MAGNIFY CYBER SECURITY BLOG

Getting Security Smart With MITRE ATT&CK Framework

 March 2020

Secrutiny is all about helping organisations effectively determine their risk appetite and define cyber risk remediation priority based-on evidence. Through research and exploration, Secrutiny has identified the MITRE ATT&CK Framework as a tool to help cyber security professionals mature, secure and assure their organisations.

Late in February, Simon Crumplin, Founder of Secrutiny, sat down with MITRE expert, Jared Phipps, as they compared best-practices and discussed how the MITRE ATT&CK Framework can help organisations develop cyber risk remediation programmes.

What is the MITRE ATT&CK Framework?

MITRE is a not-for-profit organisation, which started in World War II when the Army Air Force corps needed to figure out how to detect incoming aircraft.

“Within the Department of Defense and within the military, we’ve always built these knowledge bases of how our adversaries conduct their military,” commented former United States Air Force officer and MITRE Engineer, Jared Phipps.

At its core, MITRE is a knowledge base of tactics, techniques and procedures (TTP’s) that you see used by threat actors in the real world. Jared, who lived and breathed TTP methodologies for many years, noted that the goal is to be able to take those TTP’s and reassemble them into a methodology that replicates or emulates an adversary threat attack. 

“There’s an unofficial rumour that MITRE stands for MIT Research Engineering. The story is that a couple of professors and students that peeled away and built this organisation to support the Department of Defense during the World War II. MITRE was officially formulated as a non-profit in 1953 to provide technical guidance to the Department of Defense and have always maintained their non-profit status, operating several Federally Funded Research and Development Centers,” added Jared.

How Do You Apply MITRE and Use It as an Anchor to Determine Risk Appetite? 

Secrutiny has developed a method of operationalising the MITRE ATT&CK Framework into an organisation as a programmatic and prioritised approach to risk remediation. Not only do we determine risk, we determine the exploitability of that risk to inform us of the control and the mitigation; providing an anchor to drive appetite to the Executive and action back into the operational run. By using this methodology, organisations can balance the seesaw and get to a position where they have a prioritised maturity plan that you can assure and prove. 

The image below is a traditional threat model which shows intent versus capability and the different styles of attack. At Secrutiny, we use this to determine risk tolerance. Through workshops, with security, operations and executive stakeholders, we can evaluate the risk appetite of an organisation, to further understand their tolerance and what actions are needed to assure them. Add frequency to the mix, and you have your ‘Embarrassment Zone’.

Secrutiny’s Threat Model.

Secrutiny’s Embarrassment Zone.

During our webinar, Simon expanded on the problem that when you talk to risk people you end up with a conversation around probability and likelihood, so we needed to bring some science into it.

“We must be able to demonstrate to Executives, to the business and its shareholders that we can mitigate a potential threat from affecting and disrupting the organisation,” continued Simon.

So, we map the MITRE ATT&CK Framework, and all the techniques to our anchor; the NCSC’s 10 Steps to Cyber Security framework (it could be Cyber Essentials, CIS, NIST, etc.). Then we determine how often they occur by applying threat intelligence (i.e. VirusTotal). This gives us a priority heat map with spear-phishing at the top.

NCSC 10 Steps vs MITRE ATT&CK Top 25 Threats.

“Now we have a standard that says ‘if we want to mitigate these TTP’s with these mitigations, here’s what we need to be looking at in an investment cycle. Now we have something the Executive understands that can drive an investment plan and an assurance plan,” said Simon.

We’ve found that if you try to eat the whole elephant you will fail, you need to eat it one bit at a time. This too, works in cyber security. We start with Initial Access and remediate the highest frequency techniques first. This populates circa 55% of the rest of the MITRE techniques through to Data Exfiltration because the same controls affect mitigations for other techniques. 

Pick Your Battles: Initial Access.

The program hardens and harmonises the estate, making organisations more capable of defending against, and detecting, the more advanced attacks because we’ve proven we’ve dealt with the risk and evidenced that:

  • Our SOC is optimum, and we can detect that more advanced activity.
  • We’re collecting the right pieces of data, and we’ve got the correct correlations.
  • Our cyber security maturity is determinable.
  • Our investments make sense.
  • Business risk, and business appetite to risk, is proven so that the board takes responsibility.
MITRE ATT&CK Applied to Security Technologies

In the last 6-12 months, we have seen more and more vendors building the MITRE ATT&CK Framework into their solutions. Jared, who is Vice President of Sales at SentinelOne, sheds insight into how the autonomous endpoint protection company deploys the framework:

“Firstly, technology in and of itself is never a ‘silver bullet’. We’ve made a concerted effort over the past 18-months to implement MITRE into the product in a way that’s universal and easy to adopt into security programs,” explained Jared.

Through integrating the MITRE ATT&CK Framework with its ActiveEDR and Ranger IoT capabilities and making the framework the new language of threat hunting, SentinelOne allows users to have a product that adheres entirely to the MITRE indicator workflows.

In other words, any security program that’s going to be leveraging ATT&CK means that users can run their entire investigations, including their threat hunt discovery methods, by searching for MITRE indicators.

“Ultimately, our goal is to shorten the attack defence cycle as much as possible and automate away as much initial response as possible. Attacks occur at machine speed, defence must as well. Waiting an hour to have resolution on incident is too long,” concluded Jared.

Want to Hear Jared and Simon’s Discussion on the MITRE ATT&CK Framework in Full?

Strengthen your cyber security posture with MITRE and learn how to analyse and prevent attacks by listening to the recording of our webinar, Develop a Cyber Risk Remediation Programme with the MITRE ATT&CK Framework.

Domain Impersonation: The Popular New Tactic for Phishing Attacks

Domain Impersonation: The Popular New Tactic for Phishing Attacks

Domain impersonation is increasingly becoming a problem which targets businesses and their customers. Phishing attackers are now advancing their level of sophistication by utilising domain impersonation as part of BEC scams that can result in CEO fraud, malware infection, or ransom.