MITRE ATT&CK, SIEM, and SOC Work Together for Better Security
Internet-based attacks on data networks employ an overwhelming variety of methods. Advanced persistent threats (APTs) exploit every possible weakness in their attempts to steal private data and use targeted systems for their own ends. New threats constantly appear, and old ones change to evade detection.
Even small business networks consist of more than a handful of machines. They all have different operating systems, applications, configurations, Internet connections, and roles. The information from all of them needs to come together intelligently to provide an overall security picture. Integrating so much information is beyond unaided human capabilities.
System and application logs are valuable, but the occasional indicator of a dangerous event is buried in thousands of lines of routine messages. IT managers have long recognized the need for software to coordinate information, identify significant events, and call administrators’ attention to threats. At the same time, they have to avoid a barrage of alerts if administrators are going to pay attention. They need to have the information boiled down to a form they can use.
Organizations that count system security as a major issue need a comprehensive approach to maintain it. For many of them, including those dealing with finance and health care, maintaining a strong level of security is necessary for compliance with regulations and industry standards. A three-part approach consisting of the MITRE ATT&CK framework, SIEM software, and a security operations center (SOC) brings together the necessary elements that serious security requires.
Let’s take an in-depth look at how MITRE ATT&CK, SIEM, and SOC work together to make organizations and businesses more secure.
Cyber defense with SIEM
SIEM (security information and event management) software is built to meet these needs. It combines and correlates information from diverse sources on a network. The software analyzes that information and generates two kinds of information:
- It provides periodic reports on potentially hostile activity. These reports serve as a guide for strengthening security.
- It issues alerts when it detects active security issues. The cybersecurity team needs to look at what has happened and decide if they need to take action.
A SIEM system is one leg of a tripod for automated threat detection and remediation. To work well, it needs two supporting factors.
The first is a knowledge base of tactics, techniques, and procedures (TTPs). This information lets the software connect anomalous behavior to specific threats and identify the appropriate remedies. The second is a knowledgeable and experienced security operations center or SOC. Machines can’t do it all. Human intelligence and intuition are necessary to tell real threats from false alarms and to choose the best approach. Most breaches involve human error, and they require responsible reporting. A SOC is necessary for communicating issues to management and promoting strong security practices.
Early SIEM software was generally deployed on-premises. The trend today is to deploy it as a cloud service. That way it’s easier to keep up to date, and it can scale to deal with high-intensity hostile activity. Its functions include the following:
- Data aggregation from multiple sources
- Correlation of these sources
- Use of threat intelligence to match data to threats
- Monitoring of traffic metrics for abnormal activity
- Measuring the severity of threats
- Determining whether issuing an alert is warranted
- Initiating automatic responses to threats
SIEM and ATT&CK
A SIEM system needs a solid base of information to achieve these goals. It needs to categorize threats, correlate activities that are part of the same threat, and provide specific information in its alerts. For example, there’s some value in detecting an SQL injection attack. To be really useful, though, the software should identify an attack pattern, its objective, and any available remediation. That allows an automated response or gives administrators enough information to take action.
Providing this level of information requires a thorough, regularly updated knowledge base with enough information to pinpoint the tools, techniques, and tactics used. BitLyft integrates its SIEM as a service (SIEMaaS) with the MITRE ATT&CK framework to generate detailed information about the threats that it discovers.
ATT&CK is a knowledge base that focuses on APTs. It lists 11 tactics that threat actors use, such as initial access, lateral movement, and defense evasion. Under each tactic, it lists techniques — methods by which adversaries try to reach their tactical goal. Each technique has a description and a list of mitigations to go with it.
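The tactic, technique, and mitigation structure described above is published by MITRE as STIX 2.x objects, which is the form software consumes. The following added example (not BitLyft's or MITRE's code) walks a small constructed bundle and builds the tactic-to-technique-to-mitigation lookup a SIEM would need; the object IDs and the revoked placeholder entry are made up for illustration.

```python
from collections import defaultdict

# Constructed bundle in the STIX layout ATT&CK uses; object ids are made up.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Phishing",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "Remote Services",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1021"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Placeholder", "revoked": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "course-of-action", "id": "course-of-action--0001", "name": "User Training",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
    {"type": "course-of-action", "id": "course-of-action--0002", "name": "Multi-factor Authentication",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
    {"type": "relationship", "id": "relationship--0001", "relationship_type": "mitigates",
     "source_ref": "course-of-action--0001", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "id": "relationship--0002", "relationship_type": "mitigates",
     "source_ref": "course-of-action--0002", "target_ref": "attack-pattern--0002"},
]}

def attack_id(obj):
    """Return the ATT&CK ID (T.../M...) stored in external_references."""
    for r in obj.get("external_references", []):
        if r.get("source_name") == "mitre-attack":
            return r.get("external_id")
    return None

def techniques_by_tactic(bundle):
    """Map tactic -> techniques with mitigations, skipping revoked entries."""
    objs = {o["id"]: o for o in bundle["objects"]}
    mitigated_by = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "mitigates":
            coa = objs.get(o["source_ref"])
            if coa:  # ignore relationships pointing at objects not in the bundle
                mitigated_by[o["target_ref"]].append(f"{attack_id(coa)} {coa['name']}")
    result = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        for phase in o.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                result[phase["phase_name"]].append(
                    {"id": attack_id(o), "name": o["name"],
                     "mitigations": sorted(mitigated_by[o["id"]])})
    return dict(result)
```

Filtering on `revoked` and `x_mitre_deprecated` matters in practice: without it, alerts can cite technique entries that the knowledge base has since retired or merged.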
There was a time when looking at file names and headers allowed the identification of a threat and led straight to a technique that would remove it. Today the job is much harder. Breaking into computer systems offers large returns, and criminals have invested heavily in making their attacks hard to detect.
The emphasis is now on recognizing patterns of hostile activity rather than bit patterns. A threat encompasses multiple tactics and techniques. Often, it uses a “cyber kill chain” approach, going through multiple phases to achieve its ultimate goal. It uses deception or software vulnerabilities to gain initial access. Then it conceals itself after getting a foothold. Once in the network, it migrates from one machine to another while concealing its presence. It’s necessary to identify and eradicate the whole chain to be sure that the threat is completely eliminated. Otherwise, it may lurk undetected, like a cancer that hasn’t been completely removed and can reactivate itself later on.
Websites, articles, and lists often have different names for the same tactics and techniques. ATT&CK offers a widely accepted standard terminology. It has been used for developing threat models and methodologies. When SIEM reports consistently use the ATT&CK classifications, IT teams can understand the information more easily.
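To illustrate correlating activity into one chain and reporting it in ATT&CK terms, here is an added example (not code from BitLyft or any SIEM product). It links hosts joined by remote logons, labels each event with an ATT&CK technique and tactic, and raises an alert only when a chain spans several tactics; the rule names, host names, events, and the three-tactic threshold are assumptions made for the example.

```python
from collections import defaultdict

# Hypothetical SIEM rule names mapped to ATT&CK technique IDs and tactics.
RULE_TO_ATTACK = {
    "mail_macro_attachment": ("T1566", "initial-access"),
    "script_interpreter_spawn": ("T1059", "execution"),
    "event_log_cleared": ("T1070", "defense-evasion"),
    "remote_service_logon": ("T1021", "lateral-movement"),
    "password_guessing": ("T1110", "credential-access"),
}

# Constructed events: (time, host, rule, destination host for remote logons).
EVENTS = [
    (1, "ws-14", "mail_macro_attachment", None),
    (2, "ws-14", "script_interpreter_spawn", None),
    (3, "ws-14", "event_log_cleared", None),
    (4, "ws-14", "remote_service_logon", "db-02"),
    (5, "db-02", "script_interpreter_spawn", None),
    (6, "kiosk-3", "password_guessing", None),
]

def correlate(events, min_tactics=3):
    """Return (alerts, report): chains with >= min_tactics tactics are alerts."""
    parent = {}
    def find(h):  # union-find root lookup with path compression
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h
    for _, host, _, dst in events:
        find(host)
        if dst:  # lateral movement ties the destination host into the same chain
            parent[find(dst)] = find(host)
    chains = defaultdict(list)
    for t, host, rule, _ in sorted(events, key=lambda e: e[0]):
        tech, tactic = RULE_TO_ATTACK[rule]
        chains[find(host)].append((t, host, tech, tactic))
    alerts, report = [], []
    for steps in chains.values():
        tactics = list(dict.fromkeys(s[3] for s in steps))  # distinct, in time order
        entry = {"hosts": sorted({s[1] for s in steps}),
                 "techniques": [s[2] for s in steps], "tactics": tactics}
        (alerts if len(tactics) >= min_tactics else report).append(entry)
    return alerts, report
```

On the sample data the four-tactic chain across ws-14 and db-02 becomes a single alert naming both hosts, while the isolated password-guessing event on kiosk-3 goes to the periodic report.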
ATT&CK enumerates threat groups and the tools and malware that they use. Groups may be disciplined organizations funded by national governments, or they may be loose confederations of people who don’t know each other’s names and faces. What defines a group is a unified focus on certain attack methods. Identifying its characteristic mode of operation is a major step toward pinpointing and defeating the intrusion.
The role of the SOC
While going deep into the identification of techniques and tactics, IT managers can’t forget the human element. Most successful attacks take advantage of human errors, such as these:
- Weak and reused passwords
- Failure to change default settings
- Granting more privileges than necessary to low-level accounts
- Neglect of software updates
- Insecure communication of sensitive data
- Loss or theft of mobile devices
- Falling victim to a phishing attack
The automated aspect of security requires human management as well. The tuning of the SIEM so that it strikes the right balance between false positives and missed concerns requires judgment and experience. The prioritization of security issues depends on an understanding of what is most important and most likely to be attacked.
How the SOC operates
Many organizations use a security operations center to monitor, analyze, and manage their security systems. The center is a command post for the defense of the network. A typical SOC team reports to the CISO and consists of a manager, some engineers and analysts, and an incident response team. The analysts review the SIEM reports to identify weak points and potential threats. When they discover areas that need improvement, they give their analysis to the engineers, who will correct problems and reduce risks as much as possible.
The incident response team goes into action when an intrusion is discovered. Time is of the essence when dealing with a security incident, and the response team has to be ready to act at any hour of day or night. The faster they can fix the problem, the less harm it will do. A threat that is left unchallenged for too long can bankrupt a business.
After the response team has eliminated the immediate danger, it gives a report to the analysts. The analysts and the engineers then look into what allowed the incident to happen and correct the relevant weaknesses. Mitigation may include recovering lost data and restoring systems to a known good state.
Important as agile responses are, prevention is better than reaction. The SOC team needs to keep up on threat intelligence and keep the network defenses updated to handle whatever threats are likely to come next.
What the SOC is not
The SOC handles day-to-day security concerns. It doesn’t set policies or determine high-level strategies, though it may make recommendations. The choice of security systems, the issuing of policies, and the training of employees in security awareness come out of higher-level decisions.
Network configuration is important to the protection of key systems, and it falls outside the SOC’s realm. The SOC team needs to communicate regularly with the network managers to understand where the most important assets are and how the architecture protects them. The analysts can point out weaknesses and make recommendations for hardening the network. The team doesn’t update applications and operating systems, but it will point out vulnerabilities tied to outdated software.
For example, a WAF is an important part of a network’s protection. The network administrators configure it, but the security operations analysts may identify vulnerabilities that the WAF needs to address. Other aspects of network protection involve similar coordination.
SOC as a service
Retaining an in-house SOC is a serious investment. It requires multiple specialists and a response team who are on call around the clock. Unless a business is very large or is focused primarily on Internet operations, the cost may be prohibitive.
An alternative that is better suited to many organizations is to outsource the SOC to a managed security services provider. The MSSP lets customers share the cost, making a top-quality SOC more affordable.
BitLyft provides a range of operational SOC security services based on the customer’s needs and budget. The required level of service will depend on the complexity of the network and the level of security the organization needs. A company performing classified government work needs tighter security than one selling consumer merchandise, and the appropriate service level will vary accordingly.
The tripod: ATT&CK, SIEM, and SOC
The three service components discussed here form a tripod; each one has an essential role in operational security. The ATT&CK matrix provides the underlying information for identifying and classifying potential hostile actions. By itself, though, it’s difficult to use. The number of techniques and sub-techniques is huge. The lists of adversary groups and software are constantly updated. It requires considerable experience and study to use it effectively.
For many purposes, software can use that information more effectively than people — even specialists — can. The SIEM system uses that information to recognize the occurrence of these actions and counter them. Finally, the SOC analyzes and acts on SIEM reports and alerts to manage network security, communicate with the organization, and take the steps to report and eliminate threats.
The MITRE ATT&CK framework is designed for use by both human readers and software systems. SIEM systems can use its API to query for information about patterns of action and zero in on specific threats and solutions. The security team uses the MITRE ATT&CK Navigator to drill down interactively for information. It can review the list of techniques that could implement a tactic, or it can check hypotheses about the tools an attacker is using.
Updates to the ATT&CK matrix keep the analysts informed of new threats. They can compare this information against the current defensive measures and recommend updates and configuration changes to keep the defense strong.
Even the best security experts can’t keep a network safe without sophisticated software to monitor it and automatically identify threats. At the same time, no security software can run on autopilot without human expertise to oversee it and set priorities. Security specialists and protective software both need continually updated threat intelligence to know what to look for.
Not every alert from a SIEM represents a serious threat. Alerts are based on departures from a baseline, and sometimes spikes or unusual access patterns occur for legitimate reasons. While the SIEM will be tuned to minimize false positives, it’s ultimately the job of security specialists to decide if a problem is real or not and which ones to give the highest priority.
All three pieces — MITRE ATT&CK, SIEM, and SOC — are necessary. The ATT&CK framework provides vital information for analysis of threats, but without security experts and state-of-the-art software to take advantage of everything it provides, an IT department can’t use it to its full potential. The tripod of ATT&CK, SIEM, and SOC gives full support to a security strategy and does the best job of holding off threats.