How Breach and Attack Simulation Helps You to Operationalize MITRE ATT&CK

Keep up to date with latest blog posts

MITRE ATT&CK has become a go-to framework for security teams. Yet, by being so comprehensive, it can be difficult to know where to begin in your mission to operationalize it.

In this blog, we offer advice to help get started with ATT&CK and explain how Breach and Attack Simulation (BAS) can be used to accelerate your efforts to leverage it in your daily security operations.

Areas we cover:

Getting starting with ATT&CK

Starting out with MITRE ATT&CK can initially seem daunting. Containing over 180 techniques and 375 sub-techniques (distinct ways that attackers perform malicious activities) the framework is very thorough - making it tricky to decide where to focus your attention.

A key piece of advice before starting out is to forgo any ambition to achieve complete threat coverage. Very few organizations have the time and resources needed to observe every adversary behavior. Instead, focus on identifying threat actors that pose the greatest risk to your organization and the types of tactics and techniques they use.

On the MITRE’s website, there is a list of prominent adversary groups. Conduct a search to identify the adversaries that are more likely to target your organization based upon the vertical industry in which you operate. Learn about the techniques they exhibit and apply this information to create a prioritized list of required detections. To help identify the most common techniques, try using MITRE’s free ATT&CK Navigator tool, which can help you to visualize the behaviors of multiple threat groups simultaneously.

Live-demo-Picus

Becoming more proactive in your approach 

Identifying and detecting the activities of the threat actors that are more likely to target your organization will provide a solid foundation to leverage the framework further. However, to keep up-to-date with new threats that emerge daily, you’ll need to become more proactive in your approach.

Being proactive in your use of ATT&CK will require you to use cyber threat intelligence to observe new threat behaviors and then map these to the framework. Threat intelligence can be curated from open-source and commercial threat feeds as well as your own internal investigations. Leverage whatever data is available to you.

At this stage of your journey to operationalize ATT&CK, things can quickly start to become more complex. Discovering and mapping emerging threat behaviors is rarely straightforward and can easily become a drain on your resources.

A significant amount of time and effort for defenders to build new detections to identify high-risk behaviors must also be factored in. New detections will require new correlation rules to be developed and tested. 

As a rough guide, it can take a security engineer approximately seven hours to write and implement a new detection rule. Additional time will need to be allocated if new data sources are needed to achieve the visibility required.

Responding to evolving attacker behaviors

Although improving your coverage of ATT&CK might be labor intensive, the ever-evolving threat landscape makes this vital if you are to achieve a greater level of assurance.

To illustrate this point, The Picus Red Report found that over half of the top ten most commonly observed ATT&CK techniques in 2021 did not appear on the equivalent list in 2020 - highlighting the extent to which adversarial approaches change.

For the same reason, you can never be 100% sure of identifying a given technique in your environment. To improve their chance of success, adversaries will continue to think up new ways to execute attacks, making it important to regularly review and validate your existing coverage.

Operationalizing ATT&CK with Breach and Attack Simulation(BAS)

If your organization is thinking of adopting ATT&CK or is struggling to take your use of it to the next level, Breach and Attack Simulation is a great way to accelerate your approach, reduce the level of manual effort required to operationalize the framework, and measure the success of your actions.

BAS platforms, such as The Complete Security Control Validation Platform by Picus, simulate real-world cyber-threats to automatically and continuously validate security control effectiveness. 

By identifying prevention and detection gaps, BAS can be used to determine the threat behaviors that pose the greatest risk to your organization and help you take swifter action to mitigate them.

How Picus can improve your success

The Picus Complete Security Control Validation Platform is an end-to-end BAS solution for security control validation; one that not only validates the performance of security controls but also provides actionable insights to get the best protection from them.

The Picus platform can help you to operationalize ATT&CK more swiftly and effectively by challenging the effectiveness of your network security, SIEM and EDR tools and by mapping assessment results to the framework automatically.

With Picus, quickly and easily simulate malware, ransomware and web application attacks, and techniques to exploit vulnerabilities such as Log4j. The Picus Threat Library contains over 11,000 threat samples and is updated daily by offensive security experts - reducing the need for your in-house security team to monitor cyber threat intelligence to discover new tactics, techniques and procedures (TTPs).

To identify and help address threat coverage and visibility blind spots, Picus validates that detection rules are in place and that they reliably trigger alerts. For any gaps identified, the platform supplies log source suggestions and vendor-specific prevention signatures and detection rules.

To help you get started, Picus’ customer success team will guide you through how to use the platform with ATT&CK so that you are able to identify and prioritize mitigating the greatest risks to your organization.

See Picus in action

Watch this short video to discover how our award-winning platform helps to take the hard work out of operationalizing ATT&CK. In it, we demonstrate how to simulate OS Credential Dumping - one of the top ten most common ATT&CK techniques observed by Picus in the Red Report 2021 - and see the results of the assessment mapped to the framework.

10 STEPS

1. Let us show you how you can operationalize MITRE ATT&CK framework with Picus. Picus Threat Library includes attack simulations for MITRE ATT&CK techniques under Attack Simulation. To see them, click on Attack Simulation.

Step 1 image

2. Under Attack Simulation, Picus provides analysis results of your security controls against MITRE ATT&CK techniques. Click on MITRE ATT&CK Matrix Analysis to see your analysis results.

Step 2 image

3. Under MITRE ATT&CK Matrix Analysis, you can see your security performance against MITRE ATT&CK techniques. Click on OS Credential Dumping to list related attack simulations.

Step 3 image

4. OS Credential Dumping is a widely used attack technique and in Top 10 MITRE ATT&CK techniques used by adversaries list in the Red Report 2021.
Click on highlighted attack simulation for OS Credential Dumping to assess your security controls.

Step 4 image

5. Under Overview tab, the threat details for the attack simulation are available. This attack simulation uses SilentProcessExit method for credential dumping. Let's click Assess to go to assessment screen.

Step 5 image

6. Under Assess tab, you can run attack simulations any time you want. Click on Assess to run simulation for OS Credential Dumping technique.

Step 6 image

7. Assessment is finished and the result is "Not Blocked" as indicated by the red icon but don't worry. Picus provides detection and mitigation methods for simulated attacks. Click on Mitigation to see detection signatures.

Step 7 image

8. Under Mitigation, Picus provides vendor specific and vendor agnostic detection signatures. Type SilentProcessExit on the search bar and press Enter.

Step 8 image

9. Sigma rules are vendor agnostic and can be converted to specific security product. Click on highlighted rule to view the Sigma rule used for detection of OS credential dumping attack.

Step 9 image

10. With few clicks, you can test your security posture against MITRE ATT&CK techniques and get detection signature for your security controls.

Click here to request your free Picus demo to test your security control against cyber threats.

Step 10 image

Here's an interactive tutorial

** Best experienced in Full Screen (click the icon in the top right corner before you begin) **

https://www.iorad.com/player/1913344/Operationalizing-MITRE-ATT-CK-with-Picus


Want to learn more? Please reach out to our friendly team to request a personal demo of our platform and learn how it can help you to improve your organization’s cyber resilience.

Subscribe

Keep up to date with latest blog posts