April 17, 2019 MITRE ATT&CK
Casey Smith Keith McCammon Michael Haag Kyle Rainey

Four tools to consider if you're adopting ATT&CK

PowerShell (T1086) has been the runaway leader among MITRE ATT&CK™ techniques used by adversaries in the environments we monitor. So when people ask us, “where or how can we get started with ATT&CK?” it’s been convenient for us to tell them that they should get started with PowerShell.

However, that’s admittedly a bit like telling someone that the first part of space travel is building a rocket ship—because it’s safe to assume that building a rocket, on its own, is something of a herculean task.

In order to be more specific on how you can start integrating ATT&CK into your organization, the researchers who wrote the 2019 Threat Detection Report are going to use the next 2,000 words (or so) to describe four tools that are easy to implement, compatible with ATT&CK, and, most importantly, free.

What tool do you recommend?

What is it?

Hartong’s threat hunting Splunk app comes with pre-built dashboards and saved searches that are all mapped to ATT&CK. It’s configured to work with Microsoft Sysmon, and security teams can use it to simulate adversary or threat behavior, all of which maps back to ATT&CK in Splunk. The most obvious use-case for this toolset is that it can help security teams identify coverage weaknesses and develop capabilities to fortify their coverage.

However, since Splunk isn’t free and not everyone uses it, I also recommend a tool called DetectionLab. DetectionLab is a readily deployable Windows lab environment that includes a Splunk server to get up and going quickly. The lab environment ships Sysmon data to Splunk by default, and you can run Hartong’s ThreatHunting app inside DetectionLab, providing red or blue teams a way to validate coverage in a controlled environment.

Why should I use it?

The ThreatHunting app is helpful for anyone seeking to observe endpoint telemetry mapped to ATT&CK in Splunk. It can be tedious to build out content like this, and Olaf has done all the heavy lifting for the community and uploaded it to a single place. Olaf has taken the time to match content to a large number of techniques, even enabling Atomic Red Team tests to start lighting up the dashboard.

This app helps in a few ways:

Use-case development

It can help teams come to understand where they ought to focus their attention in production and answer other important questions as well:

  • Is production logging correct?
  • Are the correct events being collected from critical assets to determine compromise?
  • What coverage gaps exist today when modeled against ATT&CK?

You can then take what you learn from these questions and use it to produce new detection capabilities—or to justify your case for building out new methodologies or making other security investments.

Experience

If a blue team has limited visibility with the data sources recommended by ATT&CK, DetectionLab and the ThreatHunting app provide an environment for teams to learn and become educated on Windows domain security and Splunk. In general, it’s just a great place to learn.

How long does it take to set up?

It only takes a few hours to build DetectionLab with the ThreatHunting App. After completion, the lab is ready to go with Windows Event Forwarding, Sysmon, MS ATA, Kolide, Splunk, Caldera, Bro, and a whole lot more.

What is it?

PoSh_ATTCK uses ATT&CK’s application programming interface (API) so that you can export ATT&CK data—like data sources, for example—and analyze it.

Why should I use it?

PoSh_ATTCK allows you to download the information associated with each ATT&CK technique. From there, you can start analyzing your level of visibility into individual techniques or your detection coverage across the entire matrix. For example, you can look at data sources to determine which you can access and which you can’t before figuring out what you can see and what you can detect. By extension, you’ll be able to start prioritizing strategies for improving visibility and detection coverage.

You can find some really basic examples of this sort of analysis on the PoSh_ATTCK GitHub page.

What can I learn from this data?

PoSh_ATTCK has helped us understand which techniques are observable in endpoint detection and response (EDR) telemetry. It can also help identify which techniques are mitigated by application whitelisting and other defensive measures. One particularly cool thing about PoSh_ATTCK is that you can use it to determine which data source provides the most visibility into all of the ATT&CK techniques collectively:

DATA SOURCE
NUMBER OF TECHNIQUES
Process monitoring 157
File monitoring 90
Process command-line parameters 87
API monitoring 41
Process use of network 37
Windows registry 34
Packet capture 32
Authentication logs 28
Netflow/enclave netflow 24
Windows event logs 19
Network protocol analysis 18
Binary file metadata 18
DLL monitoring 17
Loaded DLLs 12
System Calls 9
Malware reverse engineering 9
SSL/TLS inspection 8

 

The nice thing about this tool is that it dynamically reads ATT&CK, parses for any new techniques or other data that might have been added, and allows you to rank and stack the data to see interesting patterns.

What is it?

From ATT&CK Navigator:

“The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel. We’ve designed it to be simple and generic—you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques or anything else you want to do.”

Why should I use it?

There are a handful of very common ATT&CK use-cases, primarily related to intelligence and communication. From an operational standpoint, however, ATT&CK is useful to every organization in a slightly different manner. No two security programs are identical. Programs operate at different staffing levels, different levels of maturity, and they operate within threat models that are unique to each organization and its systems. Programs also consist of different teams, each of which may have its own very specific use-cases for the framework.

Like the ATT&CK framework itself, the ATT&CK Navigator does not aim to be a solution to any one problem. Instead, it is an accessible tool that can be used to visualize or codify ATT&CK-related data in any way that the operator finds useful.

Who is this most useful for?

The ATT&CK Navigator may be used by security architects to visualize coverage based on the data sources that underlie each technique. This is valuable for determining whether controls exist to feed other parts of the security program with the data required for detection, investigation, and incident response.

Detection engineering teams may use the Navigator to measure data related to coverage. For example, they may start by determining whether any analytic exists for those techniques where data is available. As the detection engineering program matures, this can be expanded out to measure things like depth of coverage or metadata related to coverage elements.

Closing this loop, incident response and threat intelligence teams can inform both of the above by tracking and visualizing the techniques that they see being used by adversaries, malware families, or other classes of threat.

What is it?

Since I’m technically talking about two somewhat distinct things, I’ll start by briefly explaining that, according to its documentation, “Atomic Red Team is a library of simple tests that every security team can execute to test their controls.” These tests “are focused, have few dependencies, and are defined in a structured format that can be” readily automated.

Atomic Red Team’s chain reactions are grounded in the concept that adversaries do not leverage attack techniques in isolation. In fact, adversaries generally chain a variety of techniques and tactics together in an effort to accomplish their goal, whatever it is. To these points, chain reactions are sequential combinations of Atomic Red Team tests that form more realistic execution and better simulate how an attack would unfold in the real world. Practically speaking, they offer security teams with at least an intermediate level of technical proficiency and maturity a place to begin their journey with end-to-end testing.

Why should I use it?

Security teams can benefit from using chain reactions because they will enable them to test their detection coverage against simulated attacks and also identify where opportunities for detection exist within a chain of attack techniques.

As we all know, very few (if any) detection techniques work perfectly in the real world, no matter how well they perform in a lab. This is because the actual context around an attack introduces unexpected variables that can cause detection rules to fall down, reducing their scope and effectiveness. When you test against individual techniques, you are testing without this critical context, and chain reactions are designed to provide some of that additional context.

Who is this for and how long will it take to set up?

Chain reactions are particularly helpful for offensive and defensive security practitioners who are looking to validate and improve visibility, detection, and response capabilities. Atomic Red Team has been mapped directly to ATT&CK since the very beginning, so running tests with the platform will make you and your team more familiar with the way these techniques manifest in actual attacks. In turn, this will help everyone start discovering opportunities for detection as they run tests.

Atomic Red Team was designed to be low drag, so that you just need to clone the repository down and begin executing tests!

 

Is there anything other than tools to help get started with ATT&CK?

Of course! We’re hosting a webinar this coming Tuesday, April 23 at 11 a.m. (MT). The authors of our 2019 Threat Detection Report will discuss prevalent ATT&CK techniques and how you can build out strategies for stopping the adversaries who leverage them. Click the link in the big red box beneath this text for more information and to register!

 

ATT&CK T1501: Understanding systemd service persistence

 

Debriefing ATT&CKcon 2.0: Five great talks at MITRE’s ATT&CK conference

 

Data sources, Linux detection, and more at ATT&CKcon 2.0

 

Advanced persistence threats: to be a cybercriminal, think like a sysadmin

Subscribe to our blog