infoTECH Feature

June 14, 2021

Mitre ATT&CK and XDR: A Perfect Match?

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a curated knowledge base of adversary tactics and techniques, organized by the goals an attacker pursues across the lifecycle of an intrusion. It is intended not only as a catalogue, but as a tool organizations can use to strengthen their security processes.

Because MITRE ATT&CK describes cyberattacks from the adversary's point of view, it makes it possible for security operations teams to infer the intent behind the specific actions that make up an attack, understand the relationship between those actions, and apply the appropriate level of defense.

MITRE ATT&CK content is drawn primarily from public threat intelligence and incident reports, supplemented by research from security analysts and threat hunters. Security teams can use it to better understand the different ways malicious actors operate, and to detect and stop hostile behavior.

Using the MITRE ATT&CK Framework

The MITRE ATT&CK framework can have several important benefits for security organizations:

  • Red teaming—demonstrates how a breach may impact an organization by acting as an adversary. You can use ATT&CK to create plans for red teaming and to organize operations.
  • Adversary emulation—emulates an adversary to identify how they might operate and assess how security might handle the threat. You can use ATT&CK to create attack scenarios so you can test your defenses.
  • Behavioral analytics—monitors malicious activity by identifying suspicious behavioral patterns. ATT&CK can help simplify the process of organizing patterns of malicious or suspicious activity.
  • SOC maturity model—assesses the effectiveness of the security operations center (SOC). ATT&CK can help identify how well the SOC detects, analyzes and responds to breaches.
  • Defensive gap discovery—similar to SOC maturity assessment, this involves identifying areas with inadequate defenses or poor visibility. You can use ATT&CK to assess your security coverage and the effectiveness of tools already in use, to test new tools before you buy them, and to prioritize investment. One caveat: a single detection rule for one procedure does not amount to coverage of the whole technique, so a coverage matrix should record how much of each technique a rule actually catches rather than a simple yes or no.
  • Threat intelligence enrichment—augments information about malicious actors and cyber threats. You can use ATT&CK to evaluate whether you can defend against a particular Advanced Persistent Threat (APT) group or a common pattern of malicious behavior.

To implement MITRE ATT&CK, organizations typically integrate with security tools or perform manual mapping. The following are cybersecurity tools that are commonly integrated with MITRE ATT&CK data:

  • Security Information and Event Management (SIEM)—collects and aggregates logs from networks, cloud services and endpoints. You can write detection rules that tag matching events with the MITRE ATT&CK technique and tactic they represent, and then adjust your security posture using security tools like EDR and CASB. Because one technique can serve several tactics (Valid Accounts, for example, is listed under Initial Access, Persistence, Privilege Escalation and Defense Evasion), a rule should record the tactic that fits the observed context rather than relying on the technique ID alone.
  • Endpoint security—endpoint detection and response (EDR) technology can map events observed by the agent on the endpoint to known attack patterns. Security teams can use these events to identify an attack, understand which phase the attacker is currently operating in, and plan and execute their response accordingly.
  • Cloud Access Security Broker (CASB)—filters suspicious behavior out of a large volume of cloud event data. Behavioral analysis based on machine learning can flag anomalous activity, and CASB solutions can combine it with inputs from Data Loss Prevention (DLP) systems as well as cloud misconfigurations and vulnerabilities. All of this data can be mapped to MITRE ATT&CK, and the CASB can then adjust security policies to block the malicious behavior.
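The rule-to-ATT&CK mapping and the coverage check described above, as an added example that is not code from the original article or from any SIEM vendor. The tactic and technique IDs are real ATT&CK Enterprise IDs; the rule set, the regexes, the log format and the sample log lines are constructed for illustration and are far simpler than production detection content.

```python
import re
from dataclasses import dataclass

# ATT&CK Enterprise tactics (IDs and names as published by MITRE).
TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development",
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection",
    "TA0011": "Command and Control", "TA0010": "Exfiltration", "TA0040": "Impact",
}


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # ATT&CK technique or sub-technique ID
    tactic: str          # ATT&CK tactic the technique serves in this rule's context
    source: str          # log source the rule applies to
    pattern: re.Pattern


# Hypothetical rule set (constructed for this example). The IDs are real ATT&CK IDs;
# the regexes are deliberately simple and not a substitute for real detection content.
RULES = [
    Rule("Encoded PowerShell command line", "T1059.001", "TA0002", "endpoint",
         re.compile(r"powershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\s", re.I)),
    Rule("Process accessing LSASS memory", "T1003.001", "TA0006", "endpoint",
         re.compile(r"\btarget=lsass\.exe\b", re.I)),
    Rule("Cloud console login without MFA", "T1078.004", "TA0001", "cloud",
         re.compile(r"\bConsoleLogin\b.*\bresult=Success\b.*\bmfa=false\b")),
]


@dataclass(frozen=True)
class Alert:
    ts: str
    source: str
    entity: str          # host or user the event belongs to
    rule: str
    technique: str
    tactic: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split a constructed 'ts source k=v k=v ...' log line into fields."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return {"ts": ts, "source": source, "raw": rest, **fields}


def match_rules(lines, rules=RULES):
    """Run every rule against every line from its source; return ATT&CK-tagged alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for r in rules:
            if r.source == ev["source"] and r.pattern.search(ev["raw"]):
                entity = ev.get("host") or ev.get("user") or "unknown"
                alerts.append(Alert(ev["ts"], ev["source"], entity, r.name, r.technique, r.tactic))
    return alerts


def coverage(rules=RULES):
    """Defensive gap discovery: which tactics have at least one rule, and which have none."""
    covered = {}
    for r in rules:
        covered.setdefault(r.tactic, set()).add(r.technique)
    gaps = [t for t in TACTICS if t not in covered]
    return covered, gaps


# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    '2021-06-14T10:02:11Z endpoint host=ws-17 user=jdoe proc=powershell.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    '2021-06-14T10:02:15Z endpoint host=ws-17 user=jdoe proc=procdump.exe target=lsass.exe',
    '2021-06-14T10:05:40Z cloud ConsoleLogin user=jdoe result=Success mfa=false src=203.0.113.7',
    '2021-06-14T10:06:01Z endpoint host=ws-18 user=asmith proc=notepad.exe cmd="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for a in match_rules(SAMPLE_LOGS):
        print(f"{a.ts} {a.entity:<6} {a.technique:<10} {TACTICS[a.tactic]:<18} {a.rule}")
    covered, gaps = coverage()
    print("Tactics with no detection rule:", ", ".join(TACTICS[t] for t in gaps))
```

The coverage report is what makes the caveat above concrete: three rules cover three of the fourteen tactics, and each covers exactly one procedure of one sub-technique, which is the level of detail a coverage matrix should keep rather than marking a whole tactic as "covered".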

What is XDR?

Extended Detection and Response (XDR) solutions detect and respond to threats across hybrid environments. XDR tools analyze telemetry and manage the response to attacks on networks, endpoints, cloud services and applications. The main advantage of XDR is that it can protect complex mixed environments, whereas earlier detection and response tools cover a single layer of the IT environment, such as endpoint security or network security.

XDR solutions provide a single system for managing any security issue, regardless of its source. They can also simplify detection and remediation for security teams by merging multiple alerts from different detection technologies into one coherent attack story.

Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) software work the same way as XDR, but each is limited to its own layer. For example, many NDR solutions can analyze traffic on the local network, but cannot detect or respond to activity on cloud workloads or remote endpoints. XDR extends detection and response across all of these environments and provides visibility through a single, unified interface.

Mitre ATT&CK and XDR: Mapping TTPs to Live Security Events

According to Gartner, one of the biggest problems with XDR platforms is that they do not draw on sufficiently diverse threat intelligence sources. Integrating XDR with MITRE ATT&CK data can help resolve this problem, providing several benefits:

  • MITRE ATT&CK gives XDR solutions a knowledge base that describes the paths, procedures and targets of potential attackers. An XDR solution can use it to recognize which attack campaigns are being waged against your organization, rank them, and map specific security events to each campaign.
  • XDR can use MITRE ATT&CK data to prioritize the next response steps for an attack campaign, such as flagging critical incidents and providing the forensic data needed to investigate them.
  • XDR can help tie new security events to prior, known attack campaigns. If a new event is related to a known campaign, security teams can understand the context of the threat and respond to it much faster.
  • MITRE ATT&CK can help XDR solutions improve data quality. XDR can sort and filter data using ATT&CK tactics and techniques as the criteria, quickly identify relevant incidents, and help operationalize the response.
  • XDR can use MITRE ATT&CK patterns to discover root causes and reduce attacker dwell time. When an attack is discovered that matches a MITRE ATT&CK technique, XDR goes beyond attack analysis and validation to provide specific prevention and remediation actions across all vectors: endpoints, networks and clouds.

Putting the MITRE ATT&CK framework into the hands of an incident response team provides a clear, standardized, reliable methodology for identifying hostile behavior. When it is combined with XDR, MITRE ATT&CK can be integrated into automated SOC workflows, helping the XDR solution determine what constitutes an attack and how to mitigate specific attacker tactics and techniques.

XDR also facilitates the direct mapping and correlation of ATT&CK tactics, techniques and procedures (TTPs) with live security events, to improve situational awareness. XDR provides visualizations that reduce the burden on analysts to identify patterns and evaluate recommended preventive measures.
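The cross-layer correlation described in this section and under "What is XDR?" (merging endpoint, network and cloud alerts into one attack story, attaching new events to a known campaign, and ranking stories for the analyst), as an added example that is not code from the original article or from any XDR product. The tactic and technique IDs are real ATT&CK Enterprise IDs; the alerts, the entity labels, the union-find grouping and the priority formula are constructed for illustration, and the scoring is one simple choice among many, not a standard.

```python
from collections import defaultdict
from dataclasses import dataclass

# ATT&CK Enterprise tactics in kill-chain order (IDs and names as published by MITRE).
TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development", "TA0001": "Initial Access",
    "TA0002": "Execution", "TA0003": "Persistence", "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion", "TA0006": "Credential Access", "TA0007": "Discovery",
    "TA0008": "Lateral Movement", "TA0009": "Collection", "TA0011": "Command and Control",
    "TA0010": "Exfiltration", "TA0040": "Impact",
}
TACTIC_ORDER = list(TACTICS)


@dataclass(frozen=True)
class Alert:
    ts: str
    layer: str             # detection layer that raised it: endpoint, network or cloud
    name: str
    technique: str         # ATT&CK technique or sub-technique ID
    tactic: str            # ATT&CK tactic the technique served in this context
    entities: frozenset    # "host:..." / "user:..." labels the alert is about


@dataclass
class Incident:
    alerts: list

    @property
    def entities(self):
        return set().union(*(a.entities for a in self.alerts))

    @property
    def layers(self):
        return sorted({a.layer for a in self.alerts})

    @property
    def tactics(self):
        return sorted({a.tactic for a in self.alerts}, key=TACTIC_ORDER.index)

    def priority(self):
        # Example scoring only: how far along the kill chain the activity has got,
        # times how many distinct tactics were seen, times how many layers it spans.
        depth = TACTIC_ORDER.index(self.tactics[-1]) + 1
        return depth * len(self.tactics) * len(self.layers)

    def story(self):
        head = (f"Incident over {', '.join(sorted(self.entities))} "
                f"[{'/'.join(self.layers)}] priority={self.priority()}")
        body = [f"  {a.ts} {a.layer:<8} {TACTICS[a.tactic]:<18} {a.technique:<10} {a.name}"
                for a in self.alerts]
        return "\n".join([head, *body])


def correlate(alerts):
    """Merge alerts that share an entity, directly or transitively, into one incident each.

    A plain union-find over alert indices: two alerts are joined when they name the
    same host or user, so a new alert attaches to an existing story automatically."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, a in enumerate(alerts):
        for entity in a.entities:
            if entity in first_seen:
                parent[find(i)] = find(first_seen[entity])
            else:
                first_seen[entity] = i

    groups = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    return [Incident(sorted(g, key=lambda a: a.ts)) for g in groups.values()]


def prioritize(incidents):
    """Highest-priority attack story first."""
    return sorted(incidents, key=Incident.priority, reverse=True)


# Constructed ATT&CK-tagged alerts from three layers (not real telemetry).
SAMPLE_ALERTS = [
    Alert("2021-06-14T10:05:40Z", "cloud", "Console login without MFA", "T1078.004", "TA0001", frozenset({"user:jdoe"})),
    Alert("2021-06-14T10:12:11Z", "endpoint", "Encoded PowerShell", "T1059.001", "TA0002", frozenset({"host:ws-17", "user:jdoe"})),
    Alert("2021-06-14T10:12:15Z", "endpoint", "LSASS memory read", "T1003.001", "TA0006", frozenset({"host:ws-17", "user:jdoe"})),
    Alert("2021-06-14T10:14:02Z", "network", "Periodic HTTPS beacon", "T1071.001", "TA0011", frozenset({"host:ws-17"})),
    Alert("2021-06-14T10:20:30Z", "endpoint", "Macro-enabled document opened", "T1204.002", "TA0002", frozenset({"host:ws-18", "user:asmith"})),
    Alert("2021-06-14T10:31:47Z", "network", "RDP from workstation to server", "T1021.001", "TA0008", frozenset({"host:ws-17", "host:srv-db-01"})),
    Alert("2021-06-14T10:58:09Z", "endpoint", "Mass file encryption", "T1486", "TA0040", frozenset({"host:srv-db-01"})),
]

if __name__ == "__main__":
    for inc in prioritize(correlate(SAMPLE_ALERTS)):
        print(inc.story(), end="\n\n")
```

Run stand-alone, this prints two stories: six alerts about jdoe, ws-17 and srv-db-01 become one incident spanning cloud, endpoint and network and reaching the Impact tactic, while the unrelated macro alert on ws-18 stays a low-priority single-alert incident. The RDP alert is what links the workstation to the database server, which is the kind of cross-layer join an analyst working three separate consoles would have to make by hand.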

I hope this will be of help as you implement more advanced threat intelligence, detection and response solutions in your organization.
