
Deciphering the ATT&CK Navigator: Part 2 - ATT&CK Use Cases



In the first part of this series, we presented an overview of the ATT&CK framework, its components, and the origins of the project. Continuing on, in this second part, we take a look at some of the major use cases of the framework which make it an important part of enterprise security operations.

Adversary Emulation or Red Teaming

In the domain of security technology, adversary emulation (or Red Teaming) is a key activity which focuses on an organization’s ability to detect and mitigate adversarial activity at various points in the attack lifecycle.

ATT&CK helps red teams plan and conduct their operations in ways that overcome existing defensive measures while learning from real-world adversary behavior. ATT&CK facilitates the process of adversary emulation by allowing enterprises to create and test adversarial scenarios based on attack techniques listed in the framework. For this purpose, security teams can leverage various open-source adversary emulation tools that are modeled after the ATT&CK framework, such as CALDERA, Atomic Red Team, RTA, ThreatHunter-Playbook or AutoTTP.

The insights gained from these activities allow blue teams to further improve the readiness of their security operations. Apart from this, defenses against specific threat actors can be built by creating profiles based on their documented behavior in ATT&CK. Threat hunting teams can leverage this to improve their organization’s cyber defense readiness.

Threat Hunting

The process of threat hunting is aimed at finding anomalies in network activity and in the systems on the network to detect any signs of compromise, intrusion, or data exfiltration. The ATT&CK Navigator helps threat hunters formulate and validate their hunt hypotheses, and define log sources for hunts, using known adversary tactics and techniques.

Behavioral Analytics Development

In certain scenarios, the enterprise security teams face the challenge of operating with limited knowledge about adversary tools and behaviors.

In such cases, they can leverage the power of behavioral analytics by studying how an adversary interacts with their network to link it with other observed suspicious activity without relying on the knowledge of any specific tools used by the adversary.

For this purpose, ATT&CK can be used to build and test behavioral analytics models for detecting adversarial behavior in an enterprise environment.

Defensive Gap Assessment

Even the most robust cyber defense can sometimes fall victim to a cyber attack due to a minor blind spot. To fix the defensive gaps, it is essential to test the effectiveness of the existing security tools against the various tactics and techniques an adversary may use.

This is where ATT&CK plays a critical role both for defensive gap assessment and security product evaluation by providing a reliable knowledge base to test the coverage of the security tools in use.
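The gap assessment described here, combined with the threat-actor profiles mentioned under adversary emulation, can be sketched as follows. This is an added example, not code from the original post or from MITRE: the actor profile and analytic names are hypothetical, the technique IDs are real ATT&CK Enterprise IDs, and the layer fields follow the Navigator layer file format with version metadata left out.

```python
import json

# Constructed sample data (not from the original post). Technique IDs are real
# ATT&CK Enterprise IDs; the actor profile and detection inventory are hypothetical.
ACTOR_PROFILE = {            # techniques attributed to a hypothetical actor
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1041": "Exfiltration Over C2 Channel",
}
DETECTIONS = {               # technique ID -> analytics covering it (hypothetical names)
    "T1566": ["mail-gateway-attachment-rule"],
    "T1059": ["edr-script-host-rule", "siem-encoded-command-rule"],
    "T1021": [],             # log source onboarded, no analytic written yet
}

def assess_gaps(profile, detections):
    """Return (covered, gaps) technique-ID lists for one actor profile."""
    covered = sorted(t for t in profile if detections.get(t))
    gaps = sorted(t for t in profile if not detections.get(t))
    return covered, gaps

def build_layer(name, profile, detections):
    """Build a Navigator layer dict: score = number of analytics per technique."""
    techniques = []
    for tid, tname in sorted(profile.items()):
        rules = detections.get(tid, [])
        techniques.append({
            "techniqueID": tid,
            "score": len(rules),
            "comment": f"{tname}: " + (", ".join(rules) if rules else "NO COVERAGE"),
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Detection coverage vs. actor profile (constructed sample)",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
        "techniques": techniques,
    }

if __name__ == "__main__":
    covered, gaps = assess_gaps(ACTOR_PROFILE, DETECTIONS)
    print("covered:", covered)
    print("gaps:   ", gaps)
    with open("coverage_layer.json", "w") as fh:
        json.dump(build_layer("Coverage vs. actor", ACTOR_PROFILE, DETECTIONS), fh, indent=2)
```

The resulting `coverage_layer.json` can be opened in the ATT&CK Navigator as an existing layer, where uncovered techniques show at the low end of the color gradient.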

SOC Maturity Assessment

The Security Operations Center (SOC) is the prime security arm of any medium to large enterprise network. The effectiveness of the SOC directly determines the security of the network.

Thus, it is necessary to establish the right processes in the SOC to detect, understand, and respond to various kinds of threats to the network. ATT&CK can be used to evaluate the detection capabilities of the SOC, set a benchmark for the maturity of SOC processes and plan further necessary improvements.

Incident Response

When a cyber attack occurs, it is essential for an enterprise to be ready with its Incident Response (IR) process to mitigate its impact. The Incident Response Lifecycle, which is the model approach in wide use, consists of five phases - Detection & Analysis, Containment, Forensic investigation, Eradication & Recovery, and Learnings.

Across the various phases of the IR Lifecycle, the ATT&CK Navigator can be used to find correlations between Indicators of Compromise (IOCs), TTPs, and threat actors, which also gives an understanding of the impact of an incident.

Cyber Threat Intelligence Enrichment

The field of Cyber Threat Intelligence (CTI) is a game changer for enterprise security as it allows organizations to proactively build defenses against threats that have not yet manifested as attacks on their networks. In the long run, it is necessary for an organization to go up the ladder in the Pyramid of Pain for threat intelligence and start harnessing the TTP intel for taking strategic actions or building countermeasures.

Knowledge of adversary tools, TTPs, behavior, and IOCs is necessary for security analysts to map the defenses required for different adversary behaviors. ATT&CK provides a structured understanding of adversary TTPs which is agnostic of the tools used by the adversary. It helps security teams narrow down the attribution for an attack to a set of known APTs or build defenses against specific APTs.


Thus, ATT&CK serves as a diverse tool for various kinds of use cases pertaining to adversary detection, behavioral analysis, threat intelligence, and overall security operations assessment.



Posted on: June 18, 2019
