MITRE ATT&CK is the de facto standard for assessing modern behavioral detection against adversary tactics and techniques. Its power resides not just in providing a common language for attacker behaviors, but also in serving as a historical anthology of what the security community has observed during attacks.
As with any framework, from Lockheed’s Cyber Kill Chain to David Bianco’s Pyramid of Pain, their power is sometimes matched by their misuse and misunderstanding by many organizations. With ATT&CK, the big blunder we continue to see is the unnecessary and unachievable need for FULL MITRE COVERAGE*.
*Not an actual trademark
We’re not immune at Infocyte either, our most recent product update (currently in EARLY ACCESS) has brought MITRE ATT&CK techniques and subtechniques mapping into our Behavioral Analytics Engine. Along the way, we had to make decisions about what techniques we would concentrate on and which to ignore. As most threat hunters have experienced, each “Bluebird” analytic written against a rarely seen technique dilutes the time & resources that could be going toward describing the more common behaviors that are seen in almost every attack, even the advanced ones.
Often, when an organization adopts MITRE ATT&CK as a framework, managers will predictably ask for a metric to grade against. The metric many in the industry have collectively chosen is “coverage” with the following definition:
Coverage = Number of techniques we can detect/mitigate divided by the total number of techniques described by MITRE ATT&CK
I argue that this metric will inevitably result in inefficient and wasteful allocation of resources.
Why FULL MITRE ATT&CK Coverage Isn’t Necessary
There are a couple of main problems with this coverage metric approach:
- ATT&CK techniques vary greatly in how often they are used.
  - Some techniques are rarely used by adversaries.
  - Some may have only been used once, historically, before the threat actors realized it was a poor technique.
  - On the other hand, there are common techniques that are used in almost every breach of a Windows environment (e.g. PowerShell execution or credential dumps). Even if attackers use a novel entry method like SolarWinds SUNBURST (Solarigate) or Hafnium’s Exchange vulnerability, they still end up using these techniques along the way.
- Good detection requires good signal-to-noise ratios. ATT&CK provides no information or guidance on expected noise or quality.
  - Some techniques cannot be distinguished from normal network activity. For example, you may want to monitor for ATT&CK T1548.002 – UAC Bypass. The problem is: legitimate admins do this all the time (high noise), and the handful of really evil variants you could build detection on are overly specific and change often. It can be a futile waste of time and resources to build robust detection coverage on a technique like this.
  - Another example is environment specific: attempting to implement alerting on suspicious PowerShell usage in an Azure DevOps environment where PowerShell is used all the time. Personally, this is not my idea of fun.
- Some techniques are harder to monitor than others.
  - Infocyte and other behavior-based EDRs monitor for new process creation events (Execution tactic) on Windows. On a Windows workstation this is easy (< 1000 new processes a day); on a database server or any Linux box this becomes harder (10k+ new processes per day).
  - Monitoring new processes is also a lot more performant and achievable than hooking a lot of lower-level API calls (T1106), which can happen millions of times per minute. Attempting too much of this is often the reason your antivirus solution significantly slows your systems down.
  - DFIR pros will tell you the hardest thing to determine in an investigation is what was exfiltrated. Collection (TA0009) and Exfiltration (TA0010) tactics have minimal visibility options in most environments; it’s just plain hard to implement practically for most environments.
If you need more evidence that full coverage is unnecessary for effectiveness, just take a look at the tests MITRE themselves use to judge modern behavioral detection solutions. They don’t use a script that runs through every technique; they emulate a few real-world adversaries, like APT29, that have demonstrated use of a cross section of key techniques common to other attackers.
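As an added illustration (not code from the original post or from Infocyte), the following Python scores the same detection set two ways: the naive ratio from the coverage definition above, and a version weighted by how often a technique shows up in intrusions and how cleanly it can be detected in a typical environment. The prevalence and signal figures in the catalog are constructed placeholders, not MITRE or Infocyte data.

```python
"""Naive vs. prevalence-weighted ATT&CK coverage (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    prevalence: float  # fraction of observed intrusions using it (constructed)
    signal: float      # achievable signal-to-noise, 0..1 (constructed)


# Constructed catalog: technique IDs are real ATT&CK IDs, the numbers are not.
CATALOG = [
    Technique("T1059.001", "PowerShell", 0.90, 0.80),
    Technique("T1003", "OS Credential Dumping", 0.75, 0.90),
    Technique("T1548.002", "Bypass User Account Control", 0.30, 0.20),
    Technique("T1106", "Native API", 0.40, 0.10),
    Technique("T1041", "Exfiltration Over C2 Channel", 0.50, 0.15),
    Technique("T1200", "Hardware Additions", 0.01, 0.50),
]


def detection_value(t: Technique) -> float:
    """How much a working detection for t is worth: common AND detectable."""
    return t.prevalence * t.signal


def naive_coverage(detected: set[str], catalog=CATALOG) -> float:
    """The metric the post argues against: detected / total, all equal weight."""
    known = {t.tid for t in catalog}
    return len(detected & known) / len(known)


def weighted_coverage(detected: set[str], catalog=CATALOG) -> float:
    """Share of total detection value that the detected techniques account for."""
    total = sum(detection_value(t) for t in catalog)
    got = sum(detection_value(t) for t in catalog if t.tid in detected)
    return got / total


def rank_by_value(catalog=CATALOG) -> list[Technique]:
    """Where to spend analytic effort first: highest prevalence * signal."""
    return sorted(catalog, key=detection_value, reverse=True)


if __name__ == "__main__":
    common = {"T1059.001", "T1003"}
    rare_or_noisy = {"T1548.002", "T1106", "T1041", "T1200"}
    for label, det in (("common", common), ("rare/noisy", rare_or_noisy)):
        print(f"{label:10} naive={naive_coverage(det):.2f} "
              f"weighted={weighted_coverage(det):.2f}")
```

Two detections of common, detectable techniques score 0.33 on the naive metric but about 0.89 on the weighted one; four detections of rare or noisy techniques score the reverse, 0.67 naive and about 0.11 weighted.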
Behavioral Monitoring for the Rest of Us
Unless you have a 24/7 SOC with a full time threat intel team, you’re really better off not trying to chase coverage of every attacker behavior possible. Instead, concentrate defenses against the most commonly observed ATT&CK techniques that are achievable to monitor. These are the ones that actually matter and the ones that will catch more malicious actors, more often.
Report after report on the latest attacks continues to confirm that monitoring every possible behavior is not necessary to detect attacks. Defense in depth still works: every tactic and technique you have visibility on is a detection opportunity in the attack chain. We are all strapped for resources; I encourage you to stop chasing the highest coverage number and focus on covering the most common techniques. In a future post in this series, I will show you how, if you have visibility on the Top 20 Endpoint Behaviors, there are exceedingly few attacks that could get past your notice. Additionally, I’ll dive into the details of how Infocyte defends against these techniques using our new Behavioral Analytics Engine and our unique historical forensic capabilities.
The post Why you’re going about MITRE ATT&CK coverage all wrong appeared first on Infocyte.
*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at: https://www.infocyte.com/blog/2021/03/26/why-youre-going-about-mitre-attck-coverage-all-wrong/