Using ATT&CK to Advance Cyber Threat Intelligence – Part 1
May 24, 2018
As ATT&CK continues to grow and change, we’re excited to bring you a blog series to help you better understand ATT&CK and how to use it. In this post, we want to highlight an area where we think ATT&CK can have a significant impact: cyber threat intelligence. This post outlines how ATT&CK can help analysts improve how we perform cyber threat intelligence.
A Traditional Cyber Threat Intelligence Approach
Let's take a quick look at how analysts have traditionally approached cyber threat intelligence (CTI) before we delve into how ATT&CK can help them. For the purposes of this blog post, we define cyber threat intelligence as the process of analyzing information about adversaries, as well as the output of that analysis, in a way that can be applied to help network defenders and decision-makers. Cyber threat intelligence has made significant advancements over the past few years and is coming into its own as a discipline.
Much of an average cyber threat analyst's day focuses on reading: they read vendor reports, Tweets, internal analyses, academic papers, news stories and other sources. When they find information that is relevant to their requirements, they may store it in a database for future use as well as add the information to their "mental database." After processing and analyzing that information, cyber threat analysts then write reports for their consumers. These reports may be about a specific threat group, a vulnerability being exploited in the wild, or a recent trend in an attack vector.
In addition to reading and writing, cyber threat analysts often spend much of their day dealing with the other part of cyber threat intelligence: indicators. Organizations use indicators of malicious activity, such as IP addresses, domains, email addresses, and SSL/TLS certificates, for alerting and hunting in support of network defense.
Challenges with the Traditional CTI Approach
Despite advancements in cyber threat intelligence, some key issues continue to plague analysts. Written reports will always have a role in CTI, but we should recognize their limitations and consider adding other analysis methods to address those limitations. Consumers may not have the time or interest to read reports, and network defenders may find it difficult to parse through them to apply relevant information to improve security. The sheer volume of reporting and new threat groups threatens to drown overwhelmed analysts. It takes analysts years to build up expertise on a threat group, and new analysts may find it difficult to quickly get up to speed.
Indicators also have the potential to cause analysts significant frustration. If indicators are embedded in prose reports, analysts must manually copy them, a monotonous process that can consume most of their day. Indicator vetting can be a time-consuming process, and if it is not done well, indicators could slip through that cause significant false positives for defenders and impact operations.
Indicators can be useful for network defenders when implemented in the right way, such as to identify historic activity. Indicator extraction tools and machine-to-machine sharing through structured languages like STIX can help remove the need for manual analyst processing. Still, though they can be useful, indicators are not sufficient as the only way to identify and track adversaries.
As popularized by David Bianco's Pyramid of Pain, adversaries can easily change hash values, IP addresses, domains, and other indicators produced by their activities. This means that these indicator types are only useful to detect adversaries for a fleeting time. The Pyramid of Pain encourages us to focus on actor tactics, techniques, and procedures (TTPs), which cause the most pain (or hassle) for an adversary to change. While the community largely accepts that we need to move to TTPs, analysts struggle with how to track them in a way that facilitates actionable detection and mitigation.
How ATT&CK Can Help
ATT&CK gives us a structured way to describe adversary TTPs and behavior. This structure allows us to compare adversary groups to themselves, to other groups, and to defenses in a way that addresses some of the challenges discussed earlier. Analysts and defenders can both structure their information using ATT&CK: analysts can structure intelligence about adversary behavior, and defenders can structure information about what behavior they can detect and mitigate. By overlaying information from two or more groups, they can create a threat-based awareness of what gaps they have that analysts know adversaries are exploiting. This concept applies to all flavors of ATT&CK, including Enterprise ATT&CK, PRE-ATT&CK, and Mobile ATT&CK. In addition to helping analysts, performing this type of analysis also improves the actionability of CTI for decision-makers.
Let's see how this could work in practice by visualizing the reporting on our ATT&CK website using the ATT&CK Navigator. The graphic below compares techniques used by APT3 and APT29, including the techniques from the software they use. The techniques used only by APT3 are highlighted in blue; the ones used only by APT29 are highlighted in yellow, and the ones used by both APT3 and APT29 are color-coded in green. If APT3 and APT29 were two groups an organization considered to be high threats, the techniques in green may be the highest priority to determine how to mitigate and detect.
Next, if your defenders populate an ATT&CK matrix with the techniques you can detect, you can overlay that onto the matrix showing which techniques adversaries use. For demonstration purposes, we created a notional matrix of what an organization can detect and overlaid it with our previous matrix of APT3 and APT29 techniques. We used red to denote techniques that both groups use and the organization cannot detect. The techniques in red would likely be the highest priority to focus on. You can download these matrices for yourself from the folder of sample layers we posted on GitHub.
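The two overlays described above (group-versus-group, then groups-versus-detections) are set operations on technique IDs, so they are easy to reproduce in code. The following is an added example, not code from the ATT&CK project or the Navigator. The technique IDs are real ATT&CK IDs, but their assignment to APT3 and APT29 here is a constructed sample rather than the mapping on the ATT&CK website, the organization's detection coverage is notional, and the layer field names are an assumed, simplified approximation of the Navigator layer format.

```python
"""Added example: compare two groups' technique sets and overlay notional
detection coverage to find the highest-priority gaps (the red cells)."""
import json

# Constructed sample technique sets. Real IDs, illustrative assignment only;
# pull the actual group-to-technique mapping from the ATT&CK content.
APT3 = {"T1003", "T1059", "T1078", "T1083", "T1105"}
APT29 = {"T1003", "T1059", "T1086", "T1105", "T1193"}

# Notional detection coverage for an organization (assumed, not real).
ORG_DETECTS = {"T1059", "T1083", "T1193"}

# Colour scheme following the post: blue = only group A, yellow = only group B,
# green = both, red = used by both and not detected.
COLORS = {"only_a": "#0000ff", "only_b": "#ffff00",
          "both": "#00ff00", "gap": "#ff0000"}


def compare_groups(group_a, group_b):
    """Partition two technique sets into exclusive and shared techniques."""
    return {
        "only_a": group_a - group_b,
        "only_b": group_b - group_a,
        "both": group_a & group_b,
    }


def detection_gaps(shared, detects):
    """Shared techniques with no detection: the highest-priority cells."""
    return shared - detects


def prioritized(group_a, group_b, detects):
    """Rank techniques: undetected shared first, detected shared next,
    then techniques used by only one of the groups."""
    parts = compare_groups(group_a, group_b)
    gaps = detection_gaps(parts["both"], detects)
    order = [(0, t) for t in gaps]
    order += [(1, t) for t in parts["both"] - gaps]
    order += [(2, t) for t in parts["only_a"] | parts["only_b"]]
    return [t for _, t in sorted(order)]


def build_layer(name, group_a, group_b, detects):
    """Emit a simplified Navigator-style layer (assumed field shape)."""
    parts = compare_groups(group_a, group_b)
    gaps = detection_gaps(parts["both"], detects)
    techniques = []
    for label, ids in parts.items():
        for tid in sorted(ids):
            key = "gap" if tid in gaps else label
            techniques.append(
                {"techniqueID": tid, "color": COLORS[key], "comment": key})
    return {"name": name, "domain": "mitre-enterprise",
            "techniques": techniques}


if __name__ == "__main__":
    layer = build_layer("APT3 vs APT29 vs detections", APT3, APT29, ORG_DETECTS)
    print(json.dumps(layer, indent=2))
    print("priority order:", prioritized(APT3, APT29, ORG_DETECTS))
```

Swapping the constructed sets for technique lists exported from the ATT&CK content, and the notional coverage for your own detection inventory, turns this into the same gap analysis the post performs by hand in the Navigator.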
ATT&CK also provides a common language for analysts to use when describing adversary behavior. Analysts often use diverse ways to describe the same adversary behavior in reporting, which can cause headaches because analysts may interpret the behavior in different ways. ATT&CK gives analysts a set of definitions for behavior they can use to be sure that they clearly communicate. This normalization allows analysts to use reports from a variety of sources to perform analysis of ATT&CK techniques.
Structuring TTPs gives us a way to count them, which helps make adversaries and defenses measurable. Metrics about TTPs provide an easy supplement to indicator counts that some organizations rely on to demonstrate the value of CTI. For example, on a monthly basis, analysts could track the number of new techniques they observe adversaries performing, and defenders could track the number of techniques for which they created new detections.
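The monthly metrics suggested above fall out of the same structured data once observations and detections are recorded against technique IDs. The example below is added here and is not code from the post or the ATT&CK project; the observation and detection records are constructed samples, and the record shapes (month, group, technique) are an assumption about how an analyst team might log them.

```python
"""Added example: monthly TTP metrics from structured observations."""
from collections import defaultdict

# Constructed analyst observations: (month, group, technique ID).
OBSERVATIONS = [
    ("2018-03", "GroupA", "T1059"),
    ("2018-03", "GroupB", "T1003"),
    ("2018-04", "GroupA", "T1059"),
    ("2018-04", "GroupA", "T1105"),
    ("2018-05", "GroupB", "T1105"),
    ("2018-05", "GroupB", "T1193"),
]

# Constructed defender records: (month, technique ID) for new detections.
DETECTIONS_CREATED = [
    ("2018-03", "T1059"),
    ("2018-05", "T1105"),
    ("2018-05", "T1003"),
]


def new_techniques_per_month(observations):
    """Count techniques observed for the first time in each month.
    Repeat sightings of a known technique do not add to the count."""
    seen = set()
    counts = {}
    for month, _group, tech in sorted(observations):
        counts.setdefault(month, 0)
        if tech not in seen:
            seen.add(tech)
            counts[month] += 1
    return counts


def new_detections_per_month(detections):
    """Count distinct techniques that gained a detection in each month."""
    per_month = defaultdict(set)
    for month, tech in detections:
        per_month[month].add(tech)
    return {m: len(techs) for m, techs in sorted(per_month.items())}


def coverage_trend(observations, detections):
    """Cumulative fraction of observed techniques with a detection, by month."""
    months = sorted({m for m, _, _ in observations} | {m for m, _ in detections})
    trend = {}
    for month in months:
        observed = {t for m, _, t in observations if m <= month}
        covered = {t for m, t in detections if m <= month}
        trend[month] = len(observed & covered) / len(observed) if observed else 0.0
    return trend


if __name__ == "__main__":
    print("new techniques:", new_techniques_per_month(OBSERVATIONS))
    print("new detections:", new_detections_per_month(DETECTIONS_CREATED))
    print("coverage:", coverage_trend(OBSERVATIONS, DETECTIONS_CREATED))
```

The coverage trend is the figure that ties the two counts together for a decision-maker: it shows whether detection engineering is keeping pace with the techniques analysts are observing.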
That Sounds Great, but Now What?
At this point, maybe we've lost you to looking at cat pictures, but maybe some of this sounds good to you. You also may be thinking that this all sounds great in theory but are skeptical of how to do it in practice. If that's your concern, stay tuned, because in our next post we will discuss how you can apply ATT&CK to CTI in practical terms.