Red or Blue Pill – MITRE's Impact On The Infosec Industry

Süleyman Özarslan, PhD
May 2019

Introduction

With major data breaches making headlines every other week, it's easy to forget that the cybersecurity industry is actually rapidly innovating and improving. Comparing security monitoring capabilities today with those of 5-7 years ago illustrates this point. Where heavy-weight SIEM deployments were once the only realistic option for operating security monitoring, organizations today have many options to choose from when determining the best path to the same end goal. Usable, affordable and powerful detection technology is available in different variants – EDR, NTA and next-gen SIEM are currently the most prominent selections on the market.

Cybersecurity has gained significant mainstream attention in recent years thanks to high-profile data breaches and hacks. This clearly affects all areas of the industry, leading to an influx of investment and an explosion of vendors in the detection landscape, which has been particularly notable in the EDR space.

The problem today has shifted from 'How can we achieve practical detection?' to 'Which of these 20 vendors with similar promises are worth running a Proof-Of-Concept with?' Almost every CISO is expected to deal with the challenge of information overload; in addition to having limited time to thoroughly research every vendor, they are often faced with decision paralysis because the marketing strategy of each vendor promises to deliver the same results.

One Possible Solution: MITRE ATT&CK Framework

Until recently, CISOs were having a hard time comparing detection technologies in a repeatable, easy-to-understand manner. Despite the existence of various complex, scientific or homegrown methodologies on how to evaluate vendors and tools, in reality, most of them had limited use while others were impractical beyond comparing two vendors.

The introduction of the MITRE ATT&CK matrix has changed all of this significantly by formulating a common language and a methodology to evaluate detection technology. Although the main focus is still on EDR-based products, there are various efforts to enhance and expand the current matrix for use in broader applications. All of these developments have contributed to the extreme increase in MITRE ATT&CK's popularity in recent years; it was no surprise that ATT&CK was among the common themes at the 2019 RSA conference.

The ATT&CK framework has brought forth countless advantages:

  • It provides a common framework to test tools and human capabilities
  • It raises awareness for which TTPs are most-widely known
  • It helps companies make better purchasing decisions based on vendor evaluations
  • It raises the bar for detection companies to adhere to an industry standard

Everything Comes at a Price

While MITRE ATT&CK is great and is filling a long-overdue niche, some downsides might be anticipated. Organizations sometimes fall into the 'compliance trap'. Once they have done their due diligence to implement security controls on paper, they are lured into a false sense of security even if the controls are not properly operated and maintained. The same might happen with MITRE – just because a vendor ticks all the checkboxes in the MITRE ATT&CK framework, it does not mean they can detect all TTPs continuously, repeatedly and in all environments.

Enterprises might also become complacent by getting stuck in the matrix and only covering the MITRE ATT&CK TTPs. While ATT&CK covers the most prominent ones, threat actors will always find TTPs that lie outside the matrix. MITRE might be a great starting point but should not turn into an excuse to ignore TTPs beyond MITRE's coverage.

One of MITRE's major advantages is that it helps decision makers cut through marketing claims. However, vendors are already striving to claim that their products have '100% MITRE coverage'. The value of the matrix will become diluted once most vendors start issuing such claims. MITRE ATT&CK is one framework for the classification of TTPs – a great one in that sense, but it is the only one to date.
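To make the difference between a checkbox claim and real detection concrete, here is an added illustration (not code from the article or from Picus) that scores repeated BAS-style test runs two ways: "detected at least once", which is what a '100% coverage' claim usually measures, versus "detected on every run in every environment". The run records, environment names and outcomes are constructed for the example; the technique IDs are public ATT&CK identifiers.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample data (not from the article): one record per simulated
# technique run, as a BAS tool might log it: (technique_id, environment, detected).
SAMPLE_RUNS = [
    ("T1059", "prod-windows", True),
    ("T1059", "prod-windows", True),
    ("T1059", "dev-linux", True),
    ("T1003", "prod-windows", True),   # detected once ...
    ("T1003", "prod-windows", False),  # ... but missed on a re-run
    ("T1003", "dev-linux", False),
    ("T1055", "prod-windows", False),
    ("T1055", "dev-linux", True),      # only caught in one environment
]

Run = Tuple[str, str, bool]


def summarize(runs: Iterable[Run]) -> Dict[str, Dict[str, object]]:
    """Per technique: run count, detections, environments tested, and
    environments in which every single run was detected."""
    per_env = defaultdict(lambda: defaultdict(list))
    for tech, env, detected in runs:
        per_env[tech][env].append(detected)
    report = {}
    for tech, envs in per_env.items():
        flat = [d for outcomes in envs.values() for d in outcomes]
        report[tech] = {
            "runs": len(flat),
            "detections": sum(flat),
            "environments": sorted(envs),
            "reliable_in": sorted(env for env, o in envs.items() if all(o)),
        }
    return report


def checkbox_coverage(runs: Iterable[Run]) -> float:
    """Share of techniques detected at least once: the 'ticks the box' view."""
    report = summarize(runs)
    if not report:
        return 0.0
    return sum(1 for r in report.values() if r["detections"] > 0) / len(report)


def reliable_coverage(runs: Iterable[Run]) -> float:
    """Share of techniques detected on every run in every tested environment."""
    report = summarize(runs)
    if not report:
        return 0.0
    return sum(1 for r in report.values()
               if r["reliable_in"] == r["environments"]) / len(report)
```

On the sample data every technique "has coverage" (100%), but only one of the three is detected reliably (33%), which is the gap the compliance trap hides.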

To play the devil's advocate further, one could also foresee Darknet services springing up, allowing criminals to test their malware against the MITRE matrix – to see if it hits on any TTPs or manages to stay fully undetectable. Similar services are known to exist which test antivirus engines on the Darknet.

Maximize MITRE ATT&CK's Value

MITRE ATT&CK has become a known quantity in the security industry. To avoid diluting the value of ATT&CK by turning it into a theoretical checkbox-ticking exercise, organizations should start to embrace the power of Breach and Attack Simulation (BAS) tools.

Picus Security, the leader in the continuous BAS market, can put the matrix into practice and test to see if your security stack detects the TTPs. More importantly, Picus chains techniques together to create realistic attack scenarios. Testing TTPs in attack scenarios is the best method to test whether or not your defenses are equipped for today's threat landscape.

Süleyman Özarslan

About the Author

Süleyman Özarslan, PhD
VP, Picus Labs, Founder
A true security enthusiast with extensive experience in ethical hacking, cyber defense, computer networks, and cryptography.
