Since its first days, cyber security has developed in a patchwork fashion: a security need came up, and a product was developed to address it. After many years of this, the whole contraption reflects the ad-hoc way in which it was formed, like a kid’s tower of blocks about to topple over.
SIEM came on the scene to try to put order in the mess and “orchestrate” the different products into a coherent whole. It hasn’t been easy. One of the things that complicates this task is that different security products use different terms – essentially different languages – to communicate the same things. While one product may report a brute force attack using the event type “Brute Force”, other products give the same type of event different names, such as “Too many failed login attempts”.
For the SOC analyst, sitting at a computer and having to write endless rules to bridge the gap between these different terms makes the work exponentially more difficult, even impossible.
MITRE ATT&CK's role in SIEM
Enter MITRE. The non-profit organization, which originally developed solutions to support US government agencies, created ATT&CK. MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
This curated knowledge base and model for cyber adversary behavior reflects the various phases of an adversary’s attack lifecycle. It enumerates and categorizes post-compromise adversary tactics, techniques and procedures (AKA TTPs). This ongoing project is dedicated to bringing communities together to develop more effective cybersecurity.
The vision behind MITRE ATT&CK™ served us at empow from the very beginning for analyzing and defining an “attack”. The first reason is its focus on the adversary’s perspective. Many threat models focus on the defensive point of view, which is like trying to solve a problem knowing only one of the possible answers. The motive of an action is crucial for selecting which alerts should get more attention, which alerts should be correlated according to their context, and which investigation and response procedures should be applied. Security alerts can be difficult to understand when they lack context; looking at the broad picture can help to connect the dots of a potential threat across different domains.
Another MITRE concept that is crucial for improving event correlation when identifying threats is the level of abstraction. Understanding the processes and the adversary’s goals is an important step towards building an attack “story”. Using a threat model can help us to define how one action relates to another, how sequences of actions relate to achieving certain strategic objectives, and how this information can be correlated with events that have no security context.
There are many threat models out there that can be used to achieve the above goals, yet MITRE’s ATT&CK model has a few features that make it uniquely suited to the needs of SIEM. An integral part of using a threat model is defining the logic that ties all the events together. Every attacker step can be followed or preceded only by certain other steps. For example, an attacker probably won’t try to gain initial access after already having a foothold in the target network. This is a simple example of how, purely by using cause-and-effect relations, many patterns can logically be discarded from consideration. This is especially important for SIEM, whose main goal is to avoid false positives.
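As an added example (not empow's code, and not part of the original post), the following Python sketch puts the two ideas above together: product-specific event names such as “Brute Force” and “Too many failed login attempts” are normalized onto one ATT&CK vocabulary, and a per-host attack “story” is then checked against the lifecycle ordering, so that an Initial Access event arriving after later-stage activity is flagged as not belonging to that chain. The vendor event strings, the sample alerts and the simplified tactic ordering are constructed for this illustration; the tactic and technique names are real ATT&CK entries.

```python
from collections import defaultdict

# Constructed mapping: vendor-specific event names (made up for this example)
# to the ATT&CK tactic and technique they describe.
EVENT_TO_ATTACK = {
    "Brute Force": ("Credential Access", "T1110 Brute Force"),
    "Too many failed login attempts": ("Credential Access", "T1110 Brute Force"),
    "Phishing link clicked": ("Initial Access", "T1566 Phishing"),
    "New scheduled task": ("Persistence", "T1053 Scheduled Task/Job"),
    "RDP session to internal host": ("Lateral Movement", "T1021 Remote Services"),
    "Large outbound transfer": ("Exfiltration", "T1041 Exfiltration Over C2 Channel"),
}

# Simplified lifecycle order used for the cause-and-effect check (assumption).
TACTIC_RANK = {"Initial Access": 0, "Persistence": 1, "Credential Access": 2,
               "Lateral Movement": 3, "Exfiltration": 4}


def normalize(event):
    """Translate one product-specific event into ATT&CK vocabulary.
    Unknown event types keep tactic None: they stay in the timeline as
    context but carry no lifecycle position."""
    tactic, technique = EVENT_TO_ATTACK.get(event["type"], (None, None))
    return {**event, "tactic": tactic, "technique": technique}


def build_stories(events):
    """Group normalized events per host, ordered by timestamp (ISO strings)."""
    stories = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stories[ev["host"]].append(normalize(ev))
    return dict(stories)


def lifecycle_violations(story):
    """Return events that contradict the lifecycle: an Initial Access step
    seen after a later-stage tactic on the same host is most likely noise
    rather than part of this chain, so a correlation rule can discard it."""
    furthest, bad = -1, []
    for ev in story:
        rank = TACTIC_RANK.get(ev["tactic"])
        if rank is None:
            continue                      # no security context, skip ranking
        if rank == 0 and furthest > 0:
            bad.append(ev)                # initial access after a foothold
        furthest = max(furthest, rank)
    return bad


# Constructed sample alerts from products that use different vocabularies.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T09:00", "host": "ws1", "type": "Phishing link clicked"},
    {"ts": "2024-01-01T09:05", "host": "ws1", "type": "Too many failed login attempts"},
    {"ts": "2024-01-01T09:07", "host": "ws1", "type": "Brute Force"},
    {"ts": "2024-01-01T09:20", "host": "ws1", "type": "RDP session to internal host"},
    {"ts": "2024-01-01T09:30", "host": "ws1", "type": "Phishing link clicked"},
    {"ts": "2024-01-01T09:31", "host": "ws1", "type": "Disk usage 80%"},
]
```

Running `lifecycle_violations(build_stories(SAMPLE_EVENTS)["ws1"])` returns only the 09:30 phishing alert, while both brute-force alerts collapse onto the same technique despite their different vendor names.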
MITRE ATT&CK™ is constantly evolving and welcomes contributions. In this way it is deeply seated in the “zeitgeist” of the cyber security community.