Oct 29 2021

CVE + MITRE ATT&CK® to Understand Vulnerability Impact

Category: Attack Matrix, Information Security | DISC @ 8:56 am

Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together. Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.

To bridge vulnerability management and threat management, the Center for Threat-Informed Defense, with support from participants including AttackIQ and JP Morgan Chase, developed a methodology to use the adversary behaviors described in MITRE ATT&CK® to characterize the impact of vulnerabilities from CVE®. Vulnerability reporters and researchers can use the methodology to describe the impact of vulnerabilities more clearly and consistently. When used in a vulnerability report, ATT&CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls.

This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT&CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment. We have applied the methodology and mapped several hundred CVEs to ATT&CK to validate the model and demonstrate its value. To fully realize our goal, we need community support to apply the methodology at scale.

Mapping CVE-2018-17900

Mitre Att&ck Framework: Everything you need to know by Peter Buttler

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: MITRE ATT&CK


Oct 25 2021

Released: MITRE ATT&CK v10

Category: Attack Matrix | DISC @ 7:14 am

MITRE Corporation has released the tenth version of ATT&CK, its globally accessible (and free!) knowledge base of cyber adversary tactics and techniques based on real-world observations.

Version ten comes with new Data Source objects, new and changed techniques in its various matrices, key changes to facilitate hunting in ICS environments, and more.

MITRE ATT&CK v10

The most prominent change in this newest version of the framework is new objects with aggregated information about data sources.

“The data source object features the name of the data source as well as key details and metadata, including an ID, a definition, where it can be collected (collection layer), what platform(s) it can be found on, and the data components highlighting relevant values/properties that comprise the data source,” MITRE ATT&CK Content Lead Amy L. Robertson and cybersecurity engineers Alexia Crumpton and Chris Ante explained.

“These data sources are available for all platforms of Enterprise ATT&CK, including our newest additions that cover OSINT-related data sources mapped to PRE platform techniques.”

Changes in ATT&CK for ICS and the Mobile matrices are focused on providing all the features currently provided in the Enterprise matrices.

“v10 also includes cross-domain mappings of Enterprise techniques to software that were previously only represented in the ICS Matrix, including Stuxnet, Industroyer, and several others. The fact that adversaries don’t respect theoretical boundaries is something we’ve consistently emphasized, and we think it’s crucial to feature Enterprise-centric mappings for more comprehensive coverage of all the behaviors exhibited by the software,” they added.

The complete release notes for MITRE ATT&CK v10 can be found here.
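The quoted description of the v10 data source object (ID, definition, collection layer, platforms, data components) suggests a practical use for defenders: checking which techniques your telemetry can actually observe. The example below is added here and is not MITRE's code or data; the data source records, component lists and technique-to-component links are constructed samples that follow the field layout quoted above, not an export of the real knowledge base.

```python
"""Map ATT&CK techniques to v10-style data source objects to see which techniques
the telemetry an organization collects can observe. All records are constructed."""

# Constructed data source objects using the fields named in the post.
DATA_SOURCES = {
    "Process": {
        "id": "DS-PROC (constructed)",
        "definition": "Instances of programs being run and their attributes",
        "collection_layer": "host",
        "platforms": ["Windows", "Linux", "macOS"],
        "components": ["Process Creation", "Process Access"],
    },
    "Logon Session": {
        "id": "DS-LOGON (constructed)",
        "definition": "Sessions created when a user or service authenticates",
        "collection_layer": "host",
        "platforms": ["Windows", "Linux"],
        "components": ["Logon Session Creation", "Logon Session Metadata"],
    },
    "Network Traffic": {
        "id": "DS-NET (constructed)",
        "definition": "Data transmitted over the network",
        "collection_layer": "network",
        "platforms": ["Windows", "Linux", "macOS", "Network"],
        "components": ["Network Traffic Flow", "Network Connection Creation"],
    },
}

# Technique -> data components that can observe it, in the "Data Source: Component"
# form ATT&CK uses. Technique IDs are the ones quoted elsewhere on this page; the
# component lists are constructed for the example.
TECHNIQUES = {
    "T1075 Pass the Hash": ["Logon Session: Logon Session Creation",
                            "Network Traffic: Network Traffic Flow"],
    "T1097 Pass the Ticket": ["Logon Session: Logon Session Creation",
                              "Logon Session: Logon Session Metadata"],
}


def collectable_components(data_sources, collected_layers, platform):
    """Components an organization can gather given the layers it collects on a platform."""
    out = set()
    for name, ds in data_sources.items():
        if ds["collection_layer"] in collected_layers and platform in ds["platforms"]:
            out.update(f"{name}: {c}" for c in ds["components"])
    return out


def visibility(techniques, data_sources, collected_layers, platform):
    """Per technique: 'full' if every listed component is collected, 'partial', or 'none'."""
    have = collectable_components(data_sources, collected_layers, platform)
    result = {}
    for tech, needed in techniques.items():
        hit = [c for c in needed if c in have]
        status = "full" if len(hit) == len(needed) else ("partial" if hit else "none")
        result[tech] = {"have": hit, "missing": [c for c in needed if c not in have],
                        "status": status}
    return result
```

Running `visibility(TECHNIQUES, DATA_SOURCES, {"host"}, "Windows")` shows that host-only collection leaves Pass the Hash only partially observable; adding the network layer makes both techniques fully observable.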

Tags: cyber attack, MITRE ATT&CK, MITRE ATT&CK v10


Jun 23 2021

New tool allows organizations to customize their ATT&CK database

Category: Attack Matrix | DISC @ 2:53 pm

MITRE Engenuity has released ATT&CK Workbench, an open source tool that allows organizations to customize their local instance of the MITRE ATT&CK database of cyber adversary behavior.


The tool allows users to add notes, and create new or extend existing objects – matrices, techniques, tactics, mitigations, groups, and software – with new content. It also allows them to share these insights with other organizations.

Tags: ATT&CK database, ATT&CK Workbench


Apr 29 2021

ATT&CK® for Containers now available!

Category: Attack Matrix | DISC @ 10:26 am

We’re excited to announce the official release of ATT&CK for Containers! This release marks the culmination of a Center for Threat-Informed Defense (Center) research project sponsored by Citigroup, JPMorgan Chase, and Microsoft that investigated the viability of adding container-related techniques into ATT&CK. This investigation led to developing a draft of an ATT&CK for Containers matrix, which we contributed to ATT&CK. Our contribution was accepted and is now live in ATT&CK version 9.0! We want to give a special thank you to the community for all of your feedback and help in developing this content. Creating ATT&CK for Containers has been a fun journey for us, with a lot of new faces and names along the way. You’ll notice a lot of new contributors in ATT&CK with this release, which is in part a testament to how many folks helped us scope and create this new platform in ATT&CK!

For more on: Why did container-related techniques get added to ATT&CK?


Apr 09 2021

How do I select an attack detection solution for my business?

Category: Attack Matrix, Cyber Attack, DNS Attacks, MitM Attack | DISC @ 8:33 am

When selecting an attack detection solution, no single product will provide the detection needed to defend against the current advanced threat landscape. Defending holistically against threat actors requires technology, expertise, and intelligence.

The technology should be a platform of integrated technologies providing detection at each point of entry that a threat actor may use such as email, endpoint, network, and public cloud. These should not be disparate technologies that don’t work together to holistically defend the organization.

We must use technologies that can scale against threat actors with very large resources. The technology should also be driven by intelligence cultivated from the front lines, where incident responders have an unmatched advantage. It is also important to remember that post-exploitation, threat actors masquerade as your own employees, making it difficult to distinguish legitimate from illegitimate activity on the network or your endpoints.

This is where intelligence and expertise are extremely valuable in determining when a threat actor is operating within the organization. Being able to identify the threat actor’s “calling card” and potential next moves is paramount. While many solutions will claim they defend against advanced threats, it is important to understand the experience a vendor has and how that is incorporated into their product offering.

How do I select an attack detection solution for my business?

Tags: attack detection solution


Mar 31 2021

Translating TTPs into Actionable Countermeasures | All-Around Defenders

Category: Attack Matrix | DISC @ 11:02 am

Ismael Valenzuela (McAfee/SANS) and Vicente Diaz (Threat Intel Strategist at Virustotal)

SANS Institute’s #SEC530 course, co-authored by Ismael Valenzuela (@aboutsecurity), provides students access to VTIntelligence to help them make TTPs actionable.

MITRE Enterprise ATT&CK Framework

Comparing Layers in ATT&CK Navigator – MITRE ATT&CK®

Tags: MITRE Enterprise ATT&CK, TTPs into Actionable Countermeasures


Mar 23 2021

MITRE ATT&CK® Framework

Category: Attack Matrix | DISC @ 10:56 am

What Is MITRE ATT&CK and How Is It Useful? | From Anomali

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.


Mar 22 2021

The MITRE Att&CK Framework

Category: Attack Matrix, Information Security | DISC @ 3:55 pm

A recent article from Gartner states that “Audit Chiefs Identify IT Governance as Top Risk for 2021.” I agree that IT governance is important, but I question how much the IT governance board understands about day-to-day tactical risks such as the current threats and vulnerabilities against a company’s attack surface. How is tactical risk data being reported up to the board? Does the board understand the current state of threats and vulnerabilities, or is this critical information being filtered on the way up?

If the concept of a hierarchy of needs were extended to cyber security, it may help business owners and risk management teams assess how to implement a risk management approach for the business.

There are three key questions to ask:

  1. How confident are you in your organization’s ability to inventory and monitor IT assets?
  2. How confident are you in your organization’s ability to “detect unauthorized activity”?
  3. How confident are you in your organization’s ability to identify and respond to true positive incidents within a reasonable time?

(Image: cyber security hierarchy-of-needs diagram. Source: medium)

Layers 1-2 – Inventory and Telemetry – The first two layers are related to asset inventory which is part of the CIS Controls 1-2. How can you defend the vulnerable Windows 2003 server that is still connected to your network at a remote site?

Layers 3-4 – Detection and Triage – These layers are related to a SOC/SIEM/SOAR program which will allow the cyber security team to begin to detect threats through logging and monitoring.

Layers 5-10 – Threats, Behaviors, Hunt, Track, Act – The final layers are threat hunting, tracking and incident response and this is where the MITRE framework is very helpful to identify threats, understand the data sources, build use cases and prepare the incident response playbooks based on real world threat intelligence.

To learn more about the MITRE Att&CK Framework, see the source: The MITRE Att&CK Framework

Tags: MITRE Att&CK Framework


Mar 11 2021

Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

Category: Attack Matrix, NIST CSF | DISC @ 11:13 pm

MITRE ATT&CK matrices

MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario (“threat actor uses a method to attack an asset resulting in a loss”).

Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.

MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.

Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.

Tags: MITRE ATT&CK


Feb 02 2021

Attempted Attack Matrix

Category: Attack Matrix | DISC @ 3:42 pm

Use ATT&CK to map defenses and understand gaps

The natural inclination of most security teams when looking at MITRE ATT&CK is to try to develop some kind of detection or prevention control for each technique in the enterprise matrix. While this isn’t a terrible idea, the nuances of ATT&CK make this approach a bit dangerous if certain caveats aren’t kept in mind. Techniques in the ATT&CK matrices can often be performed in a variety of ways, so blocking or detecting a single way to perform them doesn’t necessarily mean that there is coverage for every possible way to perform that technique. This can lead to a false sense of security: because a tool blocks one form of employing a technique, the technique is assumed to be properly covered for the organization. Yet attackers can still successfully employ other ways to perform that technique without any detection or prevention in place.

The way to address this is the following:

  • Always assume there is more than one way to perform an ATT&CK technique
  • Research and test known ways to perform specific techniques and measure the effectiveness of the tools and visibility in place
  • Carefully log the results of the tests to show where gaps exist for that technique and which ways of employing that technique can be prevented or detected
  • Note which tools prove to be effective at specific detections and note gaps where there is no coverage at all
  • Keep up with new ways to perform techniques and make sure to test them against the environment to measure coverage

For example, if antivirus detects the presence of Mimikatz, that doesn’t mean that Pass the Hash (T1075) and Pass the Ticket (T1097) are covered as there are still several other ways to perform these techniques that don’t involve the use of Mimikatz. Keep this in mind if trying to use ATT&CK to show defensive coverage in an organization.

Source: Use ATT&CK to map defenses and understand gaps
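The caveat above (a technique is covered only when every known way of performing it is prevented or detected) is easy to lose in a spreadsheet. The example below is added here and is not code from the source article; it models the Mimikatz case from the text with constructed procedure lists and a constructed test log, and contrasts the naive "any procedure stopped" view with a per-procedure gap report. Technique IDs are the ones quoted in the text; the procedure names and tool results are assumptions.

```python
"""Coverage gap model: a technique counts as covered only when every known
procedure for it is prevented or detected. Sample data is constructed."""
from collections import defaultdict

# Known ways (procedures) to perform each technique. IDs are those quoted on the
# page; the procedure lists are constructed and deliberately generic.
TECHNIQUE_PROCEDURES = {
    "T1075 Pass the Hash": ["Mimikatz", "Alternative tool", "Custom implementation"],
    "T1097 Pass the Ticket": ["Mimikatz", "Alternative tool"],
}

# Constructed lab results: (tool, technique, procedure, outcome).
TEST_LOG = [
    ("Antivirus", "T1075 Pass the Hash", "Mimikatz", "prevented"),
    ("Antivirus", "T1075 Pass the Hash", "Alternative tool", "missed"),
    ("EDR", "T1075 Pass the Hash", "Alternative tool", "detected"),
    ("Antivirus", "T1097 Pass the Ticket", "Mimikatz", "prevented"),
    ("EDR", "T1097 Pass the Ticket", "Alternative tool", "missed"),
]

STOPPED = ("prevented", "detected")


def naive_coverage(test_log):
    """The pitfall: mark a technique covered if any one procedure was stopped."""
    seen = {}
    for _, technique, _, outcome in test_log:
        seen[technique] = seen.get(technique, False) or outcome in STOPPED
    return seen


def coverage_report(procedures, test_log):
    """Per technique: which procedures are covered (and by what), gaps, untested."""
    covered = defaultdict(dict)  # technique -> procedure -> ["tool:outcome", ...]
    for tool, technique, procedure, outcome in test_log:
        if outcome in STOPPED:
            covered[technique].setdefault(procedure, []).append(f"{tool}:{outcome}")
    report = {}
    for technique, procs in procedures.items():
        tested = {p for _, t, p, _ in test_log if t == technique}
        done = covered[technique]
        report[technique] = {
            "covered": {p: done[p] for p in procs if p in done},
            "gaps": [p for p in procs if p not in done],
            "untested": [p for p in procs if p not in tested],
            "fully_covered": all(p in done for p in procs),
        }
    return report
```

With the constructed log, `naive_coverage` reports both techniques as covered because antivirus stops Mimikatz, while `coverage_report` shows that neither technique is fully covered and lists the exact procedure that still lacks prevention or detection.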

ATT&CK Enterprise Matrix

The new MITRE ATT&CK™ tool helps security practitioners to build an Attempted Attack Matrix —

  • Identify the most active threat actors targeting an environment
  • Understand techniques most commonly used by threat actors
  • Prioritize each technique based on probability and potential impact 
  • Assess current defenses, understand gaps, and plan improved defenses

To learn more about MITRE Attack Metrics

SANS-Measuring-and-Improving-Cyber-Defense-MITRE-ATTCK-Anomali-Report

Tags: MITRE ATTACK MATRIX

