Using MITRE ATT&CK®-based analytics for threat detection: 5 principles

November 11, 2020 by Howard Poston

MITRE ATT&CK-based threat detection vs. conventional methods

A number of traditional methods for threat detection exist; however, cyber threat actors have developed methods for evading these, such as:

  • Tool Testing: Before using malware or other tools in an attack, threat actors test them against known detection systems.  This ensures that, at least in initial campaigns, the attack will not be detected.
  • Living off the Land: Threat actors will take advantage of functionality built into the target system to perform their attacks.  This reduces the need to use (potentially detectable) custom malware.
  • Encryption Use: Use of encryption for network traffic is growing for both legitimate and malicious use cases.  This makes network-based detection of malware based upon signatures and other indicators of compromise (IoCs) difficult or impossible.

MITRE ATT&CK® takes a different approach to threat detection.  Instead of attempting to detect the specific tools used by cyber threat actors, the MITRE ATT&CK framework describes the behaviors and goals of attackers during a cybersecurity incident.

Benefits of using MITRE ATT&CK for threat detection

A threat detection approach based upon behavioral analytics provides a number of different benefits, such as:

  • Costlier Avoidance: It is relatively cheap and easy for an attacker to change malware or infrastructure to evade detection based upon a malware signature or other IoC.  The techniques and capabilities used to perform attacks, on the other hand, are costlier to develop and more difficult to change.
  • Wider Applicability: A signature or IoC applies to a specific piece of infrastructure used by one threat actor during a particular campaign.  A particular behavior or technique may be common across multiple campaigns or threat actors, enabling detection of a greater range of threats.
  • Increased Understanding: Detecting malware based on a signature tells the defender that the attacker used a particular malware variant but not what it is or does.  Detection based upon behavioral analytics provides insight into what the attacker did, how they did it, and how to remediate the attack and prevent it from occurring again in the future.

5 principles of MITRE’s threat-based approach

MITRE ATT&CK takes an approach to threat detection based upon working in as realistic an environment as possible.  This approach is based upon five core principles.

Principle 1: Include Post-Compromise Detection

No cybersecurity defense is perfect.  A sufficiently skilled and motivated adversary will be able to gain access to any organization’s network and systems given sufficient time and resources.

As a result, relying on a prevention-based approach to security leaves an organization vulnerable.  While prevention is essential, it is also better to assume that an organization has been compromised and have procedures and solutions in place to detect and remediate the intrusion.

Principle 2: Focus on Behavior

Malware signatures and IoCs are transient detection tools.  For example, attempting to detect a malware variant based upon the IP address of its command and control infrastructure is a weak defense in the age of cloud computing.  Similarly, malware can be easily tweaked and recompiled to evade signature-based detection.

A cyber threat actor’s capabilities are what make it capable of posing a threat to an organization, and these capabilities are difficult to build and to change.  Focusing on behavior makes detection capabilities more resilient and, if successful, could render an adversary incapable of achieving certain objectives in their attacks.

Principle 3: Use a Threat-based Model

The difference between theoretical and realistic cyber threats is significant.  A number of different attack vectors have been discovered in academia that are impractical in the real world.  In contrast, real-world attackers may use techniques that are “boring” or “outdated” from an academic perspective but still effective in the real world.

Cyber defenders are responsible for protecting against the threats that organizations will face rather than the ones that they could face.  For this reason, defensive and detective capabilities should be based upon an understanding of the real-world cyber threat landscape.

Principle 4: Iterate by Design

“Perfect is the enemy of good”, and attempting to build a cybersecurity solution that covers all attack vectors leaves an organization vulnerable while the tool is still in R&D.  Additionally, the cybersecurity threat landscape is constantly evolving, making previously state-of-the-art solutions obsolete or ineffective.

For this reason, an iterative approach to cybersecurity threat detection is best.  As new information is learned about attacker behaviors and new attack vectors are introduced, models, tools, and techniques can be updated to better detect and respond to the latest cyber threats.

Principle 5: Develop and Test in a Realistic Environment

Cybersecurity threat detection solutions can suffer from two types of errors.  False negatives occur when the tool misses real threats, and false positives occur when benign events are mislabeled as attacks.

Developing and testing a tool in an idealized or unrealistic environment results in a solution that can only operate effectively in such an environment.  When deployed under realistic circumstances, such a tool will suffer from high false positive and/or false negative rates.

For this reason, tools and techniques should be developed and tested in an environment that emulates the production environment as realistically as possible (i.e. the production environment is best).  This ensures that the noise of normal network activity does not degrade the tool or technique’s effectiveness and accuracy.
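The contrast drawn in Principle 2 (an IoC match versus a description of what the adversary does) and the false-positive/false-negative scoring of Principle 5 can be put side by side in code. The following is an added example written for this article; it is not code from the original post or from MITRE. The hostnames, hashes, addresses and the two behavioral rules are constructed for illustration, the ATT&CK technique reference (T1059, Command and Scripting Interpreter) is taken from the public matrix rather than from this page, and the ground-truth labels stand in for what an analyst confirmed after the fact.

```python
"""IoC-based vs. behaviour-based detection, scored against constructed telemetry.

Added example for this article, not code from the original post or from MITRE.
Hosts, hashes and addresses are constructed placeholders; the rules are
illustrative analytics, not a product's rule set.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    host: str
    parent: str      # parent process image name
    process: str     # process image name
    dest_ip: str     # outbound connection destination, "" if none
    sha256: str      # placeholder for the image hash
    malicious: bool  # ground-truth label, used only for scoring


# Constructed sample telemetry.  Documentation IP ranges stand in for public
# addresses; the labels record what the analyst later confirmed.
EVENTS: List[Event] = [
    # Campaign 1: custom tool whose hash and C2 address were later shared as IoCs.
    Event("ws01", "explorer.exe", "updater.exe", "203.0.113.10", "hash-campaign1", True),
    # Campaign 2, same actor: recompiled tool, new infrastructure, same behaviour.
    Event("ws02", "explorer.exe", "svchelper.exe", "198.51.100.7", "hash-campaign2", True),
    # Living off the land: a document application spawning a script interpreter.
    Event("ws03", "winword.exe", "powershell.exe", "", "hash-powershell", True),
    # Benign noise that realistic telemetry always contains: an admin script, an
    # OS service, a browser reaching the old C2 address (since reassigned to a
    # legitimate cloud tenant), and an in-house client not yet baselined.
    Event("ws04", "explorer.exe", "powershell.exe", "", "hash-powershell", False),
    Event("ws05", "services.exe", "svchost.exe", "", "hash-svchost", False),
    Event("ws06", "explorer.exe", "chrome.exe", "203.0.113.10", "hash-chrome", False),
    Event("ws07", "explorer.exe", "hrtool.exe", "192.0.2.40", "hash-hrtool", False),
]

# --- IoC analytic: knows only the artefacts of campaign 1 ---------------------
IOC_HASHES = {"hash-campaign1"}
IOC_ADDRESSES = {"203.0.113.10"}

def ioc_detector(e: Event) -> bool:
    return e.sha256 in IOC_HASHES or e.dest_ip in IOC_ADDRESSES

# --- Behavioural analytics in the ATT&CK style: describe what the adversary does
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Site-specific baseline of workstation processes expected to reach the internet.
KNOWN_NETWORK_PROCESSES = frozenset({"chrome.exe", "outlook.exe", "teams.exe", "svchost.exe"})
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in RFC1918)

def office_spawns_interpreter(e: Event) -> bool:
    # A document application launching a script host (ATT&CK Command and
    # Scripting Interpreter, T1059).  Tool-agnostic: no hash or address involved.
    return e.parent in OFFICE_APPS and e.process in SCRIPT_INTERPRETERS

def unbaselined_process_connects_out(e: Event, baseline=KNOWN_NETWORK_PROCESSES) -> bool:
    # Any process outside the baseline talking to an external address; catches
    # the recompiled tool of campaign 2 because the behaviour did not change.
    return bool(e.dest_ip) and is_external(e.dest_ip) and e.process not in baseline

def behaviour_detector(e: Event) -> bool:
    return office_spawns_interpreter(e) or unbaselined_process_connects_out(e)

def tuned_behaviour_detector(e: Event) -> bool:
    # Principle 4 in miniature: after triage of the hrtool.exe alert the
    # baseline is extended and the rule redeployed.
    return office_spawns_interpreter(e) or unbaselined_process_connects_out(
        e, KNOWN_NETWORK_PROCESSES | {"hrtool.exe"})

# --- Scoring: the two error types Principle 5 warns about ---------------------
def evaluate(detector: Callable[[Event], bool], events: List[Event]) -> Dict[str, float]:
    tp = fp = fn = tn = 0
    for e in events:
        hit = detector(e)
        if hit and e.malicious:
            tp += 1
        elif hit:
            fp += 1
        elif e.malicious:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": round(precision, 2), "recall": round(recall, 2)}

if __name__ == "__main__":
    for name, det in [("IoC", ioc_detector), ("behaviour", behaviour_detector),
                      ("behaviour, tuned", tuned_behaviour_detector)]:
        print(f"{name:17} {evaluate(det, EVENTS)}")
```

Run against this constructed set, the IoC analytic catches only the campaign-1 sample, misses the recompiled tool and the living-off-the-land event, and raises a false positive on the browser because the published C2 address was reassigned, which is the point of Principle 2. The behavioral analytics catch all three intrusions but also alert on the un-baselined HR client, the kind of noise a tool developed in an idealized lab never meets (Principle 5); extending the baseline after triage removes that false positive without touching the rule logic (Principle 4).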


Cybersecurity threat detection solutions are only useful if they are effective.  MITRE ATT&CK’s core principles are designed to develop solutions that are accurate and effective at detecting and responding to real-world threats in realistic environments.


Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at