Posted by Idan Bellayev, Head of Security Research on Feb 19, 2020 7:52:05 AM

When open source parsers utilize the MITRE ATT&CK Framework, security analysts can use their time much more effectively - investigating the nature of threats instead of sifting through endless logs.

Inception of MITRE ATT&CK: From Dream to Reality

Conflicts between nations have always been catalysts of technology. In 1958, as the cold war was escalating, the world witnessed the birth of “MITRE” - a non-profit organization in America, entrusted with the mission of “solving problems for a safer world, through federally funded R&D centers and public-private partnerships” (http://www.mitre.org/about/corporate-overview).

Decades later, the cold war is no more, but other threats are always in play - and in late 2014, the organization launched the “MITRE ATT&CK” project, a globally accessible framework that details tactics and techniques of attack, in an endeavor to promote cybersecurity defense methods. A recent use-case, firmly tied to recent news, is a document titled “Alert (AA20-006A): Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad”, which employs the ATT&CK framework to unravel possible Iranian cyber threat profiles.

Information security resembles physical security, and the two walk hand in hand. That’s why the term “Killchain”, originally a military concept, was naturally adopted into the cyber world, describing an attack structure built in phases, that’s as relevant to conventional military tactics as it is to the virtual domain. In 2011, it was a world-class defense contractor that set the new standard: Lockheed-Martin defined “the cyber kill chain” - a model to defend computer networks, to be widely adopted by data security organizations.

Both MITRE and Lockheed-Martin’s models (as well as others) strive to describe the potential measures an attacker may take. But while the cyber kill chain presents an ordered set of stages that would be carried out one after the other, ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge” - a more general, low-level description of adversary behavior, divided into Tactics and the Techniques that may be used to achieve those tactics. Time to plug into the matrix:


Part of the MITRE ATT&CK matrix. The column headers represent tactics, whereas the table body presents techniques that could be employed to achieve those tactics.

For instance, with regard to the “Brute Force” technique - a well-known practice in hacking, used to achieve the “Credential Access” tactic - ATT&CK describes common ways to “systematically guess the passwords used to compute hashes”. It goes on to state that “the adversary may use a precomputed rainbow table to crack hashes”.

 

To Normalize & Enrich

In my previous blog I described how log analysis is typically a long and tedious process, prone to many errors and requiring a high level of expertise and knowledge. To mitigate this problem, empow maintains open source parsers for free use on its GitHub repository, with each security product having its own parser pipeline that extracts relevant information using various Logstash filter plugins.

In addition to normalization to ECS - the Elastic Common Schema - these open source parsers are also entrusted with the task of enrichment, according to the MITRE ATT&CK matrix described above. The parsers identify techniques and tactics employed by the attacker using specific data points contained in the log, and add this valuable information to the normalized output in the Elasticsearch database.

Along with other enrichments, this provides a great starting point for analysts who perform threat hunting, since all the data is properly organized and enriched, and can be easily processed regardless of its source (be it IDS, Anti Virus, mail security or other).

 

Enrichment example

Consider the following log entry:

Apr 17 12:22:44 April 17 2019 09:22:40 172.16.1.95 CEF:0|TrapX|TSOC|6.3|ID:4|Malware Trap - Connection Event|1|rt=Apr 17 2019 09:22:18 src=172.16.1.226 deviceNtDomain=a99v6312t95_MT deviceFacility=a99v6312t95 cs5Label=company cs5=NTD proto=RDP deviceExternalId=1 cs8Label=OS Version cs8=Microsoft Windows Server 2008 R2 cs7Label=Emulation Type cs7=Windows Server cat=Connection cs3Label=Commands Used cs3=Establish Connection:  from port 33774>Disconnected dpt=443 externalId=74 dst=172.16.1.99 cs4Label=PCAP cs4=YES

Now, using the following code, the parser enriches the information by adding the threat technique “Remote Desktop Protocol” - based on the values cat=Connection and proto=RDP:

else if [category] == "Connection" {
     if [proto] == "RDP" {
         # Tag the event with the matching ATT&CK technique
         mutate { add_field => { "[threat][technique]" => "Remote Desktop Protocol" } }
     }
}

The analysts using the output data for threat hunting wouldn’t have to work their way through the log, and could immediately move on to inspect the “Remote Desktop Protocol” technique described in the MITRE ATT&CK matrix. Performing threat-hunting based on tactics and techniques may require a level of proficiency, but analyzing every single log to extract the exact techniques behind it is an even more convoluted affair. With the open source parsers utilizing the ATT&CK Framework, the analysts’ time can be used much more effectively - investigating the nature of threats instead of sifting through endless logs!
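The same enrichment step sketched end to end in Python, as an added example that is not empow's parser code: it parses the CEF line quoted above (extension values may contain spaces) and applies the one rule the post shows. The function names, the RULES table and the folding of csNLabel pairs into named fields are assumptions made for illustration.

```python
import re

# Log line quoted in the post: syslog prefix followed by a CEF record.
SAMPLE = (
    "Apr 17 12:22:44 April 17 2019 09:22:40 172.16.1.95 CEF:0|TrapX|TSOC|6.3|ID:4|"
    "Malware Trap - Connection Event|1|rt=Apr 17 2019 09:22:18 src=172.16.1.226 "
    "deviceNtDomain=a99v6312t95_MT deviceFacility=a99v6312t95 cs5Label=company "
    "cs5=NTD proto=RDP deviceExternalId=1 cs8Label=OS Version "
    "cs8=Microsoft Windows Server 2008 R2 cs7Label=Emulation Type cs7=Windows Server "
    "cat=Connection cs3Label=Commands Used "
    "cs3=Establish Connection:  from port 33774>Disconnected dpt=443 externalId=74 "
    "dst=172.16.1.99 cs4Label=PCAP cs4=YES"
)

# (cat, proto) -> technique. Only the rule shown in the post is included (assumed table).
RULES = {("Connection", "RDP"): "Remote Desktop Protocol"}

HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# A value runs until the next " key=" token or end of line, so values may contain spaces.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_cef(line):
    """Split a CEF record into header fields and extension key/value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, parts[:7]))
    ext = dict(PAIR.findall(parts[7]))
    # Fold custom-string pairs (cs8Label=OS Version, cs8=...) into named fields.
    for key in [k for k in ext if k.endswith("Label")]:
        ext[ext.pop(key)] = ext.pop(key[:-5], "")
    event["ext"] = ext
    return event


def enrich(event):
    """Add threat.technique when the (cat, proto) pair matches a rule."""
    ext = event["ext"]
    technique = RULES.get((ext.get("cat"), ext.get("proto")))
    if technique:
        event["threat"] = {"technique": technique}
    return event
```

Events whose (cat, proto) pair matches no rule pass through without a threat field, so a hunt query can filter on the presence of threat.technique.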

I’d love to hear from you with any questions or comments at idanb@empow.co. If you’d like to learn about more of our open-source tools for the Elastic community, visit our website at https://empow.co/opensource/.
