We use cookies to improve your experience. Do you accept?

Skip to main content

Streamlining MITRE CAR Operationalization with Security Orchestration

Streamlining MITRE CAR Operationalization with Security Orchestration - Featured Image

Use Case Sep 21, 2022

While threat actors are successfully making sophisticated intrusions with advanced attack vectors, security teams need to be quick on the uptake and take a proactive approach. This must monitor malicious activities and develop strategies to defend against threats. They need to be adept at cutting-edge technologies, such as cyber analytics, to identify and mitigate threats in real time.

To assist organizations worldwide in combating the rising volume of cyberattacks, MITRE created the Cyber Analytics Repository (CAR), a knowledge base of analytics. Based on the MITRE ATT&CK adversary model, CAR is machine-readable and contains actionable implementations, which make adding detections to an existing security stack easy, while maintaining inter-organization shareability.

MITRE CAR today stands as one of the leading projects, driven by the community to assist defenders in cross-collaboration of information against threats. All the CAR submissions follow MITRE’s data model to ensure detections have a semblance of uniformity and maintain unique detections for use cases across the ATT&CK adversary framework.

MITRE CAR detections empower organizations to effectively harness the power of the community by using community-contributed detections, thus, reusing the generated intel rather than reinventing the wheel for detections. This saves time, prevents analyst burnout, and keeps the detection stack up to date.

In this blog, Cyware explains how it can orchestrate MITRE CAR operationalization by building a self-sustaining workflow, which is capable of detecting new CAR contributions, implementing delta CAR detections, maintaining communication of updated detections across security functions, and testing implemented defenses.

Why MITRE CAR?

Attackers are rapidly developing novel techniques to automate a large part of attacks by reusing existing attack patterns against organizations. As a comeback, organizations are relying on security collaboration, allowing analysts across organizations to share attack detections with each other to collectively respond to and mitigate the attacks.

In this scenario where defenders share attack detections, MITRE CAR offers a common structure, enabling defenders across enterprises to share detections and allowing other defenders to reuse detections, thereby, reducing their Mean Time To Detect (MTTD) and Mean Time To Response (MTTR) to attacks.

In addition, CAR’s mapping with MITRE’s ATT&CK model gives enterprises a deeper understanding of their security landscape, helping them identify the attacks for which they have detections in place and the ones that need to be defended against.

Using this open-source repository of detections, organizations can not only implement detections quickly, but can also share new detections with their communities, enabling other organizations to have a more diverse set of attack detections.

Fig: A sample CAR

Why Orchestrate CAR Operationalization?

Orchestrating MITRE CAR facilitates a more streamlined flow, enabling security analysts to make use of security orchestration to automatically detect new CAR, begin initial implementation, and run simulations to test the implementations.

Ideally, this requires manual efforts, but by orchestrating this implementation, analysts can receive timely notifications of new detections, thus saving time to focus on other critical processes that demand human intervention.

Over the last couple of years, Cyware has contributed various detections to CAR, including:

How Cyware Orchestrates MITRE CAR Operationalization?

This orchestration is executed on a cron. Once configured, the Cyware Orchestrate playbook monitors for new CARs and implements them as they are detected. Cyware Orchestrate performs MITRE CAR operationalization in three steps:

Defining the workflow

The Cyware Orchestrate playbook detects new CAR submissions with the help of Cyware Orchestrate’s Persistent List feature. Once the CAR submission is polled for the day, the current CAR is compared with a pre-configured Persistent List.

Implementing the workflow

Any submissions present in the poll response, but missing in the pre-configured Persistent List are extracted. These are considered to be new submissions and are used for further courses of action. Subsequently, after taking action, the Persistent List is refreshed to ensure that the next poll stays up-to-date.

Once the new CARs are detected, action is taken on this new CAR by first downloading the analytics, converting it into a JSON format, and parsing it through MITRE’s CAR model to extract key pieces of information such as CAR ID, title, description, implementations, corresponding MITRE ATT&CK techniques, and unit tests.

Simulating the workflow

Post extraction, this information is reformatted and the new analytics and implementation details are sent to key stakeholders via email. Simultaneously, Cyware Orchestrate checks if the implementations fit the security landscape and proceeds to implement the detections in the environment.

Once the detections are successfully implemented in Cyware’s security stack, all the unit tests present in the CAR on previously configured victim machines are run to generate logs, which can be further used to test the implementation.

Fig: Playbook Overview

Fig: CAR Playbook

Benefits of Using and Orchestrating CAR for SecOps

Using and orchestrating MITRE CAR has four major benefits for a SecOps team:

  • Full Automation: By automating CAR implementation, the end-to-end workflow is handled by an automated playbook, allowing faster implementation times and a more robust function - ensuring continuous monitoring.

  • Improved Security Collaboration: The entire CAR project is fundamentally community-driven. Whenever new attack patterns are discovered, the community comes together to defend against them.

  • Better Visibility: As CAR is mapped to MITRE ATT&CK, security teams gain 360-degree visibility into the attacks for which they are better equipped to handle.

  • Reduced Burnout: As automation becomes more progressive in a SecOps environment, analysts have reduced workloads. The automation of repeatable tasks allows analysts to better spend time on the areas required, hence, reducing burnout.

To learn more about Cyware Orchestrate’s MITRE CAR Operationalization, schedule a free demo.

References

Cyware Orchestrate

MITRE CAR

Detecting Shadow Copy Deletion or Resize

Disable UAC

Detecting Tampering of Windows Defender Command Prompt

Unusual Child Process spawned using DDE exploit

Unusual Child Process for Spoolsv.Exe or Connhost.Exe

Clearing Windows Logs with Wevtutil

Unusually Long Command Line Strings

Identifying Port Scanning Activity

Lsass Process Dump via Procdump

MITRE ATT&CK

Related Blogs