Introduction
The purpose of this article is to present a method to enhance detection capability using MITRE ATT&CK. By improving your visibility you can build a detection methodology that will help you catch the adversary. You might put a number of technologies in place to prevent an adversary, but they will find a workaround. So, having a detection capability is a genuine need.
Security Operation Center Culture
Start preparing now, make mistakes now, and then fix them. Collecting events from data sources (e.g. Windows event logs, Sysmon, or PowerShell) is useful WHEN you know what type of information you get from each of them. Reviewing your data sources and the types of events they produce helps a lot in tuning false positives (which is a tedious job) and gives you some sense of what is happening in your organization. Building this culture in your Security Operation Center helps in catching the real threats.
What is MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. MITRE ATT&CK is known to be a valuable source for creating threat models and methodologies.
How can MITRE ATT&CK benefit us?
MITRE ATT&CK is helpful and can tell you about your visibility, which is very important to us. It provides the tactics, techniques, and procedures (TTPs) of the most well-known (categorized) APTs, and we will use them to enhance our detection capability. There are several challenges when leveraging ATT&CK, as noted by Anomali, such as:
- Not all techniques are always malicious
- Not all techniques are easy to detect
- Some techniques have many possible methods of execution
- Some techniques are listed under multiple tactics
  - Example: DLL Search Order Hijacking (T1038)
  - Shows up under the Persistence, Privilege Escalation, and Defense Evasion tactics
  - Some techniques, such as this one, can be used for multiple use cases and are useful in multiple stages of an attack
However, all of these challenges can be overcome.
Building the Detection Strategy
Creating detection for the most dangerous adversaries won't be an easy task. So, this should be a long-term goal for the SOC team. Using MITRE ATT&CK, we will build our detection based on multiple factors.
Open the MITRE ATT&CK page that categorizes the groups. Search for all the APTs that either have an interest in your business/sector or are known to be attacking your region. You can start with a small list, or just put them all on a page, and you might find a lot of intersection between them (their techniques might be completely or partially the same). Keep in mind to be specific about your interest, since MITRE provides you with both Enterprise and Mobile techniques.
For simplicity, we will focus on adversaries attacking the region, and only on techniques that apply to the Windows operating system.
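The intersection step described above (collect the techniques of every relevant group, keep only those that apply to Windows, and see which ones the most groups share) is easy to do by hand for three groups but not for thirty. The script below is an added example, not code from the original article; the group names are placeholders and the group-to-technique mapping is constructed sample data, not MITRE's actual group pages. The technique catalogue is a small hand-written subset whose tactic and platform sets should be checked against attack.mitre.org before use. It counts each technique once per group even when ATT&CK lists it under several tactics (the T1038 case from the challenges list), ranks techniques by how many groups use them, and reports which of the ranked techniques your current detections do not yet cover.

```python
"""Rank ATT&CK techniques by how many relevant groups use them, then list gaps.

Constructed example: group names are placeholders and the GROUP_TECHNIQUES
mapping is invented for illustration. TECHNIQUES is a tiny hand-written
subset of the ATT&CK catalogue; verify tactics/platforms against attack.mitre.org.
"""
from collections import Counter

# Constructed catalogue subset: technique id -> name, tactics, platforms.
TECHNIQUES = {
    "T1038": {"name": "DLL Search Order Hijacking",
              "tactics": {"Persistence", "Privilege Escalation", "Defense Evasion"},
              "platforms": {"Windows"}},
    "T1059": {"name": "Command and Scripting Interpreter",
              "tactics": {"Execution"},
              "platforms": {"Windows", "Linux", "macOS"}},
    "T1053": {"name": "Scheduled Task/Job",
              "tactics": {"Execution", "Persistence", "Privilege Escalation"},
              "platforms": {"Windows", "Linux", "macOS"}},
    "T1003": {"name": "OS Credential Dumping",
              "tactics": {"Credential Access"},
              "platforms": {"Windows", "Linux", "macOS"}},
    "T1021": {"name": "Remote Services",
              "tactics": {"Lateral Movement"},
              "platforms": {"Windows", "Linux", "macOS"}},
    "T1548.001": {"name": "Setuid and Setgid",
                  "tactics": {"Privilege Escalation", "Defense Evasion"},
                  "platforms": {"Linux", "macOS"}},
}

# Constructed mapping (placeholder groups): which techniques each "group" uses.
GROUP_TECHNIQUES = {
    "GroupA (placeholder)": {"T1038", "T1059", "T1003", "T1548.001"},
    "GroupB (placeholder)": {"T1059", "T1053", "T1003", "T1021"},
    "GroupC (placeholder)": {"T1038", "T1059", "T1053"},
}


def techniques_by_group_count(group_techniques, platform):
    """Count how many groups use each technique that applies to `platform`.

    A technique is counted once per group even if ATT&CK lists it under
    several tactics, so multi-tactic techniques are not over-weighted.
    """
    counts = Counter()
    for _group, tids in group_techniques.items():
        for tid in set(tids):
            meta = TECHNIQUES.get(tid)
            if meta is None:
                continue  # id not in our catalogue subset: skip rather than guess
            if platform in meta["platforms"]:
                counts[tid] += 1
    return counts


def prioritise(group_techniques, platform):
    """Return techniques for `platform` ordered by group count (desc), then id."""
    counts = techniques_by_group_count(group_techniques, platform)
    rows = [{"id": tid,
             "name": TECHNIQUES[tid]["name"],
             "groups": n,
             "tactics": sorted(TECHNIQUES[tid]["tactics"])}
            for tid, n in counts.items()]
    rows.sort(key=lambda r: (-r["groups"], r["id"]))
    return rows


def coverage_gaps(rows, detected_ids):
    """Keep only ranked techniques for which no detection exists yet."""
    return [r for r in rows if r["id"] not in detected_ids]


if __name__ == "__main__":
    ranked = prioritise(GROUP_TECHNIQUES, "Windows")
    for r in ranked:
        print(f'{r["id"]:10} used by {r["groups"]} group(s)  {r["name"]}  '
              f'[{", ".join(r["tactics"])}]')
    # Constructed: pretend we already detect command execution and credential dumping.
    print("Gaps:", [g["id"] for g in coverage_gaps(ranked, {"T1059", "T1003"})])
```

The Linux-only technique (T1548.001) drops out of the Windows ranking, and T1038 scores the same as any single-tactic technique despite appearing under three tactics, which is the behaviour you want when the goal is to decide which detections to build first. Replacing the constructed mapping with the real group pages exported from ATT&CK is the only change needed to run this on your own list of groups.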