Pt 2 – Mitre ATT&CK: from the Rick the Toolman Series.
Rick Howard: When I started the Rick the Toolman series, the very first question I got from the fan base was, who was going to be my Al Borland? If you all remember, in the 1990s TV show "Home Improvement," Tim the Toolman, played by Tim Allen and based on his stand-up comedy routines, was the host of a local PBS-like TV show that focused on home improvement projects similar to the real PBS show "This Old House," hosted by Bob Vila. Tim's sidekick in the show was Al Borland, played by Richard Karn, and was therefore comedy relief by pointing out the mistakes Tim made on the various fixer-up projects they both tried to do on the show and had a number of running gags that lasted throughout the eight TV seasons, like Al's love of Bob Vila. Or whenever Tim would suggest something stupid or unsafe, Al would say...
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Richard Karn: (As Al Borland) I don't think so, Tim.
Rick Howard: And Al's continuous need to hug Tim when Tim didn't want them. Fans of this "CSO Perspectives" podcast and the newish Rick the Toolman series had some thoughts about who should be my sidekick. So when I needed an expert to help me discuss one of the tools - the MITRE ATT&CK framework - I thought I would reach out to one of the names mentioned the most in all of that fan mail. His name is Steve Winterfeld, the advisory CISO for Akamai and my best friend. He might be my Al Borland.
Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor. And you are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis.
Rick Howard: Before we start the interview, I need to make one small correction to the previous Rick the Toolman episode we did on the MITRE ATT&CK framework. In that episode, I said that MITRE runs six U.S. government FFRDCs, or federally funded research and development centers, that study a broad range of topics. I also said that the ATT&CK framework came out of the National Cybersecurity Center of Excellence FFRDC sponsored by the National Institute of Standards and Technology, or NIST. It turns out that's not correct.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, no.
Rick Howard: I had lunch with Richard Struse the other day. He's the director of the Center of Threat-Informed Defense at MITRE Engenuity. And he informed me that although MITRE does a lot of good work for the National Cybersecurity Center of Excellence, the work MITRE did inventing and building the ATT&CK framework was purely a minor project. In other words, MITRE saw a need for something like the ATT&CK framework and just built it themselves, and good on them for doing so. With that little correction made, let me bring Steve Winterfeld in here, the Akamai Advisory CISO.
Steve Winterfeld: All right.
Rick Howard: So, Al, how's it feel to be nominated by my show's fan base to be my sidekick, my Al Borland?
Steve Winterfeld: Well, Tim...
Rick Howard: (Laughter).
Steve Winterfeld: I will tell you that there are a couple of things that I have in common with Al. The first is constantly wondering how you get yourself into circumstances and trying to explain to you how things work.
Rick Howard: Exactly (laughter).
Steve Winterfeld: The other thing is I think you enjoy my hugs as much as Tim enjoys Al's hugs on the show.
Rick Howard: I can vouch for that, my friend. I can totally vouch for that (laughter). We're talking about the MITRE ATT&CK framework on this episode, and that thing's been around since 2013. And when it came out, we all thought it was revolutionary, you know, a different way to operationalize threat intelligence. But here we are eight years later, and most organizations have yet to operationalize it. And let me just ask you this. Am I right about that, or has my observations been wrong? Do you see more people operationalizing the MITRE ATT&CK framework?
Steve Winterfeld: Operationalize is an interesting word. So the framework has 218 techniques flowing across 14 different categories. And as you try to, say, operationalize that - that's a huge thing. So I've seen Fortune 500 companies look at this and try to operationalize it. And that's where my experience leveraging this will come from. But for the smaller organizations, I think the most common way they've tried to operationalize it is ask their vendors how the vendors have mapped their capabilities back to this. But that's a big chunk to bite off unless you've got a fairly robust team that includes pen test team, threat intelligence and a security operations center.
Rick Howard: Well, I agree with that. But what makes it so hard? I mean, I agree that's what's happening, OK? But why is it so hard to do that? It's just big. Is that the only reason?
Steve Winterfeld: Well, and it's manual. It is a spreadsheet that you go reference. It's not something you automate. It's not something you pull into dev ops currently. You know, it's not STIX/TAXII or, you know, something that you leverage. It's a process. And when you go out and try to leverage a process, that's much more difficult.
Rick Howard: So I agree that nobody has done that, but you were a big information security executive in your last gig. How did you use the MITRE ATT&CK framework?
Steve Winterfeld: So I want to bring up four use cases.
Rick Howard: All right.
Steve Winterfeld: The first is the board is going to say, how mature is the SOC operations? Well, that's - you know, what standard do you measure against? And so you can take the SOC and say, we use the MITRE ATT&CK framework, and we've scoped out all those that are relevant techniques that our SOC should be able to detect. And remember, some of these are for different environments. Some of these may be process-driven, so not belonging to the SOC. So let's say of the 218, we've determined 150 of these our SOC should be able to detect.
Rick Howard: Let me back up on that, Al, because that means you can actually collect telemetry, that you can decide that you can see that kind of thing, and then actually make a decision about what to do about it. Is that what you mean?
Steve Winterfeld: Well, Tim...
Rick Howard: (Laughter).
Steve Winterfeld: ...Let me walk you through that. And so the way I would go through all 150, the goal would be to say - to have the red team - to do a lifecycle of an incident. So the red team would go in and conduct the attack that should be discovered. And then, you would say, was it discovered? Was a log created? Was a log moved over to the Security Operation Center? Did they take action on that for remediation? And was notification done? Your blue team operations here - the red team would notify the blue team they'd done it. The database personnel would validate that there was a log. The incident response team would see if that came in and was actually - an incident was created, an investigation and remediation done. And so for each one of these 150 then, you could go do a lifecycle validation and tell how mature you were. And again, depending on the type of technique, this would be across multiple tools. So you can see just validating, you know, the first 10 has a lot of effort.
Rick Howard: Well, I mean, everybody I know jumps right to red team, blue team, purple team operations. And I agree that that set of intelligence that's sitting in the MITRE ATT&CK wiki is invaluable for that kind of effort. But most people don't have red teams. Small, medium-sized companies or organizations - you know, they don't have any resources to do that kind of thing. But my question to you is, is there no value in tracking the adversaries behind those techniques and procedures? The MITRE is tracking 125 the last time I counted. And is there no value knowing that APT1 is in your network or not? Does that not help you?
Steve Winterfeld: That's my second use case, actually - perfect lead-in - is when you go and say, so APT29 - what techniques do they use? You want to pull the techniques, ideally, out of the 218 MITRE has. And so now you've got a documentation process of how you're going to validate that. So then your consultant, your red team, whoever's doing that can then go through and do all this. And for the smaller companies, you can do a tabletop exercise walking the team through - on this first one, what controls do we have in place? Do we believe those controls are effective? So it may be more of a tabletop exercise for measuring your maturity. But cycling back to the very beginning, I think APT and measuring maturity are two great use cases.
Rick Howard: Go back to what you said earlier, though - we were both agreeing that small and medium-sized organizations, many don't have the resources for this kind of thing. And so a tabletop exercise you were suggesting - what about just insisting that the vendors that you use in your security stack give you this functionality? Wouldn't that be a thing to push on?
Steve Winterfeld: Yeah, and I had mentioned that earlier as, in fact, yes, that's a great idea as far as asking your vendors. Part of that also goes to understanding - you know, my third use case scoping out an environment. You may want to say, which one of these techniques are focused on endpoint or on a cloud environment or on my edge? If I want to look at how I'm protecting my edge, let's say 20 of these are actually focused on similar firewall, web application and API capabilities. And then you may go back to your vendors that provide those and say, which of these 20 do you take advantage of? Or you can go back and just ask all your vendors, have they mapped to this? And when they haven't, then maybe ask them, map to these 20 for me.
Steve Winterfeld: I also like that scope environment, because when you go back to an exercise, it's a quick way to say, OK, let's focus on the edge. Which ones are edge-based? Let's do both a technical and a tabletop environment. And I can go back to the board and say, this is - our first round of maturity is an environment, not necessarily the entire load.
Steve Winterfeld: I'll bring up my last use case 'cause it kind of paralyze that.
Rick Howard: OK.
Steve Winterfeld: Parallels that.
Rick Howard: Easy for you to say.
Steve Winterfeld: Yeah, please feel free to edit that out. But you won't.
Rick Howard: I won't.
Steve Winterfeld: So...
Steve Winterfeld: The last use case I wanted to talk about is using the ATT&CK framework as a training program.
Rick Howard: Yes.
Steve Winterfeld: I was at an actual MITRE conference and listened to a talk on this. And it's really well done; where you can say my junior analysts need to be familiar with these 20 techniques. Tier two needs to know these 75, and tier three should know these 150.
Rick Howard: Oh, what a great way to measure. That's a - I never thought of that before. Yeah, interesting. It's kind of...
Steve Winterfeld: Yeah, which is why I was giving props to the talk 'cause I really liked that way. And you can almost - again, as you have auditors coming in, especially if you're in a regulated industry, this is something you test on and certify your team. And auditors love certification.
Rick Howard: So kind of a black belt program for your analysts in the SOC, right? Here's the things you have to know to be a white belt. And here's the thing you have to know to be a green belt. That kind of thing.
Steve Winterfeld: Yeah.
Rick Howard: MITRE rolled out the ATT&CK framework in 2013 and has added significant upgrades to it about every two years since. One of their upgrades included deep dives on special data islands and use cases they call matrices. In other words, they take a look at special attack vectors like cloud deployments, containers, industrial control systems and mobile devices and just focus on the tactics and procedures adversary groups use against those environments. They even had a matrix called PRE-ATT&CK that covers preparatory techniques bad guys perfect before the attack begins, like leveraging vulnerabilities and the common vulnerabilities and exposures database, or CVE. They also rolled out a companion program called CAPEC - C-A-P-E-C - designed to help red teams.
Steve Winterfeld: You know, the MITRE's also done CVEs. Great job there. MITRE has done an industrial control system-focused version. And I like that for not only the SCADA environment, but also thinking about the IoT environment, it's probably more appropriate. And finally, they're working right now on an insider threat version of the ATT&CK framework.
Steve Winterfeld: The other thing is, if we're talking about pen test teams, the framework MITRE built for a pen test team is actually the CAPEC, the common attack pattern enumeration and classification. And that was the one designed for red teams to use to have a consistent methodology or a framework by which they do their attacks.
Rick Howard: OK. I want to go back to something you said before because I push back on this all the time, and I think I'm really in the minority on this. You were just mentioning all those techniques. These are technical things that have no relation to each other unless you tie them together with the MITRE ATT&CK framework. And so what I want to see in my environment - OK? - I want to see a report that says APT29 uses 100 things. We only see two firing in your network, so it's likely they're not in your network. But if you see 80 of them, they're in your network and maybe you should run around and do something to stop them from being successful.
Steve Winterfeld: And you and I are also fans of another framework, the Cyber Kill Chain. I love the Cyber Kill Chain as a flow to kind of do war gaming and saying, you know, it's the perfect counterpoint to an APT exercise. And if you look at these, you know, the first technique of the 14 is reconnaissance. And then you look down here, privilege isolation is No. 6. No. 10 is lateral movement. No. 13 is exfil. No. 14 is impact. These are really mapping back to the Cyber Kill Chain. And so that's another great technique to both do a kill chain exercise 'cause you can pull techniques from each one of the columns to have a complete exercise.
Rick Howard: The reason I want to get to this is when you're just listing the techniques, these technical things, and you block, let's say, half of them because that you're able to do, you have no idea if an adversary group can be successful in your organization. But if you deploy these things in relation to how the adversary traverses the kill chain, you deploy all the things you can do across the entire chain as opposed to a technique with no relation. Then you might know that there is an adversary coming into your environment.
Rick Howard: One of my frustrations with the framework is, like I said before, there's 125 advisory group patterns with unique names as of, like, last week some time. And they do track a handful of criminal groups, but the ATT&CK wiki mostly tracks nation-state activity. Just by my loose count or just watching the news in this last year, there's about another hundred criminal groups with unique names that we should be tracking too. And where do we get that kind of information if it's not here in the MITRE ATT&CK framework?
Steve Winterfeld: And as you talk about these different larger ones, you can do two things. One, you can say, when I'm talking about ransomware, what are the common elements of the ransomware APT attackers? And it may be something like phishing. You know, that's a common element, and that's something you can get your hands around and take quick action on. If you think about where you're vulnerable, where the biggest activities are, that is another technique that, I think, can be successful.
Rick Howard: One of the great innovations of the Lockheed Martin Kill Chain model, which is kind of strategic, and then the extended version of the MITRE ATT&CK framework, which is I call operational, is we realize that every adversary out there has to do the same thing. They have to traverse the Kill Chain. So whether or not you're a criminal group or a hacktivist group or an espionage group, it doesn't matter. They still have to do those things. So that model in our head should be easy to produce. And it feels weird to me that we're in 2021, and here's a MITRE ATT&CK intelligence collection that just does espionage groups. And I'm just frustrated by that.
Steve Winterfeld: Yeah, I don't disagree. And the same - you know, our controls are fairly narrow. I have DLP, which just fixes this. Or...
Rick Howard: Yeah.
Steve Winterfeld: I have certain aspects that are very narrow. So both on the threat side, we've got specific. On the control side - and then within this, we've made 14 lanes of how we're defending it. But...
Rick Howard: Yeah. We made it...
Steve Winterfeld: Part of it is...
Rick Howard: ...Even more complicated than it is, right? So...
Steve Winterfeld: But that comes back to the fact that we have so many different environments and so many different priorities across different industries.
Rick Howard: Yeah.
Steve Winterfeld: And then when you start mapping in compliance, it gets even more complex. And I will highlight that you want to make sure if you talk about using the ATT&CK framework - it's a reference framework. I would be very careful to not put it in your policy as required because then somebody could come in and look at all 200-plus and start evaluating against all of them. So...
Rick Howard: (Laughter) And how you're not doing it right.
Steve Winterfeld: Right. And so I would be very careful in how you use this as a reference tool just like I coach people on the cyber Kill Chain as a great, you know, war gaming or reference tool - same with the SASSY framework. All of these - just be careful how you say you're using it. I don't want you to get caught sideways by an auditor.
Rick Howard: Well, Al, we've kind of run the MITRE ATT&CK framework through the ringer - anything else that we missed that you want to point out?
Steve Winterfeld: I think the last thing would be around safety, Tim.
Rick Howard: (Laughter) Well, you know me too well, Al, because I'm going to get hurt doing this stuff for sure.
Steve Winterfeld: As always, I appreciate the time. It's been a great session.
Rick Howard: Thanks, Steve. Thanks for coming on. And I appreciate it. We'll talk to you soon.
Rick Howard: That was Steve Winterfeld, the advisory CISO for Akamai and - for this episode, at least - my Al Borland or sidekick for the Rick the Toolman series.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, yeah.
Rick Howard: And that's a wrap not only for this episode but for the entire season, Season 7 of "CSO Perspectives." And while I'm talking about it, that's a wrap for this crazy year of 2021. What a year. There has been so much contention in the world these days. So do me a favor. Take this time over the holiday break and decompress. Find your inner zen. Be nice to crazy Uncle Joe and his stories about contrails and the impending invasion of Cthulhu. And please, please, please take a moment and be extra kind to your neighbors. We've all had a tough year, and we could all use it.
Unidentified Musical Group: (Vocalizing).
Rick Howard: And, finally, let me leave you with a special holiday wish from my favorite poet laureate and my personal life coach, Dr. Seuss' The Grinch. And I quote, "welcome, Christmas. Bring your cheer, cheer to all the Whos far and near. Christmas Day is within our grasp as long as we have hands to grasp. Christmas Day will always be just as long as we have we. Welcome, Christmas, as we stand heart to heart and hand to hand," end quote. Truer words could never be spoken. So happy holidays, merry New Year, and we will see you again on the backside in 2022.
Unidentified Musical Group: (Singing) Christmas, Christmas Day.
Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.