♻️CISO’s MITRE ATT&CK | OPERATIONALIZING STRATEGIC INTELLIGENCE

Mike Rebultan
4 min read · Feb 9, 2021

Often it is the Cyber Threat Intelligence (CTI) analysts who provide threat intelligence reports to leadership, using the MITRE ATT&CK framework's threat modelling to map adversaries' Tactics, Techniques, and Procedures (TTPs).

What if the CISO learned to do this as well, and even took it one level further? Would that not be more effective in closing the gaps in defense-in-depth, and more efficient when presenting to the board?

The Breaches

Many companies, even with paid subscriptions to one or more CTI platforms (CTIP), still suffer breaches. This is simply because Threat Actors (TAs) do not broadcast their next target or when they will attack. What an organization pays CTI solution providers for is the fast availability of information about the latest Common Vulnerabilities and Exposures (CVEs), emerging threats, cyber espionage, newly registered cybersquatting domains, sensitive data leaks, compromised accounts, and Indicators of Compromise (IOCs).

With free subscriptions to the various online security news providers, CTI analysts can help the CISO by reporting which TTPs were used in past incidents in the same sector as your organization.

Let us take as an example the breaches below at a few financial organizations in the last 30 days, in which 10 unique TTPs were identified as lessons learned.

snapshot credit from Trukno

Links:
- ASIC reports server breached via Accellion vulnerability | ZDNet
- Data breach at Buyucoin crypto exchange leaks user info, trades (bleepingcomputer.com)
- Livecoin has Announced Shutdown of Services after Being Hacked (gbhackers.com)
- MediaLand: Magecart and Bulletproof Hosting | RiskIQ Community Edition
- New Zealand Reserve Bank breached using bug patched on Xmas Eve (bleepingcomputer.com)

snapshot credit from Trukno

After a thorough examination and analysis of the breaches, it is noticeable that most of the attack vectors above do not have a corresponding MITRE ATT&CK identifier. Hence, People and Process are big factors to consider in every organization's proactive defense; not everything can be covered by security tools.

The Defense-in-Depth Mapping

Given the attack vectors in the table above and the features of an organization's common security stack, such as Endpoint Detection and Response (EDR), Anti-Virus (AV), Firewall (FW), and Multi-Factor Authentication (MFA), these can be mapped using the online MITRE ATT&CK Navigator (ATT&CK® Navigator, mitre-attack.github.io).

MFA on MITRE ATT&CK

EDR+AV on MITRE ATT&CK

FIREWALL on MITRE ATT&CK

Now the moment of truth: the two ATT&CK technique IDs identified in the breaches were not covered by any of the common security tools at all: T1588.006 (Obtain Capabilities: Vulnerabilities) and T1583.001 (Acquire Infrastructure: Domains). Both belong to the Resource Development tactic, which covers what the adversary does on their own side before first contact with the victim, so there is little for an EDR, AV, firewall, or MFA to observe. This is exactly where the CTI feed items mentioned earlier (the latest CVEs, newly registered cybersquatting domains) become the relevant control.
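As an added worked example (not code from the article), here is the same gap check done in code rather than by hand in the Navigator: a Python script that takes the technique IDs observed in the breaches, a per-tool coverage set for MFA, EDR+AV and the firewall, lists the techniques that nothing in the stack covers, and emits a Navigator layer JSON that colours the gaps red. The coverage sets, the technique IDs beyond the two the article names, the rule that a parent technique counts as covering its sub-techniques, and the Navigator layer field names and version numbers are all assumptions to check against your own stack and the Navigator's layer format documentation.

```python
"""Coverage-gap check: breach TTPs versus the security stack.

Added example, not code from the original article. Every mapping below is a
constructed illustration: which techniques a given tool covers must come from
your own use-case review, e.g. the Navigator layers you build per tool.
"""
import json

# Techniques observed in the breaches. The first two are the uncovered IDs the
# article names; the rest are constructed examples the stack does cover.
BREACH_TTPS = {
    "T1588.006": "Obtain Capabilities: Vulnerabilities",
    "T1583.001": "Acquire Infrastructure: Domains",
    "T1190": "Exploit Public-Facing Application",
    "T1078": "Valid Accounts",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
}

# Constructed coverage per stack component: tool -> technique IDs its use cases
# detect or block. Assumption: a parent ID (e.g. "T1059") covers its sub-techniques.
STACK_COVERAGE = {
    "MFA": {"T1078", "T1110"},
    "EDR+AV": {"T1059", "T1204.002", "T1055"},
    "Firewall": {"T1190", "T1071.001"},
}


def covers(tool_techniques, technique_id):
    """True if the tool lists the technique itself or its parent technique."""
    parent = technique_id.split(".")[0]
    return technique_id in tool_techniques or parent in tool_techniques


def coverage_map(breach_ttps, stack_coverage):
    """Return {technique_id: sorted list of tools covering it} for every breach TTP."""
    return {
        tid: sorted(tool for tool, techs in stack_coverage.items() if covers(techs, tid))
        for tid in breach_ttps
    }


def uncovered(breach_ttps, stack_coverage):
    """Technique IDs used in the breaches that no stack component covers."""
    cmap = coverage_map(breach_ttps, stack_coverage)
    return sorted(tid for tid, tools in cmap.items() if not tools)


def navigator_layer(breach_ttps, stack_coverage, name="Breach TTPs vs. security stack"):
    """Build an ATT&CK Navigator layer (a dict ready for json.dump) that colours
    uncovered techniques red and covered ones green.

    Assumption: field names follow the Navigator layer format (techniqueID, color,
    comment, score, enabled); set "versions" to the ATT&CK/Navigator release you
    use and check the layer format spec for that version.
    """
    techniques = []
    for tid, tools in coverage_map(breach_ttps, stack_coverage).items():
        status = "covered by " + ", ".join(tools) if tools else "NOT covered by any stack component"
        techniques.append({
            "techniqueID": tid,
            "color": "#66cc66" if tools else "#ff6666",
            "comment": f"{breach_ttps[tid]}: {status}",
            "score": len(tools),
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "8", "navigator": "4.2", "layer": "4.1"},
        "domain": "enterprise-attack",
        "description": "Breach TTPs mapped against stack coverage; red = gap",
        "techniques": techniques,
    }


if __name__ == "__main__":
    for tid in uncovered(BREACH_TTPS, STACK_COVERAGE):
        print(f"GAP: {tid} {BREACH_TTPS[tid]}")
    # Redirect stdout to a .json file and load it in the Navigator via
    # "Open Existing Layer -> Upload from local".
    print(json.dumps(navigator_layer(BREACH_TTPS, STACK_COVERAGE), indent=2))
```

The point of keeping the coverage sets per tool rather than as one merged set is that the layer's score then tells you how many layers of defense sit in front of each technique, which is the defense-in-depth question, not just whether one tool claims it.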

As a CISO, you may need to re-evaluate the use cases of all your existing security stacks, your security controls and policies, and even the skills of your people, to align them with the attack vectors used in the breaches. You also need to ensure that you have an up-to-date Incident Response playbook (see NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide) and an incident response retainer in place, in case your organization is the next one in the news.

Humble Recommendations

Many leaders and technical cyber security professionals sometimes need reminding of the three pillars of Information and Communication Technology (ICT), People, Process, and Technology, where a balance between them is fundamental. A weakness in any one of them shows up as a risk factor in the organization's attack surface. At best this is tracked; mostly it is forgotten and becomes residual risk until the breach happens.

Conclusion

The MITRE ATT&CK framework is not only useful for Blue and Red Teamers; it is also a good pocketknife for CISOs and leaders, making their overall decision making more effective and efficient when evaluating security posture and budgeting towards defense-in-depth.
