Using the MITRE ATT&CK Framework for Rapid Threat Detection in the Cloud

Published: May 19, 2022

Reading time: 7 Minutes

To manage the risks in today’s threat landscape, defenders face a long list of day-to-day responsibilities: investigating hundreds of security alerts, patching vulnerabilities, and threat hunting, to name a few.

Security teams use threat modeling, a key method for proactively remediating vulnerabilities and detecting active threats, to understand their adversaries’ potential tactics, techniques, and procedures (TTPs).

The most popular threat modeling framework today is the MITRE ATT&CK framework. This framework, provided by the MITRE Corporation, is structured around common threat actor TTPs and offers a methodology for managing the security risk those TTPs pose in your environment.

With MITRE ATT&CK incorporated into the security strategy, defenders can use the framework for threat modeling and security attack analysis.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework is a globally-accessible knowledge base of tactics and techniques for understanding how cyber adversaries operate. 

ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge, and it has been compiled from real-world observations. It is used as a foundation for the development of specific threat models and methodologies, and is intended to be used by organizations as a tool to decrease their attack surface.

This framework helps organizations manage their cyber risk by understanding attacker behaviors and enhances their ability to investigate security incidents.

Gaining a better understanding of how adversaries mount attacks and using this information as additional context for prioritizing risks will better position you to improve your cyber defense posture.

What is the MITRE ATT&CK Matrix?

The MITRE ATT&CK matrix contains a set of tactics and techniques used by adversaries to accomplish specific objectives. 

These objectives are categorized as tactics in the ATT&CK Matrix. The tactics are presented in a linear fashion, starting with reconnaissance on the left and moving to the right to the final goal of exfiltration or “impact”.

Currently the different MITRE matrices cover ATT&CK tactics for the enterprise, which includes Windows, Linux, cloud security, containers, and more.

Source: https://attack.mitre.org

The goal is to use the MITRE ATT&CK matrices that apply to your environment (for Orca these are the cloud security, Windows, Linux, and container matrices), review the tactics and techniques at each stage of an attack, and identify and manage the controls you have in place to detect, prevent, or stop an attack.

What is the Kill Chain?

The kill chain is a way of describing how a threat actor works their way from successfully exploiting an attack vector, to securing a foothold in a target network, to reaching their final objective.

With that foothold, a threat actor can move laterally across the network, looking for PII and internet-facing systems and preying on credentials and access controls, perhaps in search of command and control.

Does the threat actor want to use ransomware to encrypt the network and financially extort their targeted victim? Or do they want to quickly snatch the company’s crown jewels, and sell them on the dark web? 

Understanding these TTPs and final objectives helps defenders manage risks proactively and stop attacks earlier in the kill chain.

When defenders can anticipate an attacker’s next moves on the kill chain, they can remediate security gaps – ideally before an attack occurs. If it’s an active security event, security teams can use threat modeling to identify potential compromises faster for investigation and rapid remediation.

How Is MITRE ATT&CK Cloud data used with Orca Security?

Not all threats are the same across security environments, and cybersecurity risk management requires a laser-focus on what matters most. 

While vendors, particularly traditional EDR vendors, have long focused on ATT&CK as it relates to endpoints, Orca has deeply integrated this data specifically from MITRE’s cloud point-of-view. 

Orca uses cloud risk research, threat intelligence, and threat modeling data from established organizations, such as MITRE, to advance our customers’ security postures.

Orca Security uses the MITRE ATT&CK framework in the following two ways to improve cloud security.

  1. The first is to assist with risk reduction: the tactics and techniques provide contextual information that shows you if and how risks are related to each other. One use of this context is to create attack path visualizations. Here are some of the specific ways MITRE ATT&CK is used:
    • Identify risks that an attacker can use for an attack for each tactic (Orca tags alerts with tactic tags if applicable)
    • Identify Cloud risks based on cloud configurations
    • Improve prioritization of workload risks, what can be harvested or exploited or used against the customer

      Vulnerability alert with MITRE labels

  2. Orca also helps with incident response (IR) and investigation. Here are some of the ways Orca uses MITRE ATT&CK data to help with IR: 
    • Identify events from cloud logs for anomalies or malicious events and in which tactic category they fall under
    • Ability to see events against resources, which can assist in identifying attacks in progress to stop them before a breach occurs
    • Orca uses this additional tactics and techniques information to help contextualize the events; for example, only certain vulnerabilities can be used for “initial access”, so this extra information improves risk prioritization

A good example of this is that Orca will tell you there is an initial access risk (initial access being a MITRE tactic) on an internet-facing asset with a vulnerability that can be exploited to gain initial access.

One of the most useful ways MITRE ATT&CK is used is in attack path analysis, where you can view risks as an interrelated chain rather than as siloed risks.

MITRE tactics are critical to understanding which combinations are a direct path to your critical assets. Security teams can operate strategically by making sure that the risks that break attack paths are remediated first.

An attack path showing MITRE tags for each link in path

Orca provides a visual representation of each attack path, as shown in the diagram above, along with detailed information on each attack vector. 

As you can see in the diagram, every risk in the attack path is tied together using MITRE tactics, from “initial access” through tactics like “lateral movement” all the way to an asset that carries a tag like “credential access”, which is one of the tactics that designates a critical asset.

The attack path visualization includes further information and context for each step in the attack path.

In short, Orca uses attack paths to help teams remediate more strategically, improving efficiency and ensuring that the truly dangerous issues are remediated faster, which in turn helps avoid damaging attacks and data breaches.
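To make the attack path idea concrete, here is an added example (not Orca’s code or data model): a small set of constructed cloud risks, each tagged with the ATT&CK tactic it enables, is chained into attack paths from internet-facing initial access risks to a critical asset, and the risks are then ranked by how many paths remediating them would break. The risk names, edges, and the set of tactics treated as critical are assumptions for illustration.

```python
from collections import Counter
# Constructed sample (not Orca's data model): each cloud risk/alert is tagged
# with the MITRE ATT&CK tactic it enables, as the page describes.
RISKS = {
    "web-cve":          {"tactic": "Initial Access",       "internet_facing": True},
    "jump-ssh-weak":    {"tactic": "Initial Access",       "internet_facing": True},
    "dev-cve":          {"tactic": "Initial Access",       "internet_facing": False},
    "role-overpriv":    {"tactic": "Privilege Escalation", "internet_facing": False},
    "sg-open-internal": {"tactic": "Lateral Movement",     "internet_facing": False},
    "db-plain-keys":    {"tactic": "Credential Access",    "internet_facing": False},
    "secrets-in-env":   {"tactic": "Credential Access",    "internet_facing": False},
}
# Directed edges "exploiting risk A lets an attacker reach risk B" (constructed).
EDGES = {
    "web-cve": ["role-overpriv"],
    "jump-ssh-weak": ["role-overpriv"],
    "dev-cve": ["db-plain-keys"],
    "role-overpriv": ["sg-open-internal", "secrets-in-env"],
    "sg-open-internal": ["db-plain-keys"],
}
# Tactics whose presence marks a critical asset (the page names Credential Access).
CRITICAL_TACTICS = {"Credential Access"}

def entry_points(risks):
    """Risks usable first: Initial Access tactic on an internet-facing asset."""
    return [r for r, meta in risks.items()
            if meta["tactic"] == "Initial Access" and meta["internet_facing"]]

def attack_paths(risks, edges):
    """Enumerate simple paths from each entry point to a risk on a critical asset."""
    paths = []
    def walk(node, path):
        if risks[node]["tactic"] in CRITICAL_TACTICS:
            paths.append(path)          # reached a critical asset: path complete
            return
        for nxt in edges.get(node, []):
            if nxt not in path:         # skip cycles
                walk(nxt, path + [nxt])
    for start in entry_points(risks):
        walk(start, [start])
    return paths

def choke_points(paths):
    """Rank risks by how many attack paths remediating them would break."""
    counts = Counter(risk for path in paths for risk in path)
    return counts.most_common()

if __name__ == "__main__":
    print("remediate first:", choke_points(attack_paths(RISKS, EDGES))[0])
```

In the constructed data, both internet-facing entry points funnel through the over-privileged role, so it appears in all four paths and is the risk to fix first, while the non-internet-facing Initial Access risk never starts a path.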

How is MITRE ATT&CK used in the Orca Security Platform?

Some of the specific ways that Orca uses the MITRE ATT&CK framework to help with risk prioritization and context:

  • We map and tag alerts to MITRE tactics if applicable
  • You can currently search and filter by alert labels and MITRE tactic tags
  • Orca has attack paths that use the MITRE tactics; an alert displays a visualization of the attack paths, all the way from initial access to final objective.

Leverage MITRE ATT&CK with Orca Security

Orca leverages MITRE ATT&CK in two ways: 1) to provide greater insight into threats and improve the ability to prioritize risks, and 2) to assist in responding to and investigating incidents.

Want to learn more about how Orca leverages the MITRE ATT&CK framework and Attack Path Analysis? Visit our Context-Aware Security page, watch the 2-minute video Orca Bytes: Attack Path Analysis, or read our blog on attack path analysis.

Want to get more hands on? Sign up for a Free Risk Assessment to see how quickly and easily the Orca Security Platform can help you identify and address risks.