A New Resource Helps Thwart Hackers by Analyzing their Actions

January 2017
Topics: Cybersecurity, Cyber Threat Intelligence, Computer Security
Cyber adversaries can change how they break into a system, but they usually don't change behaviors once inside. That's the idea behind MITRE's Cyber Analytics Repository, which helps network defenders detect suspicious behavior that indicates a threat.

If there were an Olympics for illegal cyber activity, today's cybercriminals would take the gold. The agility of malicious hackers—their ability to make rapid changes to how they operate—makes traditional network defense fragile and unsatisfactory. Most such approaches look for so-called indicators of compromise (IOCs). Hackers are adapting rapidly—at least on the surface—to avoid detection.

Figuring out how to foil a would-be attacker who’s trying to bring down your network could save countless hours of time, energy, and money. It's a big task, but one good place to start is to have an understanding of the most likely behaviors that cyber adversaries display.

Collecting and sharing such behavioral knowledge with the cyber-defense community is the reason MITRE engineers developed the Cyber Analytics Repository, or CAR. It's a knowledge base of analytics to help cyber-defenders recognize suspicious actions occurring in their systems.

Working in Tandem with ATT&CK

CAR complements the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) model, also developed by MITRE. ATT&CK is a framework for describing the actions that attackers take after they've gotten inside and compromised a network.

Together, CAR and ATT&CK focus on the detection of possible threats based on observed adversary behaviors. And both are free for the public and government agencies to use.

"When you're looking at your network to detect attackers, you should be looking at behaviors," says MITRE's Craig Wampler, a lead cybersecurity engineer. "CAR is a jump-start for that process. It contains the analytics for behaviors you want to watch out for."

The analytics that make up CAR are designed for host-based sensing in Windows environments. MITRE has so far released analytics in four categories: Situational Awareness, Anomaly/Outlier, Forensics, and Tactics, Techniques, and Procedures (TTP). A Situational Awareness, Anomaly, or Forensics analytic will not always indicate adversary action on its own, but it can still supply valuable context during an investigation. TTP analytics are based on ATT&CK: each one maps to one or more ATT&CK techniques and to the tactics those techniques serve. (See the full list of analytics for more information.)

An organization doesn't have to implement all of the analytics in its environment; not every analytic is right for every organization. However, the creators of CAR hope that other organizations will take a cue from MITRE, which extensively tested and refined the analytics through a series of targeted cyber games based on the ATT&CK methodology.

While not every organization has the resources for that type of full-scale test, MITRE's Michael McFail hopes that they’ll be interested in choosing and adapting the analytics that work best for them. "It's the sort of mindset that we're hoping people will adopt," says McFail, a lead cybersecurity engineer.

Why Being Flexible When Monitoring Suspicious Behavior Matters

Monitoring for suspicious behavior is far more effective than looking for fixed characteristics of an adversary. That is what makes CAR more valuable than a security solution that relies on IOCs such as malware hashes (a fixed-length fingerprint computed from a file's bytes, used to identify a known malicious sample) or malicious domain names. An adversary can change an IOC cheaply, by recompiling a file or registering a new domain, so detections built on IOCs go stale as soon as the adversary adapts.

But the analytics in CAR can detect patterns of suspicious behavior. Adversaries can change their appearance, but behavioral patterns tend to be similar. There are only so many paths attackers can take, once they've found an entry point.
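The contrast between indicator matching and behavioral analytics can be made concrete. The following is an added illustration, not code from MITRE CAR: it runs an IOC hash lookup and two TTP-style behavioral analytics over constructed Windows process-creation events. The event fields, the two analytics, the hash values and the file paths are assumptions made for the example and do not come from the repository or from a real sensor schema. The point it shows is the one the article makes: when the adversary recompiles the payload, the hash-based detection misses the new build while the behavioral analytic still fires.

```python
"""IOC matching versus behavioral analytics over constructed Windows
process-creation events. Added illustration, not code from MITRE CAR.

The event fields and the two analytics below are assumptions made for the
example; they mirror the shape of host-based process telemetry but are not a
real sensor schema or analytics taken from the repository.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # path of the newly created process
    parent_image: str   # path of the process that created it
    command_line: str
    sha256: str         # hash of the executable on disk (placeholder values)


@dataclass(frozen=True)
class Analytic:
    """A behavioral analytic: a named predicate over one event, tagged with
    the ATT&CK tactic it supports (TTP-style analytic)."""
    name: str
    tactic: str
    matches: Callable[[ProcessEvent], bool]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


OFFICE_APPS: FrozenSet[str] = frozenset(
    {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})

ANALYTICS: List[Analytic] = [
    # Opening a document should not normally spawn a process; a child of an
    # Office application is worth triaging regardless of which binary it is.
    Analytic("Office application spawning a child process", "Execution",
             lambda e: basename(e.parent_image) in OFFICE_APPS),
    # A hidden window is a trait of how PowerShell was launched, not of the
    # payload, so renaming or recompiling the payload does not hide it.
    Analytic("PowerShell launched with a hidden window", "Execution",
             lambda e: basename(e.image) == "powershell.exe"
             and ("-w hidden" in e.command_line.lower()
                  or "-windowstyle hidden" in e.command_line.lower())),
]

# Constructed sample telemetry. Hashes are placeholders, not real malware.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe", "hash-benign-0001"),
    # A dropper launched from a malicious Word document, first build.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "update.exe /s", "hash-dropper-build1"),
    # Same dropper, recompiled and renamed: new hash, same behavior.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\svc.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "svc.exe /s", "hash-dropper-build2"),
    # A macro that launches hidden PowerShell instead of dropping a binary.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                 "powershell.exe -nop -w hidden -c Start-Sleep 1",
                 "hash-signed-powershell"),
]

# An IOC feed that knows only the first build of the dropper.
IOC_HASHES: FrozenSet[str] = frozenset({"hash-dropper-build1"})


def ioc_matches(events: List[ProcessEvent],
                bad_hashes: FrozenSet[str]) -> List[ProcessEvent]:
    """Indicator matching: flag an event only if its hash is already known."""
    return [e for e in events if e.sha256 in bad_hashes]


def run_analytics(events: List[ProcessEvent],
                  analytics: List[Analytic]) -> Dict[str, List[ProcessEvent]]:
    """Run every analytic over the events; return hits keyed by analytic name."""
    return {a.name: [e for e in events if a.matches(e)] for a in analytics}


def behavior_matches(events: List[ProcessEvent],
                     analytics: List[Analytic]) -> List[ProcessEvent]:
    """Union of all analytic hits, in event order, without duplicates."""
    hits = run_analytics(events, analytics)
    return [e for e in events if any(e in v for v in hits.values())]


if __name__ == "__main__":
    print("IOC hits:", [basename(e.image) for e in ioc_matches(EVENTS, IOC_HASHES)])
    for name, hits in run_analytics(EVENTS, ANALYTICS).items():
        print(f"{name}: {[basename(e.image) for e in hits]}")
```

Run as a script, the IOC lookup flags only the first dropper build, while the Office-child analytic flags both builds and the PowerShell launch, and the hidden-window analytic flags the PowerShell launch as well. Each hit from the behavioral analytics would still need the triage the article describes, since an Office add-in or an administrator's script can trigger the same predicate; the gain is that the adversary cannot evade it by changing the payload's hash or name.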

An example sometimes used to illustrate the concept is a bank robber's disguise (an analogy originally proposed by the cybersecurity company CrowdStrike). A bank robber might wear a purple baseball cap to break into a bank and steal the money inside. But the robber can always ditch the baseball cap. The most important thing to track is the bank robber’s behavior when conducting the robbery, not the outfit he's wearing.

And when you know your attacker’s tactics and techniques, you can defend yourself.

"Once the CAR analytics detect a behavior, an analyst receives an alert," says Kristin Esbeck, a lead cybersecurity engineer in MITRE's threat-based operations department. "Then the analyst can conduct triage to look at the alert and understand what happened. Depending on the severity of the alert, the analyst would follow their traditional security operations center procedures."

The Community Makes CAR Stronger

Adversaries are always looking for the next best way to wreak havoc, so cybersecurity is always striving to stay at least one step ahead of them. So by necessity, CAR is always a work in progress.

"It's a tool that's like an instrument that you tune and retune to get the right sound," McFail says.

Community-based collaboration is essential for improving cybersecurity, he added. One major reason that CAR was released publicly was to foster that kind of collaboration, so it’s set up to welcome contributions.

By working together and sharing defensive techniques, everyone can contribute to the defeat of attackers.

—by Jennifer Larson
