Evaluating Organisation’s Cyber Defense Capability with MITRE Top 10 ATT&CK Technique

Digit Oktavianto
MII Cyber Security Consulting Services
Aug 31, 2024

Disclaimer:

This is a cross-publication of an article originally written in Bahasa Indonesia for CDEF Magazine 1st Edition 2023: https://cdef.gitbook.io/2023-1st-cdef-magazine/cyber-horizon/menguji-kapabilitas-cyber-defense-organisasi-dengan-mitre-top-10-att-and-ck-technique

Introduction

The MITRE ATT&CK Enterprise matrix contains a large number of tactics and techniques: at the time of writing, 14 Tactics, 193 Techniques and 401 Sub-Techniques. It is not realistic for most organisations to build detection and mitigation for every one of them, so the questions we hear most often are: where should I start? What should I prioritise? Which techniques does my existing security posture already cover?

Image Credit : https://mitre-engenuity.org/blog/2022/05/10/top-attack-techniques/

MITRE Sightings Ecosystem Project

The MITRE Engenuity Center for Threat-Informed Defense (CTID) is researching which tactics and techniques adversaries use most often, based on field data from security incidents that actually occurred. The research is published as the 'Sightings Ecosystem' project: https://mitre-engenuity.org/blog/2022/02/23/sightings-ecosystem/. The contributed data is analysed to inform the public about current trends in security incidents, which Tactics and Techniques are involved in them over a given period, and how threat actors change the techniques they use in their operations.

Image Credit : https://mitre-engenuity.org/blog/2022/02/23/sightings-ecosystem/#project-resources

The MITRE Sightings Ecosystem is expected to answer several questions that often arise in organisations:

1. Which MITRE ATT&CK Technique should I prioritize first?

2. Which techniques are relevant and often used to target the same type of industry as my organisation?

3. Are the same techniques always used by the same threat actors over time? How do they evolve and change the techniques they use in their operations?

One thing to note: the Sightings Ecosystem project ranks the Top ATT&CK Techniques purely by frequency of occurrence in the data it has collected. What if you want to tailor the Top 10 ATT&CK Techniques to your own organisation's security posture, in particular to the telemetry your organisation actually has, and find out what actions your organisation can take to detect and mitigate those techniques? For that you can use the MITRE Top ATT&CK Techniques calculator (https://top-attack-techniques.mitre-engenuity.org/) to measure the capability of your organisation's cyber defence and to test how mature it is.

MITRE Top 10 ATT&CK Technique Project

MITRE Top ATT&CK Techniques is a CTID project that released a calculator giving an overview of an organisation's defender capabilities based on inputs supplied by the user. Those inputs are: the security control frameworks the organisation references (NIST SP 800-53 controls and the CIS Critical Security Controls); the detection analytics repositories it draws on (MITRE CAR, Sigma rules, Elastic detection rules, Splunk detection rules); and the operating systems and other platforms in its environment (Windows, Linux, macOS, Network, Google Cloud, Azure, AWS, Containers, IaaS, SaaS, etc.).

MITRE TOP ATT&CK Technique Calculator

In the picture above you can see the filters that are set according to your organisation's environment, together with the monitoring components you have. Note that the monitoring components are filled in by self-assessment: for each monitoring component option you choose a level from None (you do not have that telemetry at all) up to High.

You can see how MITRE derives the maturity scores None, Low, Medium and High from the criteria in the Top ATT&CK Techniques Excel calculator (https://github.com/center-for-threat-informed-defense/top-attack-techniques/raw/main/Calculator.xlsx):

Scoring Value

An illustration of how the monitoring components are used: the WMI technique (T1047) can be detected through the Process Monitoring component. If your organisation scores itself Low on Process Monitoring, WMI will be one of the techniques that receives a high priority score. The Top Techniques that come out of the calculation therefore expose the gaps in your telemetry, and you can use that list as evaluation material and as a gap analysis of your organisation's cyber defence capabilities.

In compiling and determining the Top 10 ATT&CK Techniques, MITRE uses a methodology built on the following three components:

1. Actionability

Actionability is the degree to which a defender can detect or mitigate an ATT&CK technique with the security controls the organisation has. It is closely related to the organisation's detection engineering capability. On the detection side, that capability can be aligned with publicly available detection datasets and repositories such as the MITRE Cyber Analytics Repository (CAR), Sigma rules and the other detection rules published by many communities and vendors. On the mitigation side, MITRE Top ATT&CK Techniques refers to the CIS Critical Security Controls and the NIST SP 800-53 security controls.

2. Choke Point

Put simply, a Choke Point is a specific technique which, if successfully detected or mitigated, 'disrupts' many other techniques. Such a technique is tightly connected to other techniques, so if we mitigate a choke point the organisation's chance of 'winning' against the threat actor is greater. On its methodology page (https://top-attack-techniques.mitre-engenuity.org/#/methodology) MITRE gives T1047 (Windows Management Instrumentation) as an example of a choke point: through WMI a threat actor can carry out many other techniques, so if we succeed in defending against this WMI technique we limit the potential attack paths a threat actor could take through it.

https://top-attack-techniques.mitre-engenuity.org/#/methodology : Choke Point Example of T1055: Process Injection

3. Prevalence

Prevalence is how often threat actors use a specific ATT&CK technique in a given period. It is essentially the same concept as in the Sightings Ecosystem project described above, and it draws its population and data from that project. As mentioned earlier, this data is limited: it depends on what contributors submit and it covers a fixed time span, so a technique that is common against your own sector but absent from the contributed data will score lower on prevalence than it deserves. Currently the data MITRE holds spans 1 April 2019 to 31 July 2021.

Image Credit : https://top-attack-techniques.mitre-engenuity.org/#/methodology
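To make the three components concrete, here is an added Python illustration written for this article; it is not MITRE's calculator. The 0..3 coverage scale, the weights, the technique-to-data-component mapping, the 'enables' graph and the sightings list are all constructed for the example (the real weights live in the Calculator.xlsx linked above and the real prevalence data comes from the Sightings Ecosystem). It reproduces the effect described earlier: with every data component at High, the well-connected choke point T1047 tops the list; drop Process Creation to None and the techniques that depend on that telemetry (T1059, T1047, T1053) move up the ranking.

```python
"""
Illustrative priority calculator modelled on the three components the article
describes (actionability, choke point, prevalence).  Everything below, i.e. the
weights, the 0..3 coverage scale, the technique/data-component mapping, the
'enables' graph and the sightings, is CONSTRUCTED for this example.  It is not
MITRE's calculator, its spreadsheet weights, or the Sightings Ecosystem data.
"""
from collections import Counter

# Assumption: the four self-assessment levels map to 0..3.
COVERAGE_LEVELS = {"None": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed mapping: data components whose telemetry detects each technique.
DETECTING_COMPONENTS = {
    "T1047": ["Process Creation", "Command Execution", "WMI Creation"],  # WMI
    "T1053": ["Scheduled Job Creation", "Process Creation"],            # Scheduled Task/Job
    "T1055": ["Process Access", "OS API Execution"],                    # Process Injection
    "T1059": ["Command Execution", "Process Creation"],                 # Command and Scripting Interpreter
    "T1021": ["Network Traffic Flow", "Logon Session Creation"],        # Remote Services
}

# Constructed 'enables' graph: technique -> techniques an actor commonly reaches
# through it.  T1047 and T1059 fan out to many others, so they act as choke points.
ENABLES = {
    "T1047": ["T1055", "T1053", "T1021"],
    "T1059": ["T1047", "T1053", "T1055"],
    "T1053": ["T1059"],
    "T1021": ["T1047"],
    "T1055": [],
}

# Constructed sightings: (technique, ISO date).  ISO dates compare lexicographically.
SIGHTINGS = [
    ("T1059", "2021-03-02"), ("T1059", "2021-04-11"), ("T1059", "2021-05-30"),
    ("T1047", "2021-02-14"), ("T1047", "2021-06-01"),
    ("T1053", "2021-01-20"), ("T1053", "2021-08-15"),  # second one falls outside the default window
    ("T1055", "2021-05-05"),
    ("T1021", "2020-12-31"), ("T1021", "2021-07-31"),
]


def full_coverage(level="High"):
    """Self-assessment dict with every known data component at the same level."""
    return {c: level for comps in DETECTING_COMPONENTS.values() for c in comps}


def actionability(technique, coverage):
    """Telemetry gap in [0, 1]: 0 = every detecting component is at High,
    1 = none of them is monitored.  Uses the mean level (assumption) so that a
    single weak component, e.g. Process Creation, visibly raises the score."""
    comps = DETECTING_COMPONENTS[technique]
    mean_level = sum(COVERAGE_LEVELS[coverage.get(c, "None")] for c in comps) / len(comps)
    return 1 - mean_level / 3


def choke_point(technique):
    """Degree of the technique in the 'enables' graph (out-edges plus in-edges),
    normalised by the maximum possible degree 2*(N-1)."""
    out_deg = len(ENABLES.get(technique, []))
    in_deg = sum(technique in nxt for nxt in ENABLES.values())
    return (out_deg + in_deg) / (2 * (len(ENABLES) - 1))


def prevalence(technique, start, end):
    """Share of sightings inside [start, end] (inclusive) that are this technique."""
    counts = Counter(t for t, day in SIGHTINGS if start <= day <= end)
    total = sum(counts.values())
    return counts[technique] / total if total else 0.0


def rank(coverage, start="2019-04-01", end="2021-07-31", weights=(0.4, 0.3, 0.3)):
    """Techniques sorted by descending priority, as (technique, rounded score).
    The weights are an assumption; the default window is the Sightings
    Ecosystem span quoted in the article."""
    w_act, w_choke, w_prev = weights
    scored = {
        t: w_act * actionability(t, coverage)
        + w_choke * choke_point(t)
        + w_prev * prevalence(t, start, end)
        for t in DETECTING_COMPONENTS
    }
    order = sorted(scored, key=scored.get, reverse=True)
    return [(t, round(scored[t], 3)) for t in order]


if __name__ == "__main__":
    weak_process = dict(full_coverage(), **{"Process Creation": "None"})
    print("all components High:   ", rank(full_coverage()))
    print("Process Creation = None:", rank(weak_process))
```

The point to take from the output is not the absolute scores but the movement: lowering a single monitoring component changes which techniques surface, which is exactly why the self-assessment in the calculator has to be honest to be useful as a gap analysis.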

Mitigation and Detection Top 10 ATT&CK Technique

Once we have the Top 10 Techniques that still represent gaps and know which areas we need to improve, we can look up the mitigation and detection strategies for each technique on the same page.

Mitigation and Detection Technique T1053 : Schedule Task / Job

Summary

MITRE Top 10 ATT&CK Techniques helps you prioritise the techniques that are relevant to your organisation and that match its conditions, especially the telemetry you have. The methodology gives you a 'quick win' strategy, particularly when you have limited resources or limited data sources in your organisation.

Knowing the Top 10 ATT&CK Techniques lets you identify a 'Choke Point' and fix the gap in that area, so that more techniques can be 'disrupted' by the defenders in your organisation.

Digit Oktavianto, MII Cyber Security Consulting Services. DFIR Enthusiast; Threat Intelligence Enthusiast; Born to be a Blue Team; {GEIR, GCIH, GMON, GCTI, GICSP, GCFE, eCMAP, eCTHPv2, CEH, CSA, CTIA, ECIH, CHFI}