CSO Perspectives (Pro) 8.28.23
Ep 110 | 8.28.23

Best practices for MITRE ATT&CK(R) mapping.


Rick Howard: At the beginning of 2023, Sharon Barrio and Stacey Marie Ishmael from Bloomberg News said that the hackers behind the Lazarus Group managed to steal approximately $1.7 billion in 2022, up from $400 million in the previous year, mostly from crypto companies like Ronin, and Harmony Horizon, just to name two. And it occurred to me that if there was ever a black and white case for using the MITRE ATT&CK wiki to inform the controls of your internally deployed security stack, this was it. In other words, the intrusion Kill Chain prevention strategy that I've been yammering on about in this podcast for over two years now is such an obvious choice here.

"Home Improvement" soundbite: Oh yeah.

Rick Howard: Deploy prevention and detection controls across the intrusion Kill Chain designed to defeat as many of the known tactics, techniques and procedures that the InfoSec community has associated with the Lazarus Group campaigns. We've been tracking this campaign for a long time, and the community knows a metric ton about it. I'm an advisor to a company called Tidal Cyber. They're trying to operationalize the MITRE ATT&CK wiki. They list 116 techniques and 25 different pieces of software associated with the Lazarus Group campaign. The open source MITRE ATT&CK wiki lists 227 techniques associated with the group. I mean, I don't know who the Ronin CISO is or even if the company has one. The company's webpage doesn't even list the leadership team. But if I was the Ronin CISO, I would spend a lot of time designing prevention and detection controls for these known TTPs. I'm just saying. The InfoSec community's consensus attribution for the Lazarus Group campaigns is that the hackers are sponsored by North Korea. They do some traditional cyber espionage operations typical of other nation states like the US, Russia, Iran, Israel, and China. But what they are infamous for is running cyber crime operations to provide a revenue stream for the North Korean government. With all the sanctions the West has placed against North Korea, you can make the case that the efforts by the Lazarus Group hackers might be one of the largest revenue sources coming into the country. To recap then, we have a group of hackers who target a niche part of the business community, the crypto communities, and we have MITRE, TIDAL, and others with an exhaustive list of every TTP the hacker group has deployed from the past. If you're a security leader in a crypto company, isn't it a no-brainer that you buy down risk considerably if you robustly deploy the intrusion Kill Chain strategy, at least for this Lazarus Group campaign? I think so, but I'm willing to bet that most of the just under 1,000 crypto companies that exist in the world today don't do that, because most of the rest of us don't either. I get to talk to a lot of CISOs on this job, and it's anecdotal for sure, but I have yet to run into more than one or two who have even halfway deployed this strategy. Even with the hash table experts who regularly come on this show to explain things, when I asked them about their intrusion Kill Chain prevention strategy deployments, I got crickets. And there's lots of reasons for this, but probably the two most significant are, it's hard to do, and it can be really expensive. So hold on to your butts.

"Jurassic Park" soundbite: Hold onto your butts.

Rick Howard: For this "Rick the Toolman" episode, I went looking for ways to make deploying the intrusion Kill Chain prevention strategy easier. My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater, somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to "CSO Perspectives", my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. In January of 2023, the U.S. Cybersecurity and Infrastructure Security Agency, CISA, published a white paper called "Best Practices for MITRE ATT&CK Mapping." And that's what I'm going to focus on today, how do intelligence analysts map observations from their own internal collected telemetry, and from externally produced intelligence reports to the TTPs that we know in the MITRE ATT&CK Framework. For those that don't know, MITRE released their first version of the ATT&CK Framework in 2013, three years after the original Lockheed Martin intrusion Kill Chain paper.

Steve Winterfeld: Really? More history, Rick?

Rick Howard: The MITRE ATT&CK acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. At first glance, the casual reader would assume that the framework is a slight improvement on the original Lockheed Martin model. The framework extends the original phases and corrects some of the limitations. It eliminates the recon phase and expands the actions on the objective phase with more clarity and detail. That's all true. But the framework's significant innovation is an extension to the list of information requirements intelligence analysts collect for adversary playbooks. They added tactics, techniques, and procedures, TTPs. Before the framework, we would all collect indicators of compromise, like bad IP addresses or URLs, without connecting them to known adversary behavior. They would just be lists of bad things. The lists are not useless, per se, but they are ephemeral, and hackers can easily change them at the drop of a hat. By the time InfoSec teams deployed countermeasures, the bad guys had likely already changed their behavior. According to the 2023 CISA paper, MITRE's extension of the Kill Chain model defines TTPs this way. Tactics, the what and why of a technique. Techniques and sub-techniques, the how an adversary achieves a tactical goal by performing an action. And finally, procedures, particular instances on how a technique or sub-technique has been used. That intelligence isn't as ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures. Where the Lockheed Martin Kill Chain model is conceptual, the MITRE ATT&CK framework is operational. Network defenders can use the provided TTPs to design detection and prevention controls for their internal security stack for real-world cyber campaigns that InfoSec practitioners have observed in the wild. But as I said at the top of the show, most of us aren't doing that. I asked my good friend Steve Winterfeld, the Akamai Field CSO, why he thought that was so. He said that it wasn't until recently when he and I were working on the "Cybersecurity First Principles" book that he realized that the MITRE ATT&CK framework was much more than just a reference source like Wikipedia. It should be used as an operational construct, but it's so vast, it's hard to know where to start. Here's Steve.

Steve Winterfeld: Originally, I just put it in a box over here as a reference, not an operational tool, and I think that was a huge handicap, and I personally have changed that, and I use it operationally now. So if you have a team with, you know, a Tier 2 SOC, or a Threat Intelligence Team, or a Red Team, then this can be a tool that you actually use. First of all, the scope is huge. You have 14 phases, over 200 techniques, and how do you go through and measure all that? You know, first of all, I would sit down and say, okay, what's the subset? Of these 200 plus, which ones apply to what the SOC would own? Maybe that's 71. Okay, 71 is a little bit better number to deal with. And then you say, okay, so, you know, I'm going to train my SOC Tier 1 analyst. They should know these 71 techniques. They should know how to investigate and what tools, what processes we use to find those different techniques. And then the Tier 2 should be able to say, okay, if I see this set of techniques that indicates a specific threat actor. Same with threat intelligence, which one of our capabilities are best designed to, of these, you know, 14 phases, do I have security controls in each phase that are likely to catch them? It's kind of that cyber Kill Chain. I have 14 opportunities to interdict and disrupt their attack mechanism. I could go to the Red Team and I could say, hey, listen, Red Team, I want you to go take this attack group and use, you know, ATP, pick a number, and use their attack methodology to attack us. And this is nice because then I can do more of a Purple Team exercise. Did our security controls detect that? Did those controls alert into the SOC? Did the SOC notice them and react to them and launch proper mitigation techniques? And so all this I think is an integrated opportunity to just take this and use it in a very useful way. But yeah, a tremendous resource and something I think can and should be operationalized on a more normal basis.

James Stanley: James Stanley from the Product Development Team inside of JCDC and CISA. So I've been within CISA for about five years now, and I've been leading the Product Development Team for about three years.

Rick Howard: JCDC stands for the Joint Cyber Defense Collaborative, and CISA stands for the Cybersecurity and Infrastructure Security Agency. James is one of the CISA people who produced the January report on best practices for MITRE ATT&CK mapping, the intelligence analyst process to accurately and consistently map adversary behaviors to the relevant ATT&CK techniques for reporting purposes or to develop updates to the deployed security stack. In 2023, we have no shortage of cyber threat intelligence reports from security vendors seeking to make a name for themselves, from government agencies like the FBI and CISA trying to share actionable intelligence to the InfoSec community, and from internal intelligence teams trying to make sense of collected telemetry. Mapping MITRE ATT&CK is one of the first steps in all of those tasks. Here's James.

James Stanley: The January report is essentially, it's an update to the best practices on how to map to the MITRE ATT&CK matrix. We originally released it, I think it was December of 2020, so it's been a little over two years now, and the inspiration for that initial release was just because us, as far as CISA was concerned, we put a huge emphasis on mapping to ATT&CK. We had just started to incorporate it into our cybersecurity advisories whenever we wrote them. We were essentially huge fans, found it to be very impactful. After the initial release, a few years had passed, obviously things had grown quite a bit. So we circled back with John and team to discuss how there were potentially a lot of value add as far as new sections to include. So we included a lot, we included emphasis on ICS and mapping to ICS specific. We included some common mismapping mistakes, so analysts could understand when they're trying to map to specifically sub-techniques, which can get a lot trickier, some of the common missteps when it comes to that and how they can fix those, and just kind of adding out the content as far as how much more developed the ATT&CK matrix has become over the last couple of years.

Rick Howard: So who's the target audience here? Are these SOC analysts, are they CISOs, who's it for?

James Stanley: We are pointing towards SOC analysts and, you know, threat intel folks, the ones kind of the working level people that are on the ground doing the work, because as we produce products, we as CISA produce products to give to the general audience -- this guide also helps, you know, internal organizations map their own adversary behavior that they're seeing on their network and leverage it that way as well.

Rick Howard: James, so what's new in this report that wasn't in the previous one?

James Stanley: We added an appendix that highlights ICS specific mapping and the importance of that and kind of some of the missteps that are around that, but just highlighting that this is no longer for enterprise networks, that this is now for ICS specific, this is for mobile. So kind of as the scope broadens, we wanted to alert readers to that, and then we really wanted to highlight for analysts using it that there are a lot of common ways that this matrix is misused or mismapped in the reporting, and so kind of highlighting that concern and how you can fix that.

Rick Howard: James, you mentioned that people make mistakes mapping. What are typical mistakes that people have been making up to this point?

James Stanley: Missed opportunities is a big one. I think people will stick to just the surface techniques, so they won't actually dig down into the weeds and get into the sub-techniques, and those sub-techniques are much more specific to the actual behavior, especially once they're on the network and they're digging around. So I think missed opportunities is a key highlight just for analysts that just because you identified a technique, you're not just supposed to move on and move along the attack life cycle, but stick to that area and find out what specifically that adversary did, that behavior that they had, so you can really drill down and protect better against it.

John Wunder: All right, I'm John Wunder. I'm the Senior Manager for Cyber Threat Intelligence and Adversary Emulation at MITRE, and I lead this work for CISA with the Homeland Security Systems Engineering and Design Institute, a DHS FFRDC operated by MITRE. I've been at MITRE about 12, 13 years, and working the CISA project for five or six years.

Rick Howard: John is also one of the folks that helped CISA write the MITRE Mappings paper, but in conjunction with that, the CISA MITRE team also released an open-source tool that intelligence analysts can use to make their jobs easier with this work. It's called the Decider Tool.

John Wunder: So the Decider Tool is something that we developed after working on the first version of the Best Practices Guide, where we talked a lot about how to help people map to attack better, like the tips and tricks that you can use to go from some set of observed activity on a network to the attack technique that best describes that. One of the things we noticed was that it's still really hard. We can write all the help guides that we want, and ATT&CK is still really hard to map to because ATT&CK is this very technical thing, because it needs to be. It describes the things that adversaries do when they attack us, and so you need to get that right. If getting ATT&CK right is important, then we want to make it as easy as possible to do that. And so what the Decider Tool does is it takes a step back and says, okay, a lot of the people doing these mappings are probably not experts in MITRE ATT&CK. They are cyber security analysts, so they're experts in cyber security, but they don't know the intricacies of why this technique is that way or why that technique is this way or whatever it is. So why don't we, instead of having folks look at the ATT&CK website to map all of the time, why don't we develop a tool that will ask them a series of questions about what they saw? How did the adversary get in? What did they do? What aspects of the operating systems did they use to move laterally? Things along those lines. So instead of doing that by searching the ATT&CK website and looking for it line by line down the matrix, instead it'll ask you these questions, and it'll take you from top to bottom. You know, what was the tactic to the technique to the sub-technique? It uses simplified language, and there's some search capabilities built in, and eventually the goal though is that, you know, you're getting to that ATT&CK mapping. So it's trying to make the process of mapping to ATT&CK easier than like staring at the ATT&CK website and kind of hoping for the best, I guess.

Rick Howard: So it's a focus tool for analysts who are not familiar with ATT&CK as much as you guys are, but who understands what happened to them, and you can walk them through to get to the correct or the most appropriate category of things that you're trying to map to.

John Wunder: Yeah. I would add one more thing is that it's definitely useful for folks that are less familiar with ATT&CK, but when I go through and I do mappings, I still use the decider because, you know, all of us still have more to learn, but also, you know, this is just to my mind at least a more natural way to think about mapping to ATT&CK. And I often use both the -- you know, it asks me questions, and I also use the search capabilities that are a little bit more advanced than what's in the ATT&CK website. So I would say anybody mapping to ATT&CK should take a look, and hopefully you'll find some value in it.

Rick Howard: You know, we're all talking about ChatGPT and AI and all that this year. Is that on the roadmap, we're going to have a command interface to do that for us as opposed to a web app that you guys have already -- this director program? Is that somewhere down the line?

John Wunder: Yeah, it's funny you say ChatGPT, because I actually just saw Microsoft release a tool that was supposed to do some of this automatically using natural language processing.

Rick Howard: Yeah.

John Wunder: MITRE also had a tool called Trim where we were looking at whether that was doable. And, you know, unfortunately at this point, that technology is still a little bit farther out to be accurate enough to really work for defensive purposes. You know, I talked to some analysts at CISA actually about like, how often does the technology need to get it right or it's just wasting your time? And they were like 95% of the time or more, because if it's missing more than that, I'm just second guessing everything it gave back to me. And that, you know, just isn't quite what we need.

Rick Howard: So one of the questions I have about the MITRE ATT&CK framework, John, is there's giant confusion in the industry about naming adversary groups. And I think we're down the wrong path on this. And I wanted you to have some insight about this. We tend to say threat actor group X, like Wicked Panda, is the one attacking us. And it implies that we know who the people are behind the attacks. But that's not the case, right? What we are tracking in the MITRE ATT&CK framework is the attack sequence, right, from across the intrusion Kill Chain. Am I wrong about that?

John Wunder: Yeah, I think one of the, I guess, useful things about the MITRE ATT&CK knowledge base is that I think it can get us out of that rabbit hole a little bit. And that if, you know, if you're a defender, so you're a SOC manager or something like that, you know, often you don't care about necessarily who's attacking you. You just want to stop it. And so there's, I know, a big debate in the cyber threat intelligence community around like how do we name groups and can you overlap groups and if you can overlap groups when you do that. But from another perspective, you know, for a lot of defenders, it may not matter at all. And one of the nice things that ATT&CK allows you to do is say, okay, well, I don't really care who's doing this. I care what they are doing. What are the things that they're doing when they're attacking us? And so ATT&CK as a knowledge base describes those things. It describes like the sets of things that adversaries can do when they attack us, how they do those things in different ways of detecting or preventing those things. So in that way, it can kind of spin things around and say, you know, let's focus a little bit less on who's doing it and focus a little bit more on how do we stop it regardless of who it is.

Rick Howard: So is it fair to say then that when we label an attack, we label this set of activity like Wicked Spider or, you know, pick one that you like. I just love the colorful names -- it's the reason I'm a security guy.

John Wunder: They are fun.

Rick Howard: But when we label them with those colorful names, it is really, we think, a set of activity that some group, maybe more than one group, has seen in the wild across the intrusion Kill Chain. And we're going to give it this name so we can remember what it is and distinguish it from another one, say Panda Bear, that's a little bit different. Is that fair to say?

John Wunder: Yeah, yeah. So I think you can think about this as, you know, it's a set of activity that's associated with itself in some way. You know, a lot of the times organizations might do that because they think it's the same people behind it. In other cases, it may be because it was observed as part of the same campaign or something like that. But again, like for most folks, like looking at, you know, who are the actual people on the keyboard behind it may not be the most important thing to them day to day.

Rick Howard: Well, tell me if I got this wrong, James, maybe you want to jump in here too, is that here's my thought process on this. If I'm deploying prevention or detection controls for everything I can possibly do that's listed in the MITRE ATT&CK framework for Wicked Panda, it doesn't matter if Wicked Panda changes one of those things because I've blocked everything else. They may have success with this new zero-day exploit they just found, but since I've blocked them at all the other places, they're not going to be able to succeed in their mission. That is the genius of the intrusion Kill Chain model. Is that true, James?

James Stanley: Yeah, I would agree. I think what you just highlighted is exactly why we're encouraging people to leverage this, right? So instead of the more traditional reactive behavior of going after, you know, IOCs and indicators of compromise and blindly blocking, whether it's domains or hashes or IP addresses and not really hardening your network, what you just described is the whole goal, right? So just to track the adversary behavior and if you're worried about one group or if you're worried about something specific like ransomware, I think you can find through ATT&CK and the matrix that generally they're going to leverage, whether it's exploiting public-facing devices, but you can focus on whatever your weakness is. So you can focus on initial intrusion or if you're hardened on the exterior, maybe you can focus on the top ways of lateral movement to avoid that impact. So I think, yeah, the way you described it is exactly why we want to push it.

Rick Howard: I think our focus has been wrong for the last 10, 15 years, right? We try to block technical things like a piece of malware or an exploit or a phishing attack. And what I want to do is, you know, block adversary activity, right? I want to prevent that adversary from being successful. And so we need to elevate our game a little bit and the MITRE ATT&CK framework lets us do that. One of the criticisms of the MITRE ATT&CK framework is that it's hard to work with. I mean, it's really good intelligence, but it's very difficult to use without a lot of manual grunt work. From my perspective, in my fantasy world, what I need is an ability to monitor a collection of open-source intelligence organized around the MITRE ATT&CK framework idea, automatically collect changes and updates as they happen, alert the SOC to these new TTPs, have the intel team develop countermeasures for my internally deployed security stack, and then push a button that deploys the countermeasures to the appropriate systems. And I want to do all of that in real time.

"Home Improvement" soundbite: Oh yeah.

Rick Howard: As a community, we are a long way from this fantasy.

"Home Improvement" soundbite: Oh no.

Rick Howard: But we are inching towards building the tools that will help us get there. According to the staff over at the Greylog blog, detection engineer Florian Roth and open-source security tool developer Thomas Patsky introduced SIGMA in 2017, a text-based human-readable open-source signature format that analysts can use to detect adversary behavior in SIEM telemetry. It's similar to how analysts build YARA rules, yet another recursive acronym, on indicators of compromise to help identify and classify malware files. Analysts write SIGMA rules in YAML, yet another markup language, not to be confused with YARA.

"Home Improvement" soundbite: Huh?

Rick Howard: That formats data in a natural, easy-to-read, and concise manner. SIGMA rules can contain fields like title, description of what it detects, log source, and tags, including MITRE ATT&CK mapping.

John Wunder: James actually shared a really good example of this with me a couple days ago, where CISA releases these reports that include ATT&CK mappings, and so they released a report that included a mapping to a particular technique, and James saw a post on LinkedIn describing how a SOC manager was able to take that mapping and go look for an analytic to detect that adversary technique in SIGMA, I believe, and then bring that back into their organization to implement it. It lined it up and was able to detect that attack moving forward. SIGMA is an open-source repository of detection rules for perceived tools, so they have a bunch of rules in there that are finding adversary behavior and event logs and things like that, and in this case, they align them to ATT&CK. And so what you can do is you can say, okay, the threat report mentions these ATT&CK techniques, the SIGMA rule says it finds that ATT&CK technique, let me pull that rule in. I would really caution everybody to do double checks when they do that, as we know, there's a lot of variety.

Rick Howard: What are you saying exactly? Yeah, I agree.

John Wunder: Yeah. Well, there's a lot of variety in ATT&CK techniques, right? So there's certain ways you can dump credentials from LSAS, for example, and some analytics will detect those ways, and others won't. So just because you have a rule that finds a particular ATT&CK technique doesn't mean it's going to find every single variety of that technique. That's why in the best practices guide, for example, we really encourage everyone producing Intel to include not just the ATT&CK technique, but also what's the technical context for that. What was the behavior that was observed, a command line, a registry key, because then you can really go that extra step and say not just this technique matches, but this analytic actually would have detected the real observed behavior there.

Rick Howard: I want to thank CISA's James Stanley, MITRE's John Wunder, and Akamai's Steve Winterfeld for helping with this "Rick the Toolman" episode. Like I said at the top of the show, I'm a huge fan of the MITRE ATT&CK framework. I've made the case on this podcast many times, and in my book, "Cybersecurity First Principles: A Reboot Of Strategy And Tactics", that intrusion Kill Chain prevention is a key and essential strategy that logically flows out of the absolute cybersecurity first principle, reduce the probability of material impact due to a cyber event in the next few years. As a community, we can't pursue that strategy unless something like the MITRE ATT&CK framework exists. Since it does, we are well begun, but it's clear to me that we are years away from realizing my fantasy world that I outlined in this show. Actually, I published a journal article with my good friend and colleague, Ryan Olson, just before the COVID lockdown about a first draft architecture that we all should be driving toward. The paper is called "Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks", published by the Cyber Defense Review up at West Point. The link is in the show notes. The MITRE ATT&CK framework, as I said, came out in 2013, and as far as I know, Gartner hasn't created a lifecycle chart for the idea, but from my own observations, it quickly hit the peak of inflated expectations, probably around 2015, and has been traveling down the trough of disillusionment ever since. Not because it wasn't a good idea, but because implementing something useful with it, something that can actually buy down risk for your organization with it, is years away. In terms of the hype chart, we probably haven't hit bottom yet. I'm guessing that it's a couple of years before we start up the slope of enlightenment, and five to ten years before we reach the plateau of productivity, but we are on our way. The CISA guide that we talked about today, Best Practices for MITRE ATT&CK Mapping, MITRE's tool called the Decider, and the open source rules repository called Sigma, are the next steps in the journey, and as my favorite author of all time says, "So be your name Buxbaum or Bixby or Bray or Mordecai Ali Van Allen O'Shea, you're off to great places. Today is your day. Your mountain is waiting, so get on your way." And that's a wrap, not only for this show, but for the entire "CSO Perspective" season, season 13. Don't forget, you can buy copies of my book, "Cybersecurity First Principles: A Reboot Of Strategy And Tactics." You can consume it in a variety of formats, the tree killer version with real paper for people who just have to feel the paper between their fingers, the digital version with your Kindle or favorite digital reader, my preferred method, by the way, because it allows me to highlight, take notes, and grab quotes, and for all of you that like to listen to books as you're doing the laundry, walking the dogs, or other honey-do tasks, there's an audible version. Order it now at amazon.com or wherever you buy your books. And finally, we'd love to know what you think of this podcast. Send email to cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help you keep a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like "CSO Perspectives" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. N2K Cyber's "CSO Perspectives" is edited by John Petrick and executive produced by Peter Kilpe. Our producers are Liz Ervin and senior producer Jennifer Eiben. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Pelzman, who also does the show's mixing, sound design, and original score. And I'm Rick Howard. Thanks for listening.