Excerpts from: Using the ATT&CK™ Framework to Mature Your Threat Hunting Program

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Every threat hunt starts with intelligence. As one of the industry’s most comprehensive knowledge bases for adversary behavior, ATT&CK provides a structure for hunters to build their hypotheses and search for threats.  Recently Carbon Black, Red Canary and MITRE teamed up for the webinar, Using the ATT&CK Framework to Mature Your Threat Hunting Program. Below is an excerpt of the Q&A section.

Speakers for the webinar included:

Rick McElroy, Security Strategist at Carbon Black. Carbon Black is a leading provider of next-generation endpoint security. Carbon Black solutions enable customers to defend against the most advanced cyber threats, including malware, ransomware, and non-malware attacks.  Deployed via the cloud, on premise, or as a managed service, customers use Carbon Black solutions to lock down critical systems, hunt threats, and replace legacy antivirus.

John Wunder, Principal Cybersecurity Engineer at MITRE.  MITRE is a not-for-profit organization that operates research and development centers sponsored by the federal government.  MITRE is dedicated to solving problems for a safer world. They work in the public interest to discover new possibilities, create unexpected opportunities, and lead by pioneering together for the public good to bring innovative ideas into existence.

Phil Hagen, Sr. SANS instructor and DFIR Strategist at Red Canary.  Red Canary’s goal is to improve security for organizations of all sizes.  They defend hundreds of customers around the world, ranging from global Fortune 100s to 100-endpoint organizations. Their goal is to level the playing field by empowering every defender to win against rapidly evolving adversaries.

Question: ATT&CK has been a popular topic of discussion in the community. Why do you think it’s been gaining so much traction?

John: I think a few things have gone into making ATT&CK the success that it’s been. First, ATT&CK takes threat-informed defense and makes it a reality. It provides focus and grounding to our mission of defending against adversaries by taking real-world observations of what those adversaries are doing when they attack us and organizing that into an understandable knowledgebase.  Second, ATT&CK isn’t just valuable to your red team, or to your hunt team, or to your threat intel team; it’s a common lexicon that lets us all work together. Lastly, MITRE’s unique vantage point as a non-profit spanning industry and government allows us to collect all of this great knowledge from the community and provide ATT&CK freely and openly to everyone.

Question: How does ATT&CK fit in with traditional models and approaches? What are some examples of how threat hunting practices have evolved to incorporate ATT&CK?

Rick: The speed to market in the vendor space has been amazing—seeing how fast ATT&CK has been built into not only the platforms defenders have, but also automated testing for them along the way. This should have a major impact on how security products are tested and evaluated. Teams are now tuning their defenses faster and automating the testing upfront. That moves the needle in a big way.

Q: How does ATT&CK help speed up the hunt cycle? What are some of the other benefits to using it in threat hunting?

John: One of the biggest problems in security today is that we don’t know what to focus on. We’re inundated with piles of threat reports and even tweets describing how we can be attacked, and somehow we’re expected to defend against all these different things. ATT&CK provides a foundation that brings some order to the chaos. You can use it to plan out what you want to hunt for and then dig into the details, references, and just use Google to understand how different folks are looking for those techniques. And when you see that new blog post that’s going to keep you up at night, you can tie it back to ATT&CK to understand what’s actually new and what you might already have covered.

Rick: ATT&CK helps educate new team members faster. Teams are automating the detections and tuning faster. You are able to focus on the true threats and risks and ensure you have that visibility nailed.

Q: What are some of the top adversary tactics and techniques to begin hunting for?

John: Of course we’re all going to caveat this with every organization being different, and what makes sense to me might be wrong for you. But, in my opinion, some of the best things to look for off the bat are credential dumping and PowerShell. Getting access to credentials is critical to any adversary and there are some decent approaches for finding usages of tools like Mimikatz. On the execution side, PowerShell is such a powerful tool for attackers that it just makes sense to look for those instances where it just looks off. Obviously, for both of those you need to have good endpoint sensing, so have a plan for that if you don’t already!

Rick: As John mentioned, it’s hard to come up with a blanket statement on where to start because it really depends on your threats and your environment. But if I had to choose something, I’d say you should pay attention to the fileless attacks first. Attackers are increasingly using “living off the land” tactics and techniques. Understanding how to detect them is crucial.

Q: How does using ATT&CK differ from other sources of threat hunting intelligence?

John: One great usage of ATT&CK is to learn. When I started working in this arena, like everyone, I didn’t know about these things and I’ve had to pick them up. The writeups on the ATT&CK pages are a great start because they describe what the functionality is and, more importantly, how it’s used against us. Then you can follow the links to see how it’s been used in the real world. And, once you have that foundation of knowledge, it can help give context to all these other great sources of threat intelligence and hunting techniques. You can use it to organize your thinking and connect the dots between hunting approaches and adversary techniques.

Rick: It provides a way to communicate attacker behavior that goes beyond an IOC. This drives behavioral-based detection, which in and of itself does make it a bit different. I think it helps get to an answer faster when something strange is seen. Hunters and defenders can quickly pivot to ATT&CK and focus solely on the techniques seen for the cycle of the attack.

Q: What should attendees familiarize themselves with prior to the threat hunting webinar so they can immediately begin implementing what they learn?

John: Well, an obvious one is that you should poke around the ATT&CK site! If you want to get your hands dirty and you’re not already familiar with it, I’d also start to play around with a SIEM platform like the Elastic Stack (ELK) or Splunk (pick your favorite) and get a test VM to start collecting logs into it. Nothing is better than hands-on experience.

Rick: Spend some time getting lost in the ATT&CK framework for a bit. Come with questions! Map some of the things you have already seen to it. Start to think about how your program might change as a result.

If you want to learn more, register for part two of the webinar.

Save Your Seat

The post Excerpts from: Using the ATT&CK™ Framework to Mature Your Threat Hunting Program appeared first on Carbon Black.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?