MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK Framework and DNIF
DNIF uses the MITRE ATT&CK Framework to help you understand attacker behaviour and mitigate the risks and threats facing your organization, using Workbooks, Connected Signals and other threat detection mechanisms. DNIF automates the threat detection, investigation and response procedure, and you can map observations in your environment directly to ATT&CK techniques and tactics.
Security teams can associate the alerts generated with specific tactics and techniques within the MITRE ATT&CK framework. Over time, more tactics, techniques, malicious actors, tools, malware and mitigations are identified during operations and added to the MITRE ATT&CK knowledge base. This helps you manage and track defensive measures and strengthen the overall security of the organization. By using this data, security teams can track alerts and gain a clearer understanding of the different attack vectors used against your organization.
- Context: For true security effectiveness, threat alerts must contain context to allow security teams to effectively prioritize threats and organize response.
- Adversary awareness: Adversary awareness helps you to identify the threats that are capable of causing harm to the enterprise data, its sensitivity, value, and other factors that contribute to the formulation of an appropriate response.
How to use MITRE ATT&CK?
MITRE ATT&CK displays all the techniques that fall under each tactic. The list of all workbooks with adversaries under each technique is displayed, indicating the techniques an attacker may have used. You can easily visualize the security breaches within the organization and ways to mitigate them.
- Click the MITRE ATT&CK icon on the left navigation panel of the DNIF console.
- The different colors in the techniques indicate the following:

| Indicator | Meaning | Description |
|---|---|---|
| Green vertical bar in technique | Data and workbook both exist | The data required to detect that technique is available, and a detection rule exists in the form of a workbook. |
| Blue vertical bar in technique | No data, but workbook exists | The data required to detect that technique is not available; however, a detection rule exists in the form of a workbook. |
| Gray vertical bar in technique | No workbook and no data | Neither the data nor a workbook exists for that technique. |

Note: A blue technique turns green as soon as the logs are made available by integrating the appropriate log sources.
- Use the Show active toggle in the right corner of the screen to view only active workbooks.
- The Search icon will help you to search for any specific techniques.
- Click the count block to list the names of the workbooks.
- Click the workbook that you want to investigate. It helps you trace the attack points through the signals raised.
The workbook opens in edit mode or view mode, depending on the role assigned to you.
- Even for a green tactic, technique or procedure, the workbook must be in Streamed or Scheduled mode in order to trigger detection. If the workbook's Streamed or Scheduled mode is 'Off', it will not trigger detections even though data is available.
- DNIF provides a large number of workbooks as out-of-the-box content; however, these workbooks need careful tuning at your end. Failing to do so may result in many false positives and noise.
- On the MITRE ATT&CK page, the Streams option is displayed in the top right corner of the screen.
- Click the Streams option on the right side of the top bar; a panel is displayed as follows:
The panel displays all the streams available in the workbook. For each stream it shows the following details:
| Indicator | Description |
|---|---|
| Green vertical bar | There are active incoming signals for this stream. |
| Blue vertical bar | There are no active signals, but logs are available for this stream. |
| Light grey vertical bar | There are no active workbooks, but logs are available for this stream. |
| Dark grey vertical bar | There are no active signals and logs are not available for this stream. |

For each stream the panel also displays:
- the log size of the stream
- the number of workbooks associated with the stream
- the number of tactics involved
- the number of techniques used
- the number of active signals
- a timeline graph of the signals for that stream
- Click a stream to automatically highlight, under each tactic, all the workbooks that use the selected stream.
- A green bar next to a technique indicates that there are workbooks with active signals; a blue bar indicates that there are no active signals.
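The technique colour legend (green, blue, gray), the Streamed/Scheduled caveat and the streams-panel legend all follow from three facts about your deployment: which workbooks exist and which techniques they are mapped to, which log streams are actually being ingested, and which workbooks are switched on. The following is an added example that is not DNIF code and does not use the DNIF API; it is a small, self-contained model of how those facts combine into the statuses described above. The class and function names, the mode labels, the stream names and the sample workbooks are all constructed for illustration (the technique IDs are real ATT&CK IDs; the mapping of workbooks to them is made up), and the reading of the blue vs light-grey stream states is an assumption stated in the comments.

```python
"""Added example (not DNIF's code): derive ATT&CK technique colours and
stream statuses from workbook mappings, ingested streams and workbook mode.
All names, mode labels and sample data below are constructed."""
from collections import Counter
from dataclasses import dataclass

STREAMED, SCHEDULED, OFF = "streamed", "scheduled", "off"   # assumed mode labels


@dataclass(frozen=True)
class Workbook:
    name: str
    techniques: tuple   # ATT&CK technique IDs the detection rule is mapped to
    streams: tuple      # log streams the rule's query reads
    mode: str           # STREAMED, SCHEDULED or OFF

    def is_running(self) -> bool:
        # Only a streamed or scheduled workbook can raise signals.
        return self.mode in (STREAMED, SCHEDULED)


def has_data(wb: Workbook, available_streams: set) -> bool:
    """A rule has its data when every stream it reads is being ingested."""
    return all(s in available_streams for s in wb.streams)


def technique_status(technique: str, workbooks, available_streams: set) -> str:
    """Technique colour: 'green' = data and workbook both exist,
    'blue' = workbook exists but its data is missing, 'gray' = neither."""
    mapped = [wb for wb in workbooks if technique in wb.techniques]
    if not mapped:
        return "gray"
    if any(has_data(wb, available_streams) for wb in mapped):
        return "green"
    return "blue"


def can_detect(technique: str, workbooks, available_streams: set) -> bool:
    """Green is necessary but not sufficient: a mapped workbook with data must
    also be running (Streamed or Scheduled), otherwise nothing fires."""
    return any(technique in wb.techniques and has_data(wb, available_streams)
               and wb.is_running() for wb in workbooks)


def stream_status(stream: str, workbooks, available_streams: set,
                  signal_counts: Counter) -> str:
    """Streams-panel status. Assumed reading of the legend: green = active
    signals; blue = logs present and a running workbook reads them, but no
    signals yet; light gray = logs present but no running workbook reads
    them; dark gray = neither logs nor signals."""
    logs = stream in available_streams
    running = any(wb.is_running() and stream in wb.streams for wb in workbooks)
    if signal_counts[stream] > 0:       # Counter returns 0 for unknown keys
        return "green"
    if logs and running:
        return "blue"
    if logs:
        return "light gray"
    return "dark gray"


def coverage_report(techniques, workbooks, available_streams, signal_counts):
    """Per-technique (colour, will_fire) pairs; the second value is what a
    green cell does not tell you on its own."""
    return {t: (technique_status(t, workbooks, available_streams),
                can_detect(t, workbooks, available_streams)) for t in techniques}


# Constructed sample: four workbooks, one switched off; three ingested streams.
SAMPLE_WORKBOOKS = (
    Workbook("Suspicious PowerShell", ("T1059",), ("windows-sysmon",), STREAMED),
    Workbook("Password Spray", ("T1110",), ("windows-security",), OFF),
    Workbook("Okta Impossible Travel", ("T1078",), ("okta-system-log",), SCHEDULED),
    Workbook("Cron Persistence", ("T1053",), ("linux-auditd",), STREAMED),
)
SAMPLE_STREAMS = {"windows-sysmon", "windows-security", "linux-auditd"}
SAMPLE_SIGNALS = Counter({"windows-sysmon": 4})   # signals seen per stream
SAMPLE_TECHNIQUES = ("T1059", "T1110", "T1078", "T1053", "T1566")

if __name__ == "__main__":
    report = coverage_report(SAMPLE_TECHNIQUES, SAMPLE_WORKBOOKS,
                             SAMPLE_STREAMS, SAMPLE_SIGNALS)
    for tech, (colour, fires) in report.items():
        print(f"{tech}: {colour:10} will fire: {fires}")
    for s in sorted(SAMPLE_STREAMS | {"okta-system-log"}):
        print(f"{s}: {stream_status(s, SAMPLE_WORKBOOKS, SAMPLE_STREAMS, SAMPLE_SIGNALS)}")
```

In the sample, T1110 is green (the Windows security stream is ingested and a workbook is mapped) yet `can_detect` is false because that workbook is off, which is exactly the trap the Streamed/Scheduled note warns about; T1078 is blue until the Okta stream is integrated, and T1566 is gray because no workbook is mapped at all.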