MITRE ATT&CK Is About Incident Response. It’s Not an NDR Vendor Measuring Stick

The MITRE ATT&CK framework has become the tool of choice that allows cybersecurity specialists to all speak the same language and have a better understanding of the techniques used by our adversaries, ultimately enabling teams to increase the speed and accuracy of active threat response.

But alas, we are also seeing it being misused as a security vendor measuring stick.

Table 1. Dispelling myths about what the MITRE ATT&CK framework is and is not.

As an example, here are common misleading statements by network detection and response (NDR) vendors:

• “[Vendor/product] covers 97 percent of the network techniques identified by the ATT&CK model.”
• “By checking a potential detection tool against which TTPs it’s able to spot, you’ll be better able to understand how that tool will perform in the wild.”
• “[Product] provides especially strong coverage of late-stage TTP categories, with 89 percent coverage of the TTPs in the lateral movement, command and control, and exfiltration stages, and 100 percent coverage of TTPs labeled as ‘Requires Network.’”

Unfortunately, vendors point to detecting a single procedure for a technique as if they have coverage for the entire technique or every adversary’s use of the technique. This simply is not true and provides a false sense of security.

Fair and Accurate Representation of NDR Technologies and the MITRE ATT&CK Framework  

With the fog lifted on what MITRE ATT&CK is and is not, we can now speak to how security teams can effectively use MITRE ATT&CK along with NDR technology to improve their security posture.

1. NDR technologies should annotate detections against specific MITRE ATT&CK techniques.
While it is inaccurate to use the ATT&CK framework as a detection measuring stick, the annotation of ATT&CK technique by the NDR vendor is critical. It allows the vendor and the security team to speak the same language. The security analyst will immediately understand the behavior of the attacker being identified by the NDR.

2. NDR technologies should:

• Guide security teams on how to triage detections based on the ATT&CK techniques
• Guide security teams on best practice next steps for investigations based on the ATT&CK techniques
• Facilitate hypothesis-based hunting against ATT&CK techniques

NDR’s focus is not only detection but also response. Response includes the ability to hunt, triage, and investigate. By first annotating detections against the ATT&CK techniques, the vendor should provide guidance to the security analysts on how to both triage and investigate the threat. If the NDR vendor does not give this guidance, they are not truly helping with response. Secondly, as the ATT&CK framework is a catalogue of adversarial techniques, it serves as a phenomenal starting point for any hypothesis-based hunting efforts. As such, an NDR should provide a fast, comprehensive search capability that allows a hunter to quickly assess their hypotheses.

3. NDR technologies should highlight which ATT&CK techniques are being used by adversaries in an organization so security teams can take preventative steps to eliminate those attack surfaces going forward.

NDRs along with EDRs close the SOC visibility gap by providing a comprehensive view into the activity on an organization’s assets and network. By exposing the techniques used successfully by adversaries in their network, security teams can take countermeasures making it more difficult for adversaries to be successful.

CONTINUE THE DISCUSSION

People are talking about this in the Gigamon Community’s Security group.

Share your thoughts today