Incident responders work much like police detectives or journalists, finding the who, what, when, why, and how of incidents before they can take action to resolve the issues. One tool that helps responders deal with incidents after they have occurred and positions organizations for better defense in the future is the widely used MITRE ATT&CK framework (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge).

The ATT&CK framework is used as a cyber threat intelligence tool during or after an incident to identify the relevant adversary and reveal the appropriate mitigations. A recent example comes from McAfee, which used ATT&CK in a case that initially started as an investigation into a suspected malware infection but ended with the surprise discovery of a long-term cyberattack by two Chinese threat groups, APT27 and APT4.

MITRE ATT&CK draws on a detailed knowledge base of adversary tactics and techniques based on real-world observations. Essentially, the ATT&CK framework deals granularly with the who, what and why of an attack.

Another framework used by incident responders is the Vocabulary for Event Recording and Incident Sharing (VERIS), a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. It is used, among other things, to categorize the incidents and breaches that appear in Verizon's widely read annual Data Breach Investigations Report (DBIR).

VERIS is a broader and higher-level framework than ATT&CK, and it is backed by an open and free repository of publicly reported security incidents. It gives incident responders the when and how of an attack.

Last month, Verizon and the Center for Threat-Informed Defense, a nonprofit research and development organization funded by the private sector and operated by MITRE Engenuity, an R&D foundation founded by MITRE, announced a "mapping layer and translation between VERIS and ATT&CK that allows the use of ATT&CK to describe the adversary behaviors that have been observed during an incident coded in VERIS."

Bidirectional mapping is the goal

Both organizations want this connection between ATT&CK and VERIS to provide a "bidirectional mapping" that links the behaviors adversaries use to attack systems with demographics and metadata, in the hope of giving organizations better defenses aligned with the latest threats. "Although VERIS is relatively popular and quite useful, it does not have the kind of high-profile visibility that something like ATT&CK provides," Alex Pinto, senior manager of the Verizon DBIR team, told CSO. Nonetheless, VERIS functions as a useful policy tool, and security leaders often use it to communicate with the board, he says.

"But [VERIS] does not help the defender with the details. ATT&CK is good on a practical level, but it lacks the coverage of VERIS. VERIS doesn't just deal with real 'cyberattacks' like hacking and malware. We are also concerned about the misuse and theft of devices."

So MITRE Engenuity and Verizon decided to link the two to make them work together more effectively. "We think it would be a huge win for the information security community," Pinto said.

ATT&CK/VERIS collaboration available on GitHub

The goal is to enable defenders to create a more detailed picture of cyber incidents, encompassing threat actor, technical behavior, targeted assets and impact. The mapping created by this collaboration is available on GitHub for all defenders and incident responders.
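What a translation layer between the two vocabularies does in practice, as an added example that is not the Center's own code and does not reproduce the contents of its GitHub mapping: a small constructed VERIS-to-ATT&CK table (the pairs are illustrative assumptions) applied in both directions, with a VERIS-only action such as device theft left unmapped because ATT&CK has no counterpart for it.

```python
from collections import defaultdict

# Illustrative mapping pairs (assumption: NOT the real MITRE Engenuity /
# Verizon mapping). One VERIS enumeration may map to several ATT&CK
# techniques and vice versa, so both lookup indexes hold sets.
MAPPING_PAIRS = [
    ("action.social.variety.Phishing", "T1566"),
    ("action.hacking.variety.Exploit vuln", "T1190"),
    ("action.hacking.variety.Exploit vuln", "T1203"),
    ("action.hacking.variety.Brute force", "T1110"),
    ("action.malware.variety.Ransomware", "T1486"),
]

def build_indexes(pairs):
    """Build the VERIS->ATT&CK and ATT&CK->VERIS lookups from one pair list."""
    veris_to_attack, attack_to_veris = defaultdict(set), defaultdict(set)
    for veris, tech in pairs:
        veris_to_attack[veris].add(tech)
        attack_to_veris[tech].add(veris)
    return veris_to_attack, attack_to_veris

def veris_enums(incident):
    """Flatten a VERIS-style 'action' object into dotted enumeration names."""
    return [f"action.{category}.variety.{value}"
            for category, body in incident.get("action", {}).items()
            for value in body.get("variety", [])]

def to_attack(incident, pairs=MAPPING_PAIRS):
    """VERIS-coded incident -> (sorted ATT&CK IDs, VERIS enums with no match)."""
    fwd, _ = build_indexes(pairs)
    techniques, unmapped = set(), []
    for enum in veris_enums(incident):
        if enum in fwd:
            techniques |= fwd[enum]
        else:
            unmapped.append(enum)  # e.g. physical theft: VERIS-only coverage
    return sorted(techniques), unmapped

def to_veris(technique_ids, pairs=MAPPING_PAIRS):
    """ATT&CK technique IDs -> sorted VERIS enumerations (reverse direction)."""
    _, rev = build_indexes(pairs)
    return sorted({v for t in technique_ids for v in rev.get(t, ())})

# Constructed incident record in VERIS shape: phishing, exploitation,
# ransomware, plus a stolen device that ATT&CK has no technique for.
INCIDENT = {"action": {
    "social": {"variety": ["Phishing"]},
    "hacking": {"variety": ["Exploit vuln"]},
    "malware": {"variety": ["Ransomware"]},
    "physical": {"variety": ["Theft"]},
}}
```

Running `to_attack(INCIDENT)` yields the four technique IDs plus the theft action reported as unmapped, which is exactly the coverage gap between the two frameworks that the article describes.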

"We decided to make it as smooth as possible," Richard Struse, director of the Center for Threat-Informed Defense at MITRE Engenuity, told CSO. "We've posted it on the center's website, and there's a corresponding GitHub repository. We're not trying to track or control who's using it."

"It's a building block. It's a bridge that allows two communities that each do valuable work to now connect the work they do in a powerful and truly effective way," says Struse. "What we hope to do is let the community know that this resource is available and that it is available for free. They can grab it and use it today to either add more technical detail to their VERIS-centric worldview or take it and add more of that more strategic-level information if they are in some way ATT&CK-centric."

A lingua franca for communicating about security incidents

While it's not yet clear how the integration between the two frameworks would bring practical benefits to defenders or incident responders, Pinto believes a key benefit would be providing a lingua franca for communicating about incidents. "It becomes a lot easier to understand end-to-end the flow of that kind of contextualization. 'I should do this to be protected from that' becomes so much simpler," he says.

Basically, the two frameworks, and the integration of the two, formalize what incident responders and defenders do all the time anyway. These models offer a more logical and systematic approach to this type of work, Pinto explains. "It's something everyone has to do anyway. You're always trying to figure out, 'Okay, am I spending my money or my time safely on the things I should be doing?' It's something that everyone has to do in some way; most of the time you're trying to guess whether what you are defending against is what you should be defending against."

The VERIS-ATT&CK mapping "is the dictionary," Pinto says. "This is your translation dictionary, so you really don't have to think about it."

Copyright © 2021 IDG Communications, Inc.
