Intelligence, Modelling and Hunting Through an ATT&CKers Lens

Unless you’ve been asleep recently, you’ll probably be aware of MITRE’s ATT&CK framework. It is a game changer for defenders because it maps out the common threats an enterprise will face, aligns them to protective and detective controls, and gives everyone in the enterprise a common language for how attackers might move through an infrastructure. As Cisco’s SOC and IR teams will tell you, ATT&CK lets blue and red teams co-exist and work effectively together, with common goals and KPIs against which to measure your enterprise architecture. However, what happens when it falls short and the threat intelligence and hypotheses don’t exist?

Intelligence analysts will often tell you that understanding the threats you may come into contact with comes down to harnessing the diamond model, which frames a threat in four aspects: adversaries, infrastructure, capability and victims. In reality, however, this intelligence is often weighted towards the first three, and publicly available TI only tells an organisation part of the story. Don’t rely too heavily on DNS telemetry and file hashes, as you’re probably not getting the full picture. The big blind spot is that ATT&CK doesn’t necessarily tell you what is coming next once an attacker has secured access to the enterprise. In particular, even using ATT&CK in a more holistic sense with more sophisticated enterprise monitoring, your security teams may not have sufficient information to understand the business systems where much of an organisation’s value may reside.

Putting all of this together, over the last 12 months or so I have, as a downtime project, been reviewing the anonymised data that we collect as part of CX’s assessment engagements. The aim was to see how and where Cisco could learn lessons and whether my team could use that data to shape Cisco’s understanding. As part of Cisco’s CX team, I have access to some pretty sophisticated tooling for reporting. We routinely ingest various classes of test data, normalise it, and use it to write reproducible reports. It already has the ability to aid in root cause analysis and the definition of get-well plans, but I thought we could do more with it. As part of Def Con 28 Safe Mode, I delivered a session on day 2 of the Red Team Village to share our progress.

In particular, in the session, I discussed our research on:

  • Analysing each of the MITRE ATT&CK matrices
  • Leveraging metrics such as CVSS, CWE, etc.
  • Applying STIX to encode existing data
  • Applying new labels to aid in threat modelling
  • How Cisco are leveraging this analysis on real world scenarios for our customers to help defend against the threat groups they face
  • Aligning threat models to the business with FAIR for qualitative risk
  • Developing telemetry and building SOC and IR playbooks to cope with obscure platforms
  • Identifying tooling gaps where it’s not as simple as just another firewall, IDS or AV product but where a real understanding of the business is necessary
  • Some of the challenges we’ve hit and possible solutions

To aid in making this point, I visited the above topics looking at how they might apply to mid-tier server security. This is an area that is dear to my heart (not many Cisco folks have an IBM AIX and an AS/400 server under the desk) and one that many organisations struggle with.

Whilst sharing my full set of conclusions is a bit beyond the scope of this post, a few samples to whet the appetite:

  • Automated extraction of hypotheses is possible
  • Vulnerability findings can be labelled with meta-data using standardised dictionaries
  • Visual representation of actual threat models and kill chains from penetration tests helps give situation awareness
  • Better analysis and communication of threats with our peers through richer exchange of meta-data will improve the situation further
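As an added example (my own code, not the talk’s material or Cisco’s CX tooling) of the labelling, STIX encoding and hypothesis extraction described above, this script takes constructed findings from a fictional AIX/IBM i assessment, tags them with CWE, CVSS and ATT&CK metadata, emits a STIX 2.1 bundle as plain dicts, and derives one hunt hypothesis per ATT&CK tactic. The finding data, the deterministic uuid5 identifiers and the custom `x_cvss_base_score` property are assumptions made for the demo.

```python
import uuid

STAMP = "2020-08-10T00:00:00.000Z"  # fixed timestamp keeps the bundle reproducible
NS = uuid.NAMESPACE_URL             # uuid5 namespace: deterministic ids for the demo

# Constructed findings from a fictional mid-tier (AIX / IBM i) assessment; each
# carries the labels the text describes: CWE, CVSS base score and ATT&CK technique.
FINDINGS = [
    {"title": "AIX: telnet enabled, logins in cleartext", "cvss": 7.5, "cwe": "CWE-319",
     "attack": ("T1040", "Network Sniffing", "credential-access")},
    {"title": "IBM i: service account with vendor default password", "cvss": 9.8,
     "cwe": "CWE-798", "attack": ("T1078", "Valid Accounts", "initial-access")},
    {"title": "AIX: world-writable cron job owned by root", "cvss": 7.8, "cwe": "CWE-732",
     "attack": ("T1053", "Scheduled Task/Job", "privilege-escalation")},
]

def stix(kind, key, **props):
    """Minimal STIX 2.1 object (plain dict) with the common properties filled in."""
    return {"type": kind, "spec_version": "2.1", "created": STAMP, "modified": STAMP,
            "id": f"{kind}--{uuid.uuid5(NS, kind + '/' + key)}", **props}

def cvss_band(score):
    """Qualitative severity rating bands from the CVSS v3.x specification."""
    return ("critical" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def encode(findings):
    """Return (bundle, hypotheses): STIX objects plus hunt hypotheses keyed by tactic."""
    objects, patterns, hypotheses = [], {}, {}
    for f in findings:
        tid, tname, tactic = f["attack"]
        if tid not in patterns:   # one attack-pattern per technique, shared by findings
            patterns[tid] = stix("attack-pattern", tid, name=tname,
                external_references=[{"source_name": "mitre-attack", "external_id": tid}],
                kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": tactic}])
            objects.append(patterns[tid])
        vuln = stix("vulnerability", f["title"], name=f["title"],
                    labels=[f"cvss-{cvss_band(f['cvss'])}", f["cwe"].lower()],
                    x_cvss_base_score=f["cvss"],  # custom x_ property: STIX has no CVSS field
                    external_references=[{"source_name": "cwe", "external_id": f["cwe"]}])
        # attack-pattern --targets--> vulnerability is a relationship STIX 2.1 defines
        rel = stix("relationship", f"{tid}->{vuln['id']}", relationship_type="targets",
                   source_ref=patterns[tid]["id"], target_ref=vuln["id"])
        objects += [vuln, rel]
        hypotheses.setdefault(tactic, []).append(
            f"Hunt for {tname} ({tid}); the assessment showed it is viable via: {f['title']}")
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid5(NS, 'bundle')}", "objects": objects}
    return bundle, hypotheses
```

Feeding the bundle to `json.dumps` gives a document that any STIX 2.1 consumer can ingest, and the hypotheses dict is the starting point for SOC playbooks per tactic.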

The slides for the session (All of the threats – Intelligence, modelling, simulation and hunting through an ATT&CKers lens), can be found in the Cisco CX Security Labs on GitHub.

Hopefully, my ideas will give you some food for thought on how to approach and measure the security of your organisation. To read more about Cisco Security solutions and our support for MITRE ATT&CK, visit our Cybersecurity Framework Guidance.