Getting started with MITRE ATT&CK in Enterprise Security and Security Essentials
Many security teams want to find the right context in which to view security detection coverage. The MITRE ATT&CK framework and its application to existing SIEM deployments, particularly Splunk Enterprise Security, helps security teams understand where they have threats covered and where they do not. It’s important for businesses and security professionals alike to take advantage of the benefits this framework has to offer and to explore how MITRE ATT&CK implemented on Splunk Enterprise Security or in Splunk Security Essentials can help you grow your security maturity.
This article introduces you to the basics of the MITRE ATT&CK framework and the different ways it can be used. If you're an Splunk Enterprise Security user already familiar with the framework and you want to understand how to assess and expand your MITRE ATT&CK coverage, see Assessing and expanding MITRE ATT&CK coverage in Splunk Enterprise Security.
This article is part of Splunk's Use Case Explorer for Security, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. In the Security maturity journey described in the Use Case Explorer, this article is part of Threat hunting.
What is MITRE ATT&CK?
From the official website, “MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge. The framework documents common tactics, techniques, and procedures (TTPs) that cyber criminals employ when attacking networks, and outlines adversarial behaviors specific to Windows, Linux, Mac, cloud-based and mobile environments.
Organizations rely on the MITRE ATT&CK knowledge base to implement offensive and defensive measures to strengthen their overall security posture. The MITRE ATT&CK framework can help threat hunters and other cyber defenders better classify attacks, understand adversary behavior, and assess an organization's risk. Security teams can also use the framework to gain insight into how adversaries might operate in various scenarios so they can create informed strategies on how to detect and prevent those behaviors from affecting the security of their organization. The MITRE ATT&CK framework’s unique ability to provide insights into adversaries’ behaviors, as well as its ability to provide a standardized, easily accessible global threat language, has led to its growing popularity for organizations looking to share threat intelligence and bolster their security posture.
The MITRE ATT&CK framework provides guidance on how to approach cyber security related issues based on four use-cases:
- Threat intelligence
- Detection and analytics
- Adversary emulation and red teaming
- Assessment and engineering
Why use MITRE ATT&CK with Splunk Enterprise Security and Splunk Security Essentials?
The MITRE ATT&CK framework evolves as new threats emerge. Security operations teams must continue to update their methodologies as fast as adversaries adapt to detect new threats and prevent breaches. Splunk Enterprise Security, along with the Splunk Security Essentials application, provides a set of use cases that teams can use to assess their security program coverage and gaps, so they can prepare for future threats that leverage similar exploits. Integrating MITRE ATT&CK into your environment can provide the following benefits:
- Helps you identify your top risks, control gaps, and risk appetite.
- Helps you map threats to identify the controls and processes you need to mitigate top risks, while providing a framework for security governance and maturity.
- Helps you identify, recommend, and choose new data sources based on quantifiable risk reduction aligned with your MITRE ATT&CK coverage.
- Sharpens your view of attack paths, improving your team’s knowledge and skills.
- Informs your SOC on how to prioritize alerts and detections for their quickest impact and remediation.
How is the MITRE ATT&CK framework used?
The MITRE ATT&CK framework is used by security teams in everyday defense activities, particularly those that look to address threat actors and their attack methods. MITRE ATT&CK is used in a variety of activities by both red (offensive) and blue (defensive) teams, providing both types of security professionals a common language and frame of reference around adversarial behaviors based on real attacks.
- Red teams (pen testers and offensive security professionals who regularly test and break into cyber defenses) can follow MITRE's ATT&CK framework to test network security defenses by modeling MITRE ATT&CK’s documented adversary behavior. Using MITRE ATT&CK as an enhancement to existing methodology for predictive campaigns can make it easier for red teams to anticipate threats, detect patterns, and assess the effectiveness of defensive controls in their environment.
- Blue teams (defensive security professionals who oversee internal network security protections and defend against cyber threats) can use the MITRE ATT&CK framework to better understand what adversaries are doing, as well as prioritize the most severe threats and ensure the appropriate security controls are in place and working effectively.
Below are various ways in which MITRE ATT&CK’s taxonomy can be applied:
- Mapping defense controls. Security teams can have a clear understanding of defense tools, systems, and strategies when they’re referenced against the MITRE ATT&CK tactics and techniques and their associated threats. MITRE ATT&CK tags are easily applied to Splunk Enterprise Security correlation searches to annotate and provide deeper understanding of the events.
- Threat hunting. Security teams can map defenses to MITRE ATT&CK to identify critical gaps in security infrastructure, which can help them detect previously overlooked threat activity. Using Splunk Security Essentials and the MITRE ATT&CK map, threat hunters can identify gaps in coverage and can then drive further development for detections or generate ideas about new searches or use cases that might fill the gaps.
- Investigating. Incident response and blue teams can refer to MITRE ATT&CK techniques and tactics to understand the strengths and weaknesses in their security infrastructure, validating effective measures while also giving them the ability to detect misconfigurations and other operational flaws.
- Identifying actors and groups. Security teams can align specific malicious actors and groups with associated documented behaviors.
- Integrating solutions. Organizations that have a wide range of disparate tools and solutions can categorize and standardize their solutions according to the MITRE ATT&CK framework, hardening their overall defense strategy.
How do I get started using the MITRE ATT&CK framework?
MITRE ATT&CK can be useful for any organization that wants to elevate threat knowledge and build a more informed defensive posture, regardless of how big or sophisticated the security team. While MITRE provides its materials at no cost for use, organizations can employ a myriad of MITRE ATT&CK integrations in Splunk Enterprise Security and Splunk Security Essentials to apply the framework to meet the specific needs of the organization.
- Small or beginner teams. If you’re an organization with a small security team and want to expand your threat intelligence capabilities, you can focus on a relevant threat actor and their sets of intrusion activity, and look at the related attack behaviors as defined in ATT&CK matrix relevant to your organization. If you have Splunk Enterprise Security in your environment, Splunk Security Essentials can push MITRE ATT&CK and Cyber Kill Chain attributions to the Incident Review dashboard, along with raw searches of
index=notable. Just configure the Splunk Enterprise Security integration in the system configuration menu.
- Mid-level teams. If you’re an organization that has a team of dedicated security professionals that regularly analyze threat information, you can get started by mapping intelligence to the MITRE ATT&CK framework yourself, as opposed to relying on what others have previously mapped. The Analytics Advisor dashboards are designed to help you understand what content you might want to deploy inside of Splunk based on the content you already have and the data that's present in your environment. The MITRE ATT&CK Overview dashboard also includes a customized MITRE ATT&CK Matrix that shows your level of coverage on MITRE ATT&CK while letting you filter for the data you have in the environment, or the threat groups that target you.
- Large or advanced teams. If your team is more advanced, you can map more information to MITRE ATT&CK, using it to guide how you build out your cyber defenses. You can map both internal and external information to MITRE ATT&CK, including incident response, real-time alerts and your company’s historic data. After this data is mapped, you can compare groups, prioritize commonly used techniques, and more. With an understanding of what data you have, you can specify the types of security concerns you're facing and then use MITRE ATT&CK to filter for the Splunk Enterprise Security content related to MITRE ATT&CK techniques that are associated with many different threat groups.
The end goal of using MITRE ATT&CK in your Splunk Enterprise Security environment is to provide further insight and value to your existing deployment against the backdrop of the MITRE ATT&CK framework. Building this framework helps in the constantly changing world of security needs and detections by basing current and future work on relevant, real-world applications.
These resources might help you understand and implement this guidance:
- Use case: Assessing and expanding MITRE ATT&CK coverage in Splunk Enterprise Security
- .Conf Talk: ATT&CK™ Yourself Before Someone Else Does
- Blog: Answered: Your Most Burning Questions About Planning and Operationalizing MITRE ATT&CK
- Docs: Operationalize MITRE ATT&CK
Still having trouble? Splunk has many resources available to help get you back on track. We recommend the following:
- Splunk OnDemand Services: Credit-based services that allow direct access to Splunk technical consultants for a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.
com if you require assistance.
- Splunk Answers: Ask your question to the Splunk Community, which has provided over 50,000 user solutions to date.
- Splunk Customer Support: Contact Splunk to discuss your environment and receive customer support