MITRE ATT&CK: Using Exabeam for Threat Hunting and Investigations
The MITRE ATT&CK knowledge base was created to help track threats and methodologies to give security practitioners a common vocabulary to tackle cybersecurity threats. By tracking the tactics, techniques, and procedures (TTPs) associated with today’s security risks, security analysts can better safeguard against them. Analysts use the information to learn more about attacks and develop strategies to battle them, while managers can compare the information to their security procedures and adjust accordingly.
Exabeam Product Manager Rocky Rashidi and Regional Sales Engineer Abel Morales recently spoke about the MITRE ATT&CK framework at Spotlight19 and described how it can be combined with analytics for more effective threat hunting.
What is the MITRE ATT&CK framework?
Since the MITRE ATT&CK framework was released in 2015, interest in the knowledge base has grown rapidly. MITRE is a nonprofit, federally funded organization that manages the Common Vulnerabilities and Exposures (CVE) database. ATT&CK, which draws its content from observations of real-world attacks, stands for Adversarial Tactics, Techniques, and Common Knowledge.
“For managers, MITRE makes it easier to efficiently assess coverage against certain specific attacks,” Rocky says. “For analysts, MITRE allows them to quickly identify threats and make better-informed decisions on how to remediate them.”
As he explained, ATT&CK is represented as a matrix, with tactics across the top. Tactics describe what the attackers are trying to accomplish at each stage, while techniques describe how they go about it.
The MITRE framework provides a Wikipedia-like reference that professionals can consult at any time. Threats are grouped by technique, making it easier for the security community to find exactly what they need at any given time.
Introducing IoCs and TTPs
Indicators of compromise (IoCs) are an important part of attack prevention. Known as the breadcrumbs attackers leave behind, IoCs have long been a preferred way to keep an eye on current threats. The many methods attackers use are given common names, which allows them to be grouped with similar threats, making it easier to monitor entire categories of threats.
The problem with IoCs is that the definitions tend to remain stagnant. Something that was considered malicious four years ago may not continue to be seen as malicious today. That means information can easily become outdated. The shift to TTPs allows security professionals to look at a combination of features to improve the usefulness of the information.
“Trying to get initial access, for example, into a system could be done by having a specific exploit for a specific application,” Rocky says. “However, rather than chasing that specific application or that specific exploit or monitoring a hash, we can see the pattern here which is trying to find a way into a public-facing application.”
As valuable as IoCs are, though, they are one-dimensional in nature. The information needs to be supplemented with other artifacts to ensure analysts have the most useful picture possible. Analytics can enrich the information being collected so that the security operations center has the best information available.
Integrating analytics with MITRE
If a new account is created on your network, you may want your security team to be immediately aware of it. But not every new account is an indication of a threat. Through advanced analytics, Exabeam combines the usefulness of a database with the advanced information that data science brings.
“We take in all the account creation events,” Rocky says. “We analyze them based on our machine learning and our models, and we alert you only on the anomalous behavior. By doing so we eliminate alert fatigue.”
When an event does take place, security analysts can see not only the alert, but also what happened before, during, and after.
Exabeam has taken it a step further, creating the mapping that can tag specific risk reasons within any timeline. You won’t have to waste time reading between the lines. With the information tied to the MITRE database you’ll know the risk category associated with each event.
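As an added illustration of the approach Rocky describes (baseline the account-creation events, alert only on the anomalous ones, and tag the alert with its ATT&CK category), here is a small Python sketch. It is not Exabeam's code; the sample events, the scoring weights, and the Persistence / Create Account (T1136) mapping are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample account-creation events (not real logs).
HISTORY = [  # baseline period: what "normal" looked like
    {"ts": "2019-09-02T09:15:00", "actor": "hr_admin", "host": "dc01", "new_account": "jdoe"},
    {"ts": "2019-09-03T10:02:00", "actor": "hr_admin", "host": "dc01", "new_account": "asmith"},
    {"ts": "2019-09-04T11:40:00", "actor": "hr_admin", "host": "dc01", "new_account": "bwong"},
]
NEW_EVENTS = [  # events to triage against that baseline
    {"ts": "2019-09-05T10:00:00", "actor": "hr_admin", "host": "dc01", "new_account": "ckim"},
    {"ts": "2019-09-05T02:30:00", "actor": "svc_backup", "host": "fs02", "new_account": "tmp_adm"},
]
# ATT&CK mapping assumed for this event type (Persistence / Create Account, T1136).
ATTACK_TAG = {"tactic": "Persistence", "technique": "T1136 Create Account"}

def build_baseline(history):
    """Learn which actors create accounts, and on which hosts, from past events."""
    baseline = {"actors": set(), "hosts_by_actor": defaultdict(set)}
    for e in history:
        baseline["actors"].add(e["actor"])
        baseline["hosts_by_actor"][e["actor"]].add(e["host"])
    return baseline

def score_event(event, baseline):
    """Return (risk points, risk reasons) for one event relative to the baseline."""
    reasons = []
    actor, host = event["actor"], event["host"]
    hour = datetime.fromisoformat(event["ts"]).hour
    if actor not in baseline["actors"]:
        reasons.append("first account creation ever seen from this actor")
    if host not in baseline["hosts_by_actor"].get(actor, set()):
        reasons.append("actor has never created an account on this host")
    if hour < 6 or hour >= 20:
        reasons.append("account created outside normal working hours")
    return 10 * len(reasons), reasons

def triage(history, new_events, alert_threshold=20):
    """Score each new event in time order; alert and tag with ATT&CK only above the threshold."""
    baseline = build_baseline(history)
    timeline = []
    for e in sorted(new_events, key=lambda x: x["ts"]):
        points, reasons = score_event(e, baseline)
        timeline.append({**e, "risk": points, "reasons": reasons,
                         "attack": ATTACK_TAG if points >= alert_threshold else None,
                         "alert": points >= alert_threshold})
    return timeline
```

Running `triage(HISTORY, NEW_EVENTS)` keeps the routine `hr_admin` creation silent and surfaces only the off-hours `svc_backup` creation on an unfamiliar host, with the risk reasons and the ATT&CK tag attached to that timeline entry.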
The future of MITRE analytics
With the first phase of Exabeam’s MITRE framework integration in progress, the team will continue to integrate more of MITRE’s information into the platform. Future enhancements include giving users information, detection tools, and advanced threat-hunting capabilities. These features will allow users to gauge how they are doing when it comes to protecting their organizations.
To see the Exabeam product demo by Abel Morales please view the full video.