As the Director of Threat Operations at Deepwatch, I lead our Detection Engineering team, responsible for the enablement and deployment of our detections to customers. This also includes our Security Content Management team, which manages all of the alert detections that we create at a global scale rate.
We focus on the MITRE ATT&CK framework because it is the best standard available to measure detection coverage in your security operations center. MITRE is not industry specific, and it’s used for both government and private sector organizations. As the name says, MITRE is attack-based, it maps an attacker’s perspective.
MITRE is comprised of tactics and techniques that an adversary could take to launch an attack on your network. Whether that’s data exfiltration, ransomware, or email compromise — all of those things are covered within the framework and MITRE breaks down all of the various ways and stages that those types of attacks can occur. At Deepwatch, we base our detections on MITRE because it is the most effective way to approach detections.
Changing Threat Tactics and Techniques
MITRE is a dynamic, constantly evolving framework. The MITRE community is constantly updating that framework, primarily on a bi-annual basis. They have also developed those frameworks to apply to the Internet of Things (IoT) space and, more recently, the Artificial Intelligence (AI) space.
As new tech, tactics, and techniques emerge based on successful attacks happening, and as networks expand and more people move to cloud, there will be new attacks that will be developed against those types of networks or those types of areas that need to be safeguarded. Detection teams have to quickly identify new vulnerabilities, and not every security team has the resources to keep up.
AI is a great example of the threat landscape expanding. Today we’re not just defending cloud networks, we’re not just defending on-prem networks, we’re not just defending traditional networks. We are not just defending networks. We now have to defend this new landscape, where new tools are created every day.
NIST vs MITRE in Detections
NIST, as another example, is more of a program framework, and covers the entire scope of cybersecurity. Detection is one piece of NIST, but there are also prevention, incident response, and now even governance. In Detections, we go beyond NIST direction on detection, focusing on MITRE ATT&CK to go really deep into the types of tactics and techniques that can be utilized. An organization then has a roadmap in SecOps, one that shows where they are most vulnerable, which data is most valuable–the crown jewels–and how to spot the latest attacks.
Using ATT&CK we anticipate the most relevant tactics and techniques that MITRE catalogs, building detections on what can be seen in the wild. We develop detections to cover these types of tactics and techniques so that we have the relevant and necessary alerts to take actions.
Detections and the SOC
There are a lot of different teams that comprise a SOC. Detection Engineers, the Content Engineering team, they’re all engineering detections. There are also human Analysts, and Threat Hunters. So all of these teams are all focused on the detection aspect of a SOC. In the case of Deepwatch, you have a team that is developing detections with customers, understanding what their challenges are, what their “crown jewels” of data and systems are, then developing a detection roadmap they can execute together.
Not Just Alerts
Detection creation is not just about creating and fine tuning alerts. There are many different ways that a detection can be developed. It can be developed into a targeted hunt, or it can be developed into a correlation based alert. It can be developed into a single source alert. A single source alert example would be Mimikatz, to look for signs of Mimikatz. A correlation based alert looks at a full attack chain, looks for patterns and anomalies across the various MITRE ATT&CK tactics, then sends detail on an attack chain to an analyst for review. Here they’re looking at multiple detections of compromise to see their impact on other areas of vulnerability.
Threat Hunting and Intelligence
Detection engineers focus on what we call the “known knows,” whereas the threat hunting team focuses on “known unknowns.” Based on intelligence, the threat hunting team can make that intelligence actionable by hunting for different types of MITRE ATT&CK tactics and techniques based on relevant intelligence of what is happening, what is being exploited, and what attackers are attempting to do in the wild. That intelligence and ATT&CK details behind a detection come together in our Security Center.
It’s very difficult to paint an investigation with a broad brush set that makes sense. It takes the collaboration of detection engineers, analysts, threat hunters, every role that makes up the SOC. Working with Deepwatch, within the managed detection and response service are people creating detections, based on the MTIRE ATT&CK framework, whether that’s via a detection engineer or a threat researcher that becomes a threat hunt, a threat detection, and ultimately turns into a meaningful alert.
Threat intelligence is the basis for everything we do in cyber operations. So from our threat, intelligence flows our detections, whether via alerts or via the necessary hunting grounds that a threat hunter is going to search. As intelligence emerges, there is urgency behind findings that requires immediate action.
Deepwatch Detections
Deepwatch customers get all of the innovation that you would expect from a modern SOC, and all of those advances. In addition, they have a detection engineer who partners with them on their detection roadmap. Combined with data from our customers and our own curated playbooks, we help them identify and prioritize detections based on their unique environment and use cases.
As your security expert, we understand the data customers need for detection coverage. We provide a team of analysts that are able to act on timely and actionable intelligence for the customer. We perform investigations and find what could potentially be true bad in a customer environment.
A threat hunter could find a vulnerability or a misconfiguration, two things that could lead to an attack. They then have the time to perform those deep dive investigations and provide intel to the customer, so that they can make the necessary changes to ensure that they’re now protected from those types of attacks in the future.
Global Detections
Deepwatch can deploy coverage to those types of areas at scale. So for example, a few years ago there were many businesses or entities impacted by the Log4J vulnerability. We were able to use our intelligence team to quickly gather all the indicators of compromise associated or seen having been exploited in that type of vulnerability and deploy coverage to our customers. We have the resources, the expertise, and time to address these kinds of urgent responses.
If you don’t have an understanding of your landscape, it creates huge gaps in your ability to detect the true bad. MITRE is always changing, always in review. Understand that as the threat landscape increases, as attacks become more complex and interconnected, it is difficult to see the complete picture.
This is not an easy task for any organization, but you do need to know your asset and identity coverage before you can really start developing a detection plan. What are your network boundaries? What are the vulnerable areas? Where do, as I mentioned, your crown jewels by in order to start developing a detection strategy? Once you have that information, then you can take the wider attack framework and start applying it to your organization.
Detection is multifaceted. It isn’t just one to one alerting. You have to layer in correlation. You have to understand what you know, given your team of analysts, and the right alerting level for your team to be effective. Also consider the benefits of converting detection into hunting grounds for a threat team in order to have a well balanced SOC.
Correlations
Correlation based learning is what we call our Dynamic Risk Score. We essentially perform correlation based alerts or dynamic risk values. We will see a number of individual events that we think could lead to a security incident. With these correlations we can see highly suspicious chains of alerts instead of just presenting one alert without additional context to an analyst. This provides them a fuller picture of the attack chain, or pattern that an analyst can then take and investigate.
They may actually see that we have an attack pattern playing out within your network. Swift action needs to be taken in order to stop it. An example would be a security alert creation on its own. Security groups are created in networks throughout a company’s normal course of business. But if you take that security group creation and are able to correlate with other alerts, maybe an EDR alert, some unusual admin activity potential, a lateral movement, so not just a group created, but we see that there has been some privilege escalation of accounts going on, we recontextualize the alert with additional enrichment.
Future Detections and the SOC
When we consider what it means to be cyber resilient from a detection standpoint, we must move away from viewing detection coverage through the prism of alerting alone and consider all the threat detection components of a SOC. Security teams should be driving solutions on how these components would best be suited to provide effective detection coverage across the MITRE ATT&CK framework. With the trends around transition to cloud and emergence of AI, threat landscapes are as in flux as they have ever been and will continue to pose new and unknown challenges for data security.
Carolyn Terranova is the Director of Threat Operations at Deepwatch, which oversees threat lifecycle management across Vulnerability, Threat Hunting and Threat Detection. She has held several security roles in investigations, analysis and detection, with over 5 years of operations experience at Deepwatch.
Share