What is ATT&CK MITRE?
ATT&CK MITRE (Adversarial Tactics, Techniques and Common Knowledge) methodology is a collection of knowledge about cybercriminal behaviour models that have been grouped in a matrix of tactics and techniques. This framework is useful for understanding an organisation’s security risks and the methods used by cybercriminals, for planning improvements and for verifying that any defence mechanisms work as anticipated. The MITRE threat knowledge base was created mainly to improve the detection of security threats and therefore to find gaps in an organisation’s defence systems. The organisation’s main idea was to create a guide that would detect advanced APT attacks faster than happens now. The time it takes to detect a targeted attack is measured in months, and the average time to recognise an enemy in an organisation is estimated to be five months. This is a long time for an attacker to thoroughly learn about the company under attack and even to gain illegal possession of sensitive information that could have an impact on the organisation’s future. It should be remembered that even if an organisation has a perfect security patching programme and a compliance programme, the attacker can still succeed using zero-day exploits or social engineering methods.
Tactics, techniques…
Over two hundred ATT&CK MITRE techniques have been divided into twelve groups, the so-called tactics. Breaking down the individual phases of attacks so meticulously gives a broad view of the techniques and capabilities of the attackers that we would like to detect as quickly and as precisely as possible (without the so-called noise associated with false positives). A cyber criminal carries out an advanced attack and hits the red flag that we have set. These flags are mechanisms for the detection and mitigation of threats implemented in the organisation’s security systems.
The MITRE threat database is not only a table of tactics and techniques, but also a number of tips on the data sources required for detecting suspicious activities, as well as numerous examples of actual attacks attributed to specific criminal groups.
Monitoring
In order to detect advanced attacks based on the behaviour of cyber criminals, the MITRE organisation recommends analysing suspicious activities by monitoring workstations, i.e. advanced monitoring of logs from operating systems (including Sysmon), network logs (including NetFlow), logs from firewalls, applications, authentication systems, cloud node components, DNS, PowerShell and many other data sources.
Drawing on this wealth of knowledge about threats, the creators of the Sycope system decided to implement it in their own product for monitoring network flows. In addition to detecting DDoS attacks, the Sycope system detects many types of security threats and network anomalies, including those from areas such as Initial Access, Credential Access, Discovery, C2, Lateral Movement, Exfiltration and Impact. More information about the Sycope system can be found here.
Summary
The use of ATT&CK MITRE makes it easier for organisations to tighten their levels of security thanks to the very meticulous placing of traps for attackers, e.g. in the form of correlation rules in SIEM or other security systems. Due to the enormous amount of work involved in covering all the techniques, I encourage you to proceed in stages, so that less experienced specialists have the right amount of time to become familiar with this methodology and are not discouraged too quickly. Yet through this learning, security specialists improve the effectiveness of tools for detecting and analysing security threats.
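As an added illustration of the Monitoring and Summary sections above (example code written for this article, not Sycope's or MITRE's own), the following minimal detector runs two "red flag" rules over constructed NetFlow-style records and tags each finding with the ATT&CK tactic and technique it maps to (Discovery / T1046 Network Service Discovery, Exfiltration / T1048 Exfiltration Over Alternative Protocol). The thresholds, IP ranges and flow records are assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    out_bytes: int  # bytes sent from src to dst


# Constructed sample flow records (not real traffic): one host probing
# 25 ports on a peer, one host pushing a large volume to an external address.
SAMPLE_FLOWS = [Flow("10.0.0.5", "10.0.0.20", p, 120) for p in range(20, 45)] + [
    Flow("10.0.0.8", "203.0.113.9", 443, 900_000_000),
    Flow("10.0.0.9", "10.0.0.20", 443, 4_000),
]

# Illustrative thresholds (assumptions), not recommended production values.
SCAN_PORT_THRESHOLD = 20              # distinct ports per (src, dst) pair
EXFIL_BYTES_THRESHOLD = 500_000_000   # outbound bytes to one external host


def is_internal(ip: str) -> bool:
    """Assumed internal range for the example: 10.0.0.0/8."""
    return ip.startswith("10.")


def detect(flows):
    """Return findings as (tactic, technique_id, source_ip, detail) tuples."""
    ports = defaultdict(set)
    out_bytes = defaultdict(int)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
        if is_internal(f.src) and not is_internal(f.dst):
            out_bytes[(f.src, f.dst)] += f.out_bytes
    findings = []
    for (src, dst), ps in ports.items():
        if len(ps) >= SCAN_PORT_THRESHOLD:   # many ports on one peer: service discovery
            findings.append(("Discovery", "T1046", src, f"{len(ps)} ports on {dst}"))
    for (src, dst), b in out_bytes.items():
        if b >= EXFIL_BYTES_THRESHOLD:       # unusual outbound volume: possible exfiltration
            findings.append(("Exfiltration", "T1048", src, f"{b} bytes to {dst}"))
    return findings


def coverage_by_tactic(findings):
    """Group findings per ATT&CK tactic: which matrix columns the rules cover."""
    by_tactic = defaultdict(list)
    for tactic, tid, src, detail in findings:
        by_tactic[tactic].append((tid, src, detail))
    return dict(by_tactic)
```

Each rule is one trap from the matrix; extending coverage means adding rules for further tactics in stages, as the Summary recommends, and reviewing the findings per tactic to see where the gaps remain.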