Organizations have various ways to secure their infrastructure against attack, and one of the best-known frameworks for organizing that work is MITRE ATT&CK. The MITRE ATT&CK framework helps security operations center (SOC) teams understand the tactics and techniques adversaries use against organizations, and what detection and mitigation each one calls for. In her book “Aligning Security Operations with the MITRE ATT&CK Framework,” author and SOC manager Rebecca Blair offers practical guidance on implementing the framework and overcoming the challenges that come with it.
In Chapter 6 of her book, Blair focuses on mapping security gaps to the MITRE ATT&CK framework and prioritizing them in order to identify and close coverage gaps. She starts with logging, because a lack of proper security logs is one of the most consequential gaps: responders rely on logs to investigate alerts and identify suspicious or malicious activity, and where logging is insufficient, a compromise can be under way without the organization knowing. Blair's remedy is to determine which logs the organization actually needs from its infrastructure and the way its teams work, then prioritize the missing ones by the detection rules each would enable and by the effort required to ingest it, so that the SOC builds comprehensive coverage in a defensible order.
Blair provides an example table of missing logs with columns for the data source, vendor, specific product, priority, size, and additional notes. With such a table, a SOC team can work with the owning teams to implement the integrations or forwarders needed to capture each missing log. Cost and technical constraints still have to be weighed: limited logging is often a cost problem, particularly for smaller organizations, and for those cases Blair recommends open-source tooling such as Elasticsearch, Logstash, and Kibana (the ELK stack) as a more affordable alternative to commercial platforms.
Mapping limited logging to the MITRE ATT&CK framework shows how many areas it affects. Depending on the data involved, missing zero-trust VPN logs, authentication logs, AWS GuardDuty findings, and vulnerability scan results map to techniques such as External Remote Services (T1133), Remote Services (T1021), Lateral Tool Transfer (T1570), Valid Accounts (T1078), Account Manipulation (T1098), and Network Service Discovery (T1046). (ATT&CK groups techniques under tactics, which are the adversary's goals, such as Initial Access or Lateral Movement; the entries above are the techniques a missing log source would leave undetected.) The point of the exercise is to enumerate every technique each missing source would have exposed, so that detection coverage and mitigations can be planned around them.
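As an added illustration of Blair's missing-log table and the prioritization she describes (this is example code written for this page, not code from the book), the following Python ranks missing log sources by the ATT&CK techniques a detection on each one would newly cover, divided by ingestion effort, and labels each pick with the same effort-versus-impact split Blair later draws as a quad chart. The inventory rows, the vendor and product names, the effort scale, and the source-to-technique mapping are constructed and simplified assumptions; the technique IDs themselves are real ATT&CK IDs.

```python
"""Rank missing log sources by the ATT&CK technique coverage each one unlocks.

Added example for this page, not code from Blair's book. The inventory rows,
vendor/product names, and the source-to-technique mapping are constructed.
"""
from dataclasses import dataclass


@dataclass
class LogSource:
    """One row of a missing-log table: data source, vendor, product, effort, size, notes."""
    name: str
    vendor: str
    product: str
    effort: int             # ingestion effort, 1 (forwarder exists) to 5 (custom integration)
    size_gb_per_day: float  # rough daily volume; drives storage cost and breaks ties
    techniques: frozenset   # ATT&CK technique IDs a detection rule on this source could cover
    ingested: bool = False
    notes: str = ""


# Constructed inventory. The technique IDs are real (T1133 External Remote
# Services, T1078 Valid Accounts, ...); which source covers which is an assumption.
INVENTORY = [
    LogSource("Zero-trust VPN", "ExampleVPN", "Gateway", 2, 5.0,
              frozenset({"T1133", "T1021", "T1078"})),
    LogSource("Authentication", "ExampleIdP", "SSO", 1, 2.0,
              frozenset({"T1078", "T1098", "T1110"}), ingested=True),
    LogSource("Cloud threat findings", "AWS", "GuardDuty", 1, 0.5,
              frozenset({"T1046", "T1078", "T1098", "T1570"})),
    LogSource("Vulnerability scans", "ExampleScanner", "Scanner", 3, 1.0,
              frozenset({"T1046", "T1190"}), notes="API pull, no forwarder"),
    LogSource("Endpoint telemetry", "ExampleEDR", "Agent", 4, 40.0,
              frozenset({"T1570", "T1021", "T1059"}), notes="volume drives cost"),
]


def covered_techniques(inventory):
    """Techniques already observable from the sources ingested today."""
    return set().union(*(s.techniques for s in inventory if s.ingested))


def quadrant(new_coverage, effort, impact_threshold=2, effort_threshold=3):
    """Place a source on the effort-versus-impact quad chart."""
    impact = "high-impact" if new_coverage >= impact_threshold else "low-impact"
    work = "high-effort" if effort >= effort_threshold else "low-effort"
    return f"{work}/{impact}"


def prioritize(inventory):
    """Greedy set cover over the missing sources.

    Each round picks the source adding the most not-yet-covered techniques per
    unit of effort (smaller daily volume wins ties), then recomputes. Recomputing
    matters: two candidates may both cover T1046, and a one-shot score would
    credit both with it.
    """
    covered = covered_techniques(inventory)
    pending = [s for s in inventory if not s.ingested]
    plan = []
    while pending:
        gains = {s.name: s.techniques - covered for s in pending}
        best = min(pending, key=lambda s: (-len(gains[s.name]) / s.effort, s.size_gb_per_day))
        gain = gains[best.name]
        plan.append({
            "source": best.name,
            "product": f"{best.vendor} {best.product}",
            "new_techniques": sorted(gain),
            "score": round(len(gain) / best.effort, 2),
            "quadrant": quadrant(len(gain), best.effort),
            "notes": best.notes,
        })
        covered |= gain
        pending.remove(best)
    return plan


if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(row)
```

Run as a script it prints the ingestion order; with the constructed data the cheap GuardDuty feed comes first because it adds two uncovered techniques for almost no effort, while the large endpoint feed drops to last once the VPN logs have already paid for Remote Services (T1021). Replace the inventory with the organization's own table and the score becomes a starting point for the conversation with the teams that own each source.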
Another common security flaw Blair has encountered, especially in smaller companies, is security training that is absent or immature. She emphasizes yearly training and exercises such as phishing simulations to raise employees' security awareness. Mapped to the MITRE ATT&CK framework, this gap touches techniques such as Phishing (T1566), Spearphishing Link (T1566.002), Phishing for Information (T1598), and Account Manipulation (T1098), which shows how far the reach of training extends and why the potential blast radius of an attack has to be considered when mapping it to techniques.
The third security flaw Blair highlights is the misuse of Access Control Lists (ACLs), particularly ACLs that are less restrictive than they should be or are open to the internet. This is common among development teams that frequently stand up and tear down instances and leave permissive rules behind. She maps the flaw to techniques such as Permission Groups Discovery (T1069), Network Service Discovery (T1046), Adversary-in-the-Middle (T1557), and Remote Service Session Hijacking (T1563), and emphasizes that overly permissive ACLs combined with weak authentication raise the organization's overall risk of compromise.
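The following Python is an added example, not from Blair's book, of the kind of monitoring she recommends for this flaw: it audits a constructed set of ingress ACL rules, flags sources that are effectively open to the internet on ports an attacker would enumerate (T1046) or hijack (T1563), and returns findings a SOC could turn into tickets. The rule shape, the thresholds, the port list, and the sample rules are all assumptions for the example; the format resembles cloud security-group ingress rules but is not tied to any vendor's API.

```python
"""Audit ingress ACL rules for sources that are effectively open to the internet.

Added example for this page, not from Blair's book. The rule shape, the
thresholds, the port list and the sample rules are constructed; the format
resembles cloud security-group ingress rules but is not any vendor's API.
"""
import ipaddress

# Ports that should almost never be reachable from the internet. Remote-access
# ports are what Remote Service Session Hijacking (T1563) targets; all of them
# are what a Network Service Discovery (T1046) scan turns up.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 9200: "Elasticsearch"}
PUBLIC_OK_PORTS = {80, 443}   # web ports where an internet-wide source is expected
WIDE_RANGE = 1024             # a single rule opening this many ports is a catch-all
MAX_PUBLIC_PREFIX = 24        # a public source broader than /24 counts as "open"

# Source ranges treated as internal (RFC 1918, shared address space, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")]

# Constructed rule set: name, inclusive port range, and source CIDR.
RULES = [
    {"name": "web-https", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "dev-ssh-anywhere", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"name": "dev-all-ports", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
    {"name": "bastion-ssh", "from_port": 22, "to_port": 22, "source": "203.0.113.10/32"},
    {"name": "db-from-app", "from_port": 5432, "to_port": 5432, "source": "10.20.0.0/16"},
    {"name": "rdp-broad-public", "from_port": 3389, "to_port": 3389, "source": "198.51.100.0/22"},
    {"name": "app-v6", "from_port": 8080, "to_port": 8080, "source": "::/0"},
]


def is_internal(net):
    """True when the source sits entirely inside one of the internal ranges."""
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def is_internet_facing(net):
    """0.0.0.0/0 or ::/0, or a public range so broad it is effectively open."""
    if net.prefixlen == 0:
        return True
    return not is_internal(net) and net.prefixlen < MAX_PUBLIC_PREFIX


def audit_rule(rule):
    """Return (severity, reason) findings for one ingress rule; empty if it looks fine."""
    net = ipaddress.ip_network(rule["source"], strict=False)
    if not is_internet_facing(net):
        return []
    ports = range(rule["from_port"], rule["to_port"] + 1)
    findings = []
    sensitive = [p for p in SENSITIVE_PORTS if p in ports]
    if sensitive:
        names = ", ".join(f"{SENSITIVE_PORTS[p]}/{p}" for p in sensitive)
        findings.append(("high", f"{names} open to {net}; restrict to a bastion or VPN range"))
    if len(ports) >= WIDE_RANGE:
        findings.append(("high", f"{len(ports)} ports open to {net}; catch-all rule"))
    elif not sensitive and not set(ports) <= PUBLIC_OK_PORTS:
        findings.append(("medium", f"non-web ports {ports.start}-{ports.stop - 1} open to {net}"))
    return findings


def audit(rules):
    """Audit a rule set; findings as (rule name, severity, reason), highest severity first."""
    order = {"high": 0, "medium": 1}
    results = [(r["name"], sev, why) for r in rules for sev, why in audit_rule(r)]
    results.sort(key=lambda f: order[f[1]])
    return results


if __name__ == "__main__":
    for name, severity, reason in audit(RULES):
        print(f"[{severity}] {name}: {reason}")
```

On the constructed rules this reports the SSH-from-anywhere and all-ports rules as high severity, catches the RDP rule whose /22 public source is broad enough to count as open, and rates the IPv6 application port as medium, while the HTTPS rule, the bastion-scoped SSH rule, and the database rule restricted to an internal /16 pass. The same check run on a schedule against the live rule set is the monitoring piece Blair's quad chart charges to the ACL effort.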
Taking these three areas together, Blair places them on a quad chart by effort and impact. Logging is high-effort and high-impact: integration and ingestion take significant work, but the visibility and detection capability they buy are equally significant. ACLs land mostly in the high-effort, high-impact quadrant as well, because fixing them requires both monitoring solutions and policy creation. Security training is low-to-mid effort with moderate impact: many off-the-shelf solutions exist, and the impact depends on how committed the organization is to the training.
In conclusion, Blair’s book offers practical guidance on implementing and aligning security operations with the MITRE ATT&CK framework. By mapping gaps to the framework and prioritizing them, SOC teams can identify and close coverage gaps methodically. Blair's examples show common security flaws and the techniques they map to, underscoring the importance of logging, security training, and Access Control List (ACL) management.

