MITRE ATT&CK: Using Exabeam for Threat Hunting and Investigations

December 19, 2019

The MITRE ATT&CK knowledge base was created to help track threats and methodologies to give security practitioners a common vocabulary to tackle cybersecurity threats. By tracking the tactics, techniques, and procedures (TTPs) associated with today’s security risks, security analysts can better safeguard against them. Analysts use the information to learn more about attacks and develop strategies to battle them, while managers can compare the information to their security procedures and adjust accordingly.

Exabeam Product Manager Rocky Rashidi and Regional Sales Engineer Abel Morales recently spoke about the MITRE ATT&CK framework at Spotlight19 and described how it can be combined with analytics for more effective threat hunting. 

What is the MITRE ATT&CK framework?

Since the MITRE ATT&CK framework was released in 2015, interest in the knowledge base has grown rapidly. MITRE is a nonprofit, federally funded organization that also manages the Common Vulnerabilities and Exposures (CVE) database. ATT&CK, which pulls its information from observations of actual attacks, stands for adversarial tactics, techniques, and common knowledge.

“For managers, MITRE makes it easier to efficiently assess coverage against certain specific attacks,” Rocky says. “For analysts, MITRE allows them to quickly identify threats and make better-informed decisions on how to remediate them.”

As he explained, ATT&CK is represented as a matrix with tactics across the top. Tactics are the goals an attacker is pursuing at each stage, while the techniques listed under each tactic describe how that goal is achieved.

The MITRE framework creates a directory like Wikipedia that professionals can consult at any time. Threats are grouped by technique, making it easier for the security community to find exactly what they need at any given time.

Introducing IoCs and TTPs

Indicators of compromise (IoCs) are an important part of attack prevention. Known as the breadcrumbs attackers leave behind, IoCs have long been a preferred way to keep an eye on current threats. The many methods attackers use are given common names, which allows them to be grouped with similar threats, making it easier to monitor entire categories of threats.

The problem with IoCs is that their definitions tend to remain static. Something that was considered malicious four years ago may not be seen as malicious today, so the information easily becomes outdated. The shift to TTPs allows security professionals to look at a combination of features, which improves the usefulness of the information.

“Trying to get initial access, for example, into a system could be done by having a specific exploit for a specific application,” Rocky says. “However, rather than chasing that specific application or that specific exploit or monitoring a hash, we can see the pattern here which is trying to find a way into a public-facing application.”

As valuable as IoCs are, though, they’re single dimensional in nature. The information needs to be supplemented with other artifacts to ensure analysts have the most useful information possible. Analytics can enrich the information being collected to ensure the security operations center has the best information available.
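To make the single-dimensional nature of IoCs concrete, here is an added example (not Exabeam's code and not from the talk) that runs a hash-based IoC match and a behaviour-based TTP rule side by side over constructed process-creation events. The hash values, host names and the rule's mapping to ATT&CK T1190 (Exploit Public-Facing Application) are this example's assumptions.

```python
"""Added example, not Exabeam's code: a hash-based IoC match beside a
behaviour (TTP) rule, both run over constructed process-creation events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str   # image name of the process that spawned the child
    child: str    # image name or path of the spawned process
    sha256: str   # hash of the child image (placeholder values)


# Constructed sample events; the hashes are made-up placeholders, not real IoCs.
EVENTS = [
    ProcessEvent("web01", "httpd", "/tmp/.x", "aaaa0001"),             # old known sample
    ProcessEvent("web01", "httpd", "/tmp/.y", "bbbb0002"),             # recompiled sample, new hash
    ProcessEvent("web02", "nginx", "sh", "cccc0003"),                  # web server spawning a shell
    ProcessEvent("db01", "cron", "sh", "dddd0004"),                    # scheduled job, expected
    ProcessEvent("web02", "httpd", "/usr/sbin/sendmail", "eeee0005"),  # app sending mail, expected
]

# The IoC feed as it looked when the first sample was analysed: one known-bad hash.
KNOWN_BAD_HASHES = {"aaaa0001"}

# TTP rule (this example's assumption, mapped to ATT&CK T1190): a public-facing
# web-server process spawning an interpreter or something dropped in /tmp.
WEB_SERVERS = {"httpd", "apache2", "nginx", "tomcat", "w3wp.exe"}
INTERPRETERS = {"sh", "bash", "cmd.exe", "powershell.exe", "python3", "perl"}


def ioc_hits(events):
    """Events whose child image hash appears in the static IoC feed."""
    return [e for e in events if e.sha256 in KNOWN_BAD_HASHES]


def ttp_hits(events):
    """Events matching the behaviour pattern, regardless of which binary was dropped."""
    return [
        e for e in events
        if e.parent in WEB_SERVERS
        and (e.child in INTERPRETERS or e.child.startswith("/tmp/"))
    ]


def coverage_gap(events):
    """Events the behaviour rule catches that the hash feed misses."""
    flagged_by_ioc = set(ioc_hits(events))
    return [e for e in ttp_hits(events) if e not in flagged_by_ioc]


if __name__ == "__main__":
    print("IoC hits:", [e.child for e in ioc_hits(EVENTS)])
    print("TTP hits:", [e.child for e in ttp_hits(EVENTS)])
    print("Missed by IoC feed:", [e.child for e in coverage_gap(EVENTS)])
```

The hash feed catches only the sample it was built from; the recompiled dropper and the shell spawned on the second server share no hash with it but exhibit the same pattern, which is what a TTP-level rule keys on. The allowlisted `cron` and `sendmail` events show that the behaviour rule still needs context (which parent, which child) to stay precise.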

Integrating analytics with MITRE

If a new account is created on your network, you may want your security team to be immediately aware of it. But not every new account is an indication of a threat. Through advanced analytics, Exabeam combines the usefulness of a database with the advanced information that data science brings. 

“We take in all the account creation events,” Rocky says. “We analyze them based on our machine learning and our models, and we alert you only on the anomalous behavior. By doing so we eliminate alert fatigue.”

When an event does take place, security analysts can see not only the alert, but also what happened before, during, and after. 

Exabeam has taken it a step further, creating the mapping that can tag specific risk reasons within any timeline. You won’t have to waste time reading between the lines. With the information tied to the MITRE database you’ll know the risk category associated with each event. 
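The account-creation workflow described above, as an added example that is not Exabeam's code and does not reproduce its models: a simple per-actor frequency baseline stands in for the machine-learning models Rocky mentions, only events that deviate from that baseline become alerts, and each alert carries a risk reason tagged with an ATT&CK tactic and technique so the surrounding timeline can be read without guessing. The events, actor names, the 30-minute timeline window and the mapping of account creation to T1136 (Create Account, a real ATT&CK technique ID) are this example's assumptions.

```python
"""Added example, not Exabeam's code: baseline account-creation events per
actor, alert only on the anomalous ones, and tag them in a timeline with an
ATT&CK tactic/technique. All event data below is constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed mapping of event types to ATT&CK tactic / technique.
TECHNIQUE_TAGS = {
    "account_create": ("Persistence", "T1136 Create Account"),
}

# Constructed events: (timestamp, actor, action, details)
EVENTS = [
    ("2019-12-01T09:12:00", "it-admin", "account_create", "new user j.doe"),
    ("2019-12-02T10:03:00", "it-admin", "account_create", "new user a.lee"),
    ("2019-12-05T08:44:00", "it-admin", "account_create", "new user m.chan"),
    ("2019-12-18T13:20:00", "bsmith", "login", "workstation ws-17"),
    ("2019-12-18T13:21:00", "bsmith", "account_create", "new user svc-backup2"),
    ("2019-12-18T13:40:00", "bsmith", "logoff", "workstation ws-17"),
    ("2019-12-19T09:00:00", "it-admin", "account_create", "new user r.patel"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events, cutoff):
    """Count account creations per actor strictly before the cutoff."""
    counts = Counter()
    for ts, actor, action, _ in events:
        if action == "account_create" and parse(ts) < cutoff:
            counts[actor] += 1
    return counts


def risk_reasons(event, baseline):
    """Risk reasons for one event; empty when the event fits the baseline."""
    _, actor, action, _ = event
    reasons = []
    if action == "account_create" and baseline[actor] == 0:
        tactic, technique = TECHNIQUE_TAGS[action]
        reasons.append(f"First account creation by {actor} [{tactic} / {technique}]")
    return reasons


def alerts(events, cutoff_str):
    """Alert only on events at or after the cutoff that deviate from the baseline."""
    cutoff = parse(cutoff_str)
    baseline = build_baseline(events, cutoff)
    out = []
    for ev in events:
        if parse(ev[0]) >= cutoff:
            reasons = risk_reasons(ev, baseline)
            if reasons:
                out.append({"time": ev[0], "actor": ev[1], "reasons": reasons})
    return out


def timeline(events, actor, around, window_minutes=30):
    """What the actor did before, during and after the alert, with risk tags."""
    center = parse(around)
    window = timedelta(minutes=window_minutes)
    baseline = build_baseline(events, center)
    rows = []
    for ev in events:
        if ev[1] == actor and abs(parse(ev[0]) - center) <= window:
            rows.append((ev[0], ev[2], ev[3], risk_reasons(ev, baseline)))
    return rows


if __name__ == "__main__":
    for alert in alerts(EVENTS, "2019-12-18T00:00:00"):
        print("ALERT", alert)
        for row in timeline(EVENTS, alert["actor"], alert["time"]):
            print("   ", row)
```

The three creations by `it-admin` establish that account creation is normal for that actor, so the fourth one on December 19 produces nothing; the single creation by `bsmith`, who has never created an account before, is the only alert. The timeline call then lists that actor's login, the flagged creation and the logoff in one view, with the risk reason and its ATT&CK tag attached to the one event that earned it.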

The future of MITRE analytics

With the first phase of Exabeam’s MITRE framework integration in progress, the team will continue to integrate more of MITRE’s information into the platform. Future enhancements include giving users information, detection tools, and advanced threat-hunting capabilities. These features will allow users to gauge how they are doing when it comes to protecting their organizations. 

Exabeam has contributed two techniques to support the MITRE ATT&CK knowledge base, T1483: Domain Generation Algorithm and T1503: Credentials from Web Browsers.

To see the Exabeam product demo by Abel Morales, please view the full video.
