Q & A: How to Use the MITRE ATT&CK™ Framework to Mature Your Threat Hunting Program
You’ve heard the buzz around MITRE ATT&CK™ — but how do you apply this broad framework to your security program? We’re excited to kick off a three-part webinar series exploring how top security teams use ATT&CK as a roadmap to mature and expand their threat hunting programs.
The first session features John Wunder, MITRE Principal Cybersecurity Engineer, alongside two long-time threat hunting gurus: Phil Hagen, Red Canary DFIR Strategist & Sr. SANS Instructor, and Rick McElroy, Carbon Black Security Strategist. We sat down with John, Phil, and Rick to get their answers to the top questions on ATT&CK and threat hunting.
Q: ATT&CK has been a popular topic of discussion in the community. Why do you think it’s been gaining so much traction?
I think a few things have gone into making ATT&CK the success that it’s been. First, ATT&CK takes threat-informed defense and makes it a reality. It provides focus and grounding to our mission of defending against adversaries by taking real-world observations of what those adversaries are doing when they attack us and organizing that into an understandable knowledge base.
Second, ATT&CK isn’t just valuable to your red team, or to your hunt team, or to your threat intel team; it’s a common lexicon that lets us all work together. Lastly, MITRE’s unique vantage point as a non-profit spanning industry and government allows us to collect all of this great knowledge from the community and provide ATT&CK freely and openly to everyone.
Q: Phil and Rick, you both have a long history with advising teams on threat hunting. How does ATT&CK fit in with traditional models and approaches? What are some examples of how threat hunting practices have evolved to incorporate ATT&CK?
For nearly two decades, our methods of detecting malicious behavior have centered on signatures of known-bad. That quickly became difficult because attackers could trivially modify their code or actions to avoid those specific signatures—creating the concept of IDS evasion. This kicked off an arms race of sorts, with defenders broadening their signatures to catch more and more variations of the known-bad behaviors. The unfortunate byproduct of this broadening was the massive increase in false positives—naturally the less specific a signature, the more likely an unrelated action will match.
ATT&CK enables a radically different approach to detection. Since ATT&CK classifies techniques rather than what generally amount to specific byte sequences, this allows a broadened scope of detection that can’t easily be changed. An attacker seeking user credentials will exhibit behaviors that are consistent with seeking user credentials—that will always be true. When pivoting this concept to threat hunting, we shift the benefit of behavioral detection in real time to a retrospective context. By seeking instances of the ATT&CK-defined behaviors in already-collected evidence, we can identify previously undetected suspicious behavior that warrants further investigation.
The speed to market in the vendor space has been amazing—seeing how fast ATT&CK has been built into not only the platforms defenders have, but also automated testing for them along the way. This should have a major impact on how security products are tested and evaluated. Teams are now tuning their defenses faster and automating the testing upfront. That moves the needle in a big way.
Q: How does ATT&CK help speed up the hunt cycle? What are some of the other benefits to using it in threat hunting?
One of the biggest problems in security today is that we don’t know what to focus on. We’re inundated with piles of threat reports and even tweets describing how we can be attacked, and somehow we’re expected to defend against all these different things. ATT&CK provides a foundation that brings some order to the chaos. You can use it to plan out what you want to hunt for and then dig into the details, references, and just use Google to understand how different folks are looking for those techniques. And when you see that new blog post that’s going to keep you up at night, you can tie it back to ATT&CK to understand what’s actually new and what you might already have covered.
Characterizing suspicious activities in the context of ATT&CK allows us to skip the long and frustrating process of broadening indicators to catch “slightly different patterns,” which attackers can continue to modify in an unwinnable arms race, and go straight to the meaningful stuff—the core and underlying techniques that will remain useful for a much longer time. This results in far more efficient detection development because the means of detection will be useful for a longer period of time. The faster we can get to that long-term usefulness, the more effective we can be in detecting and ultimately remediating attackers from the environment.
ATT&CK helps educate new team members faster. Teams are automating the detections and tuning faster. You are able to focus on the true threats and risks and ensure you have that visibility nailed.
Q: What are some of the top adversary tactics and techniques to begin hunting for?
Of course we’re all going to caveat this with every organization being different, and what makes sense to me might be wrong for you. But, in my opinion, some of the best things to look for off the bat are credential dumping and PowerShell. Getting access to credentials is critical to any adversary and there are some decent approaches for finding usages of tools like Mimikatz. On the execution side, PowerShell is such a powerful tool for attackers that it just makes sense to look for those instances where it just looks off. Obviously, for both of those you need to have good endpoint sensing, so have a plan for that if you don’t already!
As John mentioned, it’s hard to come up with a blanket statement on where to start because it really depends on your threats and your environment. But if I had to choose something, I’d say you should pay attention to the fileless attacks first. Attackers are increasingly using “living off the land” tactics and techniques. Understanding how to detect them is crucial.
I would suggest each organization really review the ATT&CK techniques and mark those that would severely jeopardize their business. There are some common threads like privilege escalation and credential harvesting, but the wide scope that ATT&CK provides means each organization will have a different interpretation of what is most important. This is part of the beauty of ATT&CK—it’s concise enough that we can customize its application without requiring a massive project to get there.
Q: How does using ATT&CK differ from other sources of threat hunting intelligence?
One great usage of ATT&CK is to learn. When I started working in this arena, like everyone, I didn’t know about these things and I’ve had to pick them up. The writeups on the ATT&CK pages are a great start because they describe what the functionality is and, more importantly, how it’s used against us. Then you can follow the links to see how it’s been used in the real world. And, once you have that foundation of knowledge, it can help give context to all these other great sources of threat intelligence and hunting techniques. You can use it to organize your thinking and connect the dots between hunting approaches and adversary techniques.
To me, ATT&CK becomes an overlay we can apply to all sorts of threat intelligence. It’s not so much a different source as a multiplier. If we were to receive threat intelligence suggesting a particular threat actor was known to survive reboots on macOS target systems, we could seek any (likely all) of the techniques that fall under Persistence in the macOS ATT&CK technique matrix to identify different ways that threat actor accomplishes their goals. This is obviously just one example among dozens. With ATT&CK as a component of threat hunting, we don’t so much gain a tool; rather, we gain an entirely new dimension to all existing and future tools.
It provides a way to communicate attacker behavior that goes beyond an IOC. This drives behavioral-based detection, which in and of itself does make it a bit different. I think it helps get to an answer faster when something strange is seen. Hunters and defenders can quickly pivot to ATT&CK and focus solely on the techniques seen for the cycle of the attack.
Q: What should attendees familiarize themselves with prior to the threat hunting webinar so they can immediately begin implementing what they learn?
Well, an obvious one is that you should poke around the ATT&CK site! If you want to get your hands dirty and you’re not already familiar with it, I’d also start to play around with a SIEM platform like the Elastic Stack (ELK) or Splunk (pick your favorite) and get a test VM to start collecting logs into it. Nothing is better than hands-on experience.
Spend some time getting lost in the ATT&CK framework for a bit. Come with questions! Map some of the things you have already seen to it. Start to think about how your program might change as a result.
Pick up your most recent threat intelligence report or pick a few items from your most recent indicator feed. After a read-through, look at the specific indicators included and start placing them on the ATT&CK matrix. This will really open your eyes to an entirely new way of classifying traditional indicators in ways that will allow you to apply that threat intelligence in ways that you had not previously thought of. The sooner you start to think in terms of techniques instead of indicators, the sooner you’ll be able to take advantage of ATT&CK in your daily grind.