MB Secure

View Original

DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™

A month ago Ruben and I released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank, and built atop of MITRE ATT&CK. DeTT&CT stands for: DEtect Tactics, Techniques & Combat Threats. Today we released version 1.1, which contains multiple improvements: changelog. Most changes are related to additional functionality to allow more detailed administration of your visibility and detection.

By creating DeTT&CT we aim to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. All of which can help, in different ways, to get more resilient against attacks targeting your organisation.

In this blog we start off with an introduction on ATT&CK and continue with how DeTT&CT can be used within your organisation. Detailed information about DeTT&CT and how it can be used, is documented on the GitHub Wiki pages. Therefore, the explanation we give in this blog will be high-level.

ATT&CK

Wikipedia on cyber attacks

ATT&CK can be translated loosely to the Wikipedia on cyber attackers with a focus on TTPs (Tactics, Techniques and Procedures) and thereby the top of the Pyramid of Pain.

TTPs can in turn be translated to attacker behaviours. Meaning: what does an attacker do to achieve its goal (e.g. steal money or intellectual property). In more detail TTPs can be explained the following way (an even more in-depth explanations on TTPs can be found here).

  • Tactics: the adversary’s technical goals.

  • Techniques: how the goals are achieved.

  • Procedures: specific technique implementation.

ATT&CK Matrix

The ATT&CK Matrix visually describes the current 12 tactics and 244 enterprise techniques. On top of the matrix we can visualise TTPs in the following way:

Source: SANS CTI Summit 2019 - ATT&CK Your CTI w/ Lessons Learned from 4 Years in the Trenches

The order of tactics within ATT&CK are logically arranged within multiple matrices (for Windows, Linux, MacOS and mobile) and start with the tactic “Initial Access”. For example: sending a spear phishing email containing a malicious attachment is a technique within this tactic. Every technique within ATT&CK has a unique ID, such as T1193 for this particular one. The next tactic in the matrix is “Execution”. Within this tactic there is, for example, the technique “User Execution/T1204”. This technique describes the execution of malicious code achieved during a specific action performed by a user. This could play a role with T1193 when opening the malicious attachment that is sent through spear phishing. Later on in the matrix you will encounter tactics like “Privilege Escalation”, “Lateral Movement” and “Exfiltration”.

MITRE provides an interactive editor to browse the ATT&CK Matrix called the ATT&CK Navigator. In this tool you can visualize techniques in multiple ways. DeTT&CT uses this for creating its visualisations.

Relationship of entities within in ATT&CK

Besides information on TTPs ATT&CK also has valuable information on groups (threat actors), software (used by groups) and data log sources (visibility required for detection). The relationship between these types of information can be visualised as shown in the diagram.

DeTT&CT

You can map the information you have within your organisation on the entities available in ATT&CK. DeTT&CT delivers a framework which does exactly that and it will help you to administrate your blue team's data sources, visibility and detection. It will also provide you with means to administrate threat intelligence that you get from your own intelligence team or third-party provider. This can then also be compared to your current detection or visibility coverage.

We will now take a closer look at DeTT&CT. Detailed information on DeTT&CT and how it can be used are documented on the GitHub Wiki pages.

Data Sources

For blue teams it is crucial to know what data log sources you have, what the quality is and if it can be used to perform data analytics. Having that, you are able to know if you can find certain attacker behaviours (which make themselves visible in one or more log sources) or if you can build new detections.

One of the first steps in using DeTT&CT is making an inventory of your data sources. ATT&CK has defined around 50 different types of data sources, which we included in this framework. For every data source you can administrate several aspects, such as data quality for which we provide a scoring table.

This administration of data sources is stored in a dedicated data source YAML file. (YAML is a human readable data serialisation language. Its footprint is smaller than XML and more readable compared to JSON).

Visibility

Once you know where you lack visibility, you can start making improvements, and enhance your detection and incident response.

For every technique ATT&CK has listed which data source you will need to have for detection. While using ATT&CK quite extensively we noted that this listing of data sources is not always complete. However, it will provide you with a very good starting point.

Once you have administrated the information on your data sources, you can start doing something interesting with the data sources defined and scored in the data source administration file. Data sources can be mapped to ATT&CK techniques to visualise your potential visibility coverage, using MITRE's ATT&CK Navigator as shown below. Please note that this gives you a rough overview on your visibility coverage. For multiple reasons manual scoring of your visibility is still required (more on that on the Wiki). Visibility scores are administrated within a technique administration YAML file for which DeTT&CT also provides a visibility scoring table.

Use DeTT&CT in the way it works best for you. Scoring every single technique for visibility within the ATT&CK Matrix is a lot of work. You therefore may only score what you know at that time and what you want to communicate to others or want to verify/compare.

Example heat map showing a rough overview on your visibility coverage based on number of data sources.

Detection

Detection can also be scored and hence visualised on top of the ATT&CK Matrix, in a similar way as can be done for visibility. Administrating and scoring detection is a manual exercise. This administration is kept within the same YAML file as used for visibility.

Example heat map showing detections scores.

Groups

Knowing what ATT&CK techniques are used among threat actors is of big value for blue teams. It allows you to prioritise your blue team’s cyber defence efforts. The group functionality of DeTT&CT allows you to:

  • Get an overall heat map based on all threat actor group data present in ATT&CK. Please note that like all data there is bias. As very well explained by MITRE: Building an ATT&CK Sightings Ecosystem.

  • Create heat maps based on a subset of groups present in the ATT&CK data of MITRE.

  • Create heat maps based on intelligence you get from your own intelligence team or based on techniques that have been performed in red team exercises. This information is stored in a groups administration YAML file.

  • Compare techniques used by threat actors with your level of detection or visibility to uncover possible gaps and improvements.

  • Compare threat actor groups.

  • Visualise the potential capabilities of a threat actor based on the software they use.

The example below shows a heat map based on all threat actor data within ATT&CK. The darker the colour in the heat map, the more often the technique is being used among groups:

Identify gaps and prioritise

When you have a good understanding of your visibility, detection coverage and which ATT&CK techniques are relevant for your organisation (based on threat intelligence), you can start to identify gaps and improvements to prioritise your blue team’s defence efforts.

For example, your internal threat intelligence team provides you with intelligence that tells you that a certain set of ATT&CK techniques are relevant for your organisation. You store those techniques within a groups administration YAML file. DeTT&CT allows you to visually compare this with your current state of detection to identify possible gaps or improvements on ATT&CK techniques. You can also compare this with your level of visibility. This may tell you that your current level of visibility is insufficient to detect a particular technique. Upon which you can then act to improve.

Example visualisation in which a threat actor group/red team exercise is compared to your detections.

We have discussed the most important parts of DeTT&CT and we encourage you to take a deep dive into our Github and Wiki pages. Creating DeTT&CT helped Rabobank to administrate and visualise the current state of the blue team’s cyber defences. We hope that releasing DeTT&CT will also help others in cyber defence. We welcome contributions! Contributions can be in code, as well as in ideas you might have for further development, usability improvements, etc. Please feel free to contact us via Twitter. DMs are open.