and other interruptions. There are currently 19 techniques that adversaries have used to accomplish this objective – from Account Manipulation to Shortcut Modification. These are the ways an adversary keeps its foothold on the system.

The image below shows the matrix of tactics and techniques of the MITRE ATT&CK for Enterprise framework.

Figure 1: MITRE ATT&CK Enterprise framework available on mitre.org

The MITRE ATT&CK framework breaks down the tactics that adversaries use to attack organizations. We will not repeat all of the details of what it is here, but in summary, ATT&CK documents the real-world tactics that adversaries use. Each of these tactics is broken down into a series of techniques that adversaries have used to complete those tactics. The framework has multiple use cases, from developing red-team scenarios and understanding current defensive posture to evaluating incidents to detect threats and adversary actions.

Although many look at ATT&CK as a detection tool, it has a much broader set of use cases, and most are not about real-time monitoring and detection. There are eight broad use cases:

1. Adversary emulation scenario development.

This enables a company to develop potential scenarios of how an adversary may seek to impair and affect their systems.

2. Gap assessment of current controls.

An organization familiar with the scenarios can forecast how its existing systems would protect against the techniques portrayed in the adversary scenarios developed. Furthermore, this use case pertains to far more than just detection: backup and restore, vulnerability and patch management, updated Anti-malware tools, etc.

3. Red-team or table-top planning

The scenarios can help table-top planning teams to construct real-world attack patterns for the blue team to defend against. Additionally, this may involve an evaluation of the company SOC’s maturity – based on if they can determine the techniques being used.

4. Threat detection and monitoring

Threat hunting teams may utilize the framework to ensure that they can recognize the various techniques and how they connect.

5. Incident response

By supplying real-world models and intelligence regarding tactics and techniques, MITRE empowers incident response teams to work through techniques once an event is reported. While attackers may use novel techniques, the foundation of those detailed in the framework can expedite response and remediation.

6. Current security tool integrations

Protecting against the range of techniques in the MITRE ATT&CK framework demands a variety of instrumentation and assessment. The key to effective defense, however, is integrating this security intelligence into a common knowledge base so that the organization can determine its effectiveness across the range of tactics the attacker may use.

7. Threat intelligence enrichment

The depth of information included as part of the framework content can significantly assist threat intelligence teams by providing depth and context of how that intel may display in the real-world environment.

8. Improve communication

The framework provides a common taxonomy to defenders across an organization as well as a way to describe threats to other stakeholders. This common taxonomy is enabled by the widespread awareness of the framework.

MITRE ATT&CK and Verve Industrial

The techniques described in ATT&CK (whether Enterprise or ICS) take advantage of a range of risks, vulnerabilities, and lack of defenses in the environment. This includes software vulnerabilities, lack of anti-malware signatures, misconfigured devices, compromised accounts and credentials, lack of visibility and detection, etc. ATT&CK can be used to define scenarios based on adversary behavior. To understand its defenses, an organization needs to have a comprehensive, real-time view of each of those defenses in context with others.

The Verve Security Center was designed to do just this. It begins with the most advanced asset inventory of OT assets available. This asset inventory is the central engine that drives the rest of the defensive applications. Each of these elements of defense then improves the overall protection and detection in the environment. For instance, by having an integrated view of software vulnerabilities and patches as well as configurations, anti-malware status, backups, and asset criticality, Verve identifies where the gaps may be in this overall defensive structure and where an adversary could execute a successful technique.

Verve Security Center Platform

For instance, the MITRE ATT&CK tactic regarding lateral movement has a technique called “Exploitation of Remote Services”. This technique leverages software vulnerabilities to move across a network such as SMB. Through Verve’s view of the patch status of each endpoint, the operator understands how effective its defenses would be against such a technique. Or in that same tactic, the Remote Services technique can use valid accounts for lateral movement. Verve allows the defenders to identify such valid accounts that may be at risk either due to older passwords, dormant usage, previously compromised users, or the presence of administrator accounts where they are unnecessary.

MITRE ATT&CK, in use with Verve, allows the defender to define a set of reasonable scenarios and then compare the defense data available in Verve with the techniques used in those scenarios.
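The gap check described above, as an added example that is not Verve code: it runs the two lateral-movement techniques (T1210 Exploitation of Remote Services; T1078 Valid Accounts used via T1021 Remote Services, the IDs taken from ATT&CK, not from this page) over a constructed asset inventory whose field names and policy thresholds are assumptions.

```python
# Gap assessment for the two lateral-movement techniques named above, run over a
# constructed asset inventory.  Added example, not Verve code; field names are assumed.

MAX_PW_AGE_DAYS = 180   # assumed password-age policy
DORMANT_DAYS = 90       # assumed threshold for a dormant account

# Constructed inventory: what an asset-centric view of patch and account status might hold.
ASSETS = [
    {"host": "hmi-01", "services": ["smb"], "smb_patched": False,
     "accounts": [
         {"name": "operator", "admin": True, "admin_required": True,
          "pw_age_days": 400, "last_login_days": 2},
         {"name": "vendor", "admin": True, "admin_required": False,
          "pw_age_days": 30, "last_login_days": 200},
     ]},
    {"host": "hist-01", "services": ["smb"], "smb_patched": True,
     "accounts": [
         {"name": "svc_hist", "admin": False, "admin_required": False,
          "pw_age_days": 20, "last_login_days": 1},
     ]},
]

def t1210_exposure(asset):
    """Exploitation of Remote Services (T1210): SMB reachable and the fix not applied."""
    return "smb" in asset["services"] and not asset["smb_patched"]

def t1078_findings(asset):
    """Valid Accounts (T1078) abused through Remote Services (T1021): accounts whose
    hygiene would let a stolen or reused credential move laterally unnoticed."""
    findings = []
    for acct in asset["accounts"]:
        reasons = []
        if acct["pw_age_days"] > MAX_PW_AGE_DAYS:
            reasons.append("stale password")
        if acct["last_login_days"] > DORMANT_DAYS:
            reasons.append("dormant")
        if acct["admin"] and not acct["admin_required"]:
            reasons.append("unnecessary admin")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings

def assess(assets):
    """Per host, the technique IDs the current defenses leave exposed."""
    report = {}
    for asset in assets:
        gaps = []
        if t1210_exposure(asset):
            gaps.append("T1210")
        if t1078_findings(asset):
            gaps.append("T1078")
        report[asset["host"]] = gaps
    return report
```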

MITRE ATT&CK Detection with the Verve Security Center

One way organizations use MITRE ATT&CK is to define a set of detections that identify the techniques in use by adversaries. This is often referenced as whether a threat detection tool ties to the MITRE ATT&CK framework. Verve’s unique approach to its threat detection enables this integration between MITRE ATT&CK for Enterprise and MITRE ATT&CK for ICS.

As mentioned above, these two frameworks are complementary, not alternatives. The ICS framework specifically focuses on those ICS systems mostly in Levels 0-2 of the Purdue model. Enterprise focuses on the Windows/Linux and other systems that operate at Level 3 (and some at Level 2) as well as at the perimeter of IT and OT. It is imperative that industrial organizations integrate these two frameworks rather than just rely on ICS when considering their operational environments.

To bring together these two frameworks in the OT environment, Verve developed a comprehensive detection platform based on its unique architecture which gathers information directly from OT endpoints. It then creates an “XDR” bringing in a range of telemetry against the full range of MITRE ATT&CK techniques.

This allows Verve to identify techniques as they occur in the environment.

Figure 7: Verve Platform, SIEM and Signals

To get started quickly, Verve supports several detection use cases without additional configuration and maps directly to the framework. Given Verve’s flexibility to digest logs in any manner, including Syslog and Windows Event log format, a variety of other use cases are supported:

  • Successful/failed logins
  • Local service commands
  • Scheduled local task completion
  • New process creation
  • Unauthorized connection attempts
  • Performance baseline variations
  • Compliance element tracking

Alternatively, if your organization or deployment has other requirements such as NERC CIP, additional alerts, alarming criteria, and integrations are easily accommodated within the Verve Security Center with or without ATT&CK framework elements.

For example, using the Verve Security Threat Detection functionality, Verve collects the range of telemetry above and then creates baselines and identifies potential anomalous behaviors aligned to the MITRE ATT&CK framework.

Signals act as detection use cases that map to specific events or types of events for easy identification, alerts, triage, and investigation.

Verve outlines the variety of signals and counts over time. This also includes automatic categorization and supplementary information such as the host and users associated with the event.

Figure 9: SIEM detections overview

This is especially true if an asset undergoes an active attack as those signals are directly mapped to ATT&CK framework elements (and/or supplementary event playbooks).

Figure 10: SIEM event drilldown by host

Imagine an analyst from your organization examines the detection dashboards either from an investigative stance or from a compliance perspective. They monitor the events as they continuously occur and drill into specific events. When the analyst selects an event of interest, there are a number of possible causes, but they can also clearly see that the event is designated with a suggested severity and the appropriate MITRE ATT&CK element.
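The signal mapping described in the detection use cases above (logins, service commands, scheduled tasks, process creation) and the severity-plus-technique tagging just described, as an added example that is not Verve's signal engine: the log lines are constructed, the log format is assumed, and the ATT&CK technique IDs are real but come from ATT&CK rather than this page.

```python
# Map raw Windows events to ATT&CK techniques with a suggested severity, then escalate
# a failed-login burst.  Added example, not Verve code; log format is assumed.
import re
from collections import Counter

# Constructed syslog-forwarded Windows events: "<host> EventID=<id> User=<user> ..."
LOG_LINES = """\
hmi-01 EventID=4625 User=operator Src=10.0.0.55
hmi-01 EventID=4625 User=operator Src=10.0.0.55
hmi-01 EventID=4625 User=operator Src=10.0.0.55
hmi-01 EventID=4624 User=operator Src=10.0.0.55
hmi-01 EventID=7045 User=operator Service=updsvc Image=C:\\Temp\\u.exe
hist-01 EventID=4698 User=svc_hist Task=\\Backup
hist-01 EventID=4688 User=svc_hist Image=C:\\Windows\\System32\\cmd.exe
""".splitlines()

# Signal table: Windows event id -> (use case from the list above, ATT&CK technique, severity)
SIGNALS = {
    "4625": ("failed login", "T1110 Brute Force", "low"),
    "4624": ("successful login", "T1078 Valid Accounts", "info"),
    "7045": ("local service command", "T1543.003 Windows Service", "high"),
    "4698": ("scheduled local task", "T1053.005 Scheduled Task", "medium"),
    "4688": ("new process creation", "T1059 Command and Scripting Interpreter", "info"),
}
LINE_RE = re.compile(r"^(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+User=(?P<user>\S+)")

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(lines):
    """One signal per recognised event, tagged with its technique and suggested severity."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev and ev["eid"] in SIGNALS:
            use_case, technique, severity = SIGNALS[ev["eid"]]
            out.append({**ev, "use_case": use_case, "technique": technique, "severity": severity})
    return out

def escalate(signals, threshold=3):
    """Raise severity when one host/user pair logs >= threshold failures: those failures
    and any later success on the same pair are treated as one brute-force chain."""
    fails = Counter((s["host"], s["user"]) for s in signals if s["eid"] == "4625")
    for s in signals:
        if s["eid"] in ("4625", "4624") and fails[(s["host"], s["user"])] >= threshold:
            s["severity"] = "high"
    return signals
```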

Figure 11: Local service commands event

Alternatively, the analyst has the option to create their own signal detection rules from scratch to improve monitoring and automation and tie those events into a timeline for the investigation. This time series groups attack events into elements for investigation and aids in handling the incident by annotating alerts as part of the labeled timeline.

Figure 12: Event timeline attack on Verve managed host

Machine learning in the Verve Security Center schedules and configures anomaly detection to watch for specific patterns in the logs and events. This is customizable and useful for analysts for retrospective activities when engaging in a technology enhancement project or identifying potential incidents that have not yet raised a clear alarm.

Figure 13: Machine learning on events with Verve

Respond and Remediate Using MITRE and Verve

The Verve Security Center also allows an organization to remediate its risks once it has used the ATT&CK framework to define its gaps. Verve’s architecture provides threat hunters, system maintainers, and responders with accurate, comprehensive asset information and the ability to:

  • Lock down and harden systems
  • Remediate known vulnerabilities
  • Apply policy and secure configurations
  • Install patches and updates
  • Respond with the “least disruptive response” based on knowledge of the specific endpoints impacted.

Closing the loop on the MITRE framework

The MITRE ATT&CK framework is a great addition to the cyber security framework infosphere, but it is not a standalone option. It has different matrices to use alone or with overlapping use cases (e.g., Enterprise elements combined with ICS framework elements), but ultimately they help deconstruct incidents and threats, create security solution requirements, fine-tune detection use cases, and standardize cyber security terminology.

Verve’s asset management, detection, compliance, and protection capabilities create an infinite amount of detections tailored to your organization to monitor background event flows for anomalies without another tool. This occurs within one platform and is useful in both IT and OT environments.


Quick Verve background:

Verve works with industrial organizations to secure their most critical assets – their control systems and operating technology. For 30 years, we have helped these companies, through our software and professional services, achieve an improved cyber security posture against the growing threats. Our focus is on providing what our clients need at their current point of maturity to take the next step on a journey of continuous improvement.

The MITRE ATT&CK framework is an incredibly valuable tool in that organizational maturity – not, as many think, as a detection framework, but instead as a methodology to evaluate defenses against real-world adversary behavior.

Verve built the Verve Security Center software with a comprehensive view of protection, detection, and response for industrial organizations. It certainly includes detections tied specifically to the MITRE ATT&CK framework tactics and techniques. Still, more importantly, it provides comprehensive visibility into the protections in place to defend against the techniques, and the response and recovery capabilities necessary to react in case of adversary tactical success.

As we discussed in our ATT&CK framework whitepaper, MITRE ATT&CK enables organizations to look across their IT and OT environments. MITRE ATT&CK for Enterprise provides the tactics and techniques adversaries may use to attack the IT estate and the “IT-type” systems (HMIs, Servers, Historians, etc.) in the OT estate. MITRE ATT&CK for ICS covers the embedded controls equipment which exists at Layers 0-2 of the Purdue model. Together the two frameworks allow for comprehensive threat scenarios.
