Various organizations maintain public cybersecurity defense frameworks that anyone can use to benchmark and improve their security posture. Examples include the Lockheed Martin Cyber Kill Chain® and the MITRE ATT&CK® framework. The latter is more widely used and goes into much more depth. Knowledge of the MITRE ATT&CK® framework is now built into the Flowmon Anomaly Detection System (ADS). This article discusses the wider framework and how ADS incorporates it.
The MITRE Corporation is a not-for-profit organization that operates federally funded research and development centers tasked with devising solutions to keep the USA safe from a range of threats. Through those R&D centers and public-private partnerships, MITRE works with government agencies on challenges to safety, stability, and well-being in many areas, one of which is the security of IT systems.
The MITRE ATT&CK® Framework is a knowledge base of adversary behavior that the MITRE Corporation maintains with input from industry and other stakeholders. ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. The framework is open to anyone: the private sector, governments, and cybersecurity solution vendors worldwide, not just within the USA. The frameworks (yes, plural; more on this below) can be used as a foundation to identify the tactics and techniques adversaries actually use and to build and test protections against them.
The MITRE ATT&CK® Framework has three top-level categories, each containing matrices that lay out the tactics attackers pursue (their goals) and the techniques they use to achieve them; the knowledge base also records, for each technique, the mitigations an organization can apply and the data sources that support detecting it. The top-level categories are Enterprise, Mobile, and ICS (Industrial Control Systems, a major part of what is often called Operational Technology (OT)).
We won’t replicate the detailed information that is available on the MITRE ATT&CK® Framework website.
The Enterprise category has a top-level matrix that is available to view on the Enterprise Matrix page. Its 14 columns are tactics, each containing a different number of techniques and sub-techniques. The 14 tactics are Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
The Enterprise Matrix is the largest and most mature of the three. It is also broken down into seven platform-specific sub-matrices, so that a team can view only the techniques relevant to a given environment. See the Enterprise Matrix page for the full matrix, the per-platform views, and the details of the techniques within each tactic.
Complementing Enterprise are the Mobile and ICS categories. The Mobile matrices overlap heavily with the Enterprise ones in their tactics and share many techniques; the Mobile category has two sub-matrices, one for Apple iOS and one for Google Android, the two leading mobile operating systems.
There are many ways that an organization can use the information within the MITRE ATT&CK® Framework to gauge and then improve its cybersecurity.
Because the tactics and techniques catalog what adversaries are actually observed doing, an organization can plan its defenses around likely attacker behavior rather than guesswork. Security teams can also use the framework to emulate specific techniques against their own defenses and find the gaps in detection and prevention coverage.
How this is done varies between organizations, depending on their infrastructure and existing controls. Mapping detections to the framework's tactics and techniques is best automated rather than done by hand. The Kemp Flowmon Anomaly Detection System (ADS) release 11.3 supports MITRE ATT&CK® Framework reporting: it identifies and alerts on suspicious activity and labels each detection with the tactics and techniques in the framework, giving analysts situational awareness of what the activity likely means.
ADS is a security solution that uses machine learning to detect anomalies hidden in network traffic. It complements other security tools and creates a multi-layered protection system capable of uncovering threats at every stage of compromise. Release 11.3 enhances contextual network understanding using built-in knowledge of the adversary tactics and techniques described in the MITRE ATT&CK framework.
ADS 11.3 now assigns ATT&CK® categories to detected events to give analysts an understanding of what each event could mean. Simply put, the system relates a discrete anomaly on the network to intelligence on globally observed adversary methods. The assigned ATT&CK® category appears on the ADS dashboard for easy analysis and review. This improves situational awareness and helps an analyst assess the stage a breach has reached, its likely scope, and the adversary's probable next move.
Kemp Flowmon ADS performs a contextual analysis of each network event and determines which category or categories it matches. This analysis takes several factors into account, because a single event may be consistent with several different tactics or techniques, and the same kind of anomaly can mean different things in different contexts.
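As an added example (this is not Flowmon ADS code, and the real ADS mapping is not published here), the following Python models what such tagging looks like in practice. The detector names, the detector-to-ATT&CK mapping, the direction-based context rule, the internal address ranges and the sample events are all constructed for illustration; the technique IDs are real ATT&CK Enterprise IDs, but attaching them to these detector names is an assumption. It also shows the coverage check that the adversary-emulation use case above calls for: which emulated techniques produced no tagged detection at all.

```python
"""Tag network anomaly events with ATT&CK tactics/techniques and estimate
how far an intrusion has progressed.

Added example, not Flowmon ADS code. Detector names, the mapping table,
the context rule, the internal ranges and the sample events are all
constructed. Technique IDs are real ATT&CK Enterprise IDs; assigning them
to these detector names is an assumption made for this example.
"""
import ipaddress
from collections import defaultdict

# The 14 Enterprise tactics in matrix order (roughly early to late in an
# intrusion); used to rank how far along a breach is.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]
TACTIC_RANK = {name: i for i, name in enumerate(TACTIC_ORDER)}

# Assumed internal ranges (RFC 1918). Checked explicitly rather than via
# ip_address().is_private, which also flags documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical detector -> candidate (tactic, technique) pairs. One
# detector may legitimately match several tactics.
DETECTOR_MAP = {
    "PORT_SCAN":      [("reconnaissance", "T1595"), ("discovery", "T1046")],
    "SSH_BRUTEFORCE": [("credential-access", "T1110")],
    "SMB_LATERAL":    [("lateral-movement", "T1021.002")],
    "DNS_TUNNEL":     [("command-and-control", "T1071.004"),
                       ("exfiltration", "T1048")],
}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def tag_event(event):
    """Return the (tactic, technique) pairs that apply to one event.

    Context rule (assumed for this example): a port scan from an external
    source is pre-compromise Active Scanning; the same scan between
    internal hosts is post-compromise Network Service Discovery.
    """
    tags = []
    for tactic, technique in DETECTOR_MAP.get(event["detector"], []):
        if event["detector"] == "PORT_SCAN":
            src_internal = is_internal(event["src"])
            if tactic == "reconnaissance" and src_internal:
                continue
            if tactic == "discovery" and not src_internal:
                continue
        tags.append((tactic, technique))
    return tags


def assess(events):
    """Tag every event; summarise techniques per tactic and the latest
    tactic observed, which approximates the stage of the breach."""
    per_tactic = defaultdict(set)
    tagged = []
    for event in events:
        tags = tag_event(event)
        tagged.append({**event, "attack": tags})
        for tactic, technique in tags:
            per_tactic[tactic].add(technique)
    return {
        "events": tagged,
        "per_tactic": {t: sorted(v) for t, v in per_tactic.items()},
        "furthest_stage": max(per_tactic, key=TACTIC_RANK.get, default=None),
    }


def next_stages(assessment):
    """Tactics later in the matrix than the furthest one seen: the
    adversary's plausible next moves, worth a hunting pass."""
    stage = assessment["furthest_stage"]
    return list(TACTIC_ORDER) if stage is None else TACTIC_ORDER[TACTIC_RANK[stage] + 1:]


def coverage_gaps(assessment, emulated_techniques):
    """Emulated techniques that produced no tagged detection at all."""
    seen = {t for techs in assessment["per_tactic"].values() for t in techs}
    return set(emulated_techniques) - seen


# Constructed sample: external scan and brute force, then internal
# scanning, SMB lateral movement and DNS tunnelling out of the network.
SAMPLE_EVENTS = [
    {"ts": "2021-05-03T09:12:04Z", "detector": "PORT_SCAN", "src": "203.0.113.7", "dst": "10.0.1.20"},
    {"ts": "2021-05-03T09:15:31Z", "detector": "SSH_BRUTEFORCE", "src": "203.0.113.7", "dst": "10.0.1.20"},
    {"ts": "2021-05-03T10:02:10Z", "detector": "PORT_SCAN", "src": "10.0.1.20", "dst": "10.0.2.15"},
    {"ts": "2021-05-03T10:20:45Z", "detector": "SMB_LATERAL", "src": "10.0.1.20", "dst": "10.0.2.15"},
    {"ts": "2021-05-03T11:48:03Z", "detector": "DNS_TUNNEL", "src": "10.0.2.15", "dst": "198.51.100.9"},
]

if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for ev in result["events"]:
        print(ev["ts"], ev["detector"], ev["attack"])
    print("per tactic:", result["per_tactic"])
    print("furthest stage:", result["furthest_stage"], "| watch next:", next_stages(result))
    print("uncovered:", coverage_gaps(result, {"T1110", "T1021.002", "T1071.004", "T1105"}))
```

The point of the context rule is the one the paragraph above makes: the same anomaly (a port scan) carries a different ATT&CK meaning depending on where it originates, so a mapping that ignores context will mislabel the stage of the breach. The DNS tunnel event keeps both of its tags, since tunnelled DNS is used for command and control and for exfiltration at the same time.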
For more details on how ADS 11.3 uses the MITRE ATT&CK framework categories, see our Boost Your Situational Awareness With Kemp Flowmon ADS 11.3 blog post. Our ongoing weekly BrightTALK webinar series also covered ADS and the MITRE ATT&CK framework in August: the 30-minute webinar titled Manage security threats with MITRE ATT&CK Framework is available on the BrightTALK site.
Organizations can use the MITRE ATT&CK® Framework to support a range of cybersecurity planning and testing activities. Because the matrices are detailed, security professionals can pick out the specific tactics and techniques relevant to their environment and use them to structure defense planning. Typical use cases, as MITRE itself documents them, include detection engineering and analytics, enriching threat intelligence, adversary emulation and red teaming, and assessing and closing gaps in defensive coverage.
The integration of the framework’s reporting categories into Kemp Flowmon ADS makes it much easier to automate many of these use cases.
The MITRE ATT&CK framework is an excellent resource for learning about current cyberattack tactics and techniques. It is also a useful checklist when designing and implementing cybersecurity defenses. Its integration with the anomaly detection in Kemp Flowmon ADS means analysts see unusual network activity labelled in terms they already understand. This makes it much more likely that bad actors on a network will be detected, isolated, and then expelled before they can complete their attack plans.