{"id":19010,"date":"2022-05-11T08:00:40","date_gmt":"2022-05-11T16:00:40","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/11\/news-12743\/"},"modified":"2022-05-11T08:00:40","modified_gmt":"2022-05-11T16:00:40","slug":"news-12743","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/11\/news-12743\/","title":{"rendered":"Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&#038;CK\u00ae matrix evaluation for defenders"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Wed, 11 May 2022 16:00:00 +0000<\/strong><\/p>\n<p>The <a href=\"https:\/\/ctid.mitre-engenuity.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Center for Threat-Informed Defense<\/a>, Microsoft, and other industry partners collaborated on a <a href=\"https:\/\/ctid.mitre-engenuity.org\/our-work\/top-attack-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\">project<\/a> that created a repeatable methodology for developing a top MITRE ATT&amp;CK\u00ae techniques list. The method aims to facilitate navigation of the <a href=\"https:\/\/attack.mitre.org\/?msclkid=54cd021dc4b511ec89b26e4b6f39ec2f\" target=\"_blank\" rel=\"noreferrer noopener\">ATT&amp;CK framework<\/a>, which could help new defenders focus on critical techniques relevant to their organization\u2019s environment, and aid experienced defenders in prioritizing ATT&amp;CK techniques according to their organization&#8217;s needs.<\/p>\n<p>The ATT&amp;CK framework provides an extensive list of specific techniques that may be challenging to navigate in certain situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. 
For example, using research on 22 ransomware attacks, the repeatable methodology led to the identification of the top 10 ransomware techniques list.<\/p>\n<p>The project also included the development of a <a href=\"https:\/\/top-attack-techniques.mitre-engenuity.org\/calculator\" target=\"_blank\" rel=\"noreferrer noopener\">customizable, web-based calculator<\/a> that seeks to prioritize techniques based on a defender\u2019s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:<\/p>\n<ul>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/\" target=\"_blank\" rel=\"noreferrer noopener\">Command &amp; Scripting Interpreter (T1059)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1053\/\" target=\"_blank\" rel=\"noreferrer noopener\">Scheduled Task\/Job (T1053)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/\" target=\"_blank\" rel=\"noreferrer noopener\">Impair Defenses (T1562)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1021\/\" target=\"_blank\" rel=\"noreferrer noopener\">Remote Services (T1021)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1543\/\" target=\"_blank\" rel=\"noreferrer noopener\">Create or Modify System Process (T1543)<\/a><\/li>\n<\/ul>\n<p>This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization&#8217;s unique environment. 
This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.<\/p>\n<h2>Establishing the top ATT&amp;CK techniques<\/h2>\n<p>The methodology for identifying the top ATT&amp;CK techniques factored in three attributes to determine the significance of a technique: prevalence, choke point, and actionability.<\/p>\n<p><strong>Prevalence<\/strong> is the frequency of specific ATT&amp;CK techniques used by attackers over time. A higher frequency of a technique indicates a higher likelihood of it being used in multiple attack scenarios. Therefore, there\u2019s a higher chance of encountering a technique with a high prevalence ranking. Prevalence was determined using <a href=\"https:\/\/ctid.mitre-engenuity.org\/our-work\/sightings\/\" target=\"_blank\" rel=\"noreferrer noopener\">the Center\u2019s Sightings Ecosystem<\/a> project from April 2019 to July 2021, which registered 1.1 million encounters of attacks across 184 unique ATT&amp;CK techniques. Including prevalence as a criterion aims to cover more attacks with fewer techniques.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"287\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-1-Attacks-over-time-627ad76ff17a7.png\" alt=\"A histogram that presents the number of attacks observed from January 2019 to April 2021, to show prevalence. This chart is originally from the MITRE Sightings Ecosystem project.\" class=\"wp-image-113829\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-1-Attacks-over-time-627ad76ff17a7.png 720w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-1-Attacks-over-time-627ad76ff17a7-300x120.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><figcaption>Figure 1. 
Attacks over time (MITRE Sightings Ecosystem Project)<\/figcaption><\/figure>\n<p><strong>Choke points<\/strong> are techniques that disrupt an attacker because they are a point of convergence or divergence. In real-world incidents, choke points manifest as one-to-many or many-to-one behaviors or steps in the attack. The inclusion of this criterion aims to identify the critical techniques that can help link activity throughout attack chains.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"936\" height=\"530\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-2-MITRE-ATTCK-Technique-Process-Injection-T1055.jpg\" alt=\"A diagram illustrating a possible choke point based on many-to-one and one-to-many behaviors in an attack. It illustrates several techniques under many-to-one behaviors that converge to one technique that is the possible choke point, which in turn diverges into one-to-many behaviors.\" class=\"wp-image-113832\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-2-MITRE-ATTCK-Technique-Process-Injection-T1055.jpg 936w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-2-MITRE-ATTCK-Technique-Process-Injection-T1055-300x170.jpg 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-2-MITRE-ATTCK-Technique-Process-Injection-T1055-768x435.jpg 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><figcaption>Figure 2. MITRE ATT&amp;CK Technique Process Injection (T1055) is an example of a possible choke point<\/figcaption><\/figure>\n<p><strong>Actionability<\/strong> is the opportunity for a defender to detect or mitigate a technique. 
This is based on publicly available security controls (such as <a href=\"https:\/\/learn.cisecurity.org\/cis-controls-download\" target=\"_blank\" rel=\"noreferrer noopener\">CIS Critical Security Controls<\/a> and <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53b\/final\" target=\"_blank\" rel=\"noreferrer noopener\">NIST 800-53 Security Controls<\/a>) and analytics (Splunk detections, Elastic, and Sigma).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"576\" height=\"358\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-3-Detection-to-mitigation-mapping.png\" alt=\"Detection to mitigation mapping\" class=\"wp-image-113835\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-3-Detection-to-mitigation-mapping.png 576w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/05\/Figure-3-Detection-to-mitigation-mapping-300x186.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><figcaption>Figure 3. Detection to mitigation mapping (MITRE Top ATT&amp;CK Techniques Methodologies)<\/figcaption><\/figure>\n<h2>Top 10 techniques in ransomware attacks<\/h2>\n<p>Following the creation of the methodology, the top 10 ransomware techniques list was generated to test this new approach in practice. To create this list, Microsoft and the other partners involved in this collaborative effort analyzed prevalent ransomware attacks from the past three years. A total of 22 ransomware attacks were studied specifically for their use of ATT&amp;CK techniques. 
Based on this research, the top 10 techniques in ransomware attacks are:<\/p>\n<ul>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1486\/\" target=\"_blank\" rel=\"noreferrer noopener\">Data Encrypted for Impact (T1486)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1490\/\" target=\"_blank\" rel=\"noreferrer noopener\">Inhibit System Recovery (T1490)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/\" target=\"_blank\" rel=\"noreferrer noopener\">Obfuscated Files or Information (T1027)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1047\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Management Instrumentation (T1047)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/\" target=\"_blank\" rel=\"noreferrer noopener\">Masquerading (T1036)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/\" target=\"_blank\" rel=\"noreferrer noopener\">Command and Scripting Interpreter (T1059)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/\" target=\"_blank\" rel=\"noreferrer noopener\">Impair Defenses (T1562)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1112\/\" target=\"_blank\" rel=\"noreferrer noopener\">Modify Registry (T1112)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/\" target=\"_blank\" rel=\"noreferrer noopener\">User Execution (T1204)<\/a><\/li>\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/\" target=\"_blank\" rel=\"noreferrer noopener\">Process Injection (T1055)<\/a><\/li>\n<\/ul>\n<h2>Organization-specific top techniques list via web calculator<\/h2>\n<p>This collaborative project also included the creation of a <a href=\"https:\/\/top-attack-techniques.mitre-engenuity.org\/calculator\" target=\"_blank\" rel=\"noreferrer noopener\">dynamic, user-friendly calculator<\/a> for a more customizable, tailored top techniques list. 
This customizability allows organizations to have unique prioritization based on each organization\u2019s size and maturity.<\/p>\n<p>The calculator takes into consideration various inputs, including:<\/p>\n<ul>\n<li>NIST 800-53 Controls (all NIST controls or specific ones such as AC-2, CA-2, etc.)<\/li>\n<li>CIS Security Controls (all CIS Controls or specific ones such as 1.1, 2.5, etc.)<\/li>\n<li>Detection analytics (<a href=\"https:\/\/car.mitre.org\/analytics\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE Cyber Analytics Repository<\/a>, Elastic, Sigma, Splunk)<\/li>\n<li>Operating systems used in the environment<\/li>\n<li>Monitoring capabilities for network, process, file, and cloud services in the network<\/li>\n<\/ul>\n<p>With this calculator, an organization can create a tailored technique list based on various aspects like the maturity of their security operations and the tools that they use. This can serve as a great starting point for companies looking to evaluate and improve their detection and protection capabilities regarding ransomware activities and prioritize the TTPs that are the most actionable for them.<\/p>\n<h2>Practical applications and future work<\/h2>\n<p>The methodology and insights from the top techniques list have many practical applications, including helping prioritize activities during triage. As it\u2019s applied to more real-world scenarios, we can identify areas of focus and continue to improve our coverage on these TTPs and behaviors of prevalent threat actors. Refining the criteria can further increase the accuracy of results and make this project more customer-focused and more relevant for their immediate action. Improvements in the following areas can be of particular benefit:<\/p>\n<ul>\n<li>Fine-tuning the choke point analysis by adding machine learning models to visualize and predict all viable paths an attacker could take, which can be used to create a corresponding attack graph. 
This attack graph could be tied in with the user-implemented filters to identify relevant paths based on an organization\u2019s current functionality. Future integration with the <a href=\"https:\/\/ctid.mitre-engenuity.org\/our-work\/attack-flow\/\" target=\"_blank\" rel=\"noreferrer noopener\">Attack Flow project<\/a> might be a step towards this enhanced choke point analysis.<\/li>\n<li>Developing a metric to identify subjective filters like \u201cDamage Impact\u201d and \u201cSignificance\u201d as they are important when making decisions on covering different attacks.<\/li>\n<li>Performing a comparison of results between this current analysis and global data sets to validate the accuracy of the current findings.<\/li>\n<li>Enhancing prevalence data to ensure a broad and timely data set is driving the analysis. Community contributions to the Sightings Ecosystem project are critical.<\/li>\n<\/ul>\n<p>Insights from industry-wide collaborations like this project help enrich the protection that Microsoft provides for customers through solutions like <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/microsoft-365-defender\">Microsoft 365 Defender<\/a> and <a href=\"https:\/\/azure.microsoft.com\/services\/microsoft-sentinel\/\">Microsoft Sentinel<\/a>. These solutions are further informed by trillions of signals that Microsoft processes every day, as well as our expert monitoring of the threat landscape. 
For example, our comprehensive view and research into the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">ransomware ecosystem<\/a> enables us to deliver <a href=\"https:\/\/aka.ms\/ransomware\">cross-domain defense<\/a> against human-operated ransomware, leveraging a <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/zero-trust\/\">Zero Trust<\/a> approach to limit the attack surface and minimize the chances of ransomware attacks succeeding.<\/p>\n<p>In the recent <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/04\/05\/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations\/\">MITRE Engenuity ATT&amp;CK\u00ae 2022 Evaluations<\/a>, Microsoft demonstrated complete visibility and analytics on all stages of the attack chain, with 100% protection coverage, blocking all stages in early steps (pre-ransomware phase), including techniques within the top 10 ransomware techniques list that were tested.<\/p>\n<p>This collaboration and innovation benefit everyone in the security community: not only those who use the MITRE ATT&amp;CK framework as part of their products and services, but also our valued ecosystem of partners who build services on top of our platform to meet the unique needs of every organization. Microsoft is a research sponsor at the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. 
One of our core principles at Microsoft is security for all, and we will continue to partner with MITRE and the broader community to collaborate on projects like this and share insights and intelligence.<\/p>\n<p><em><strong>Gierael Ortega, Alin Nagraj, Devin Parikh<\/strong><br \/>Microsoft 365 Defender Research Team<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/11\/center-for-threat-informed-defense-microsoft-and-industry-partners-streamline-mitre-attck-matrix-evaluation-for-defenders\/\">Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&#038;CK\u00ae matrix evaluation for defenders<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Center for Threat-Informed Defense, along with Microsoft and industry partners, collaborated on a repeatable methodology and a web-based calculator, aiming to streamline MITRE ATT&#038;CK\u00ae use for defenders. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[26102,4500,26049,22453,25567,3765],"class_list":["post-19010","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-center-for-threat-informed-defense","tag-cybersecurity","tag-human-operated-ransomware","tag-microsoft-security-intelligence","tag-mitre-attck","tag-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19010"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19010\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=1
9010"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}