As the security threat landscape these days changes and evolves so frequently, it has become imperative to stay continuously vigilant of cyber criminals and their ever-changing tactics and techniques. Organizations traditionally invest in keeping themselves updated and vigilant about the latest developments in the threat landscape through the adoption of Cyber Threat Intelligence (CTI) capabilities. Various information sources such as blog posts, tweets, research papers, white papers, vendor reports, threat reports, the organization's own telemetry etc. are processed and analyzed using advanced Machine Learning (ML) and Artificial Intelligence (AI) algorithms to generate actionable intelligence such as indicators of compromise (IOCs): malware source IP addresses, domain names, email addresses, malicious file hashes etc., for proactive defense against these threat vectors. This traditional CTI approach to staying vigilant is, however, a very daunting task, as it has some definite limitations and challenges, such as:
· Apart from the ML and AI, it also requires a lot of manual time and effort to read and analyze research papers, white papers, vendor reports, threat reports etc. to understand the context and generate actionable intelligence.
· Validating the actionable intelligence is also time- and effort-intensive, monotonous work, which could eventually produce significant false positives for Blue Teams and Operations Teams.
· Actionable intelligence is susceptible to change, as indicators of compromise (IOCs) such as malware source IP addresses, domain names, email addresses, malicious file hashes etc. can change, rendering the proactive detection rules useless.
· A major portion of the CTI generated may not be relevant to the organization's technology footprint.
· A large share of relevant real-time threat intelligence is subscription based, and so it has cost implications.
In light of the above limitations and challenges, and of David Bianco's Pyramid of Pain, adoption of the MITRE ATT&CK Framework provides a structured way to describe adversary Tactics, Techniques and Procedures (TTPs) and behavior, and allows a more widespread alignment across multiple cyber security domains, viz. Threat Intelligence & Threat Hunting, Red Teaming, Risk Management, Intrusion Detection & Response, Security Engineering, 3rd Party/Vendor Risk Assessment etc.
The Pyramid of Pain "shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them". This means it is very easy for an adversary to change the malware source IP addresses, domain names, email addresses, malicious file hashes etc., thereby rendering the proactive detection rules useless; however, it is very difficult for an adversary to change their tactics, techniques and procedures.
Hence, instead of depending on just the IOCs and actionable intelligence to achieve resilience, adopting a TTP-based detection and alerting mechanism is preferred. This is where adoption of the MITRE ATT&CK Framework becomes the need of the hour, to create a more effective threat-based awareness of the security loopholes that adversaries could exploit. This in turn improves the actionability of CTI for effective defense against these threat vectors.
Additionally, this framework can be leveraged to take strategic and tactical decisions around Vendor Partnerships or 3rd Party Security Software/Service investments. Plotting the detection, alerting and remediation coverage of these vendors and products against the ATT&CK TTPs and the organization's security loopholes can channel the Vendor Partnership or 3rd Party Security Software/Service investments in the most pragmatic manner.