What is MITRE ATT&CK®?
The MITRE ATT&CK® is a knowledge base of tactics and techniques used by adversaries to carry out cyberattacks. It describes the whole breach lifecycle from the initial stages of obtaining access through to end-game malicious activities causing damage to the victim’s environment.
The ATT&CK® framework distinguishes between tactics and techniques. Tactics are a broader term referring to the stages of an attack that describes how far the adversary has progressed into the target environment. The tactics follow in a sequence that more or less copies the usual behavior of attackers in the network.
Each tactic contains several techniques. They describe specific actions that the adversary performs in order to advance the attack.
For more information on MITRE ATT&CK®, visit the official pages.
What does it mean for ADS?
The Flowmon ADS 11.3 now assigns ATT&CK® categories to detected events to give you an understanding of what the event could mean. Simply put, the system relates a discrete anomaly that arose in your network with intelligence on globally observed adversary movements. The particular ATT&CK® category then appears in the Event detail as well as in the List of detected events.
This capability provides you with full situational awareness and enables you to quickly assess the stage of a breach, its scope, and anticipate the adversary’s next move.
How are the ATT&CK® categories assigned?
The Flowmon ADS performs a contextual analysis of the event and determines which category or even more categories matches it the most. This process has to take several different factors into account to assign the category correctly, as one event may indicate several different tactics or techniques. The assigned tactic or technique may also change over time depending on how the event evolves as new data comes in.
Where do I see the categories?
The enhancements stretch over the dashboard, reports, events, and filtering.
The dashboard is where you go for your high-level overview of your system’s security status. A new widget is available to give you a quick report on how your infrastructure is doing in MITRE ATT&CK® terms by showing the individual adversary tactics with the number/list of corresponding events below.
Figure 1 – MITRE ATT&CK® dashboard widget
The Events list features a new view option that allows events to be grouped by their belonging to an ATT&CK® tactic. This view serves to provide a more detailed view into the techniques that were used at that particular stage, facilitating a better assessment of what the attacker is attempting to achieve.
Figure 2 – Events grouped MITRE ATT&CK® technique
Both of these – the high-level widget and event groups by tactics – are also available as new chapters in reports.
Figure 3 - A report containing MITRE ATT&CK® chapters
Finally, event filtering by MITRE ATT&CK® technique is now supported. Therefore, if you are using the framework in your incident analysis workflow, this will greatly simplify and speed up the investigation.
Figure 4 – Event filtering by technique
Finally, ADS 11.3 also improves the definition of false-positive rules to make the system more tunable. You can now define the detection time together with a target filter or address, which allows you to avoid detecting false positives in situations that are known to you and take place at a specific time of the day, such as backups.
The Flowmon ADS 11.3 represents a major evolutionary step towards context-aware anomaly investigation. And a good thing, too, as context awareness is key for correct event understanding and effective mitigation.
Do you have any feedback about ADS 11.3? Let us know!