Enterprises are armed with many cybersecurity weapons to fight system intrusions. Tools like EDR, NDR, NIDS, and SIEM are widely deployed. They continuously record system activities and generate alerts for security analysts to react to. Those tools are critical for enterprise security.
However, several challenges undermine their usefulness in practice. We often hear of a “threat alert fatigue” problem, a phenomenon in which security analysts receive so many alerts each day that they become unable to hunt down contextual information and supporting evidence for each alert. True threat alerts often get lost in the large volume of noisy false alarms.
There are many reasons for the threat alert fatigue problem; however, the two main causes are:
1. Cybersecurity tools in general are prone to high volumes of false alarms. Detecting a true attack becomes a problem of looking for a “needle in a haystack.” Today’s systems employ a wide range of IOCs (indicators of compromise) that capture isolated indicators such as malware signatures, abnormal traffic, or blacklisted IPs and domains. The indicators are merely pieces of evidence observed on a network or system that indicate some level of intrusion has happened. They are isolated, lack contextual information, and often have many false positives.
2. Insufficient attack event correlation is another main cause of the lack of timely detection and response. Today’s system intrusions are more subtle and sophisticated. They often involve multi-stage adversary actions and long dwell time within the enterprise network. Reconstructing a true attack sequence therefore requires temporal correlation (ordering events across time) and spatial correlation (linking events across hosts and network segments). However, without the right level of abstraction, there are huge semantic gaps between system-level event logs and high-level attack behaviors. Observations at the system level can hardly be stitched together to form a whole picture of the attacker’s goal and steps of action.
So what solutions are out there that can make a security analyst’s life easier? To better protect the network, these defenders need to learn from their opponents: What do adversaries want to achieve? What are the approaches they use to achieve their goals? To find the “needle in a haystack,” defenders need a high-level big picture to connect the dots. Getting a holistic view of a given attack requires a paradigm shift from IOC-based detection to a more TTP-based methodology of threat hunting and forensics.
What are TTPs and the MITRE ATT&CK Framework?
TTP stands for tactics, techniques and procedures, which together describe an adversary operation. Tactics explain “what” an attacker is trying to accomplish, while techniques and procedures represent “how” an adversary achieves these tactical objectives, such as escalating privilege or exfiltrating files. Using TTPs enables security analysts to look for attack patterns rather than for isolated indicators left behind after an attack.
MITRE ATT&CK maps TTPs used by adversaries by cataloging thousands of attacks to a common framework. It provides a common categorization and curated knowledge. The framework can help to design threat hunting tools and detection methods to identify specific tactics and techniques.
The MITRE ATT&CK Matrix visualizes all known TTPs in an easy-to-understand matrix format. Tactics are listed across the top, with individual techniques listed down each column. Tactics are presented from left to right in the order of an attack sequence. Some techniques are broken down into sub-techniques that are described in more detail.
Multiple techniques can be used for one adversary tactic. For example, an attacker might try both an attachment (T1566.001) and a link (T1566.002), two sub-techniques of Phishing, to achieve the Initial Access tactic. Also, some techniques are cataloged under multiple tactics since they can be used for different goals.
Using MITRE ATT&CK to Understand Threat Alerts
TTPs in ATT&CK are a valuable tool for security analysts because they illustrate how an attack happens. However, since the framework is designed for recall, the TTP alone cannot tell you whether actions are related to malicious activity or a normal business operation.
For example, a remote access tool (RAT) “3PARA RAT” has the following behaviors:
- It uses HTTP for command and control (T1071.001 Application Layer Protocol: Web Protocols).
- Its command-and-control commands are encrypted (T1573.001 Encrypted Channel: Symmetric Cryptography) within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of certain strings.
- It has a command to retrieve metadata for files on disk as well as a command to list the current working directory (T1083 File and Directory Discovery).
- It has a command to set certain attributes such as creating/modification timestamps on files (T1070.006 Indicator Removal on Host: Timestomp).
Taken individually, most of these activities are normal in an enterprise’s network and systems; taken together on the same host within a short time span, however, they can indicate a serious network threat. Thus, TTPs are far better than IOCs at identifying threats.
Nevertheless, this in itself does not overcome the fatigue problem with false threat alarms. Security administrators still need to adopt TTP-based behavioral analytics and correlation to vanquish alarm exhaustion. The TTP specification defined in MITRE ATT&CK is a valuable ally in tagging anomalies and correlating timeline events to hunt threats.
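The temporal and spatial correlation described above, applied to the 3PARA RAT behavior profile, as an added example that is not part of the original post. It assumes upstream tooling has already tagged each alert with an ATT&CK technique ID; the alert records, host names and 30-minute window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Behavior profile of 3PARA RAT, using the four technique IDs listed in the text.
RAT_PROFILE = {"T1071.001", "T1573.001", "T1083", "T1070.006"}

# Constructed sample alerts (timestamp, host, technique ID); not real telemetry.
SAMPLE_ALERTS = [
    ("2024-03-01T09:00:00", "ws-17", "T1071.001"),  # web C2 traffic
    ("2024-03-01T09:02:00", "ws-17", "T1573.001"),  # encrypted channel
    ("2024-03-01T09:05:00", "ws-17", "T1083"),      # file/directory discovery
    ("2024-03-01T09:07:00", "ws-17", "T1070.006"),  # timestomp
    ("2024-03-01T10:00:00", "ws-22", "T1083"),      # a lone directory listing
    ("2024-03-01T15:30:00", "ws-22", "T1071.001"),  # hours later: outside window
    ("2024-03-02T11:00:00", "ws-09", "T1071.001"),
    ("2024-03-02T11:01:00", "ws-09", "T1083"),      # only two techniques
]


def correlate(alerts, profile, window=timedelta(minutes=30), min_hits=3):
    """Spatial correlation: group alerts by host.
    Temporal correlation: slide a window over each host's timeline and keep
    the largest set of distinct profile techniques seen inside one window.
    Returns {host: techniques} for hosts reaching min_hits distinct techniques."""
    by_host = defaultdict(list)
    for ts, host, tech in alerts:
        if tech in profile:  # ignore alerts unrelated to this profile
            by_host[host].append((datetime.fromisoformat(ts), tech))

    findings = {}
    for host, events in by_host.items():
        events.sort()  # chronological order
        best = set()
        for i, (start, _) in enumerate(events):
            in_window = {t for ts, t in events[i:] if ts - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_hits:
            findings[host] = best
    return findings


if __name__ == "__main__":
    for host, techs in correlate(SAMPLE_ALERTS, RAT_PROFILE).items():
        print(f"{host}: {len(techs)}/{len(RAT_PROFILE)} profile techniques -> {sorted(techs)}")
```

Only ws-17 is reported: each of its four alerts would be noise in isolation, while ws-22 and ws-09 never accumulate enough distinct techniques inside one window.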
In this post, we have talked about how changing from IOC-based threat detection to TTP-based behavioral methods can help increase threat hunting efficacy. In the next part of this series, we will talk about how to use behavior analytics to distinguish between normal operation and real network threats.