Building Threat-Informed Defenses: Rapid7 Experts Share Their Thoughts on MITRE ATT&CK

Last updated at Wed, 03 Jan 2024 18:38:41 GMT

MITRE ATT&CK is considered by practitioners and the analyst community to be the most comprehensive framework of cybersecurity attacks and mitigation techniques available today. The MITRE ATT&CK Framework helps the security industry speak the same language and stick to a well-known, common framework.

To get more details on MITRE's ATT&CK Matrix for Enterprise and its impact, I spoke with 3 members of Rapid7's Managed Detection and Response team who have firsthand experience working with this framework every day — read our conversation below!

Laying some groundwork here, what are your thoughts on the MITRE ATT&CK framework?

John Fenninger, Manager of Rapid7's Detection and Response Services, kicked us off by sharing his perspective:

“MITRE ATT&CK is an incredibly valuable framework for both vendors and customers. From things like compliance to more immediate needs like investigating an ongoing attack, MITRE makes it easy to see specific techniques that customers may not have heard of and helps think of tactical moves customers can protect against. With InsightIDR specifically, we align our detections to MITRE to give both our MDR SOC analysts and customers visibility into how far along a threat is on the ATT&CK chain."

Rapid7 is not only a consumer of the MITRE ATT&CK Framework but an active contributor as well — in 2020, Rapid7 Incident Response Consultant Ted Samuels made a contribution to MITRE around group policy objects for discovery that is now in the latest version of the ATT&CK framework.

Can you share your perspective on how the MITRE framework is used, and by who?

When it comes to leveraging the MITRE ATT&CK framework, there are 2 key audiences to consider, says Rapid7's Senior Detection & Response Analyst, Vidya Tambe:

“There are 2 main categories of users — people who write detections and people who do the analysis of the detections, and the MITRE framework is important for both. From the analyst side, we want to know what stage of attack each alert is at, and based on where the alert falls, we know how critical an incident is. With MITRE, we can track how an attacker got to where they are and what kind of escalations they did — overall, it helps us back-track to see what they were able to compromise.

"From the detection writing standpoint, we want to stop attacks before they get too far into someone's environment. Attacker techniques are always evolving, and while we aim to write detections for all the phases, a primary focus is to try and write detections early on to stop attackers as early in the ATT&CK chain as possible."

What advice do you have for security teams when it comes to leveraging the MITRE framework to drive successful detection and response?

Rapid7 Detection and Response Analyst Carlo Anez Mazurco shared some advice for teams when it comes to using the MITRE framework at their organization:

“The MITRE Framework allows us to build a threat-informed defense. It shows us the 3 main areas that we need to focus on for data collection, data analysis, and expansion of detections. For teams to successfully utilize the MITRE framework, they need visibility into the following data sources at a minimum:

• Process and process command line monitoring can be collected via Sysmon, Windows Event Logs, and many EDR platforms
• File and registry monitoring is also often collected by Sysmon, Windows Event Logs, and many EDR platforms
• Authentication logs collected from the domain controller
• Packet capture, especially east/west capture, such as those collected between hosts and enclaves in your network

"Teams need a platform like InsightIDR, Rapid7's extended detection and response solution, where the data from all of these sources can be ingested. Whatever platform or tool teams choose to use for this data ingestion should include MITRE mappings to attacker behaviors to understand what attackers are trying to do inside our environment at each stage, the TTPs (Tactics, Techniques, Procedures) of each threat actor should be documented in each alert — InsightIDR maps its detections to the MITRE framework to do just this for users."

You mentioned InsightIDR has MITRE mapping — can you dig a little more into how this impacts customers?

“Our InsightIDR platform helps our customers collect all the necessary data sources," Carlo continued. "That includes process and process command line monitoring via our endpoint Insight Agent, as well as file monitoring. Plus, authentication logs are collected from domain controllers and also via the Insight Agent, and network flow inside the environment can be gathered through our Insight Network Sensor.

"Our ABA and UBA detections are mapped to the MITRE framework to show our customers which TTPs are the most commonly used by threat actors in their environment, and it gives an insight into the attack patterns in real time. You can see an example of this in one of our past Rapid7 Threat Reports here.

"Additionally, our Rapid7 Threat Intelligence team is always developing new threat detections based on the threat intelligence feeds and public repositories of attacker behaviors. These new detections are mapped to the TTPs inside the MITRE framework and pushed out to all Rapid7 customers."

We also recently released a new view of Detection Rules in InsightIDR where all detections are mapped to the MITRE ATT&CK Framework, and users can see associated MITRE tactics, techniques, and sub-techniques for detections while performing an investigation.

Interested in learning more?

As you can see, we really value the MITRE ATT&CK framework here at Rapid7. With InsightIDR your detections are vetted by a team of professional SOC analysts and mapped to MITRE to take the guessing game of what an attacker might do next.