What is MITRE ATT&CK and How Can it Help Your Security?How MITRE's evaluation can help empower end-users, provide product transparency, and motivate enhanced capabilities. By: Paul Diorio and Lee Lawson
"Language shapes the way we think and determines what we can think about."
Benjamin Lee Whorf, Famed Linguist on the Sapir-Whorf Hypothesis
MITRE ATT&CK Shapes How Security Professionals Think About Security
While linguistic theory typically focuses on natural languages and their impact on human thought, a parallel can be drawn to how security professionals describe and share knowledge to combat adversary tactics, techniques, and procedures - the language of cybersecurity attacks. With this perspective, many practitioners within the security industry advocate for a common language to describe the cybersecurity threats faced by organizations every day. The language used to describe these threats would significantly shape the way we think and determine how we approach a holistic defense. In recent years, the MITRE ATT&CK framework has increasingly become that common language. It has gained significant influence over how modern security teams describe threat actor capabilities and subsequently translate defensive ideas into action. In our experience building Red Cloak™ TDR, we have found significant benefits leveraging the ATT&CK framework language to drive innovation and develop our security analytic platform. Participating in the 2019 MITRE ATT&CK Evaluation of Red Cloak TDR advanced that goal one step further by teasing out some additional opportunities that our platform could leverage to keep our customers more secure.
2019 MITRE ATT&CK Evaluation Shines a Light...
MITRE launched the framework for ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) in 2015 to codify a common language to describe adversary actions. Today, many organizations are adopting the ATT&CK framework to better understand their coverage and explain their security program strategy. Similarly, most commercial security product vendors have shifted towards using ATT&CK to describe how they might best fit within enterprise security programs. In response, MITRE created an evaluation program around security products focused on empowering end-users with insights on how to operationalize those products against known adversary attacks, provide independent transparency on the capabilities of security products, and motivate product vendors to enhance their capabilities against adversary behaviors. For the benefit of transparency to our customers, and our commitment to continually innovate against adversaries, the Red Cloak TDR team recently participated in the 2019 MITRE evaluation to showcase our capabilities.
In coming weeks, the MITRE ATT&CK evaluation findings will be available to help security professionals determine which products meet their needs. Undoubtedly, it will also serve as points for product marketing teams to tout new features and describe competitive differentiators. More importantly, the key insights from the evaluation should help security analysts better understand how to leverage specific products to combat real-world threats. Regarding 2019, the evaluation simulated IRON HEMLOCK (AKA APT-29, Cozy Bear) as the model threat actor. Security teams can leverage ATT&CK to think about key visibility points within their environment, as well as overall detection coverage and strategies. It is important to note that the 2019 MITRE ATT&CK evaluation is constrained to endpoint products only, and while these solutions play a critical role in defending against modern threats, they do not provide a total solution on their own. Red Cloak TDR acknowledges this reality by integrating data from a wide variety of sensors and visibility providers, including endpoint agents, network sensors, firewalls, proxies, public cloud provider APIs, and more.
While there will be more information available as MITRE finalizes their findings in the coming weeks, our team wanted to highlight some more immediate benefits for our product and customers. Through the preparation and execution of the evaluation, our team gleaned new insights on how to operationalize ATT&CK as a catalyst for enabling new capabilities.
… And Motivates Innovation
One of MITRE's stated goals in the creation of the framework and evaluation is to push the security vendor community to enhance their abilities to detect known adversary behaviors. For example, our team uncovered novel opportunities for detections with Red Cloak TDR while preparing for the evaluation through a close collaboration between our threat intelligence researchers, incident responders, penetration testers, countermeasure creators, data scientists, and big data engineers. In preparation, our interdisciplinary team was able to simulate live attacks based on our knowledge of the IRON HEMLOCK threat actor and rapidly work to generate insights and build new capabilities. Our purple team approach showcases our ability as a security leader to leverage that experience to empower your own security teams to protect your organization with Red Cloak TDR. As a specific example, the Red Cloak Agent can collect data from Event Tracing for Windows (ETW) on the endpoint and now applies Red Cloak TDR countermeasures to hunt for adversary activity within it (especially IRON HEMLOCK inspired attacks). Examples of these capabilities include:
- PowerShell Script Block Logging reconstruction allows for analysts to see the entire PowerShell script being executed by the adversary as well as which functions were executed.
- Windows Management Instrumentation (WMI) detections for malicious use of WMI, including collection of custom events.
In addition to empowering human analysis, these sources also enable automated detection techniques within our Red Cloak TDR platform. We have institutionalized our interdisciplinary process to continually push towards new data sources and creation of new analytic insights to deliver bleeding edge security value to our customers.
The Red Cloak TDR team joined the 2019 MITRE ATT&CK evaluation with the full intent of showcasing our approach to providing industry leading security value. Along the way, we joined an elite cadre of pressure-tested security vendors, delivered product improvements focused on APT-level TTPs, and we improved our understanding of how ATT&CK evaluation results can help security teams evaluate solutions for their organization. At the end of the day, MITRE's efforts are raising the collective security bar and we are proud to meet the challenge.