Finding the right context in which to view your detection coverage is a hot topic in both the security sector and the Splunk world. During several Splunk .conf19 presentations, a lot of buzz was generated around the MITRE ATT&CK Framework and its application to existing SIEM deployments. Needless to say, it’s important for businesses and security professionals alike to take advantage of the benefits this framework has to offer.
In this blog post, I will outline what MITRE ATT&CK is, how the Hurricane Labs SOC has put it to use, and why it’s beneficial for businesses looking for enhanced security operations.
What is the MITRE ATT&CK Framework?
From the official website, “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
This framework provides a visual overview of the breadth of these tactics and techniques, and it allows you to drill into each for specifics, such as real-world examples or mitigation strategies. You can even filter the framework to focus on environments like Windows or Cloud rather than the broader enterprise perspective.
How does Hurricane Labs use this framework for better mapping and security coverage?
In the Hurricane Labs SOC, we live and breathe Splunk Enterprise Security (ES). Understanding how our coverage of any particular attack environment stacks up against a known framework like MITRE ATT&CK is valuable both to our team and to our customers’ security posture.
For the past several months, a small group of us has been taking each customer environment and attaching the searches used for detection to objects called “analytic stories” within Enterprise Security. These became part of ES with the Splunk ES Content Update app; each story is a collection of use cases that lays out a particular focus, the searches and software involved, and any known frameworks that might apply (such as MITRE or CIS).
We created separate versions of the existing stories built around the searches we have in production at Hurricane Labs, keeping them apart from searches or use cases that may be stock or disabled. Then we mapped the relevant MITRE ATT&CK tactics and techniques according to the data directly searched by each detection. Because we work with the detections themselves on a regular basis, this produces a more accurate mapping than one based on search name or use case alone.
We also leverage the MITRE ATT&CK App for Splunk
The MITRE ATT&CK App for Splunk lets us populate a dashboard displaying all the tactics and techniques in MITRE ATT&CK and highlight where coverage is currently provided by our production alerting. You can drill down into any particular technique and view which searches are currently deployed.
This process can be useful in two ways:
- At-A-Glance Overview – It provides an overview of coverage that can be reported to management or checked at a glance to see what searches, if any, address a particular adversary tactic.
- Technique Gap Detection – It shows which techniques are NOT currently covered, which is probably even more useful than the At-A-Glance Overview. Identifying these gaps can then drive further detection development or generate ideas about new logging or solutions that might fill them.
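To make the two views concrete, here is an added example (not Hurricane Labs’ code and not the MITRE ATT&CK App itself) that takes a production-search-to-technique mapping of the kind described above and produces both the at-a-glance per-tactic count and the list of uncovered techniques. The technique and tactic IDs are real ATT&CK identifiers; the matrix slice and the search names are constructed for illustration.

```python
from collections import defaultdict

# Constructed slice of the ATT&CK Enterprise matrix (real IDs, deliberately
# incomplete): technique ID -> tactic IDs. Valid Accounts spans four tactics.
ATTACK_MATRIX = {
    "T1566": {"TA0001"},                                # Phishing
    "T1078": {"TA0001", "TA0003", "TA0004", "TA0005"},  # Valid Accounts
    "T1059": {"TA0002"},                                # Command and Scripting Interpreter
    "T1003": {"TA0006"},                                # OS Credential Dumping
    "T1110": {"TA0006"},                                # Brute Force
    "T1021": {"TA0008"},                                # Remote Services
}
TACTIC_NAMES = {"TA0001": "Initial Access", "TA0002": "Execution",
                "TA0003": "Persistence", "TA0004": "Privilege Escalation",
                "TA0005": "Defense Evasion", "TA0006": "Credential Access",
                "TA0008": "Lateral Movement"}
# Constructed analytic-story style mapping: enabled production search -> techniques.
# Stock or disabled searches are left out, as the post describes.
PRODUCTION_DETECTIONS = {
    "HL - Encoded PowerShell Command": {"T1059"},
    "HL - Excessive Failed Logins": {"T1110"},
    "HL - LSASS Memory Access": {"T1003"},
    "HL - Pass the Hash via Remote Service": {"T1021", "T1078"},
}

def coverage(detections, matrix):
    """Return (covered, gaps): tactic -> {technique: [searches]} and tactic -> [techniques].
    A technique ID absent from the matrix raises, so a typo cannot count as coverage."""
    covered = defaultdict(lambda: defaultdict(list))
    for search, techniques in detections.items():
        for tid in techniques:
            if tid not in matrix:
                raise ValueError(f"{search!r} maps to unknown technique {tid}")
            for tactic in matrix[tid]:
                covered[tactic][tid].append(search)
    covered_ids = set().union(*detections.values())
    gaps = defaultdict(list)
    for tid, tactics in matrix.items():
        if tid not in covered_ids:
            for tactic in tactics:
                gaps[tactic].append(tid)
    return covered, gaps

def at_a_glance(detections, matrix):
    """One report line per tactic: covered/total techniques and the gap list."""
    covered, gaps = coverage(detections, matrix)
    totals = {t: sum(t in ts for ts in matrix.values()) for t in TACTIC_NAMES}
    return [f"{name}: {len(covered[t])}/{totals[t]} covered; gaps: "
            + (", ".join(sorted(gaps[t])) or "none") for t, name in TACTIC_NAMES.items()]
```

Against a full matrix export, the gap list is the input to the detection backlog, while the per-tactic line is what goes in the management report.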
The goal of this process is to provide further insight and value to your existing deployment against the backdrop of the MITRE ATT&CK framework. Building on the framework helps in the constantly changing world of security needs and detections by basing current and future work on relevant, real-world applications.