MITRE's ATT&CK Framework has quickly become an industry standard for approaching several aspects of security. With ATT&CKCON2 in the rearview mirror, MITRE and the ATT&CK community are giving enterprise defenders another leap forward for the framework. Today I'm going to dive a bit into how ATT&CK can be built into an environment that uses IncMan as an analyst workspace and as its Security Orchestration, Automation and Response (SOAR) platform for the Future SOC.

What is an ATT&CK Model?

First up, a quick summary of ATT&CK. The ATT&CK model is by design aimed at the most valuable indicators of compromise attackers leave behind: Tactics, Techniques, and Procedures (TTPs). TTPs, like the behaviors they describe, are complex, qualitatively defined indicators. ATT&CK provides a matrix mapping Techniques to Tactics. An evolution of the kill-chain idea, each technique, such as "SSH Hijacking", is mapped to its respective tactic; in this case that would be "Lateral Movement." Each technique-to-tactic mapping carries a wealth of information provided by MITRE and the community, including response strategies and mappings of which threat actors use each technique and how. Below is a snippet of one of the many ways to view and interact with the matrix.

Introduction to MITRE ATT&CK with SOAR: IncMan and RecordedFuture Intelligence

Fortunately for me, the framework maps well to how IncMan organizes SOAR data.

The Scheduled Upload runbook below is set up to respond to a SIEM-style alert that indicates behavior resembling scheduled uploading for exfiltration purposes, a widely known Technique and Tactic pair used by APTs as described by ATT&CK. The runbook enriches the alert by gathering and linking RecordedFuture Intel cards based on the contents of the alert. When a Procedure is known, such as the use of Machete, the matrix is used to search RF for cards on Machete, the software, and El Machete, the APT group that uses it. If the procedure is unknown, the matrix is used to gather cards on all procedures, and their respective known associated groups, related to the Tactic:Technique pair, i.e., Tactic:Technique[Procedure:[Group]] for us nerds.
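As an added illustration of the branching logic just described (example code written for this post, not IncMan's or Recorded Future's own), the function below takes an alert already mapped to a Tactic:Technique pair and produces the Intel card lookups and ticket tags the runbook would need. The matrix slice, the alert field names and the query entity types ("malware", "threat_actor") are constructed assumptions.

```python
# Added example, not IncMan or Recorded Future code: turn an ATT&CK-mapped alert
# into enrichment queries and ticket tags, narrowing on a known procedure and
# widening to every procedure/group for the pair when it is unknown.
from dataclasses import dataclass, field

# Constructed slice of Tactic:Technique[Procedure:[Group]]. Only the
# Exfiltration / Scheduled Transfer pair from the post is modelled here.
MATRIX = {
    ("Exfiltration", "Scheduled Transfer"): {
        "Machete": ["El Machete"],  # software and the group known to use it
        "ConstructedTool": ["ConstructedGroupA", "ConstructedGroupB"],
    },
}

@dataclass
class EnrichmentPlan:
    tags: list = field(default_factory=list)     # tags to apply to the ticket
    queries: list = field(default_factory=list)  # (entity_type, name) lookups

def plan_enrichment(alert: dict, matrix=MATRIX) -> EnrichmentPlan:
    """Build Intel card lookups and ticket tags from an alert's ATT&CK fields.

    alert carries 'tactic', 'technique' and optionally 'procedure'. A known
    procedure limits the search to that software and its groups; a missing or
    unrecognised one falls back to everything tied to the Tactic:Technique pair.
    """
    pair = (alert["tactic"], alert["technique"])
    procedures = matrix.get(pair)
    if procedures is None:
        raise KeyError(f"Tactic:Technique pair not in the enterprise matrix: {pair}")
    plan = EnrichmentPlan(tags=[f"tactic:{pair[0]}", f"technique:{pair[1]}"])
    procedure = alert.get("procedure")
    if procedure in procedures:
        selected = {procedure: procedures[procedure]}
    else:
        # Unknown procedure: go breadth-first over the whole pair.
        selected = procedures
        plan.tags.append("procedure:unknown")
    for software, groups in selected.items():
        plan.tags.append(f"procedure:{software}")
        plan.queries.append(("malware", software))
        for group in groups:
            plan.tags.append(f"group:{group}")
            plan.queries.append(("threat_actor", group))
    # De-duplicate while keeping order so a ticket is never tagged twice.
    plan.tags = list(dict.fromkeys(plan.tags))
    plan.queries = list(dict.fromkeys(plan.queries))
    return plan
```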

When this runbook finishes, an analyst can be notified of either a Triage event or an Incident. In either of these views, the RF cards and data are easily accessible. The next step is the one we've all been trying to spend our time on: actual analysis of intelligence. With fields and tags populated to map the alert to the ATT&CK matrix, an analyst can read deeply, search more broadly, and use the matrix, the SIEM, and all the other tools at IncMan's disposal.

I've created an incident below as a quick look at how these details can be displayed. With IncMan SOAR, investigative tickets can be tagged, searched, and filtered by multiple tags. This allows your threat hunters to take a deep dive into the investigative activity of old events once they have discovered anomalous behavior within a Threat Intel Platform, or when IncMan is alerted by said TIP.

Following guidelines offered by MITRE to assist in paring down, or building out, your enterprise’s matrix will help tie your alerts to real activity in terms that can be acted on by your cyber defenders and shared in a language that can help all defenders and responders become more adept.

In future posts I plan to expand these steps further into the Investigation phase of incident response, using the matrix to go breadth-first and tying together the Tactic uses surfaced by the additional enrichments IncMan SOAR engages.
