Introduction to MITRE CAR
The MITRE Cyber Analytics Repository (CAR) project is a new initiative by MITRE that supports blue and purple security teams:
- Blue teams: It acts as a repository for all security hypotheses
- Purple teams: It enables them to try out the attacks mentioned in the repository
The value of MITRE CAR
In the current evolving threat landscape, security teams within organizations struggle to find detection mechanisms for the wide range of attacks they face. Threat actors targeting organizations can choose from a large variety of attack vectors and exploits. Merely blocking an indicator of compromise (IOC) no longer cuts it, given the level of sophistication threat actors display and their success in evading security tools. In this post, we attempt to answer two questions for growing security teams:
- How should a security team get started?
- How can security teams maximize ROI by triaging threats?
Even though threat actors can easily change IOCs such as IP addresses or file hashes, it is much harder for them to change their Tactics, Techniques, and Procedures (TTPs), which reveal their attack methodology. Hence, the best way for an organization to defend against the threat actors relevant to its operational space is to identify which vulnerabilities they might exploit and then put detection mechanisms in place.
This is where the MITRE CAR project steps in. MITRE CAR is a knowledge base of analytics developed by researchers around the globe, based on the MITRE ATT&CK adversary model. In terms of coverage, CAR focuses on providing a set of validated and well-explained hypotheses, each with its operating theory and rationale. It also contains detection mechanisms for various techniques used by adversaries, each mapped to its respective Tactic and Technique ID, making it easier for analysts to follow the implementations in phases.
Is it just another framework?
One of the main advantages of the MITRE CAR framework is that it is built on top of other widely used frameworks, which eases adoption. CAR also provides data models built by referencing commonly logged parameters and tools.
What does the CAR framework offer to security teams?
- Knowledge base of commonly used attacks
- Coverage and priority details
- One-stop shop for all mapped detections, which makes it even more powerful
- Supports Sigma, a rule format that can be converted between SIEMs
- Data models that organize the objects which can be monitored from a host-based or network-based perspective
How does an organization implement it?
This is a very subjective question, but one of the best approaches is to implement it in phases: first the detections with the highest coverage and those most relevant to the organization's infrastructure. MITRE CAR also maps analytics to particular TTPs, which helps an organization that wants to defend against or prioritize only specific types of attacks.
What is the ROI?
The best ROI is that security teams are no longer simply blocking IOCs but instead running a full-fledged detection process, armed with a knowledge base of the respective courses of action should an incident occur.
What initial challenges may a security team face?
One of the significant challenges security teams run into while adopting the CAR framework is forgetting that there can be multiple CAR analytics for a single TTP.
This gives them a false sense of security that they are fully protected against the threat, even though they implemented only a subset of the rules. Another challenge is not following the proper coverage and getting tons of alerts in a noisy environment, which can overwhelm the team.
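One way to catch the pitfall above before it becomes a false sense of security is to compute coverage per ATT&CK technique rather than per deployed rule. The script below is an added illustration, not MITRE CAR code; the analytic IDs and technique mappings in it are constructed sample data, not the repository's real mappings.

```python
# Added illustration (not MITRE CAR code): per-technique coverage check for a
# repository where one ATT&CK technique is covered by several CAR analytics.
# Analytic IDs and technique mappings below are constructed sample data.
from collections import defaultdict

# Constructed repository extract: analytic ID -> ATT&CK technique IDs it covers.
REPOSITORY = {
    "CAR-EXAMPLE-001": {"T1003.001"},            # two analytics for one technique
    "CAR-EXAMPLE-002": {"T1003.001"},
    "CAR-EXAMPLE-003": {"T1070.001"},
    "CAR-EXAMPLE-004": {"T1548.002", "T1112"},   # one analytic, two techniques
}


def coverage_report(repository, deployed):
    """Return {technique: (deployed_analytics, available_analytics)}."""
    per_technique = defaultdict(lambda: [set(), set()])
    for car_id, techniques in repository.items():
        for technique in techniques:
            per_technique[technique][1].add(car_id)
            if car_id in deployed:
                per_technique[technique][0].add(car_id)
    return {t: (d, a) for t, (d, a) in per_technique.items()}


def classify(report):
    """Bucket techniques as full, partial or none by deployed vs. available."""
    buckets = {"full": [], "partial": [], "none": []}
    for technique, (deployed, available) in sorted(report.items()):
        if not deployed:
            buckets["none"].append(technique)
        elif deployed == available:
            buckets["full"].append(technique)
        else:
            buckets["partial"].append(technique)   # the false-sense-of-security case
    return buckets


def main():
    deployed = {"CAR-EXAMPLE-001", "CAR-EXAMPLE-003"}
    report = coverage_report(REPOSITORY, deployed)
    for technique, (d, a) in sorted(report.items()):
        print(f"{technique}: {len(d)}/{len(a)} analytics deployed; missing {sorted(a - d)}")
    print(classify(report))


if __name__ == "__main__":
    main()
```

Techniques in the "partial" bucket are exactly the ones where a team has deployed a rule and may wrongly believe the TTP is handled.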
Recent Cyware CAR contributions that security teams can use:
Cyware has recently started contributing to the MITRE CAR framework by submitting various analytics. Some of our recent contributions include:
- CAR-2019-07-002 Lsass Process Dump via Procdump
- CAR-2021-01-001 Identifying Internal hosts and services for lateral movement
- CAR-2021-01-002 Identifying possible malware activity via unusually long command line strings
- CAR-2021-01-003 Detecting Windows log clearing with wevtutil
- CAR-2021-01-004 Unusual Child Process For Spoolsv.Exe Or Connhost.Exe
- CAR-2021-01-006 Unusual Child Process spawned using DDE exploit
- CAR-2021-01-007 Detecting Tampering of Windows Defender Command Prompt
- CAR-2021-01-008 Detect disabling of UAC via reg.exe
- CAR-2021-01-009 Detecting Shadow Copy Deletion via vssadmin.exe
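To show how a CAR analytic is expressed against one of the data models mentioned earlier, here is an added illustration, written for this post and not taken from the repository, of the log-clearing case listed above (CAR-2021-01-003). The match logic and the sample events are constructed; the field names (exe, command_line, parent_exe, hostname) are assumed to follow CAR's process object, and the mapping to ATT&CK T1070.001 (Clear Windows Event Logs) is my own.

```python
# Added illustration (not the repository's own analytic): a CAR-style
# detection over process/create events for wevtutil log clearing.
# Field names assume CAR's "process" data-model object; events are constructed.
EVENTS = [
    {"object": "process", "action": "create", "hostname": "ws01",
     "exe": "wevtutil.exe", "parent_exe": "cmd.exe",
     "command_line": "wevtutil cl Security"},
    {"object": "process", "action": "create", "hostname": "ws01",
     "exe": "wevtutil.exe", "parent_exe": "powershell.exe",
     "command_line": "wevtutil.exe clear-log System /bu:C:\\temp\\sys.evtx"},
    {"object": "process", "action": "create", "hostname": "ws02",
     "exe": "wevtutil.exe", "parent_exe": "cmd.exe",
     "command_line": "wevtutil el"},                 # enumerate logs: benign
    {"object": "process", "action": "create", "hostname": "ws03",
     "exe": "notepad.exe", "parent_exe": "explorer.exe",
     "command_line": "notepad.exe cl.txt"},         # "cl" but not wevtutil
]

# wevtutil's syntax is: wevtutil COMMAND [ARGUMENT...] [/OPTION:VALUE...],
# so the verb is always the first token after the binary name.
CLEAR_VERBS = {"cl", "clear-log"}


def wevtutil_verb(command_line):
    """Return the wevtutil command verb, or '' if there is none."""
    tokens = command_line.split()
    return tokens[1].lower() if len(tokens) > 1 else ""


def detect_log_clearing(events):
    """Flag process/create events where wevtutil.exe runs with a clear verb."""
    hits = []
    for ev in events:
        if ev.get("object") != "process" or ev.get("action") != "create":
            continue                                # wrong data-model object
        if ev.get("exe", "").lower() != "wevtutil.exe":
            continue
        if wevtutil_verb(ev.get("command_line", "")) in CLEAR_VERBS:
            hits.append({"technique": "T1070.001",  # assumed ATT&CK mapping
                         "hostname": ev["hostname"],
                         "parent_exe": ev["parent_exe"],
                         "command_line": ev["command_line"]})
    return hits


if __name__ == "__main__":
    for hit in detect_log_clearing(EVENTS):
        print(hit)
```

Checking the verb position rather than substring-matching "cl" anywhere is what keeps the enumerate and notepad events out of the alert stream, the noise problem raised in the challenges section.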
Security teams need 360° visibility of threats. A good start toward increased visibility is building state-of-the-art defense mechanisms, which takes time. Open source tools and technologies like the CAR contributions are a good starting point for security teams to build robust, future-ready detection mechanisms. Get started with the CAR contributions from Cyware.