Why should you care about MITRE?

How your defense teams can best make use of the MITRE ATT&CK framework

Posted on 31 July 2019 by Gayle Kennedy

We are sharing our best practice for how we use MITRE in our own defense techniques to make it easier for you to do the same with your own defense teams.

 

This article will tell you:

 

  • What is MITRE and why it’s important in cyber security
  • How MITRE helps you defend your organization against commonly used techniques

 

What is MITRE?

 

MITRE is a US-based not-for-profit company that has been providing engineering and technical guidance for over sixty years. Originally only serving the US government (as it is federally funded), it now provides “cutting-edge solutions to the globe’s most urgent problems.” This includes cyber security.

 

The MITRE ATT&CK Framework

 

MITRE ATT&CK is a globally-accessible, continually updated knowledge base of known state-sponsored and criminal groups, and the tactics, techniques, and procedures that they use. It enables organizations – whether public or private – to prioritize detection around the most persistent threats and threat groups. We at F-Secure Countercept use this in our own hunts.

 

How defense teams can use the MITRE ATT&CK Framework

 

Defensive teams – whether tactical, strategic or operational – can make good use of this information in hands-on approaches, such as creating prevention and detection rules or to guide architectural and policy decisions to protect your organization.

 

One of the biggest challenges with the framework in its current form is the sheer number of different techniques, making it potentially difficult for defensive teams to know which techniques to focus on first. The table below is just a snapshot of the hundreds of techniques listed:

 

Execution Persistence Privilege Escalation Defence Evasion
AppleScript .bash_profile and .bashrc Access Token Manipulation Access Token Manipulation
CMSTP Accessibility Features Accessibility Features BITS Jobs
Command-Line Interface Account Manipulation AppCert DLLs Binary Padding
Compiled HTML File AppCert DLLs AppInit DLLs Bypass User Account Control
Control Panel Item AppInit DLLs Application Shimming CMSTP
Dynamic Data Exchange Application Shimming Bypass User Account Control Clear Command History
Execution through API Authentication Package DLL Search Order Hijacking Code Signing

 

Figure 1 – With so many techniques it can be challenging to know where to start.

 

To get the most value out of MITRE ATT&CK it's important to focus on the items that can give your team the best possible chance of detecting real world attacks. The Countercept team tackles this problem by analyzing each technique in a number of ways:

 

Real world usage

In the majority of real-world attacks we see attackers repeatedly using only a subset of the MITRE techniques. For example, the framework contains 59 different persistence techniques – yet most attacks encountered by Countercept involve just seven of these. In an ideal world security teams would cover all techniques. However, with limited resources it’s important to prioritize the most commonly used techniques to increase your detection rates and overall effectiveness. Analysis of public breach reports can be a great way to learn more about which techniques attackers commonly use.

 

Signal to noise

As many of the MITRE techniques closely match real-world legitimate activity, they can be false-positive prone and not suitable for alert-based monitoring. For example, Rundll32 usage is common across many organizations making it a lower fidelity indicator, whereas Mshta is used less often making it a more reliable indicator. Focusing on low false positive events can improve your team’s efficiency.

 

Ease of collection and analysis

Each technique relies on capturing and analyzing different datasets. For some techniques it’s not possible to collect data, either because of technical or performance limitations. Confirming if you have the telemetry can be a quick way to include or exclude MITRE techniques. Also don’t forget the storage and analysis costs associated with each set of telemetry as this may be prohibitive. To give an example, process data is one of the most useful datasets as it can show you what an attacker has executed on a system; firewall logs on the other hand, while useful, can be significantly higher volume and provide only marginal value.

 

Quality not quantity across the killchain

 Using MITRE ATT&CK and testing MITRE techniques teams often focus on whether they “pass” or “fail” at detecting individual TTPs and forget that real world attacks span multiple phases and activities. For real world defensive teams, all it takes is for them to detect just one part of a multi-step killchain to then kick off an investigation and uncover all related activity. For example you might miss an attacker using a brand new browser exploit but then spot the service they drop for persistence alerting your team and triggering further investigation. Detection therefore becomes more effective if you select the most commonly used, high fidelity attacker activities across the killchain and ensure your team are confidently able to triage and respond when they occur.

 

Based on the above, some of the core use-cases we’d recommend focusing on are:

 

  • Reviewing user login activity, especially admin activity
  • Hunting for suspicious process usage (Rundll32, Powershell, Mshta, Regsvr32)
  • Aggregating persistence data (Services, Registry, Scheduled Tasks) to find anomalies
  • Memory anomalies, such as process injection
  • Known bad software flagged through antivirus or ML equivalents

 

The next logical question you might ask is: what tooling do I need to enable my team to hunt for these MITRE ATT&CK techniques? We will cover that in our next post where we’ll discuss MITRE ATT&CK Evaluation.