May 19, 2022
To manage the risks in today’s threat landscape, defenders are faced with a number of day-to-day responsibilities – from investigating hundreds of security alerts, patching vulnerabilities, and threat hunting – to name a few.
Security teams use threat modeling, a key method to proactively remediating vulnerabilities and detecting active threats, to understand their adversaries’ potential techniques, tactics, and processes (TTPs).
The most popular threat modeling framework today is called the MITRE ATT&CK framework. This framework, provided by the MITRE Corporation, is structured based on common threat actor TTPs, offering a methodology for security risk management of those TTPs in the security environment.
With MITRE ATT&CK incorporated into the security strategy, defenders can use the framework for threat modeling and security attack analysis.
The MITRE ATT&CK Framework is a globally-accessible knowledge base of tactics and techniques for understanding how cyber adversaries operate.
ATT&CK stands for (Adversarial Tactics, Techniques & Common Knowledge) and has been compiled based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies, and is intended to be used by organizations as a tool to decrease their attack surface.
This framework helps organizations manage their cyber risk by understanding attacker behaviors and enhances their ability to investigate security incidents.
Gaining a better understanding of how adversaries mount attacks and using this information as additional context for prioritizing risks will better position you to improve your cyber defense posture.
The MITRE ATT&CK matrix contains a set of tactics and techniques used by adversaries to accomplish specific objectives.
These objectives are categorized as tactics in the ATT&CK Matrix. The objectives are presented in a linear fashion starting with reconnaissance and moving to the right to the final goal of exfiltration or “impact”.
Currently the different MITRE matrices look at ATT&CK tactics for enterprise, which includes Windows, Linux, Cloud security, Containers and more.
The goal is to use the MITRE ATT&CK matrices that apply to what you are interested in (for Orca they are the cloud security, Windows, Linux, and container matrices) and review the tactics and techniques at different stages of an attack and identify and manage what controls you have in place to identify, prevent, or stop an attack.
The kill chain is a way of describing how a threat actor works their way from successfully attacking a vector to securing a foothold in a target network to reach their final objective.
With that foothold, a threat actor can laterally move across the network, looking for PII and internet-facing systems to prey upon credentials and access control – perhaps in search of command and control.
Does the threat actor want to use ransomware to encrypt the network and financially extort their targeted victim? Or do they want to quickly snatch the company’s crown jewels, and sell them on the dark web?
Understanding these TTPs and final objectives can aid defenders to manage risks proactively as well as stop attacks earlier on the kill chain.
When defenders can anticipate an attacker’s next moves on the kill chain, they can remediate security gaps – ideally before an attack occurs. If it’s an active security event, security teams can use threat modeling to identify potential compromises faster for investigation and rapid remediation.
Not all threats are the same across security environments, and cybersecurity risk management requires a laser-focus on what matters most.
While vendors, particularly traditional EDR vendors, have long focused on ATT&CK as it relates to endpoints, Orca has deeply integrated this data specifically from MITRE’s cloud point-of-view.
Orca uses cloud risk research, threat intelligence, and threat modeling data from established organizations, such as MITRE, to advance our customers’ security postures.
Orca Security uses the MITRE ATT&CK framework in the following two ways to improve cloud security.
A good example of this is that Orca will tell you there is an initial access risk, which is a MITRE tactic, on an internet facing asset with a vulnerability that can be exploited through initial access.
And one of probably the most useful ways that MITRE ATT&CK is used is with attack path analysis, where you can view risks as an interrelated chain, rather than just siloed risks.
MITRE tactics are critical to understanding which combinations are a direct path to your critical assets. Security teams can operate strategically by making sure that the risks that break attack paths are remediated first.
Orca provides a visual representation of each attack path, as shown in the diagram above, along with detailed information on each attack vector.
As you can see in the diagram, every risk in the attack path is tied together using MITRE tactics from “initial” access going through different tactics like “lateral movement” all the way to an asset that has a tag like “credential access”, which is one of the tactics that designates a critical asset.
The attack path visualization includes further information and context for each step in the attack path.
In short, Orca uses attack paths to help teams remediate more strategically, improving efficiency and ensuring that the truly dangerous issues are remediated faster, which in turn helps avoid damaging attacks and data breaches.
Some of the specific ways that Orca uses the MITRE ATT&CK framework to help with risk prioritization and context:
Orca leverages MITRE ATT&CK in two ways, 1) to provide greater insight into threats and improve the ability to prioritize risks, and 2) to assist in the ability to respond to and investigate incidents.
Want to learn more about how Orca leverages the MITRE ATT&CK framework and Attack Path Analysis? Visit our Context-Aware Security page, watch the 2-minute video Orca Bytes: Attack Path Analysis, or read our blog on attack path analysis.
Want to get more hands on? Sign up for a Free Risk Assessment to see how quickly and easily the Orca Security Platform can help you identify and address risks.