Daily Archives: March 7, 2019

Deriving value from the MITRE ATT&CK Threat Model

The MITRE ATT&CK knowledge base continues to gain traction as the defacto source for supporting business threat assessing, developing proactive cybersecurity and cyber resilience strategies. ATT&CK provides a defined understanding of the adversaries, their associated tactics, their techniques and procedures (TTPs). The ATT&CK comprehensive knowledge base of adversary tactics and techniques has been built up using real-world observations and is freely available to use. 
There are many ways in which organisations can benefit from ATT&CK, often dependant on an organisation's security capabilities and the general security maturity. Steve Rivers, Technical Director International at ThreatQuotient has written guidance on the MITRE ATT&CK stages of maturity, so that any organisation can derive value from it.

MITRE ATT&CK Framework: Keep your friends close, but your enemies even closer

Steve Rivers, Technical Director International at ThreatQuotient

So, how can you get started and use the framework? Nearly every organisation is interested in using MITRE ATT&CK, but they have different views on how it should be adopted based the capabilities of their security operations. We need to make sure that the MITRE ATT&CK framework doesn’t become another source of threat data that is not fully utilised, or a passing fad, or a tool that only the most sophisticated security operations teams can apply effectively. To avoid this fate, we must look at ways to map the framework to stages of maturity so that every organisation can derive value. Here are a few examples of how to use the framework with appropriate use cases as maturity levels evolve.

Stage 1: Reference and Data Enrichment

The MITRE ATT&CK framework contains a tremendous amount of data that could potentially be valuable to any organisation. The MITRE ATT&CK Navigator provides a matrix view of all the techniques so that security analysts can see what techniques an adversary might apply to infiltrate their organisation. To more easily consume this data, a good place to start is with tools that make that data easy to access and share across teams. This may be through an enrichment tool or a platform with a centralised threat library that allows a user to aggregate the data and easily search for adversary profiles to get answers to questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply? Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.

Stage 2: Indicator or Event-driven Response

Building on the ability to reference and understand MITRE ATT&CK data, in Stage 2 security teams incorporate capabilities in the platform within their operational workflows that allow them to apply a degree of action to the data more effectively. For example, with the data ingested in a centralised threat library, they can build relationships between that data automatically without having to form those relationships manually. By automatically correlating events and associated indicators from inside the environment (from sources including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) with indicators from the MITRE ATT&CK framework, they gain the context to immediately understand the who, what, where, when, why and how of an attack. They can then automatically prioritise based on relevance to their organisation and determine high-risk indicators of compromise (IOCs) to investigate within their environment. With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and push threat intelligence to sensors for detection and hunt for threats more effectively.

Stage 3: Proactive Tactic or Technique-driven Threat Hunting
At this stage, threat hunting teams can pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Instead of narrowly focusing on more targeted pieces of data that appear to be suspicious, threat hunting teams can use the platform to start from a higher vantage point with information on adversaries and associated TTPs. They can take a proactive approach, beginning with the organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment. For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organisation? Are my endpoint technologies detecting those techniques?

The success of MITRE ATT&CK will depend on how easy it is to apply effectively. With an understanding of maturity levels and use cases, and the ability for technologies to support security operations teams at whatever stage they are in, organisations will be able to use the framework to their advantage. As their desire and capabilities to use the data evolve and grow, they’ll be able to dig deeper into the MITRE ATT&CK framework and gain even greater value.

A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

Folks,

This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -


Image Courtesy RSA Conference. Source: https://www.rsaconference.com/

If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


  • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
  • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
  • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
  • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

Best wishes,
Sanjay


PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.

PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?