ULTRA RED & THE MITRE ATT&CK POV
“MITRE ATT&CK® is a knowledge base that helps model cyber adversaries' tactics and techniques—and then shows how to detect or stop them” (MITRE).
BACKGROUND & HISTORY
The MITRE ATT&CK knowledge base emerged in 2013 as a direct outcome of MITRE's Fort Meade Experiment (FMX), a research project that emulated both adversary and defender behavior on an instrumented network. Its core objective was to improve post-compromise threat detection through telemetry sensors and behavioral analytics. What resulted was the MITRE ATT&CK knowledge base as we know it today–a meticulously designed and continuously enriched knowledge base for classifying and understanding adversary actions.
DIGGING INTO THE TACTICS & TECHNIQUES
Tactics and Techniques
The acronym “ATT&CK” stands for Adversarial Tactics, Techniques, and Common Knowledge, and it describes exactly how the knowledge base is organized–tactic by technique.
The knowledge base is published as three matrices (counts as of this writing):
Enterprise: This Matrix covers Windows, macOS, Linux, and Cloud environments. Tactics: 14. Techniques: 196. Sub-Techniques: 411.
Mobile: This Matrix covers techniques that require device access as well as network-based effects adversaries can achieve without device access. Tactics: 14. Techniques: 66. Sub-Techniques: 41.
Industrial Control Systems: This Matrix contains a collection of behaviors adversaries have exhibited while carrying out attacks against industrial control system networks. Tactics: 12. Techniques: 81. Sub-Techniques: 0.
The matrix design is employed across three domains: Enterprise, Mobile, and Industrial Control Systems. Each domain has its own specific tactics, adversary techniques and, further, sub-techniques. Tactics are the adversary's objectives, the “why” of an action (e.g., Initial Access, Credential Access); techniques describe how an adversary achieves that objective; sub-techniques describe a more specific way of carrying out a technique (T1059.001 PowerShell is a sub-technique of T1059 Command and Scripting Interpreter). Note that a single technique can appear under several tactics, because the same action can serve more than one objective. The depth with which these matrices are written can be utilized in several different ways; we enumerate some below.
Threat hunting, threat intelligence, red/purple teaming, security engineering, and risk management teams can all act on the MITRE ATT&CK knowledge base in several ways. We document the Top 5 Use Cases below.
Enrich Threat Intelligence
Because the MITRE knowledge base is efficiently organized and continuously enriched, Threat Intelligence teams and Red/Purple teams have a reliable source upon which to study probable attack paths against their exposed attack surface, along with the documented patterns of specific threat groups (ATT&CK maps each technique to the groups and software observed using it).
Help Prioritize Threats
Security Operations teams maintaining a proactive security posture can use intelligence derived from the MITRE knowledge base to prioritize threats early in the attack chain, where stopping an adversary is cheapest. For Security teams that need threat intelligence enrichment for detections well into an attack path, the MITRE knowledge base also serves to prioritize the most important risks and proximal threats.
Red Teaming & Adversary Emulation
The techniques and sub-techniques enumerated in the MITRE knowledge base equip Red/Purple teams with intelligence about how adversaries operate so that they can build and test real-world emulation scenarios. Such emulations show Security teams how to improve defenses and fortify security controls.
Defensive Gap Assessment
The Red Teaming and Adversary Emulations described above enable Blue teams and security engineers to assess their existing security architecture for gaps, or for missing compensating controls, necessary to defend against likely threats and probable attacks. A simple form of this assessment is to map every detection rule to its ATT&CK technique and tactic and list the tactics no rule covers.
Strengthen Security Controls
For existing controls, the MITRE knowledge base helps to contextualize security control logs (e.g., SIEM, SOAR, EDR) by mapping events to techniques and tactics, so that response can be prioritized by where in the attack chain an event sits rather than by raw alert volume.
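The following is an added worked example of the three defensive use cases above (prioritizing early in the attack chain, gap assessment, and enriching control logs); it is illustrative code written for this page, not ULTRARED's or MITRE's own software. The tactic and technique IDs and names are real ATT&CK Enterprise entries, hand-copied as a small subset rather than parsed from the full STIX bundle so the script runs offline; the detection regexes and the log lines are constructed for the example and are not vetted detection rules or real telemetry.

```python
import re

# Enterprise tactics in matrix (kill-chain) order. Real ATT&CK tactic IDs.
TACTICS = {
    "TA0043": "Reconnaissance",
    "TA0042": "Resource Development",
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0011": "Command and Control",
    "TA0010": "Exfiltration",
    "TA0040": "Impact",
}
TACTIC_ORDER = {tid: i for i, tid in enumerate(TACTICS)}

# Hand-copied subset of Enterprise techniques: id -> (name, tactic ids).
# A sub-technique id carries its parent before the dot (T1059.001 -> T1059),
# and one technique can serve several tactics (T1053 below).
TECHNIQUES = {
    "T1566":     ("Phishing", ["TA0001"]),
    "T1566.001": ("Spearphishing Attachment", ["TA0001"]),
    "T1059":     ("Command and Scripting Interpreter", ["TA0002"]),
    "T1059.001": ("PowerShell", ["TA0002"]),
    "T1053":     ("Scheduled Task/Job", ["TA0002", "TA0003", "TA0004"]),
    "T1053.005": ("Scheduled Task", ["TA0002", "TA0003", "TA0004"]),
    "T1003":     ("OS Credential Dumping", ["TA0006"]),
    "T1003.001": ("LSASS Memory", ["TA0006"]),
    "T1021":     ("Remote Services", ["TA0008"]),
    "T1021.002": ("SMB/Windows Admin Shares", ["TA0008"]),
    "T1486":     ("Data Encrypted for Impact", ["TA0040"]),
}

# Hypothetical detection rules: a regex over the raw log line -> technique id.
RULES = [
    (re.compile(r"powershell(\.exe)?\s.*-(enc|encodedcommand)\b", re.I), "T1059.001"),
    (re.compile(r"schtasks(\.exe)?\s.*/create\b", re.I), "T1053.005"),
    (re.compile(r"procdump.*lsass|comsvcs\.dll.*minidump", re.I), "T1003.001"),
    (re.compile(r"net\s+use\s+\\\\\S+\\(admin|c)\$", re.I), "T1021.002"),
]

# Constructed sample endpoint telemetry, not real data.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host=ws17 user=alice cmd="powershell.exe -nop -w hidden -enc SQBFAFgA..."
2024-05-01T09:12:41Z host=ws17 user=alice cmd="schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\u.exe"
2024-05-01T09:13:10Z host=ws17 user=alice cmd="notepad.exe C:\\Users\\alice\\notes.txt"
2024-05-01T09:15:22Z host=ws17 user=alice cmd="rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 712 C:\\temp\\l.dmp full"
2024-05-01T09:18:05Z host=ws17 user=alice cmd="net use \\\\fs01\\C$ /user:corp\\svc_backup"
"""


def parent_of(tid):
    """T1059.001 -> T1059; a parent technique maps to itself."""
    return tid.split(".", 1)[0]


def enrich(line):
    """Tag one log line with the first matching rule's technique, its parent
    technique and tactic(s). Returns None when no rule fires."""
    for rx, tid in RULES:
        if rx.search(line):
            name, tactics = TECHNIQUES[tid]
            parent = parent_of(tid)
            return {
                "line": line,
                "technique": tid,
                "technique_name": name,
                "parent": parent,
                "parent_name": TECHNIQUES[parent][0],
                "tactics": list(tactics),
                # earliest kill-chain stage this technique can represent
                "stage": min(TACTIC_ORDER[t] for t in tactics),
            }
    return None


def enrich_log(text):
    """Enrich every line and order hits earliest-stage first: the 'prioritize
    early in the attack chain' view, since stopping Execution beats stopping Impact."""
    hits = [e for e in (enrich(l) for l in text.splitlines()) if e]
    return sorted(hits, key=lambda e: e["stage"])


def uncovered_tactics(rules=RULES):
    """Gap assessment: tactics in the kill chain that no rule can ever surface."""
    covered = set()
    for _, tid in rules:
        covered.update(TECHNIQUES[tid][1])
    return [name for tid, name in TACTICS.items() if tid not in covered]


if __name__ == "__main__":
    for e in enrich_log(SAMPLE_LOG):
        stages = "/".join(TACTICS[t] for t in e["tactics"])
        print(f'{e["technique"]:10} {e["technique_name"]:26} [{stages}]  {e["line"][:48]}')
    print("no detection coverage for:", ", ".join(uncovered_tactics()))
```

Run as a script it prints the four matched events ordered Execution, Execution, Credential Access, Lateral Movement, with the benign notepad line dropped, and then lists the nine tactics these four rules never observe. In a real deployment the technique table would come from the published ATT&CK STIX data and the rules from the SIEM or EDR, but the shape of the enrichment and the coverage report is the same.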
ULTRARED’s Continuous Threat Exposure Management platform applies the MITRE ATT&CK knowledge base to enable the top use cases described above, assisting with threat visibility, vulnerability validation, and security control validation.
ULTRARED inventories discovered assets and initiates the vulnerability detection process to enrich asset information with threat intelligence on potential exposures and known threat vectors related to each asset. During in-platform discovery scans, the MITRE ATT&CK knowledge base is combined with various open-source and proprietary threat intelligence sources to uncover evidence-rich, exposed assets. ULTRARED scans uncover instances of account compromise across the web (i.e., clear, deep, dark), on social media, and in app marketplaces. Asset risks are organized into categories such as outdated technologies, misconfigurations, compromised accounts, risk score, present and non-present technologies, and remediation status. With the help of powerful “out of the box” filtering tools, timelines, and built-in facilities to document changes, assets can be managed, prioritized, and remediated with ease.
The ULTRARED Vulnerability Management (VM) tools discover, filter, analyze, prioritize, and validate all of your asset vulnerabilities with automated recursive discovery. When combined with continuous threat intelligence enriched by MITRE ATT&CK knowledge, ULTRARED VM filters out your false positives and generates immediate, defensible, and actionable policy remediations. ULTRARED’s vulnerability scanner not only uncovers known public vulnerabilities but also covers a wide range of proprietary scanning findings and an industry-leading repository of Darknet-based vulnerabilities. This allows an organization to keep up with the latest security updates and configurations and to test them with ease.
ULTRARED’s Breach and Attack Simulation (BAS) uses MITRE’s ATT&CK knowledge base, among various threat intelligence resources, to equip red/purple teams with intelligence about how adversaries operate so they can build and test real-world emulation scenarios. ULTRARED’s Continuous Threat Intelligence (CTI) tools test your perimeter defenses against all of your known internet-based threat vectors in a safe and secure environment. Together, they enhance the correlation between documented attack techniques and threat actors for clarity and probable attribution, and assist with prioritizing threats early in the attack chain as well as detections well into an attack path. Users receive all the accompanying intelligence - impacts, external references, an actionable remediation list with steps, and POCs - to remediate their top vulnerability priorities. All detected weaknesses are validated without impacting the scanned system and its security infrastructure and controls, ensuring production system continuity.
ULTRARED empowers Security teams to action the MITRE ATT&CK knowledge base across its Continuous Threat Exposure platform to predict and prevent likely threats before they happen.
To learn more about ULTRARED, visit us at: https://www.ultrared.ai/