Utilizing MITRE ATT&CK Navigator to Visualize and Improve Detection Capabilities

Ali Coluk
5 min read · Nov 7, 2023


Detection engineers, or anyone else responsible for creating detection rules, sometimes struggle with what to detect and how to prioritize their detections. In a fast-changing field like cyber security, prioritizing our detections matters. New attack campaigns, new versions of frameworks like MITRE ATT&CK, new zero days that spread like wildfire… It is important to stay on track and prioritize the detections that address the most likely threats.

Cyber threat intelligence (CTI) is a good tool in our arsenal to guide us on what to detect. CTI lets us see the current threat landscape, identify possible adversaries, and prioritize among threats. To create use cases for detecting adversaries, SOC operations sometimes need the help of CTI teams that gather intelligence from premium sources, dig into the dark web, or watch fancy Kaspersky[1]-style graphics of ongoing attacks; sometimes no such help is available. Especially in immature environments, or in environments that are reactive rather than proactive, simple steps or tools can have a great effect on understanding an organization's current threat landscape.

MITRE ATT&CK Navigator[2] is a tool we can use to visualize and prioritize the threats we currently face, and its output can guide detection engineers while they create new rules. This article discusses how to use the Navigator to create a heat-map of possible threats. Detection engineers can then use that heat-map to decide what to include in, and how to prioritize, their detection programs. The best part is that the reader needs neither knowledge of the CTI lifecycle nor state-of-the-art CTI feeds to create the heat-map. Basic knowledge of the MITRE ATT&CK framework and a little bit of googling are enough.

Without any introduction or warm-up (I assume the reader is already familiar with the concepts), I can start with the heat-map. First, the person responsible for creating detection logic, let's call them the detection engineer, needs to identify the current threats to the organization (let's call it ACME Corp.). This identification process can take many factors into account (political, geographical, financial, etc.). Leaving the details aside, as a starting point the engineer can simply look at the APTs that target the organization's industry, its country, and the technologies it actively uses. Let's assume the engineer identifies APT28, APT32 and FIN7 as targeting the country in which the organization operates, and Magic Hound and Wizard Spider as targeting the sector in which it operates. That gives five possible APTs, which makes a total of five pillars that need to be considered.

MITRE ATT&CK Navigator Selection

On the Navigator page, the detection engineer needs to create a separate layer for each of the five threat groups. Each layer consists of the TTPs used by that threat group. If the engineer is lucky, the Navigator already has the Threat Group — TTP pair in its database; if the pair cannot be found, the group's TTPs need to be researched. A Threat Group can be searched for simply by clicking the “search & multiselect” button (1) and entering the name of the Threat Group (2). Hopefully the engineer can find the Threat Group under the Threat Groups tab and click select (3).

MITRE ATT&CK Navigator — Adversary TTP Selection

Next, the engineer needs to assign a score to highlighted techniques that are used by the Threat Group. This will be done by clicking the “Scoring” button and choosing a score (4). The score needs to be set to 1. The engineer needs to perform these four steps for each Threat Group.

The final stage is combining the five Threat Group — TTP pairs into a single layer. To do this, the detection engineer needs to open a new layer, but this time select “Create Layer from other layers” instead of clicking “Create New Layer”.

Adding Different Layers into a Single Layer

You should expect to see a heat-map in which different techniques have different colors, as can be seen below. A more intense/darker technique indicates that more APTs are using it. For instance, green indicates that only one APT uses the technique and red indicates that all five APTs leverage it. The more intense/darker a technique's color, the more importance you should give it.
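The per-group scoring (step 4) and the layer combination described above can also be reproduced outside the browser with the Navigator's JSON layer format, which is useful when the heat-map has to be regenerated regularly or fed into a backlog tracker. The following is an added example, not code from the article or from the ATT&CK Navigator project. The group-to-technique mapping is constructed for illustration and is not the real ATT&CK profile of these groups, the `versions` values are assumptions to adjust to your Navigator, and the summing of scores mirrors what the Navigator does when you combine layers with a score expression such as `a+b+c+d+e`.

```python
import json
from collections import Counter

# Constructed illustrative mapping of threat groups to ATT&CK technique IDs.
# This is NOT the real ATT&CK profile of these groups; look each group up
# with the Navigator's "search & multiselect" pane as the article describes.
GROUP_TECHNIQUES = {
    "APT28":         ["T1566", "T1059", "T1003", "T1071", "T1078"],
    "APT32":         ["T1566", "T1059", "T1105", "T1071"],
    "FIN7":          ["T1566", "T1059", "T1105", "T1078"],
    "Magic Hound":   ["T1566", "T1059", "T1003", "T1071"],
    "Wizard Spider": ["T1566", "T1059", "T1003", "T1078", "T1547"],
}

# Layer-format metadata; these version strings are assumptions, adjust them
# to the Navigator/ATT&CK versions you actually run.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}
DOMAIN = "enterprise-attack"


def build_group_layer(group, technique_ids, score=1):
    """One layer per threat group, every technique it uses scored 1 (step 4)."""
    return {
        "name": group,
        "versions": LAYER_VERSIONS,
        "domain": DOMAIN,
        "description": f"Techniques attributed to {group} (constructed example data)",
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": f"used by {group}"}
            for tid in sorted(technique_ids)
        ],
    }


def merge_layers(layers, name="ACME Corp threat heat-map"):
    """Sum each technique's score across all layers, as the Navigator's
    'Create Layer from other layers' does with the expression a+b+c+d+e."""
    totals = Counter()
    users = {}
    for layer in layers:
        for tech in layer["techniques"]:
            totals[tech["techniqueID"]] += tech["score"]
            users.setdefault(tech["techniqueID"], []).append(layer["name"])
    max_score = len(layers)  # red = every tracked group uses the technique
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": DOMAIN,
        "description": f"Number of tracked groups using each technique (0-{max_score})",
        "techniques": [
            {"techniqueID": tid, "score": s, "comment": ", ".join(users[tid])}
            for tid, s in sorted(totals.items())
        ],
        # Green for a single group through to red for all of them, matching
        # the reading of the heat-map given in the article.
        "gradient": {"colors": ["#8ec843", "#ffe766", "#ff6666"],
                     "minValue": 0, "maxValue": max_score},
    }


def prioritized_backlog(merged_layer):
    """Techniques ordered for the detection backlog: most-shared first."""
    return sorted(merged_layer["techniques"],
                  key=lambda t: (-t["score"], t["techniqueID"]))


if __name__ == "__main__":
    layers = [build_group_layer(g, t) for g, t in GROUP_TECHNIQUES.items()]
    for layer in layers:  # one file per group, importable as a Navigator layer
        with open(f"{layer['name'].replace(' ', '_')}.json", "w") as fh:
            json.dump(layer, fh, indent=2)
    merged = merge_layers(layers)
    with open("heatmap.json", "w") as fh:  # the combined heat-map layer
        json.dump(merged, fh, indent=2)
    for t in prioritized_backlog(merged):
        print(f"{t['techniqueID']}  score={t['score']}  ({t['comment']})")
```

Each generated JSON file can be loaded through the Navigator's “Open Existing Layer” option; the combined `heatmap.json` carries the gradient, so it renders with the same green-to-red scale the article describes. `prioritized_backlog` is the same ordering the engineer would otherwise read off the colors by eye.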

Complete Heat-Map for Five Adversaries

CONCLUSION

How can the heat-map be utilized? What can be achieved with this resource? There are three different ways to use the outcome of this work.

* Creating detection rules or hunting queries to address the high-risk threats

The heat-map illustrates potential adversaries and their TTPs. It therefore shows which risks we need to address in order to be proactive and stay ahead of the game, rather than waiting for adversaries to target the organization. Give more importance to, and prioritize, the techniques used by more adversaries.

* Prioritizing the detection backlog

A detection engineer may have lots of rules to implement and lots of threat vectors to address. The heat-map can help the engineer prioritize those tasks. Rather than blindly creating rules and aiming for quantity, engineers gain another data point for prioritizing the use case backlog and aiming for quality of detections.

* Visualizing threats for different stakeholders, both technical and non-technical

The heat-map gives an illustration of the high-risk and possible threats to the organization. This input can be useful for many stakeholders: it can be an additional data point for the hunting team, the intelligence team, the vulnerability management team, etc. The illustration can also help non-technical stakeholders understand the current threat landscape and the possible risks.

References

[1] https://cybermap.kaspersky.com/

[2] https://mitre-attack.github.io/attack-navigator/v2/enterprise/

Written by Ali Coluk

Working as a Cyber Security Consultant. Have interests in internet governance, cyber security and technology.