The non-profit organization MITRE has been documenting Tactics, Techniques and Procedures (TTPs) used by known Advanced Persistent Threats (APTs) since 2013. The result is the MITRE ATT&CK® Framework. ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge”.
In our Oneconsult blog article “How the MITRE ATT&CK Framework Helps You Make Your Business More Secure”, we presented the MITRE ATT&CK Framework in detail and explained various use cases. The sheer size of the knowledge base may appear daunting at first glance. Where should you start, and how can the framework be used effectively without wasting resources? It is understandable that there are certain inhibitions about familiarizing yourself with ATT&CK. To make the first steps easier, this blog article takes a closer look at the case of a vulnerability analysis.
Getting Started With MITRE ATT&CK
To make it easier to get started, MITRE itself provides a rudimentary guide to simplify the use of ATT&CK. The MITRE Guide examines a number of use cases at different maturity levels. These gradations make it possible to gain useful insights even with limited information. It is strongly discouraged to expect a comprehensive analysis right from the beginning. It is much more important to get to grips with the topic and initially use the most obvious findings to improve your own defense.
The complete guide is available as an eBook at the following link: Getting Started with ATT&CK
MITRE ATT&CK Navigator
In simple terms, the MITRE ATT&CK Navigator, software developed and open-sourced by MITRE, is an interactive version of the ATT&CK matrices. Using the web GUI, it is possible to enter comments, assign scores or apply manual coloring for each technique or even sub-technique. The adjustments can then be exported as “ATT&CK layers” and combined with other layers. This makes it very easy to create heat maps that can be used, for example, to highlight weak points in your own security system. The additional coloring can also be used to visually indicate urgency.
The following introductory video from MITRE provides a good overview of the capabilities of the MITRE ATT&CK Navigator.
Vulnerability Analysis With MITRE ATT&CK Demonstrated by an Example
As the MITRE guide does not contain any rigid specifications, a possible procedure is explained below using a fictitious example analysis.
A company would like to carry out a vulnerability analysis on a threat intelligence basis. The existing detection measures are to be checked against the notorious “Wizard Spider” threat group. A possible approach is explained below in four steps.
1. Selecting the Scope of the Vulnerability Analysis
First, a clear scope is defined on the basis of the assignment. Only reactive detection measures are included as protection mechanisms, while mitigations are left out for the time being. For the comparison, only TTPs of the “Wizard Spider” threat actor that are already documented in ATT&CK are taken into account; additional research is disregarded at this stage. The comparison is made at the level of techniques, and sub-techniques are disregarded.
2. Mapping of Detection Measures Onto ATT&CK Techniques
Mapping the existing detection measures onto ATT&CK techniques is probably the most laborious part of the analysis. Based on a study of the documentation of the detection systems in use, each measure is mapped to the techniques it covers. Many manufacturers of Endpoint Detection & Response (EDR) or Network Detection & Response (NDR) systems already specify in their documentation which MITRE ATT&CK techniques their products cover. This information then only needs to be summarized and documented in an ATT&CK Navigator layer.
3. Evaluating the Level of Protection per Technique
In order to avoid going beyond the scope of the evaluation, it is advisable to define three categories for the coverage levels of techniques. In our example, these are the three levels:
- high confidence of detection
- some confidence of detection
- low confidence of detection.
The following is also defined:
- Techniques without documented coverage by a detection mechanism are assigned to the “low” category and receive a score of 0.
- Techniques with partial coverage are assigned to the “some” category with a score of 1.
- Techniques that are covered by several detection mechanisms are assigned the category “high” with a score of 2.
A heat map can already be created that provides a rough overview of the overall coverage. However, as can easily be seen in the figure below, techniques with the category “low” (not colored) are strongly predominant. It is therefore still difficult to prioritize where resources should be allocated. To make this clearer, this layer is compared with known techniques from the selected threat group in the next step.
4. Comparison With Relevant Attack Vectors
The next step is to compare the documented detection methods with the selected threat actor. As defined in the first step, only techniques in the “Wizard Spider” group that have already been documented in ATT&CK are considered in the first phase. A layer for the selected threat actor can be created with just a few clicks using the ATT&CK Navigator. At the time of writing, this layer looks as follows:
The attacker’s layer is then compared with the detection coverage layer. The “Create layer from other layers” function in the ATT&CK Navigator is used for this. The scores of the resulting layer, which visualizes the result of the comparison, are calculated by simple subtraction: the score of the coverage category minus the number of threat actors using the technique gives the score of that technique in the result layer. With one threat actor and two detection systems, this yields a value range of -1 to 2. This value range can now be configured in the color setup of the result layer. This results in:
- Techniques that are not covered by any detection mechanism, but have been used by Wizard Spider in the past, appear in red.
- Techniques that have been used by “Wizard Spider”, but can be detected by at least one detection system, appear in yellow.
- Techniques that are covered by multiple detection systems, but have not been used by Wizard Spider, appear in green.
The result is a heat map that clearly visualizes where significant gaps still exist and where the focus should be for further development. Of course, this heat map only shows the priority based on the selected threat actor and is not suitable for determining the overall security posture. The primary purpose of the analysis is to show where the highest priority vulnerabilities exist. If the prioritization is still unclear, additional threat actors can be included in the analysis. It would also be possible to adjust the score calculation in the form of a weighting.
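As an added example (not code from the original article or from MITRE), the following Python script reproduces the scoring of steps 3 and 4 on constructed sample data and writes the result as an ATT&CK Navigator layer. The two detection systems, their technique sets, the actor's technique set, the color values and the layer version string are all assumptions; the actor techniques are illustrative and not the group's documented TTPs.

```python
import json
from collections import Counter

# Step 3: coverage categories and their scores, as defined in the article.
CATEGORY_SCORE = {"low": 0, "some": 1, "high": 2}
# Step 4 colors for the result range -1..2 (hex values are assumptions):
# -1 red (used, not covered), 0 and 1 yellow, 2 green (well covered, not used).
RESULT_COLORS = {-1: "#e53935", 0: "#fdd835", 1: "#fdd835", 2: "#43a047"}

# Constructed sample input: two hypothetical detection systems and the
# techniques their documentation claims to cover (the step 2 mapping).
DETECTION_COVERAGE = {
    "EDR": {"T1059", "T1566", "T1486"},
    "NDR": {"T1059", "T1071"},
}
# Constructed sample actor layer; illustrative only, not the group's real TTPs.
ACTOR_TECHNIQUES = {"sample-actor": {"T1059", "T1566", "T1078"}}


def coverage_category(systems_covering):
    """0 systems -> low, exactly 1 -> some, 2 or more -> high."""
    return "low" if systems_covering == 0 else "some" if systems_covering == 1 else "high"


def coverage_scores(coverage):
    """Step 3: one score per technique mentioned by any detection system."""
    counts = Counter(t for techs in coverage.values() for t in techs)
    return {t: CATEGORY_SCORE[coverage_category(n)] for t, n in counts.items()}


def result_scores(coverage, actors):
    """Step 4: coverage score minus the number of actors using the technique.
    Techniques absent from both layers get no entry and stay uncolored."""
    cov = coverage_scores(coverage)
    used = Counter(t for techs in actors.values() for t in techs)
    return {t: cov.get(t, 0) - used.get(t, 0) for t in cov.keys() | used.keys()}


def to_navigator_layer(scores, name):
    """Serialize as a Navigator layer; the layer version is an assumption."""
    layer = {
        "name": name,
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s, "color": RESULT_COLORS[s]}
                       for t, s in sorted(scores.items())],
        "gradient": {"colors": [RESULT_COLORS[s] for s in (-1, 0, 1, 2)],
                     "minValue": -1, "maxValue": 2},
    }
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    # Caveat: a score of 1 arises both for "used, high coverage" (2-1) and for
    # "not used, partial coverage" (1-0), so read the result beside the actor layer.
    print(to_navigator_layer(result_scores(DETECTION_COVERAGE, ACTOR_TECHNIQUES), "Coverage minus sample actor"))
```

The printed JSON can be imported into the Navigator via "Open Existing Layer", which gives the same heat map as the manual "Create layer from other layers" subtraction described above.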
Conclusion
The vulnerability analysis using MITRE ATT&CK can be a good introduction to the framework. Even rudimentary use of the framework is likely to provide new insights into where to focus your efforts in developing defenses. After all, it allows security measures to be compared against real threats. Regular assessments should, of course, build on the analyses already conducted to ensure that security maturity continues to increase. Both changes in the threat environment and internal changes in security measures should be taken into account. This is the only way to actively adapt to the threat landscape and effectively deploy your resources.
We offer various services to test your defense and detection measures not only in theory, but also in practice. It is important to scrutinize the expected level of protection and put it to the test. The Oneconsult Red Teaming Assessments in conjunction with customizable attack scenarios can provide valuable insights into the interaction of the defense and detection measures in place and provide you with additional valuable input for the further development of your security measures. We look forward to hearing from you: