Know Your Adversary: Finding Patterns
This is the first article in our Know Your Adversary series—an examination of how the security industry is evolving to better enable organizations to profile adversaries and stop them before they attack. We’ll examine this topic from several angles to better understand the tools and techniques available today and how organizations can put them to work to truly understand adversary profiles, patterns, and behaviors and improve their security posture in the process.
By Mark Alba
When I was starting out in cybersecurity, the focus of the SOC was on what happened in the past. For my colleagues and me, even anticipating an attack was an imprecise luxury that required a lot of guesswork to map out, analyze and compare attack patterns. We might have noticed random pings on the network perimeter signaling early reconnaissance of a nefarious global threat actor – or maybe a script kiddie in their parents’ basement. Surrounded by the chaos of “real attacks,” threat hunters were left alone to play Sherlock Holmes, manually piecing together scarce clues in order to get ahead of the attack. While this was a time-consuming process that, by definition, always left attackers holding the initiative, it was adequate in a pre-automation world where there was at least a chance of detecting the “slow and low” attacks of the day.
But security professionals woke up to a new reality in the summer of 2010, when the malicious computer worm commonly referred to as Stuxnet crossed over from the cyber world to inflict physical destruction on infected industrial centrifuges used at Iranian uranium enrichment facilities. Looking back, it’s clear that Stuxnet constituted a turning point in the history of cybersecurity. Up until then, most malware probes were manual, and defenders could monitor the attacker’s activity. But Stuxnet manifested the destructive potential of a multi-stage, automated piece of malware. And it wasn’t a one-off.
In subsequent years, Stuxnet was followed by a wave of multi-variant attacks. That added new urgency to better understand these stages and help defenders grasp what attackers were actually doing. Ultimately, it led to the development of the MITRE ATT&CK framework, giving defenders a “map” of the potential stages of an attack, and more recently to the Attack Flow project, which defines a data format for automating the detection of adversary behaviors.
No Standing Still
MITRE ATT&CK is a valuable tool that can map attacker activity, helping organizations weigh the risk of an attack against the investments they have made in their security. And while there’s a lot of hope that the framework will “auto-magically” lead to a better SOC, I am less sanguine.
A better way to think about the MITRE ATT&CK framework is to see it as akin to the Rosetta Stone. When used properly, it can become a translation point between the tactical indicators of compromise that are the evidence of an attack and the strategic intelligence that helps us understand how attackers operate. And just like the Rosetta Stone, we need to keep working on translations and figuring out connections between pieces of information.
It can’t remain static, because attackers aren’t sitting still. To be sure, we now have a framework that allows us at the highest levels to look at tactics and techniques and sub-techniques. But those sub-techniques are rapidly changing as attackers constantly evolve. For example, you can find more than a hundred different variants of the Emotet malware, all with different permutations. The mainstreaming of these automated threats requires the MITRE framework to similarly evolve.
The way that attackers are typically tracked in MITRE ATT&CK is via PDF reports on specific threat actors. But the minute that document gets printed out, it starts to go stale. Attackers don’t stand still, and we need to understand any shifting intent if we’re to align our defenses with potential new threats.
What’s more, there’s a qualitative aspect of adversary detection to consider here. To build on the MITRE ATT&CK framework and make it more relevant, we should be able to track attackers on a continuous basis to understand not just changes in tactics and techniques, but also their profiles, their personas, and their motivation.
Clearly, we’re in a much better position than I was back in my SOC days. Now we have a framework that allows us at the highest levels to look at those tactics and techniques. We can identify the fingerprints of threat actors and get a very good idea of where they’re heading. This is undeniably progress, but it’s still up to security professionals to operationalize their knowledge of an attacker into something that's more meaningful than just a PDF report.
Ongoing Improvement
There’s a lot more work ahead to win hearts and minds to the point where the MITRE ATT&CK framework is universally adopted. The bigger organizations with the wherewithal have invested the time and resources to understand what MITRE is – beyond just the framework – and how to translate it into something actionable. Less so at smaller companies, where resources are more constrained.
MITRE has launched a great free training and certification program. However, while it’s fine for a technical audience, it’s not helping senior business leaders understand what the MITRE ATT&CK framework is and how they ought to apply it.
As an industry, we need to make sure that there's sufficient training to help organizations better leverage the MITRE framework. I talk with a lot of customers and they’re clearly hungering for a better understanding of how to use it effectively. When it comes to the boardroom, we need to translate all this into terms they’ll readily grasp. Who is being attacked? What are they targeting? What is their intent? What security controls are in place to protect the organization? In other words, help contextualize the risk framework so that management can understand it from the perspective of the dollars-and-cents investment it’s made in security controls.
We need to continue to think holistically about the broad set of steps an adversary takes in each attack. Then it’s up to the organization to figure out whether its defenses are aligned with adversary behaviors. But as we work on adding improvements in the coming months, let’s celebrate the moment for what it is: the data model and approach in Attack Flow describing the full series of moves that an adversary takes is a big step toward operationalizing our knowledge of the attacker into something that's truly meaningful.