Informing Defense with Adversary Sightings

Jon Baker
MITRE-Engenuity
Feb 23, 2022

Written by Kellyn Wagner Ramsdell, Mike Cunningham, and Jon Baker.

Sophisticated threats dominate information security headlines. MITRE ATT&CK® for Enterprise includes over 560 unique adversary behaviors seen in the wild. Cyber defenders cannot focus on all of these threats. Defending against this huge number of observed attacks is further complicated by the fact that both our IT environments and the threats against them are continually changing. Defenders need data to drive prioritization and to understand how adversaries are evolving.

Our vision is to establish an ecosystem in which security teams, vendors, ISACs/ISAOs, and governments share when they see adversaries use specific behaviors — sightings of ATT&CK techniques — to give defenders unprecedented visibility into what adversaries are actually doing in the wild.

To establish this Sightings Ecosystem, the Center for Threat-Informed Defense (Center), in collaboration with participants including AttackIQ, Inc., Fortinet, Inc.’s FortiGuard Labs, The Global Cyber Alliance, and Verizon Business Services, collected and analyzed sightings of adversary behaviors in the wild. This analysis presented a clear look at the most commonly observed adversary behaviors and provides a roadmap for developing threat-informed defenses. We also packaged our methodology and tools and are releasing those alongside the report so organizations can perform similar analysis to develop a threat-informed defense specific to their organization.

With data contributions from ConnectWise Cyber Research Unit, FirstEnergy Corp, Red Canary, and others, we were able to collect over 6 million sightings of adversary behavior. After normalizing the data and narrowing our scope to April 2019 through July 2021, we were left with 1.1 million technique sightings. Many of the findings confirmed what we knew or suspected about adversary behaviors, but it was comforting to have the data to back it up. Below is our list of the top 15 most commonly observed techniques. We focused on the top 15 because those techniques made up 90 percent of all technique sightings in our dataset.

Top 15 ATT&CK Techniques

As you’ll notice, there are not a lot of surprises on our list. The most commonly observed techniques often leverage legitimate processes and system administration tools, an approach commonly called living off the land (LotL). Techniques like Scheduled Task/Job [T1053], Command and Scripting Interpreter [T1059], and Windows Management Instrumentation [T1047] serve as facilitators for many of the other techniques. A few techniques in the list are used for command and control (C2), and the rest of the top 15 are techniques that are typically carried out through the aforementioned LotL facilitators.

What can you do with this data?

Top 10 NIST 800-53 Controls

We wanted to make defensive information readily accessible alongside our analysis of adversary behaviors, so the Sightings Ecosystem project leveraged the Center’s mappings of NIST Special Publication 800-53 security controls to MITRE ATT&CK to analyze which controls help mitigate the above techniques. In documenting the relevant controls, we also called out the top 10 controls that provide the most coverage across the observed adversary techniques.

We also provided defenders a way to detect those same techniques by mapping them to analytics captured by SigmaHQ and MITRE’s Cyber Analytic Repository. Of course, we encourage anyone who applies these analytics to test them before deploying to evaluate the volume of alerts they generate and whether the analytic provides helpful results within your environment.

How else can defenders use sightings?

The goal of the Sightings Ecosystem Project was to help defenders, so we did not want to just provide a long data analysis product. We also wanted to provide the tools for defenders to apply our approach in their own environments. For that reason, we are also releasing Do-It-Yourself (DIY) Sightings.

DIY Sightings is a containerized bundle of code that ingests your own sightings data, stores it in a PostgreSQL database, and presents the data in Dash, a Python-based data visualization platform. The Dash application included in DIY Sightings contains pre-built queries for frequency analysis of techniques, for understanding the technique breakdown, and for co-occurrence analysis to identify which techniques adversaries use together in your environment.
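To make the two analyses concrete, here is an added example (not DIY Sightings code, which stores its data in PostgreSQL and renders it in Dash) that runs a frequency ranking with a cumulative-share cutoff, like the 90 percent cutoff behind the top 15 list, and a pairwise co-occurrence count over a small constructed set of sightings. The record shape `(sighting_id, technique_id, incident_id)` is an assumption for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample sightings: (sighting_id, technique_id, incident_id).
# This record shape is an assumption; it is not the DIY Sightings schema.
SIGHTINGS = [
    ("s1", "T1059", "inc-1"), ("s2", "T1053", "inc-1"), ("s3", "T1047", "inc-1"),
    ("s4", "T1059", "inc-2"), ("s5", "T1053", "inc-2"),
    ("s6", "T1059", "inc-3"), ("s7", "T1071", "inc-3"),
    ("s8", "T1059", "inc-4"), ("s9", "T1053", "inc-4"), ("s10", "T1047", "inc-4"),
    ("s11", "T1566", "inc-5"),
]


def technique_frequency(sightings):
    """Count sightings per technique, most common first."""
    return Counter(tech for _, tech, _ in sightings).most_common()


def top_techniques_covering(sightings, share=0.9):
    """Return the smallest leading set of techniques whose sightings
    account for at least `share` of all sightings (the report used 0.9)."""
    ranked = technique_frequency(sightings)
    total = sum(count for _, count in ranked)
    chosen, running = [], 0
    for tech, count in ranked:
        chosen.append(tech)
        running += count
        if running / total >= share:
            break
    return chosen


def cooccurrence(sightings):
    """Count, for each pair of techniques, the number of incidents in
    which both were sighted together; most frequent pair first."""
    by_incident = {}
    for _, tech, incident in sightings:
        by_incident.setdefault(incident, set()).add(tech)
    pairs = Counter()
    for techs in by_incident.values():
        # Sorting gives each unordered pair a single canonical key.
        for a, b in combinations(sorted(techs), 2):
            pairs[(a, b)] += 1
    return pairs.most_common()


if __name__ == "__main__":
    print("frequency:", technique_frequency(SIGHTINGS))
    print("covering 90%:", top_techniques_covering(SIGHTINGS))
    print("co-occurrence:", cooccurrence(SIGHTINGS))
```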

So, what did we accomplish?

We set out on this research effort with some ambitious goals of discovering something new about adversaries. Our top 15 list should not be a surprise to anyone. If we polled about 100 defenders on what they thought are the top 15 most common ATT&CK techniques, they would probably match 75% of our list. While this is not groundbreaking, we were able to learn some valuable information about defenders.

At the top of that list is that defenders are doing a pretty good job. The fact that our assumptions are backed up by data means that our research, training, and sharing of information is working. That’s not to say that we can declare victory over our adversaries. Far from it. But it does mean that we have evidence to show that what we are doing as a community is working.

Speaking of information sharing, another one of our goals was to create a community-based ecosystem in which ATT&CK data could be shared in order to capture an unbiased picture of what adversaries are doing around the world. While we still have work to expand this ecosystem, we demonstrated that a community-based approach can work and has differentiated value.

The full report is available here. Take a look and let us know what you think. For those who don’t have time to read through all of the data deep dives and hypotheses about adversary behaviors, we also produced an infographic highlighting some key points. Have questions? Please contact us. We’d love to get your thoughts on the report and your ideas for the future of the Sightings Ecosystem Project.

What’s next?

This project release represents a first step toward establishing the sightings ecosystem that we envision. We created the foundational capability to collect and analyze sightings data. We demonstrated that organizations both have sightings data and are willing to contribute it. Our analysis shows that with the right data, we can create meaningful visibility into adversary behaviors in the wild.

Now we need your support to scale and advance the Sightings Ecosystem. The Sightings Ecosystem Project is looking to onboard more data contributors and gain an even broader understanding of adversary behaviors. The first iteration of the Sightings Ecosystem Project gave us our initial window and we’re excited to broaden the scope with your help.

We are also interested in your feedback on the report itself. As we consider future sightings reporting, we aim to ensure that our analysis and reporting is well-aligned with the needs of defenders.

We look forward to working with you to establish a robust sightings ecosystem that gives defenders unprecedented visibility into what adversaries are actually doing in the wild.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0039.

Jon Baker
MITRE-Engenuity

Director and co-Founder, Center for Threat-Informed Defense