We use cookies to improve your experience. Do you accept?

Improve Detection Mechanisms by Leveraging Cyware’s MITRE CAR Contributions

Improve Detection Mechanisms by Leveraging Cyware’s MITRE CAR Contributions - Featured Image

Open Source Jul 23, 2021

Introduction to MITRE CAR

The MITRE Cyber Analytics Repository (CAR) project is a new initiative by MITRE that supports blue and purple security teams:

  1. Blue teams : It acts as a repository for all security hypotheses

  2. Purple teams : It enables them to try out the attacks mentioned in the repository

The value of MITRE CAR

In the current evolving threat landscape, security teams within organizations struggle to find detection mechanisms for the varying number of attacks they face. Threat actors trying to target organizations can choose from a large variety of attack vectors and exploits. A mere blocking of an indicator of compromise (IOC) doesn’t cut it anymore because of the level of intelligence on display by threat actors and their success in going undetected from security tools. Through this post, there are two questions we attempt to answer for growing security teams:

  1. How should a security team get started?

  2. How can security teams maximize ROI by triaging threats?

Even though threat actors can easily change their IOCs like IP addresses or file hashes, it becomes difficult for them to change their Tactics, Techniques, and Procedures (TTP), which unravel their attack methodology. Hence, the best way for an organization to defend against threat actors relevant to their operational space is to find which vulnerabilities they might exploit and then plug in detection mechanisms.

This is where the MITRE CAR project steps in. MITRE CAR is a knowledge base of analytics developed by researchers around the globe based on the MITRE ATT&CK adversary model. In terms of coverage, CAR focuses on providing a set of validated and well-explained hypotheses regarding their operating theory and rationale. It also contains detection mechanisms for various techniques used by adversaries, which are also mapped with their respective Tactic and Technique ID, making it easier for analysts to follow their implementations in phases.

Is it just another framework?

One of the main advantages of the MITRE CAR framework is that it is built on top of other widely used frameworks. This eases the process of adoption. CAR has various data models that are built by referencing the commonly logged parameters and tools.

What does the CAR framework offer to security teams?

  • Knowledge base of commonly used attacks

  • Coverage and priority details

  • One-stop shop for all detections mapped that makes it even more powerful

  • Supports SIGMA, which are interconvertible rules between SIEMs

  • Data models organize objects that may monitor a host-based or network-based perspective

How does an organization Implement it?

This is a very subjective question, but one of the best ways to implement this will be in phases. Then, one can implement detections with high coverages and those that are the most relevant to their organization based on their infrastructure. MITRE CAR also provides mapping with particular TTPs, so it helps an organization looking to defend or prioritize only specific types of attacks.

What is the ROI?

The best ROI is that security teams are no longer simply blocking IOCs in the organization but instead implementing a full-fledged detection process while being armed with a knowledge base for the respective courses of actions in case an incident occurs.

What initial challenges a security team may face?

One of the significant challenges that security teams fall into while adopting the CAR framework is they forget that there could be multiple CARs for a single TTP.

This leads to them getting a false sense of security that they are now all protected against the threat, even though they implemented only a subset of the rules. Another challenge that they might face includes not following the proper coverage and getting tonnes of alerts in a noisy environment, which could overwhelm the security teams.

Recent Cyware CAR contributions that security teams can use:

Cyware has recently started contributing towards the MITRE CAR framework by submitting various analytics repositories. Some of our recent contributions include:

  1. CAR-2019-07-002 Lsass Process Dump via Procdump

  2. CAR-2021-01-001 Identifying Internal hosts and services for lateral movement

  3. CAR-2021-01-002 Identifying possible malware activity via unusually long command line strings

  4. CAR-2021-01-003 Detecting windows log clearing with wevtutil

  5. CAR-2021-01-004 Unusual Child Process For Spoolsv.Exe Or Connhost.Exe

  6. CAR-2021-01-006 Unusual Child Process spawned using DDE exploit

  7. CAR-2021-01-007 Detecting Tampering of Windows Defender Command Prompt

  8. CAR-2021-01-008 Detect disabling of UAC via reg.exe

  9. CAR-2021-01-009 Detecting Shadow Copy Detection via vssadmin.exe

Takeaway

Security teams need 360° visibility of threats. A good start in increased visibility would be building state-of-the-art defense mechanisms. Building a strong defense mechanism within an organization takes time. Open source tools and technologies like the CAR contributions are a good starting point for security teams to build robust futuristic detection mechanisms. Get started with using the CAR contributions from Cyware.

Related Blogs

Join Cyware and Take a Break at Black Hat 2023 - Featured Image

Join Cyware and Take a Break at Black Hat 2023

We know how hectic Black Hat can be, so Cyware team is offering an oasis in the desert to let you relax, meet, have coffee or cocktails, and then have some fun!

Black Hat 2023black hatCyware
Cyware Raises $30 Million to Accelerate Expansion of AI-Powered Global Cyber Fusion and Threat Sharing Networks - Featured Image

Cyware Raises $30 Million to Accelerate Expansion of AI-Powered Global Cyber Fusion and Threat Sharing Networks

[Cyware](https://cyware.com/), the leading provider of **AI-powered Cyber Fusion** **platforms** for enterprises and MSSPs, and automated threat intelligence s

Series C FundingCyber Fusion CenterTen Eleven VenturesCyware
Cyware to Power Accenture’s Next-Generation Threat Intelligence Services - Featured Image

Cyware to Power Accenture’s Next-Generation Threat Intelligence Services

[Cyware](https://cyware.com/) has achieved another significant milestone, being selected to power the **Accenture Cyber Threat Intelligence (ACTI)** platform an

Threat Intelligence PlatformAccentureCyware
Cyware Joins the National Cybersecurity Alliance to Bolster Data Privacy Efforts - Featured Image

Cyware Joins the National Cybersecurity Alliance to Bolster Data Privacy Efforts

Cyware is proud to announce its participation as a Champion of [Data Privacy Week 2023](https://staysafeonline.org/programs/data-privacy-week/), an initiative

Data Privacy WeekNational Cybersecurity Alliance (NCA)Cyware
Streamlining MITRE CAR Operationalization with Security Orchestration - Featured Image

Streamlining MITRE CAR Operationalization with Security Orchestration

While threat actors are successfully making sophisticated intrusions with advanced attack vectors, security teams need to be quick on the uptake and take a proa

Use CaseSecurity OrchestrationMITRE Car
Cyware’s RFI Capability is Driving Enhanced Threat Intel Collaboration within Security Teams - Featured Image

Cyware’s RFI Capability is Driving Enhanced Threat Intel Collaboration within Security Teams

There’s always a need for more information, more so importantly in the security domain wherein cybersecurity teams are always on their feet in search of [action

request for informationCywareRFI
Enhance Cross-Community Collective Defense with Cyware’s Automated Threat Sharing - Featured Image

Enhance Cross-Community Collective Defense with Cyware’s Automated Threat Sharing

[Cyware Situational Awareness Platform (CSAP)](https://cyware.com/cyber-security-situational-awareness-platform-csap) v3.2 now enables smarter and faster sharin

Threat Information SharingCollective DefenseCyware
21 Amazing Things That Happened at Cyware in 2021 - Featured Image

21 Amazing Things That Happened at Cyware in 2021

Cyware has experienced tremendous business growth in 2021, and there are a number of people who contributed to our success story. From functional leaders to emp

Threat intelligenceCollective DefenseCywareSituational Awareness
Don’t Let Data or Team Silos Slow Down Your Threat Response - Featured Image

Don’t Let Data or Team Silos Slow Down Your Threat Response

**Author:**[**Thomas Bain (VP of Marketing, Cyware)**](https://www.linkedin.com/in/thomasbain/) What’s the point of information if you can’t use it to get

ForresterCywareSOAR
Fact or Fiction: SOAR Can Reduce SOC Alerts by 95% - Featured Image

Fact or Fiction: SOAR Can Reduce SOC Alerts by 95%

The cyber security threat landscape is often exposed to emerging technology being touted as a silver bullet that can stop new and evolving threats dead in their

CFTRCSOLCywareSOAR
Global Resilience Federation Leverages Cyware to Transform Threat Intelligence Sharing into a Collective Defense Model - Featured Image

Global Resilience Federation Leverages Cyware to Transform Threat Intelligence Sharing into a Collective Defense Model

**NEW YORK** \--([BUSINESS WIRE](https://www.businesswire.com/))--[Cyware](https://cts.businesswire.com/ct/CT?id=smartlink&url=http%3A%2F%2Fwww.cyware.com%2F&es

Global Resilience FederationThreat Intelligence SharingCyware
Cyware and Ivanti Announce Global Partnership to Scale the Fusion of IT Ops and SecOps - Featured Image

Cyware and Ivanti Announce Global Partnership to Scale the Fusion of IT Ops and SecOps

**NEW YORK & SALT LAKE CITY**\--([BUSINESS WIRE](https://www.businesswire.com/))-- [Cyware](https://cts.businesswire.com/ct/CT?id=smartlink&url=https%3A%2F%2Fcy

CywareIvanti