Building Detection Chart Using MITRE ATT&CK Framework
This article is about how MITRE ATT&CK Framework can be leveraged to measure current detection capability of the organization. There are significant numbers of tools out there that can achieve similar purpose. However, the goal of this article is to leverage minimum resources available to almost all the organizations to start building the detection chart.
This idea is derived from this post by Cyber Wardog. The main difference would be that the aforementioned post is focused on pro-active hunting while this post in particular is focused on how to measure current detection capability for different TTPs mentioned ( and not mentioned ) in ATT&CK Framework.
What Are TTPs ?
TTPs ( Tactics , Techniques and Procedures ) can be explained by combination of these questions :
- Why attackers is doing what they are doing ( a.k.a. goals, objectives ) ?
- What are the attackers doing ( to achieve the goals, objectives ) ?
- How are the attackers doing this ?
MITRE has explained all the TTPs from different threat actors in detail. These TTPs can be tested using atomic red team tests. So for the purpose of this article I am not going to go in the details of TTPs or atomic tests.
The How part of TTPs will be the important driver for building detection chart ( and later purple team exercises ). Atomic red team tests are a good guide to follow but as a red team operator / blue team analyst , custom tests should always be added to test detections as comprehensively as possible.
We already have what we need , WHY are we doing this ?
Even after all the above mentioned knowledge at our disposal, it becomes challenging to keep track of detected and not detected TTPs , mostly because without having the data to visualize about which of the TTPs are detected , it becomes hard to keep track of which TTPs to focus on and which not to. Also, not all the TTPs would be relevant to the environment.
Thus, we would be working on how to have that data visualization by building detection chart. In the next article , we will talk about driving purple team exercises using this chart.
WHAT do we need ?
In this article we would try to solve these to problems with tools that would be at our disposal. More often than not it would be easy to get the first three while the last one of two is probably used by almost everyone :
- Laptop with Corporate ( a.k.a. gold ) Windows Image
- Laptop with Corporate Linux Image
- Laptop with Corporate MAC Image
- MS Excel or Google Sheet
It is important that those images are corporate images which has necessary security tools installed with standard logging enabled or it would give a false baseline for tradecrafts detected.
HOW are we doing this ?
The steps can be summarized as mentioned below.
- Create a spreadsheet of TTPs
- Rule out TTPs not relevant to the environment
- Run atomic and/or custom tests. Assign appropriate detection score to TTPs
STEP I
UPDATE : You can use Detection Navigator instead of spreadsheet for Detection Chart. This spreadsheet uses old MITRE ATT&CK Framework.
Follow the steps to create spreadsheet based on the post by cyberwardog. If you choose to skip this step , I have a link to google sheet I have created which looks as shown below. The color scheme definitions are as followed and they are also mentioned in “Score Defs” Tab. You can also choose your own color schemes and score definitions which would require you to modify spreadsheet accordingly.
For the purpose of explaining color schemes , we would use example of T1197.
- Red means T1197 is not detected at all.
- Yellow means T1197 is detected but not its variations.
For example , bitsadmin is detected but not certutil. - Violet means T1197 and its all known variations are detected.
- Black means T1197 is irrelevant for this environment
For example , don’t have single windows machine so don’t need to worry about that.
STEP II
Go to Detailed Technique sheet and turn Detection Scores for all TTPs not relevant to your environment to N/A. This way you would only focus on relevant TTPs.
STEP III
Use atomic red team tests along and/or custom tests for different TTPs on laptops with corporate Windows / Linux / MAC images. After running the tests , based on the score definitions provided in STEP I , change detection score to YES / NO / SOMEWHAT.
The Scores should be assigned based on the criteria mentioned below. Let’s take T1197 as an example again.
- “No” means we don’t detect T1197 at all. It will be marked in Red.
- “Somewhat” means T1197 is detected but not its variations. It will be marked in Yellow.
For example , bitsadmin is detected but not certutil. - “Yes” means T1197 and its all known variations are detected. It be marked in violet.
- “N/A” means we have not tested T1197 ( or it is not relevant since we are a mac shop and have no windows machines ) and it will be marked in Black.
Now that you have detection scores assigned to each TTP, we will talk about how to conduct purple team exercise to build detection in the following article. We will talk about how to focus on TTPs that have score of NO or SOMEWHAT and work with your blue team such that they can capture IOCs in real time and build detections for it.
It is important to keep in mind that “detected” here means an alert is triggered for analyst to work on. If you see that activity in logs but the alert is not triggered , it means a detection rule needs to be written for that. If you can’t find it in any of the logs it means there is a visibility gap that potentially affects all endpoints / servers in the environment and those logs would be required to build detection rules. Also not all the TTPs have same severity level. So that should also be taken into account while creating detection rules.
Should you choose to automate this , you can use these scripts I have developed and modify it as per your requirements. The GitHub link for the scripts are below.
Conclusion
In conclusion , we used bare minimum resources that pretty much all the organizations have to create detection chart that can be leveraged to continuously test detection capabilities for different TTPs.
While it is a effective , to sustain this long term , it should be automated. I would like to emphasize that this concept can be modified to suite the needs of the organization starting from how to visualize it, all the way to score definitions and color schemes. But if you want to get started on measuring your current detection capabilities without spending the time solutioning it , this is a good start.