Mitre ATT&CK
A brief, high-level "Blue Team" Cybersecurity defense framework. I won't be going too deep into the technicals of how it works, but I will cover some of the basics of what I'm learning. To illustrate the purpose of this framework, let's consider football - namely Offense vs Defense.
What is Mitre ATT&CK
In football, it is super-critical and advantageous for the Defense to know what the Offense is capable of, understand trends, and know how to respond. Basically, situational awareness. The Mitre Adversarial Tactics, Techniques & Common Knowledge is that "situational awareness" concept wrapped in a framework.
Imagine the scneario: 2nd quarter, game is tied, the Offense tends to throw a lot, but the situation warrants a run or run/pass option. As a Defender, it is imperative to know what to anticipate. Blue Team, aka Cybersecurity Defenders, must be able to "read & react" when a situation occurs that warrants further investigation.
The framework consists of 6 different actions to take:
- Develop & Update Malicious Activity Model
- This is like the Defense's playbook. A model is an understanding for what the threat actor is doing, how, and why.
- Develop Hypotheses and Abstract Analytics
- To understand what the Offense might do (or has done), a hypothesis is drafted. The hypothesis must be concise and succinct.
- Analytics serve to track the "how" of an attack.
- Determine Data Requirements
- There's a long list of criteria that are factored in to writing up a good model, primarily with the efficacy of the data and its source.
- Identify and Mitigate Data Collection Gaps
- Eliminate any likelihood of "escaped" data; that is, any missing or obsolete data from the model
- Implement Test Analytics
- Use the constructed playbook to set up a Defensive posture.
- Hunt / Detect Malicious Activity and Investigate
- Deploy the defense and have Red Teamers test it.
These 6 different actions iterate as many times as necessary. The goal of Defense is to have close to no false negatives for non-detected issues, and true positive results for detected issue (that is to say, Defense caught something truly malicious instead of confusing a benign action as a hostile one). The MITRE framework attempts to aggregate information from a wide array of resources to "read & react" to an event caught by intrusion detection or intrusion prevention system.
Blue Team spots something fishy on their scanners. The investigate and see something is up. Based on the attack pattern and area compromised, they can refer to their model to understand what the attack type is, what it is targeting and why, and how to craft a threat mitigation plan against it.
It is not a hard framework to learn, nor is it overly simplified. But this is a great thing to learn, do, and grow.
Ciao For Now!
Tune in next week, I will give a brief write-up on some cool attacks learned from Security+ and Network+
No comments:
Post a Comment