If you are reading this blog post via a 3rd party source it is very likely that many parts of it will not render correctly. Please view the post on signalscorps.com for the full interactive viewing experience.
In this post I will show you how to systematically improve up your defenses using the MITRE ATT&CK Navigator.
Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022-04-24) and Navigator v3.6.3 (released on 2022-05-13). Some of the concepts discussed are not correct for different versions.
A few weeks ago I talked about modelling intelligence reports using the ATT&CK Navigator.
One of the largest reasons for collecting intelligence is to ensure you are defending against it.
In this post I want to show you how intelligence can be used to improve your defensive security posture with the help of the MITRE ATT&CK Navigator.
ATT&CK Data Sources
As covered earlier in this series of tutorial, the ATT&CK data model contains the following Object types;
Data Sources (
x-mitre-data-source): Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Tracked using ID in format: DSNNNN (e.g. DS0029 - Network Traffic)
Data Component (
x-mitre-data-component): Data components are children of Data Sources. Data Components identify specific properties/values of a data source relevant to detecting a given ATT&CK technique or sub-technique. For example, Network Traffic is the Data Source and Remote Services is one of the Data Components linked to it.
Each Data Component Object has a Relationship to one or more Technique.
For example the Data Source DS0026: Active Directory has a Data component Active Directory Credential Request which is linked to the following Techniques;
This is very useful information to have.
If an organisation is using Active Directory, it is very likely their SIEM is ingesting Active Directory logs for detection.
Assuming the logs cover Active Directory Credential Requests, with the right detection rules, the organisation would be able to detect the Techniques shown above.
To better document this coverage of Data Sources flowing into the SIEM, the Organisation could create a new layer covering all the Techniques associated to the Data Sources being monitored.
To create a new layer for Techniques associated with Data Sources; search for the Data Source, find the correct Data Source(s), and click select.
Mapping Intelligence Reports to Data Sources being monitored
Continuing with the example, now imagine the organisation is analysing APT 39 and wants to ensure they are prepared.
Above, I’ve overlaid a layer containing APT 39 Techniques against the Techniques linked to Data Source being monitored by the organisation.
As you can see in the legend:
- green: represents Techniques related to Data Sources being monitored and leveraged by APT 39
- red: represents Techniques being leveraged by APT 39 but not Techniques related to Data Sources being monitored, and finally,
- orange: represents Techniques related to Data Sources being monitored but not leveraged by APT 39.
In short, the Techniques in red indicate those used by APT 39 the organisation will not be able to detect.
Here is the layer json file shown in the screenshot above.
Of course, the ability to detect the Techniques depends on whether the right detection rules are in place for the specific way the threat is exploiting the Technique (more on that in a bit).
However, before I get into that, let us take a Technique in red (related to Data Sources that I am not monitoring) and see what Data Sources are linked to it (so that the organisation can start ingesting them, should they be relevant to their network);
To uncover the Data Sources where there are blindspots, right click on the Techniques in red, and select view Technique.
This opens up the MITRE ATT&CK website on the Technique where the associated Data Sources are listed.
Take for example the Technique T1078: Valid Accounts highlighted in red. One of the related Data Sources is DS0028: Logon Session.
Therefore, it is important the organisation considers monitoring logs that contain Logon Sessions. In some cases, the Data Sources might not always be applicable, for example, if you are not using Active Directory (in which case cannot be exploited).
Detection Coverage in ATT&CK Navigator
Once you are collecting the necessary Data Sources to detect an attack, the next step is to ensure that detection rules exist for the Techniques.
In a similar way to before, this is just a process of taking a live detection rule, mapping it the relevant ATT&CK Techniques, and then modelling these on the ATT&CK Navigator.
Take this Sigma rule:
title: User Added to an Administrator's Azure AD Role
description: User Added to an Administrator's Azure AD Role
date: 2021/10/04
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
logsource:
product: azure
service: activitylogs
detection:
selection:
Operation: 'Add member to role.'
Workload: 'AzureActiveDirectory'
ModifiedProperties{}.NewValue|endswith:
- 'Admins'
- 'Administrator'
condition: selection
falsepositives:
- PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
status: experimental
tags:
- attack.persistence
- attack.t1098.003
It monitors azure activitylogs for Add member to role. operations, where the properties are upgraded to Administrator or Admins.
In the tags section of the rule the associated ATT&CK Tactic is TA003: Persistence and Techniques:
In this case, the rule covers one ATT&CK Technique.
Adding ATT&CK data to your rules makes it easy to create layers for each of them in the Navigator.
The logsource part of the detection rule can also be directly tied to ATT&CK Data Source Objects which helps to perform the initial task of linking ATT&CK Techniques to a rule.
In this example the relevant Data Source is DS0026: Active Directory > Active Directory Object Modification (which is linked to T1098: Account Manipulation).
The layers for each rule can then be combined into a single layer displaying a complete picture of your defensive posture.
To help me keep track of all the rules I have added, I make sure the rule ID is added to each layer (under layer metadata fields).
And by associating ATT&CK Techniques to detection rules, you can also take advantage of ATT&CK Mitigations:
Course of Action (
course-of-action): represent ATT&CK Mitigations. Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
Mitigations provide defenders with ways in which they can take action during an incident when a detection rule linked to an associate Technique is triggered.
For example, if I right click the Sub-Technique T1098.003: Additional Cloud Roles I can see that is has the following ATT&CK Mitigations:
In this case M1026: Privileged Account Management is most relevant to the detection.
Assuming this rule was triggered I could use some of this information to help with remediation and improving defenses.
Automated ATT&CK classification
In the last two posts I have shown manual examples of classifying intelligence against ATT&CK Objects.
Threat Report ATT&CK Mapping (TRAM) is a tool from MITRE that automates the mapping of cyber threat intelligence reports to ATT&CK. I will cover TRAM in detail for the next post.
ATT&CK Certification (Virtual and In Person)
The content used in this post is a small subset of our full training material used in our ATT&CK training.
If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.
Discuss this post
Never miss an update
Sign up to receive new articles in your inbox as they published.