MITRE’s ATT&CK framework can be used for a lot of things. Apart from detection and analysis, adversary emulation and other uses, it also shines in threat intelligence.
What is threat intelligence?
Threat intelligence is the knowledge that helps an organization prevent or mitigate cyber attacks that could harm it. At its core, threat intelligence is about collecting and maintaining data: data about the types of attacks and the techniques behind them.
Threat intelligence gives you context for decisions about your organization’s security posture by answering questions about the threats you face.
The important questions include: who is the adversary attacking you, what motivates the attack, and what vulnerabilities in your systems you need to fix.
Why is threat intelligence critical?
Threat intelligence is actionable information that can stop cyber intrusions. That sounds very much like a cybersecurity framework. A cybersecurity framework is a documented tool that contains information about attack tactics and techniques, together with the countermeasures for those techniques.
Threat intelligence is closely related to cybersecurity frameworks: the frameworks are the pillars that give threat intelligence its structure. Examples include the NIST Cybersecurity Framework and MITRE ATT&CK.
Threat intelligence follows and aligns itself with the principles of these frameworks. It is practiced at different levels depending on the maturity of the organization, and the levels below differ mainly in the size and experience of the team:
- For Starters – Those who are just starting out
- Mid Level – For mid-level cybersecurity teams
- Professionals – For organizations with advanced cybersecurity teams
Level 1 – For Starters
Cyber threat intelligence is about gathering information on your adversaries and using it to make better decisions. Small organizations that are just starting to plan their cybersecurity can use the ATT&CK framework for this.
Certain groups target small businesses, or perhaps a specific group is focused on your organization. You can use ATT&CK to find the tactics that group uses and implement countermeasures for them.
Information on groups, techniques and the strategies used to attack organizations is readily available on ATT&CK’s official website. The framework is built from information that helps you defend your organization against possible intrusions and attacks.
Level 2 – Intermediate Teams
As the name suggests, this section is for mid-level or intermediate cybersecurity teams. Regularly reviewing information about your adversaries is fundamental, but what more can you do to gain an upper hand over them?
Cybercrime and attacks aren’t restricted to a single organization, which is why it is essential to start mapping the information you’ve discovered back to the primary resource, ATT&CK. You can map your own observations, or map an external blog post or report that describes what is known about an attacker group in detail.
What good does it do? Attacks are a global issue: the more actionable intel there is on different attacker groups, the better the chances of getting prevention and mitigation right.
Here’s an overview of the process you should go through before releasing that information.
Learn ATT&CK Framework
Learning it doesn’t mean cramming every piece of information into your head; nobody can do that. It means understanding the framework inside out: the tactics perpetrators use, the techniques that let them achieve their goals, and how those techniques and tactics are implemented.
All of this is available for anyone to read on ATT&CK’s official website. Without this knowledge you can’t move on to the next step, so make sure you understand the structure of the framework completely.
Learning the mindset of the hacker
The name explains most of what you’ll learn under this heading. Getting the hacker’s perspective is the most important thing, because it allows you to predict the actions a hacker will take.
However, it’s not an easy task. Hackers’ mindsets and attack vectors are never static, so regular reviews are essential to be ready for an untimely attack.
ATT&CK has a wealth of information on different attacker groups. The best thing you can do is go through that information and determine the attack vectors they used.
For example, you’ll find reports stating that the perpetrator “established a SOCKS5 connection”; here the behavior, or attack vector, is establishing a connection through the SOCKS5 protocol.
Research the attack behavior
Attack vectors and behaviors are mostly dynamic, meaning they are rarely the same twice. There may be a scenario where you don’t know the attack vector used to execute an attack; in that case you’ll have to research that vector.
Again, the information you need is readily available within the framework’s structure; you just have to search for it. Needless to say, having the most actionable information available to mitigate the effects is the way to go in the cybersecurity industry.
Combinations of attack behavior and attack vectors
Now that you have information about the attack behavior and how it works, it’s time to dive into the other side of it. An attack behavior complements certain tactics: the same action can serve several attack methods, so you’ll have to find out which tactics can be pursued with the behavior the attacker used.
Technique implementation with attack behavior
Finding the tactics is only one side of the picture; the other requires you to find the techniques that can implement both the tactic and the attack behavior.
Lastly, compare your results with those of other analysts, since attack behaviors can be interpreted differently. Other than that you’re pretty much done: you now know how to write an extensive report on cyber attack groups using the ATT&CK framework.
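As an added illustration (not from the original post or from MITRE), here is a small Python script that walks the steps above for a constructed report excerpt: it extracts the behavior from each sentence, looks up the tactic and technique in a constructed excerpt of the ATT&CK catalog, flags sentences that need further research, and diffs the result against a second analyst’s mapping. The regex patterns and the report text are assumptions standing in for an analyst’s reading of a report; the technique IDs are real ATT&CK ones.

```python
import re
from collections import namedtuple

# Constructed excerpt of the ATT&CK Enterprise matrix: technique ID -> (name, tactic).
# These are real technique IDs; consult attack.mitre.org for the full, current set.
CATALOG = {
    "T1090": ("Proxy", "Command and Control"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
}

# Constructed behaviour patterns: regex over report prose -> (behaviour, technique ID).
# They stand in for the analyst's reading of the report, which is the real step 2.
BEHAVIOURS = [
    (r"\bsocks5?\b|\bproxy\b", "relays traffic through a proxy", "T1090"),
    (r"\bhttps?\b", "talks to C2 over a web protocol", "T1071"),
    (r"phish|malicious attachment", "delivers a phishing lure", "T1566"),
    (r"powershell|cmd\.exe|\bbash\b", "runs commands via an interpreter", "T1059"),
]

Mapping = namedtuple("Mapping", "sentence behaviour technique_id technique tactic")

def map_report(text):
    """Steps 2-5: extract the behaviour from each sentence, then look up the tactic
    and technique it implements. No known behaviour -> None ('research it', step 3)."""
    mappings = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        found = None
        for pattern, behaviour, tid in BEHAVIOURS:
            if re.search(pattern, sentence, re.IGNORECASE):
                name, tactic = CATALOG[tid]
                found = Mapping(sentence, behaviour, tid, name, tactic)
                break
        mappings.append(found)
    return mappings

def compare_analysts(mine, theirs):
    """Step 6: diff my mappings against another analyst's {sentence: ID} and return
    (sentence, my_id, their_id) for each disagreement that needs to be resolved."""
    return [(m.sentence, m.technique_id, theirs[m.sentence])
            for m in mine if m and theirs.get(m.sentence) not in (None, m.technique_id)]

# Constructed report excerpt in the style of the SOCKS5 sentence quoted in the post.
REPORT = ("The actor established a SOCKS5 connection to its infrastructure. "
          "It then launched PowerShell to stage further tools. "
          "Operators used a never-before-seen loader.")

if __name__ == "__main__":
    for m in map_report(REPORT):
        print(f"{m.technique_id} {m.tactic} <- {m.behaviour}" if m else "UNMAPPED: research needed")
```

The third sentence deliberately matches nothing, which is the case where the post tells you to go and research the vector before mapping it.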
Level 3 – For advanced teams
The advanced level builds on everything used at the beginner and intermediate levels; those techniques remain relevant, and the advanced level combines all of them.
Gathered information is not actionable unless it relates attack vectors, techniques and mitigations. Mapping information and keeping track of your adversaries is essential, as we’ve seen before.
Once you’ve mapped your information to ATT&CK, use it to prioritize security. After observing and documenting the groups that are priority threats to your organization, you can determine which techniques and tactics they use most commonly.
This tells defenders what to prioritize: the techniques that matter most for detecting and mitigating the intrusions you are likely to face. MITRE itself has published a more detailed guide to using ATT&CK for threat intelligence.
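To illustrate the prioritization step, here is an added Python example (not from the post or from MITRE) that counts technique overlap across the groups you have marked as priority threats and emits the ranking as a minimal ATT&CK Navigator-style layer for a heat map. The group names and their technique sets are constructed; the technique IDs are real, and the layer field names are assumed to match Navigator’s layer format.

```python
from collections import Counter

# Constructed threat-intel record: groups already mapped to ATT&CK, as
# invented group name -> set of technique IDs seen in reporting on that group.
# The IDs are real ATT&CK Enterprise techniques; the sets are made up.
GROUP_TECHNIQUES = {
    "GroupAlpha": {"T1566", "T1059", "T1090", "T1071"},
    "GroupBravo": {"T1566", "T1059", "T1003"},
    "GroupCharlie": {"T1059", "T1071", "T1003"},
    "GroupDelta": {"T1195", "T1071"},  # not a priority for us; must not skew the ranking
}

TECHNIQUE_NAMES = {
    "T1566": "Phishing", "T1059": "Command and Scripting Interpreter",
    "T1090": "Proxy", "T1071": "Application Layer Protocol",
    "T1003": "OS Credential Dumping", "T1195": "Supply Chain Compromise",
}

def prioritize(groups_of_interest):
    """Count how many priority groups use each technique, most common first.
    Ties break alphabetically by ID so the output is stable across runs."""
    counts = Counter()
    for group in groups_of_interest:
        counts.update(GROUP_TECHNIQUES[group])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def navigator_layer(ranked, name="Priority groups - technique overlap"):
    """Shape the ranking as a minimal Navigator layer (assumed field names:
    name, domain, techniques[].techniqueID/score/comment) for a matrix heat map."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": n,
             "comment": f"{TECHNIQUE_NAMES[tid]}: used by {n} priority group(s)"}
            for tid, n in ranked
        ],
    }

if __name__ == "__main__":
    import json
    ranked = prioritize(["GroupAlpha", "GroupBravo", "GroupCharlie"])
    for tid, n in ranked:
        print(f"{tid:6} {n}  {TECHNIQUE_NAMES[tid]}")
    print(json.dumps(navigator_layer(ranked), indent=2))
```

The score is simply the number of priority groups that use a technique; swapping in a weighted score (for example by group capability or recency of reporting) only changes `prioritize`.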
Conclusion
Threat intelligence is the process of gaining intel on your adversaries and potential threats. Documenting that information helps you keep track of the tactics, behaviors and techniques a typical hacker group would use while trying to infiltrate your organization.
Frameworks like ATT&CK are a gold mine of information about these tactics and techniques, which is why threat intelligence built on them is essential to counter cyber attacks.