Aligning the LogRhythm NextGen SIEM Platform with the MITRE ATT&CK Framework

Contributors to this blog include Dan Kaiser and Brian Coulson.

The MITRE ATT&CK framework is quickly becoming a focal point in the security world — and for good reason. This framework provides a consistent, industry-wide standard on which you can assess the effectiveness of your security monitoring and alerting capabilities.

When coupled with a SIEM solution, the MITRE ATT&CK framework allows you to effectively test your security monitoring environment against attack techniques to validate that your technology and rules are truly working and alert you to the right anomalous behavior.

To this end, LogRhythm Labs is developing a MITRE ATT&CK module designed to detect and alert to anomalous behavior on a per-technique basis. With the LogRhythm MITRE ATT&CK module, you can ensure that you’re catching every threat that hits your network.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is “a globally accessible knowledge base of adversary tactics and techniques based on real-world observation.” The acronym stands for Adversarial Tactics, Techniques, and Common Knowledge.

ATT&CK categorizes adversarial behavior into Tactics, Techniques and Procedures (TTPs). Tactics can be thought of as goals. For example, an adversary may have the goal of Credential Access, meaning an attacker may try to obtain credentials and use them in a greater effort to reach their ultimate, nefarious objectives.

Meanwhile, Techniques can be thought of as the high-level methods used to achieve the goal. For example, an adversary may look for Credentials in Files. Procedures are the specific steps that an adversary uses to execute the technique. For example, the advanced persistent threat group known as APT3 has a tool that can locate credentials in files on the file system, such as those from Firefox or Chrome.

How Can the MITRE ATT&CK Framework Help You?

ATT&CK gives security professionals a common language for describing adversarial behavior, mitigation guidance against adversarial techniques, a coverage map against which to measure detection (or penetration) capabilities, and a reference model for security vendors to describe their product offerings.

MITRE ATT&CK can have several applications in your organization, such as:

  • When running penetration tests or Red Team/Blue Team exercises, you can map the planning and results of the exercise to ATT&CK.
  • When developing detection rules in your security product, you can use ATT&CK as a roadmap for the rules you need to create.
  • If you have a threat hunting program, you can use ATT&CK techniques as inspiration for your hunting hypotheses.
  • When comparing security vendor products, you can use its coverage of ATT&CK as a point of comparison.

This isn’t necessarily a numerical comparison in the sense of “vendor X detects 35 ATT&CK techniques and vendor Y detects 37.” MITRE itself has an evaluation (not certification) program, and in it vendors can demonstrate detection of a given technique in five different ways: Telemetry, Indicator of Compromise, Enrichment, General Behavior, and Specific Behavior.

What is the MITRE ATT&CK Module?

LogRhythm Labs is developing a MITRE ATT&CK module with various releases on the horizon. The ATT&CK module is a collection of AI Engine rules and Web Console dashboards built to detect and illuminate adversarial behaviors on a per-technique basis.

How the LogRhythm SIEM Supports ATT&CK Techniques

AI Engine rules from products such as LogRhythm UserXDR and LogRhythm NetworkXDR are focused on behavioral detections and organized around the Cyberattack Lifecycle. These rules will detect an ATT&CK technique being executed but the detection will not be specific to that technique.

For example, our UEBA module includes a rule named “Compromise: Abnormal Process Activity.” This is a trend rule that compares processes launched by a user in the current seven days to those in the prior seven days, and triggers an alarm if there is a significant variation between these two time periods. This rule could detect the execution of many ATT&CK techniques — as many of them involve detection of unusual processes, such as T1193, T1192, T1106 and T1003. However, if the rule fired, it would not be clear from the alarm card which ATT&CK TTPs were employed.

Compromise: Abnormal Process Activity Figure 1: “Compromise: Abnormal Process Activity” from the UEBA module

For this reason, Labs has decided to develop AI Engine rules that are specific to ATT&CK techniques. Our existing modules focus on security-relevant scenarios and detection of anomalies – the MITRE ATT&CK module focuses on specific techniques.

Let’s illustrate this idea with a scenario: If an adversary compromises Bob’s account, the adversary may use Bob’s credentials to run commands such as “arp -a”, “ipconfig /all” and “nbtstat -n” to discover the networking configuration of the machine. The real Bob never runs “arp -a” (or any command-line parameters for that matter), so the Compromise: Abnormal Process Activity AIE rule triggers.

While this is excellent, the alarm is not mapped to ATT&CK. With the LogRhythm ATT&CK Module enabled, you will also see an Event marked for the System Network Configuration Discovery technique.

What is the Roadmap for the MITRE ATT&CK Module?

As of this writing, ATT&CK Enterprise contains 223 techniques. LogRhythm Labs intends to release AI Engine rules to detect all of them. The initial offering contains 18 rules to detect the following techniques:

Initial offering contains 18 rules for detection of these techniques

Figure 2: Techniques for which the LogRhythm Labs’ initial MITRE ATT&CK Module offers rules to detect

LogRhythm Labs plans to release new batches of rules on a monthly cadence.

LogRhythm NextGen SIEM is the Best Tool to Ensure MITRE Coverage

You may have seen the ATT&CK blog regarding Visualizing ATT&CK, which includes a visualization of the ATT&CK techniques mapped to Data Sources. The 12 (of 50 total) data source types listed represent a wide range of technologies: Endpoint Detection and Response, AntiVirus, Network Intrusion Detection Systems, Data Loss Prevention, etc.

Excerpt of the MITRE ATT&CK Techniques Mapped Figure 3: Excerpt of the MITRE ATT&CK Techniques Mapped to Data Sources chart

With support for over 900 log source types, the LogRhythm NextGen SIEM is the ideal place to collect, normalize, analyze, and correlate these disparate log sources to achieve a holistic view of your ATT&CK coverage.

For example, consider technique Exploit Public-Facing Application, which addresses taking “advantage of a weakness in an internet-facing computer system or program to cause unintended or unanticipated behavior.” The primary use case is SQL injection. MITRE recommends using packet capture, web logs, web application firewall logs and application logs as data sources. You can detect SQL injection with any of these log sources, but you may also find that this is a noisy detection.

In fact, there may be frequent internal and external vulnerability scans against your public-facing application. How can you cut down on the false positives? The answer is to correlate log sources. In this case, you might want to correlate SQL injection attempts with new processes on your public-facing server or new network connections originating from your public-facing server.

The LogRhythm NextGen SIEM Platform’s alignment to the MITRE ATT&CK Framework will not only allow you to identify visibility gaps within your network, but it will also give you the confidence you need to ensure all systems are a go.

Sneak preview of the upcoming MITRE Web Console Dashboard Figure 4: Sneak preview of the upcoming MITRE Web Console Dashboard

With the LogRhythm MITRE ATT&CK modules, you can run automated tests to validate your AI Engine rules and ensure your system is appropriately alerting you to threats so nothing slips through the cracks. Several ATT&CK simulation tools exist including Red Canary’s Atomic Red Team and MITRE’s own Caldera.

One Compliance Module to Rule Them All: Consolidated Compliance Framework

User Threat Detection—There’s a Module for That

Catch the Next WannaCry or NotPetya Ransomware Attack Before Damage Occurs