CSO Perspectives (Pro) 8.1.22
Ep 82 | 8.1.22

MITRE ATT&CK Flow: A Rick the Toolman episode.


Rick Howard: Hey, everybody.


Vincent Martella: (As Phineas, singing) We're back. 

Unidentified Actors: (As characters, singing) We're back. 

Rick Howard: Welcome back to the "CSO Perspectives" podcast. During the last season break, I attended a Splunk conference in Las Vegas, where I promptly caught COVID-19 and brought it home to share with my wife. 


Tim Allen: (As Tim Taylor) Oh, no. 

Rick Howard: She's still not talking to me about that one. We did a little staycation at the house because of COVID - or, as I like to call it here in the Howard house, the 'vid - where I did nothing but read trashy horror and fantasy novels, take several power naps a day, eat junk food and binge "Stranger Things" on Netflix. 


Kate Bush: (Singing) And if I only could, I'd make a deal with God. And I'd get him to swap our places. 

Rick Howard: It was so good. I highly recommend it. 


Kate Bush: (Singing) Running up that hill. 

Rick Howard: And here at the CyberWire, we put the finishing touches on the new "CSO Perspectives" season. We have some great stuff planned around the topics of securing the fintech ecosystem, privilege escalation, crisis planning and risk forecasting. But for today's show, we're going to have a discussion around MITRE the company and its nonprofit spinoff called Engenuity and the open source and free tools they published this year to help make operationalizing the MITRE ATT&CK framework easier. And if you think all that sounds like another Rick the Toolman episode, you wouldn't be wrong. So let's get this party started. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: If you've been listening to this podcast since the beginning, you know that I've outlined five cybersecurity first principle strategies that I think are fundamental to any infosec program - zero trust, resilience, risk forecasting, automation and intrusion kill chain prevention. This last one, intrusion kill chain prevention, is what we're going to talk about today; more specifically, some tools that came out in 2022 that can help us deploy it. You all know that security practitioners can choose a variety of tactics to support the intrusion kill chain prevention strategy. But for all of those tactics, like running a SOC, orchestrating the security stack, incorporating a cyberthreat intelligence function to build adversary playbooks and then share those playbooks with peers and finally using those playbooks in purple team exercises, you can't do any of them unless you focus on building a collection of good threat intelligence on the tactics, techniques and procedures used by known cyber-adversary groups. The security community, all of us, have recognized the MITRE ATT&CK framework as the best open source and free collection of that intelligence. And while that's true and it's awesome... 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: ...Using that information efficiently isn't for the faint of heart. In its current form, the MITRE ATT&CK wiki isn't that easy to use. 


Tim Allen: (As Tim Taylor) Oh, no. 

Rick Howard: MITRE's leadership recognized that situation and spun out a nonprofit company in 2019 called MITRE Engenuity to rectify that situation. One of their missions is to build tools like the ATT&CK Powered Suit and Attack Flow for the infosec community to use. In this episode, we'll talk with Jon Baker, the director for the Center for Threat-Informed Defense at MITRE Engenuity, about MITRE, MITRE Engenuity, his Center for Threat-Informed Defense and these two free tools that his team released to the public this year. 

Rick Howard: Back in Season 7, I talked about these strange companies called FFRDCs. They're U.S. government, federally funded research and development centers, and MITRE is one of them. But that's a mouthful of acronyms. Here's Jon to explain. 

Jon Baker: It is a bit of a mouthful worth explaining. MITRE has been around for 60 years. We were an organization that was established to run federally funded research and development centers for the government. We operate several of those FFRDCs, ranging from supporting DHS to DOD to IRS to FAA, as some examples - major, large R&D sort of centers around supporting those different federal government agencies. And we have rich research programs aligned with each of those FFRDCs and a long history of working with these government sponsors as a trusted adviser helping them tackle really hard problems. Some of the core tenets that MITRE's developed over the years is this concept of being an independent, trusted adviser. We're often seen as conveners, bringing our government sponsors together to solve hard problems or bringing industry and government together to solve hard problems. 

Rick Howard: U.S. lawmakers invented these FFRDCs after World War II, when the U.S. government didn't have the massive resources anymore to conduct big R&D projects of the size and scale of what they did at Los Alamos, per se, with the Manhattan Project building the nuclear bomb. Lawmakers back then decided that they needed to farm that work out in a way that was beneficial to the government but didn't compete with industry. Essentially, they are unbiased think tanks working for the U.S. government that act as a bridge to the commercial and academic sectors. The RAND Corporation was the first FFRDC back in 1947. Today, MITRE runs six centers that study a broad range of topics. The MITRE ATT&CK framework that we're talking about today came out of the National Cybersecurity Center of Excellence FFRDC, or the NCCoE, sponsored by the National Institute of Standards and Technology, or NIST. Any time you talk about government programs, you're going to deal with the alphabet soup of government acronyms. So far I've listed seven, and we haven't even really started yet. So hold on to your butts. 


Bette Davis: (As Margo Channing) Fasten your seatbelts. It's going to be a bumpy night. 

Rick Howard: FFRDCs have served the U.S. well for over 70 years. But the operating rules that kept them from competing with industry blocked them from dealing directly with the commercial sector. They needed a different legal framework, and that's where MITRE Engenuity comes in. 

Jon Baker: So MITRE was defined to work with government. And so we literally just didn't have the mechanism at that time to work with industry. And so we created this deliberate separation because one of the core things that's been critical about MITRE's success is that notion of being independent from our government sponsors and also from industry. And so to maintain that separation, we created MITRE Engenuity where we don't do any work for governments, U.S. or others. We're entirely focused on working in collaboration with industry. The MITRE Engenuity is a nonprofit. It is directly linked to MITRE. There are no staff in MITRE Engenuity. All MITRE Engenuity staff are actually MITRE employees that are supporting MITRE Engenuity research. So it basically gave us that legal framework to engage with industry directly and still honor that separation from government work. 

Rick Howard: So the first thing to emerge from MITRE Engenuity is Jon's Center for Threat-Informed Defense. 

Jon Baker: So the Center for Threat-Informed Defense was really the catalyst and first entity that was launched out of MITRE Engenuity. So we had this series of conversations I mentioned where organizations were coming to us. Well, that thing that they were really excited about was MITRE ATT&CK. And they were looking for, you know, how do we scale it? How can we contribute resources to it? Hey, are other organizations working on this sort of R&D concept related to ATT&CK? Can we collaborate with you? Can we collaborate with others? 

Rick Howard: Some say that the MITRE ATT&CK framework is just another threat model in the same vein as the Lockheed Martin intrusion kill chain model or the Department of Defense's Diamond Model. That's correct to a point. The framework does extend the original Lockheed Martin model and correct some of the limitations. It eliminates the kill chain recon phase and clarifies and extends the actions on the objective stage. But the framework's significant innovation is an extension of the list of things intelligence analysts collect on adversary group attack sequences. In other words, they're adversary playbooks. Before the framework, cyber intelligence teams would collect indicators of compromise without any relation to known adversary behavior, like IP addresses to known bad guy locations, strange DNS requests and network traffic on unusual ports. These are not bad, per se, but they are ephemeral, and hackers can easily change them at the drop of a hat and did. By the time InfoSec teams deployed countermeasures, the bad guys had already changed their behavior. 

Rick Howard: MITRE's extension to the kill chain model includes the grouping of tactics - the why - the techniques used - the how - and the specific implementation the adversary group used to deploy the tactic. That intelligence is not ephemeral, is tied to known adversary group behavior and is conducive to designing impactful countermeasures. Where the Lockheed Martin kill chain model is conceptual, the MITRE ATT&CK framework is operational. And the Diamond Model is specifically designed for intelligence analysts as a way to think about both. But the real power of the MITRE ATT&CK framework is an intelligence product that I call the ATT&CK framework wiki. It's a globally accessible knowledge base of known adversary behavior. It's derived from real-world observations from both MITRE intelligence analysts and from the cybersecurity intelligence community at large. In other words, it's the most complete, free, open source, standardized database of adversary offensive playbook intelligence. 

Rick Howard: Although the wiki tracks several crime groups, that's not the focus. It primarily covers how APT groups, nation-state groups, traverse their version of the intrusion kill chain. Most importantly, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn't be shared with anybody else without a lot of manual conversion grunt work to make sense of it all. Talk about the Tower of Babel. We were all looking at the same activity and couldn't talk about it collectively in any way that made sense. MITRE fixed that by releasing the first version of the framework in 2013 and has made significant improvements to the model almost every two years since. The bottom line is that the MITRE ATT&CK framework has become the industry's de facto standard for representing adversary playbook intelligence. 

Jon Baker: I like to describe it as like the encyclopedia of known adversary TTPs. So what we've done over the past, roughly, seven years has been carefully collecting and analyzing open source, publicly disclosed threat intel reports - what exactly are adversaries doing - and cataloguing those technical behaviors in the ATT&CK knowledge base. So if you look at the ATT&CK knowledge base today, you'll see that it's organized around a set of tactics that adversaries employ. So what are their goals? To establish persistence might be one goal, or to move laterally within your organization might be another goal, right? So those are basic goals that you'll see, or tactics, in the ATT&CK matrix. And then underneath each tactic are a set of techniques. So those techniques are basically how the adversaries have been documented to achieve those goals. So how, specifically, in that recent attack did an adversary establish persistence in an organization? Or how, specifically, did the adversary move laterally within an organization? 

Jon Baker: So this knowledge base, as you said, Rick, it's kind of taken off. It really resonated with practitioners. There was never a big marketing campaign or a push from government or anybody like that to tell people to use ATT&CK. People used it, from my perspective, because it aligned with how they thought about threats. It made sense and it was accessible. Kind of going back to that role of MITRE being an independent convener by not being a competitor to cybersecurity vendors, we enabled them to leverage and use that ATT&CK resource. And so today, security teams all around the world, security vendors all around the world, leverage ATT&CK. I'd say that the easiest way to summarize how it's used is it's used essentially as a common vocabulary to help teams communicate about those very specific adversary behaviors that we've catalogued. 

Rick Howard: The reason I fell in love with the intrusion kill chain model and the MITRE ATT&CK framework early on is that, combined, they get to what I believe is really the heart of the matter. In the early 2000s, we were all focused on stopping technical things like zero-day exploits or malware or phishing with no relation to what the adversary behind the tool was trying to accomplish. But that job is endless, and there is always some new technical thing that emerges that we need to jump through hoops to counter, like the Log4j crisis at the end of 2021. But what we really want to do is prevent the success of the cyber-adversary, say, Panda Bear. If we know that Panda Bear does 100 things in its attack sequence, we should install as many prevention and detection controls for those hundred things as we can. If Panda Bear finds a way around one of them, they still have to negotiate the other 99. To me, that's a much more efficient way to protect the enterprise. 

Jon Baker: What you just described there, we would characterize as threat-informed defense - using understanding of adversary's behaviors to advance our defensive capabilities. There is a lot that you could do, but what should you focus on? And so we'd advocate for starting with understanding the threats to your organization and then taking that threat perspective - all right, well, what specific behaviors do the threat actors and the threats that you care about exhibit? And how do your defenses align with those behaviors? 

Rick Howard: What's interesting to me about all this is that if you just read the cybersecurity news headlines, there are stories every day about the latest adversary group attacking their victims. For the layperson who is just casually paying attention, it feels like there is an infinite number of cyber-adversaries out there doing an infinite number of attacks. But when you look at the MITRE ATT&CK framework, there's not that many. The last time I counted, I think I came up with about 150 nation-state groups. And Microsoft said last year that they're tracking some 100 cybercrime groups. So it's not an infinite number. It's just 250. That seems manageable to me. 

Jon Baker: And I think the way I describe it is with - I guess with cybersecurity, you're probably never done. But recognizing that, taking that threat perspective and figuring out what it is, the adversaries, the threats that you care about are known to do and focusing there is probably the best way to get started. And we'd advocate sort of an iterative process. So you used Panda Bear as an example. We're doing really well against what Panda Bear has been seen doing in the past now. So, all right, well, what's the next set of threats that we ought to focus on, right? And so iteratively, working through that process of understanding threats, orienting defensive capabilities. And, you know, to your point, Rick, there really are a finite set of things that an adversary can do once they're inside your network. And so there's a lot of overlap and reuse of those TTPs across threat actor groups. And so that means the work that you did for Panda Bear might be very applicable for the next threat actor group or the next set of TTPs that you're concerned with. 

Jon Baker: So what teams end up doing, kind of all around the world, is, like, building out that heat map - if you will - of the set of adversary behaviors or attack techniques that they're focused on in their organization and then, over time, systematically working to improve their ability to defend against those. The other core tenet to capture here is embracing a purple team type philosophy, where now we understand what the adversary behavior is. We've developed a defensive capability. Let's sort of, all in the same process, work to test out our ability to defend - right? - so that you kind of are working towards continually testing and validating your ability to defend against the adversary behaviors that you care about. And so it's that intel, plus test and evaluation and kind of evolution of your defensive capabilities that we see as sort of, like, the core triad, if you will, of threat-informed defense. 

Rick Howard: So that's all well and good. But to be fair - like I said up front - using the MITRE ATT&CK wiki is not for the faint of heart. Now, don't get me wrong. As I said, I might be its biggest fan, but it's not that easy to use. Pulling the right nuggets of information out of the wiki requires some fortitude and some grit. So one of the things that your group, the Center for Threat-Informed Defense, has been working on is building tools for the community to improve that situation. And one of them is called the ATT&CK Powered Suit, a Chrome browser extension that allows readers of intelligence reports to quickly look up information inside the ATT&CK wiki as you're reading the report. Let's say you're reading Unit 42's latest report on APT29. Right-click on the name, search ATT&CK Powered Suit and there's the list of everything in the wiki that references APT29. That's awesome. 

Jon Baker: That's sort of a special initiative that we did. I love to talk about this one because in retrospect, it's one of those little reminders that sometimes you can do something simple and have a really big impact with it. So ATT&CK Powered Suit - very much a simple Chrome extension that makes working with the MITRE ATT&CK knowledge base significantly easier. So go to the Chrome Store, you can get it. In the first couple of weeks since it's been out, we've seen well over 2,000 installs of it. So Chrome Store doesn't give you a ton of detail, but huge and pretty immediate pickup of the Chrome extension we developed. And I think the reason for that is that it's simple. There's almost zero barrier to entry - you just got to add a Chrome extension - and then it solves a problem that everybody has. Everybody that uses MITRE ATT&CK had this problem. Analysts will go and read the latest threat intel report that was just published or the latest report from DHS CISA. That report might talk about phishing. And unless you know offhand what the attack technique is for phishing, probably the next thing you're going to do if you're an ATT&CK user is, oh, yeah, what's that technique? And you're going to go look at the ATT&CK knowledge base to remind yourself of the information about the phishing technique there. 

Jon Baker: So ATT&CK Powered Suit is super easy. It allows you just to hover over that word phishing, right-click on it and open up the ATT&CK knowledge base there. It's got some cool custom actions you can create in ATT&CK Powered Suit as well. My favorite was we were running a workshop at a conference recently. And, you know, one of the team members was typing the name of a technique and its ID in a UI that we had that we're demoing, and I was looking at this like, one, you know, there were some typos that we made. You're doing a live demo when that happens, and, you know, two, it's sort of cumbersome, takes time. And I realized, well, wait a second, ATT&CK Powered Suit? That would allow me just to create a custom action where I could get technique ID and name in one click by hovering over that word phishing. Right? So it saves a ton of time, saves a lot of, like, shifting back and forth between different resources as you're looking at threat intel reports and trying to understand what adversary behaviors were referenced in that intel report. 

Rick Howard: Before we started recording this, you and I were talking about the name, 'cause when I read it, I read it as ATT&CK Powered Suite. But you said there was a superhero origin story about the name Suit. 

Jon Baker: I said this one was sort of a special product of the center in our research program, and the reason for that is that, honestly, the team from Fujitsu - they're a center member. They were one of our founders. They helped us establish the Center for Threat-Informed Defense - they had this idea. They developed the initial implementation of it, and they felt like the right thing to do would be to work with us to publish this resource. And so they named it, and it was, you know, a play on the notion of, like, the superhero suit, helping your analysts essentially put on their superhero suit when they're working with MITRE ATT&CK and make their lives that much easier, and essentially give them a superpower so they can now find everything ATT&CK has to say about a technique or a threat actor group or some software, just right at the tip of your fingers. 


Samuel L. Jackson: (As Frozone) Honey? 

Kimberly Adair Clark: (As Honey) What? 

Samuel L. Jackson: (As Frozone) Where's my super suit? 

Kimberly Adair Clark: (As Honey) What? 

Samuel L. Jackson: (As Frozone) Where is my super suit? 

Rick Howard: Well, as my listeners know, any time when I can tag anything in cybersecurity as something that is superhero-related, that gets triple bonus points in my book. But let's move on to the second tool you all released this year, called MITRE Attack Flow, a project that will help network defenders visualize the attack sequence from various adversary campaigns like APT29, with a way to annotate your own defensive posture against those steps in the campaign. 

Jon Baker: We created our project to help organizations start to think not only about the individual techniques and how they're able to defend against a specific adversary behavior, but to start to step back and recognize that these behaviors don't happen in isolation. And so the Attack Flow Project - the mantra we had there is to - like, to shift towards thinking about the graph, if you will, the set of actions that an adversary takes once they have compromised your organization. So once they're inside, there's a set of things they do, and they tend to have a sequence, right? And there might be, like, loops in that sequence and that sort of thing. So we basically built out a data model for allowing us to describe the set of actions an adversary takes in an attack, referencing back to MITRE ATT&CK techniques. 

Jon Baker: We had a question which was along the lines of, I'm struggling to communicate to my executive leadership our defensive posture as it relates to this recent attack in the news. We use MITRE ATT&CK. We can show our leadership an attack heatmap of our defensive coverage, but right now, I don't have an easy way of communicating to my leadership how an attack that they just heard about in the news on their car ride in or when they're checking their email this morning that's just happened - it can be mitigated by our current defenses. So with that as one of our core drivers, we set out to build a model for describing that attack, and then from there, you can start to identify where you have mitigations in place that might prevent that whole sequence of steps from occurring, so the adversary might not ever be able to achieve their goal of stealing intellectual property, if that's the goal, if further up that attack life cycle, you have some mitigation in place that prevents that attack overall. 

Rick Howard: As I've said in this episode and other "CSO Perspectives" shows, the MITRE ATT&CK framework is the best open-source and free - let's not forget that. I like free - intelligence collection of cyber-adversary playbooks, but because of MITRE's weird status as an FFRDC, they were unable to collaborate with the commercial and academic sectors, which is a giant limitation, since arguably, the best open-source intelligence comes from the commercial sector. And yes, I mean it's better than what we get from the various governments out there, for lots of reasons. The main one is that the government hinders itself with over-classification, and the second one is that for any of the major security vendors, their intelligence collection apparatus rivals the NSA for this cybersecurity domain. Leaving them out of the discussion was a giant blind spot. MITRE's spinoff of Engenuity that allows them to collaborate with the commercial sector does a lot to close that gap. They can leverage that community to make the MITRE ATT&CK framework more useful and easy to use. These tools are a step in that direction. I use the MITRE ATT&CK Suit every week as I review the news of the day, and I highly recommend installing the Chrome extension. And I've just started playing with the MITRE Attack Flow visualization tool, but give it a shot and provide feedback if you can to make the entire InfoSec community more efficient in their day-to-day jobs. 

Rick Howard: And that's a wrap. I'd like to thank Jon Baker, the director of the Center for Threat-Informed Defense at MITRE Engenuity, for coming on the show. And as always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address and we will try to address them on the show. Next week, we will be diving into the details of how to secure the fintech ecosystem. You don't want to miss that. 


William Dozier: Find out next week. Same Bat-time, same Bat-channel. 

Rick Howard: The CyberWire "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.