Apr 09 2021

How do I select an attack detection solution for my business?

Category: Attack Matrix,Cyber Attack,DNS Attacks,MitM AttackDISC @ 8:33 am
How do I select an attack detection solution for my business?

When selecting an attack detection solution, no single product will provide the adequate detection needed that is required to detect and defend against the current advanced threat landscape. The holistic aspect of defending against threat actors requires technology, expertise, and intelligence.

The technology should be a platform of integrated technologies providing detection at each point of entry that a threat actor may use such as email, endpoint, network, and public cloud. These should not be disparate technologies that don’t work together to holistically defend the organization.

We must use technologies that can scale against threat actors that have a very large number of resources. The technology should also be driven by intelligence cultivated from the frontlines where incident responders have an unmatched advantage. It is also important to remember that post-exploitation, threat actors masquerade as your own employee’s making it difficult to know legitimate from non-legitimate activity occurring on the network or your endpoints.

This is where intelligence and expertise is extremely valuable to determine when a threat actor is operating within the organization. Being able to identify the threat actors “calling card” and potential next moves, is paramount. While many solutions will claim they defend against advanced threats, it is important to understand the experience that a vendor has and how that is included into their product offering.

How do I select an attack detection solution for my business?

Tags: attack detection solution

Mar 31 2021

Translating TTPs into Actionable Countermeasures | All-Around Defenders

Category: Attack MatrixDISC @ 11:02 am

Ismael Valenzuela (McAfee/SANS) and Vicente Diaz (Threat Intel Strategist at Virustotal)

SANS Institute‘s #SEC530 course co-authored by Ismael Valenzuela (@aboutsecurity), providing students access to VTIntelligence to help them make TTPs actionable.

MITRE Enterprise ATT&CK Framework

Comparing Layers in ATT&CK Navigator – MITRE ATT&CK®

Tags: MITRE Enterprise ATT&CK, TTPs into Actionable Countermeasures

Mar 23 2021

MITRE ATT&CK® Framework

Category: Attack MatrixDISC @ 10:56 am
What Is MITRE ATT&CK and How Is It Useful? | From Anomali

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

Mar 22 2021

The MITRE Att&CK Framework

Category: Attack Matrix,Information SecurityDISC @ 3:55 pm

A recent article from Gartner states that, “Audit Chiefs Identify IT Governance as Top Risk for 2021.” I agree that IT governance is important but I question how much does the IT governance board understand about the day to day tactical risks such as the current threats and vulnerabilities against a companies attack surface? How are the tactical risks data being reported up to the board? Does the board understand the current state of threats and vulnerabilities or is this critical information being filtered on the way up?

If the concept of hierarchy of needs was extended to cyber security it may help business owners and risk management teams asses how to approach implementing a risk management approach for the business.

There are three key questions to ask:

  1. How confident are you in your organization’s ability to inventory and monitor IT assets? 
  2. How confident are you in your organization’s ability to “detect unauthorized activity”? 
  3. How confident are you in your organization’s ability to identify and respond to true positive incidents within a reasonable time to respond? 
No alt text provided for this image
Source: medium

Layers 1-2 – Inventory and Telemetry – The first two layers are related to asset inventory which is part of the CIS Controls 1-2. How can you defend the vulnerable Windows 2003 server that is still connected to your network at a remote site?

Layers 3-4 – Detection and Triage – These layers are related to a SOC/SIEM/SOAR program which will allow the cyber security team to begin to detect threats through logging and monitoring.

Layers 5-10 – Threats, Behaviors, Hunt, Track, Act – The final layers are threat hunting, tracking and incident response and this is where the MITRE framework is very helpful to identify threats, understand the data sources, build use cases and prepare the incident response playbooks based on real world threat intelligence.

To more about What is the MITRE’s Att&CK Framework? Source: The MITRE Att&CK Framework

Tags: MITRE Att&CK Framework

Mar 11 2021

Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

Category: Attack Matrix,NIST CSFDISC @ 11:13 pm
Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

MITRE ATT&CK matrices

MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario (“threat actor uses a method to attack an asset resulting in a loss”).

Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.

MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.

Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.

Tags: MITRE ATT&CK

Feb 02 2021

Attempted Attack Matrix

Category: Attack MatrixDISC @ 3:42 pm

Use ATT&CK to map defenses and understand gaps

The natural inclination of most security teams when looking at MITRE ATT&CK is to try and develop some kind of detection or prevention control for each technique in the enterprise matrix. While this isn’t a terrible idea, the nuances of ATT&CK make this approach a bit dangerous if certain caveats aren’t kept in mind. Techniques in the ATT&CK matrices can often be performed in a variety of ways. So blocking or detecting a single way to perform them doesn’t necessarily mean that there is coverage for every possible way to perform that technique. This can lead to a false sense of security thinking that because a tool blocks one form of employing a technique that the technique is properly covered for the organization. Yet attackers can still successfully employ other ways to employ that technique without any detection or prevention in place.

The way to address this is the following:

  • Always assume there is more than one way to perform an ATT&CK technique
  • Research and test known ways to perform specific techniques and measure the effectiveness of the tools and visibility in place
  • Carefully log the results of the tests to show where gaps exist for that technique and which ways of employing that technique can be prevented or detected
  • Note which tools prove to be effective at specific detections and note gaps where there is no coverage at all
  • Keep up with new ways to perform techniques and make sure to test them against the environment to measure coverage

For example, if antivirus detects the presence of Mimikatz, that doesn’t mean that Pass the Hash (T1075) and Pass the Ticket (T1097) are covered as there are still several other ways to perform these techniques that don’t involve the use of Mimikatz. Keep this in mind if trying to use ATT&CK to show defensive coverage in an organization.

Source: Use ATT&CK to map defenses and understand gaps

ATT&CK Enterprise Matrix

The new MITRE ATT&CK™ tool helps security practitioners to build an Attempted Attack Matrix —

  • Identify the most active threat actors targeting an environments
  • Understand techniques most commonly used by threat actors
  • Prioritize each technique based on probability and potential impact 
  • Assess current defenses, understand gaps, and plan improved defenses

To know more about MITRE Attack Metrics

SANS-Measuring-and-Improving-Cyber-Defense-MITRE-ATTCK-Anomali-Report

Tags: MITRE ATTACK MATRIX

« Previous Page