Network Detection and Response (NDR) Mapped to MITRE ATT&CK

Network Detection and Response (NDR) Mapped to MITRE ATT&CK

Network-based attacks are a concern for all of us. Carbon Black revealed in its April 2019 Global Incident Response Threat Report that 70 percent of the attacks analyzed by its researchers attempted to use lateral movement across the network. When asked to weigh in on their susceptibility to these attacks, 44 percent of respondents said a lack of visibility was to blame.

This finding highlights the importance of organizations using resources such as the MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) to improve their understanding of and visibility into digital attacks and assessing their current prevention, detection, and responsive capabilities. Towards that end, I will discuss what the MITRE ATT&CK is and how we can all use it to identify capabilities needed to defend ourselves against digital attackers. I’ll then explain how the Lastline Network Detection and Response (NDR) platform provides needed visibility into the tactics and techniques included in the matrix.

The Purpose of the MITRE ATT&CK Matrix

According to MITRE’s website, the ATT&CK matrix is a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” Private organizations, governments, and security analysts alike can use this knowledge base to better understand the unique stages of a digital attack campaign. All of us can then implement appropriate security measures to deter malicious actors at each of these stages.

The MITRE ATT&CK serves as a model through which interested parties can learn to identify and map digital intrusions against their existing security technologies allowing them to shore up their gaps and prevent more intrusions. The MITRE ATT&CK matrix elements help to illuminate the tactics and techniques commonly employed by malicious actors in their attacks and as a result, help security teams identify gaps in their security stack.

But these attack methodologies are always changing. Indeed, the emergence of new technologies such as the cloud, IoT, and mobile computing, has opened up new attack vectors to nefarious individuals. Hence the importance of incorporating the MITRE ATT&CK within your security operations to understand what new methods an attacker is using across the attack chain. When the MITRE ATT&CK is integrated into technologies, security solutions providers can help their customers understand the severity and stage of the attack, thereby enabling them to better prioritize response measures.

Inside MITRE ATT&CK

The MITRE ATT&CK breaks down an attack chain into 12 tactics, each of which has several identified techniques (the current number of techniques is shown in parentheses below) that attackers can use. In short, these tactics are:

  • Initial access (11): I am trying to get into your network and on your endpoints…
  • Execution (33): …to run malicious code…
  • Persistence (59): …to gain a foothold…
  • Privilege escalation (28): …to escalate my privileges…
  • Defense evasion (67): …to avoid your detection…
  • Credential access (19): …to steal your credentials
  • Discovery (22): …to better surveil your environment…
  • Lateral movement (17): …to move through your environment…
  • Collection (13): …to collect your data…
  • Command and control 22): …to communicate with the dark side…
  • Exfiltration (9): …to steal your data…
  • Impact (14): …to destroy your systems and data.

Visualizing the MITRE ATT&CK Matrix

Let’s go through a sample intrusion scenario to better understand the value MITRE ATT&CK matrix of tactics and techniques brings in helping to standardize the industry on adversaries’ tactics and techniques:

  1. An attacker gains initial access (tactic) by targeting an employee with a spear-phishing (technique) email and tricking the user into clicking on a malicious attachment or link.
    • Lastline Defender prevents initial access by detecting phishing emails and malicious links that trick your users and evade your defenses.
  2. This email loads and executes (tactic) a malicious PowerShell script (technique) to download and install malware or the user clicks on the link in the email.
    • Lastline Defender detects and prevents these advanced threats from ever being delivered to your endpoints for execution.
  3. The malware, in turn, executes (tactic) and achieves persistence (tactic) by creating a new service in the registry (technique). It then escalates its privileges (tactic) by running code in the context of another process (technique), all while evading detection (tactic) because it has obfuscated its executable (technique).
    • The Lastline Defender NDR platform has the industry-leading file analysis capabilities that uses Deep Content Inspection to detect advanced threats persisting, escalating privileges, and evading detection.
  4. At this point let’s just hypothesize that the asset is compromised, the malware discovers (tactic) other network accounts (technique) to brute-force passwords (technique) and abuses the Remote Desktop Protocol (technique) to move laterally (tactic) to other endpoints.
    • Lastline Defender’s network traffic analysis uses our deep understanding of malicious behaviors to discern between benign anomalies and malicious lateral movement, account discoveries, and brute-force techniques.
  5. On this asset, it collects (tactic) data and stages it (technique), uses alternative protocols (technique) to contact its command-and-control (C&C) server (tactic), and exfiltrates (tactic) this information over its multi-stage C&C channel (technique).
    • Lastline Defender’s network traffic analysis and IDPS together detect and respond to alternative protocols used to communicate and exfiltrate your data.

How Does Lastline Complement the MITRE ATT&CK?

As of this writing, MITRE ATT&CK consists of 12 tactics that includes 314 specific techniques. Due to the wide range of techniques represented, no single solution can detect all of them. However, Lastline Defender prevents, detects and responds to far more of the total MITRE ATT&CK techniques than other NDR solutions.

Lastline’s NDR platform provides coverage across all 12 MITRE ATT&CK tactics and provides network prevention, detection and response capabilities to the vast majority of the 314 techniques, thereby presenting some of the broadest coverage in the industry.

It does this by using a software-based network sensor to detect anomalies in north-south and east-west traffic along with the cloud, web, and email. It also can distinguish between benign network anomalies and malicious activity to minimize false positives. Lastline NDR uses network traffic analysis (NTA) in tandem with file analysis, intrusion detection and prevention systems (IDPS), all coupled with machine learning and threat intelligence to deliver high-fidelity insights into threats across the MITRE ATT&CK matrix.

See our coverage below, and please contact us if you’d like to see our integration with MTIRE ATT&CK and the details of how we compare to the other NDR offerings.

Lastline’s detection coverage of the techniques aligned to each tactic.

To learn more about Lastline Defender and how it provides visualization of cyber threats across the attack stages and maps to MITRE ATT&CK, please see our on-demand webinar titled, Lastline Defender Maps Incidents to the MITRE ATT&CK Framework.

Chad Skipper

Chad Skipper

Chad serves as a security technologist, marketing, and sales executive focusing on a broad section of the Information Security space. He provides strategic thought leadership, vision, and execution guidance in the advancements of security technologies that proactively protect organizations’people, processes, and assets. Chad is a seasoned public speaker and is co-author of “Next-Generation Anti-Malware Testing for Dummies."
Chad Skipper