ATT&CK Use Cases with MaGMa!

Harry McLaren
Adarma Tech Blog
Published Nov 6, 2019 (4 min read)
[Image: MITRE ATT&CK logo. Source: https://attack.mitre.org/]

Over the last few years, aligning to industry standards and frameworks has become a major focus at Adarma. As a Managing Consultant, learning, distilling and then implementing some of these frameworks is a key part of my role, to ensure that what we deliver to our customers is fit for purpose and meets the high expectations they have for their cyber defence programmes.

One area of preparation is ensuring you have the ability to DETECT threats once they have circumvented your protective controls (firewalls, anti-virus, etc.). These detective controls are usually implemented as use cases deployed on top of a big data analytics platform (Splunk, Elastic, etc.), which in this role is commonly referred to as a SIEM (Security Information & Event Management).

In this post, I hope to explain some of the challenges of managing these use cases within an enterprise-scale environment and make a case for the MaGMa Use Case Framework. It should be used together with mapping every use case to the MITRE ATT&CK framework, which catalogues attacker tactics and techniques and links them to detection and mitigation options.

What’s a Use Case?

A term often [over] used and rarely defined upfront, so in the context of this post:

“A use case is a requirement or purpose which defines how a system is configured to detect threats to an organisation”.

Examples are static detection signatures or behavioural rules which dynamically adapt based on the system being monitored.

Within medium to large enterprises, the number of these use cases can easily surpass one hundred; in more mature environments it can climb into the thousands. Like any important artefact, they need to be managed with care and understanding.

Why? The main business driver for deploying these use cases is to detect threats to the organisation so that security teams can respond in a timely manner and limit (ideally avoid) the impact of the attack (destruction, theft, fraud). A question often asked, but rarely answered, is therefore:

What is our coverage against the adversaries/threat actors who are targeting us?

Enter MaGMa

MaGMa is a Use Case Framework (UCF) released by FI-ISAC NL to address the challenges of managing use cases at scale and to help organisations understand how their use cases map to threats.

We’re going to focus mainly on the use cases themselves, and not the business drivers, underlying detective technologies or data sources. Below is the high-level structure of the entire UCF.

[Diagram: the MaGMa Use Case Framework has three layers; the focus here is the middle (threat) layer, which breaks use cases down into three levels of increasing detail.]
MaGMa Use Case Framework: Threat Layer

High-Level Threat Descriptors

Within MaGMa, one of the key attributes of each use case is the high-level threat phase. These are mostly aligned to the Cyber Kill Chain phases (by Lockheed Martin) and are shown below.

[Diagram: the Cyber Kill Chain grouped into Pre-Attack, Attack and Post-Attack phases. Source: Cognitix.de]

Each kill chain phase helps an organisation understand the high-level stages an attacker goes through when planning and carrying out an attack against them. The objective of a mature detection programme is to have detective controls in every phase, so that whichever protective controls fail, you can still detect the attacker.

However, it shouldn't be forgotten that the earlier in the attack cycle you detect the attacker, the faster you can respond and mitigate, or even avoid the impact completely.

ATT&CK[ing] Use Cases!

As we move into the low-level definition of use cases within MaGMa, we no longer just map the phases an attacker goes through during a campaign; we want to understand how the attacker will use technology to achieve their objectives. The actions an attacker takes are aligned to the MITRE ATT&CK framework, an awesome contribution to the cyber community!

ATT&CK describes many components and attributes of attacks, but the focus in the context of MaGMa is adversary techniques: the actions an attacker might perform during an active intrusion. By understanding the techniques an attacker might use, we can turn to our use cases and check that we have detective measures in place for each. Our detections then carry industry-aligned context, and are therefore tied to the behaviour of real-world attackers. This is powerful!

Below is an example mapping of common techniques used by threat actors who typically target a specific type of business (financial services).

[Screenshot: the MITRE ATT&CK Navigator with the techniques in scope highlighted below each tactic column. Source: https://attack.mitre.org/]

So what are the biggest takeaways of starting to map use cases to MaGMa (or similar)?

  1. Mapping to a standard framework gives a deeper understanding of which use cases you have and enables key metrics to be gathered, compared and monitored over time.
  2. It allows a high-level understanding of detection coverage against real-world attackers and the techniques they use.
  3. The industry has already done a TON of work for you: review what's out there (especially MaGMa and ATT&CK!) before you reinvent the wheel. Implementing an off-the-shelf framework is a great way to accelerate your cybersecurity programme, even if you customise and build on it later.
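To make the coverage question and the metrics takeaway concrete, here is an added example in Python (my own illustration, not code from this post, from MaGMa or from MITRE): a handful of constructed use cases, each carrying its MaGMa threat phase and the ATT&CK technique IDs it is intended to detect, a coverage metric against a constructed "techniques used by the actors targeting us" list, and a minimal ATT&CK Navigator layer export so the gaps can be viewed the way the screenshot above does. The UC-xxx identifiers, the rules, the actor technique list and the choice to count only production rules as coverage are all sample assumptions.

```python
"""Added example, not from the post, MaGMa or MITRE: a small MaGMa-style use
case register mapped to ATT&CK technique IDs, a coverage metric against a
threat actor's technique list, and an ATT&CK Navigator layer export.
Every use case, the actor technique list and the UC-xxx identifiers are
constructed sample data; they are not a real assessment of any organisation."""
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UseCase:
    uc_id: str             # local register ID (hypothetical numbering)
    name: str
    kill_chain_phase: str  # MaGMa high-level threat phase (Lockheed Martin kill chain names)
    techniques: frozenset  # ATT&CK technique IDs this detection is intended to cover
    status: str            # "production", "development" or "retired"


# Constructed sample register.
USE_CASES = [
    UseCase("UC-001", "Phishing attachment launches Office macro", "Delivery",
            frozenset({"T1566", "T1204"}), "production"),
    UseCase("UC-002", "Encoded PowerShell command line", "Exploitation",
            frozenset({"T1059"}), "production"),
    UseCase("UC-003", "Non-system process reads LSASS memory", "Actions on Objectives",
            frozenset({"T1003"}), "development"),
    UseCase("UC-004", "Password spraying against VPN portal", "Exploitation",
            frozenset({"T1110"}), "production"),
    UseCase("UC-005", "Scheduled task created by non-admin account", "Installation",
            frozenset({"T1053"}), "production"),
    UseCase("UC-006", "Periodic beaconing to rare external domain", "Command and Control",
            frozenset({"T1071"}), "production"),
    UseCase("UC-007", "Mass file rename with ransomware extension", "Actions on Objectives",
            frozenset({"T1486"}), "retired"),
]

# Constructed stand-in for "techniques used by the actors targeting us".
# In practice this list comes from threat intelligence (e.g. ATT&CK group pages).
ACTOR_TECHNIQUES = frozenset(
    {"T1566", "T1204", "T1059", "T1003", "T1078", "T1021", "T1071", "T1486"})


def coverage(use_cases, actor_techniques, statuses=("production",)):
    """Return (covered, uncovered, ratio).

    covered maps each actor technique to the IDs of the use cases (in an
    accepted status) that claim to detect it; uncovered lists the rest.
    A technique counts as covered if at least one such use case maps to it.
    This is deliberately coarse and binary: it says nothing about rule quality."""
    covered = {}
    for uc in use_cases:
        if uc.status not in statuses:
            continue  # a rule still in development or retired gives no coverage
        for tech in sorted(uc.techniques & actor_techniques):
            covered.setdefault(tech, []).append(uc.uc_id)
    uncovered = sorted(actor_techniques - set(covered))
    ratio = len(covered) / len(actor_techniques) if actor_techniques else 0.0
    return covered, uncovered, ratio


def phase_summary(use_cases, statuses=("production",)):
    """Count live use cases per MaGMa threat phase; a phase with zero rules is
    a gap against the 'detect in every phase' objective."""
    return Counter(uc.kill_chain_phase for uc in use_cases if uc.status in statuses)


def navigator_layer(covered, actor_techniques, name="Coverage vs actor profile"):
    """Build a minimal ATT&CK Navigator layer: score = number of live use cases
    per technique, so uncovered techniques show as score 0. Only the
    techniqueID/score/comment fields are emitted here (assumed minimal subset);
    check the Navigator layer format documentation for the version keys it expects."""
    techniques = []
    for tech in sorted(actor_techniques):
        hits = covered.get(tech, [])
        techniques.append({
            "techniqueID": tech,
            "score": len(hits),
            "comment": ", ".join(hits) if hits else "no live use case",
        })
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    covered, uncovered, ratio = coverage(USE_CASES, ACTOR_TECHNIQUES)
    print(f"coverage: {ratio:.0%} of {len(ACTOR_TECHNIQUES)} actor techniques")
    print("uncovered:", uncovered)
    print("live use cases per phase:", dict(phase_summary(USE_CASES)))
    print(json.dumps(navigator_layer(covered, ACTOR_TECHNIQUES), indent=2))
```

With this sample data half of the actor's techniques have a production rule; the LSASS rule only counts once it is promoted out of development, and the retired ransomware rule counts for nothing, which is exactly the status discipline a use case register needs if the coverage number is to mean anything. Treat the ratio as the high-level view the post describes, not a quality score: a rule that maps to many techniques inflates it, and where a rule is specific enough, map it at sub-technique level rather than the parent.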

Resources

Harry McLaren

Senior Product Manager at SenseOn (Detection & Response SME)