Thanks to Sally Vincent and Dan Kaiser from the LogRhythm Labs team for developing the process and guiding content described in this post.
Threat research can be an invaluable asset to security teams when attempting to formulate a proactive stance or reactive response. Whether the subject is a previously undocumented attack type or a new variant of a well-known threat, research can provide much-needed context and insight to help practitioners identify and resolve gaps in their security program in order to avoid being exploited.
However, techniques, methods, and actions found in threat research don’t always easily translate into practical steps you can take to prevent, detect, mitigate, or respond should a particular attack occur. While research can offer up specifics that can educate you on what occurs during an attack, what you really need is a threat hunting framework that transforms those details into concrete strategies and actions based on the cybersecurity frameworks you rely on – including MITRE ATT&CK® and NIST – to make the research truly valuable.
Our LogRhythm Labs team is no stranger to this. In fact, they’ve developed a three-step “Intelligence to Readiness Pipeline” to help make this process easier. Continue reading for an overview of these steps — mapping a report to ATT&CK techniques, vetting techniques, and reviewing the techniques through a Purple Team exercise — including video demos of each step in action from a recent webinar with UWS. And if you’d like to watch the full process from start to finish, you can find the full webinar recording at the bottom of this page, which uses a report on Maze ransomware as an example.
Some threat reports may already have a list of ATT&CK techniques that are relevant to the report. But if that’s not the case, there are two main ways you can translate report content into techniques:
And how do you figure out what keywords to search for? You can get these by either:
Then you can simply search for the tags and/or full sentences to determine the relevant ATT&CK techniques.
Sally and Dan did this with the Maze threat report along with the help of Jupyter Notebook. Get a full sense of their process in this 5-minute video.
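As an added illustration of the keyword-to-technique mapping step (this is not code from the LogRhythm Labs notebook or the webinar), the Python below searches constructed report sentences for keywords tied to a hand-picked subset of real ATT&CK technique IDs; a real run would load the full technique list from ATT&CK instead of this small table.

```python
import re
from collections import defaultdict

# Hand-picked subset of real ATT&CK technique IDs/names with search terms.
# Assumption: a full pipeline would build this table from the ATT&CK data set.
TECHNIQUE_KEYWORDS = {
    "T1486": ("Data Encrypted for Impact", ["encrypt", "ransom"]),
    "T1059.001": ("PowerShell", ["powershell"]),
    "T1021.001": ("Remote Desktop Protocol", ["rdp", "remote desktop"]),
    "T1003": ("OS Credential Dumping", ["credential dump", "mimikatz", "lsass"]),
    "T1047": ("Windows Management Instrumentation", ["wmi", "wmic"]),
    "T1566": ("Phishing", ["phishing", "spearphishing", "malicious attachment"]),
}

# Constructed report sentences standing in for text extracted from a threat report.
SAMPLE_REPORT = """\
Initial access was gained through a phishing email carrying a malicious attachment.
The operators used PowerShell scripts to stage tooling on the first compromised host.
Credentials were harvested with Mimikatz and reused to move laterally over RDP.
Files on shared drives were encrypted and a ransom note was dropped in each folder.
"""

def split_sentences(text):
    """Split report text into sentences on terminal punctuation."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [p.strip() for p in parts if p.strip()]

def map_sentences_to_techniques(text, keyword_table=TECHNIQUE_KEYWORDS):
    """Return {technique_id: [sentences]} using case-insensitive, word-start keyword matches.
    Word-start matching lets 'encrypt' hit 'encrypted' while avoiding substrings like 'wmi' in 'swmill'."""
    hits = defaultdict(list)
    for sentence in split_sentences(text):
        lowered = sentence.lower()
        for tid, (_, keywords) in keyword_table.items():
            if any(re.search(r"\b" + re.escape(k), lowered) for k in keywords):
                hits[tid].append(sentence)  # each sentence counted once per technique
    return dict(hits)

def technique_summary(text, keyword_table=TECHNIQUE_KEYWORDS):
    """Sorted (id, name, supporting_sentence_count) rows, strongest evidence first."""
    hits = map_sentences_to_techniques(text, keyword_table)
    rows = [(tid, keyword_table[tid][0], len(s)) for tid, s in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for tid, name, n in technique_summary(SAMPLE_REPORT):
        print(f"{tid:<10} {name:<40} sentences={n}")
```

Each matched sentence is kept as evidence so the technique list can be vetted in the next step rather than accepted on a keyword hit alone.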
Once you have gathered a list of techniques, the next step is to determine which techniques to prioritize in order to best set up your team for success against the threat in question.
There are several ways you can approach technique prioritization. You can base it on:
Once you have vetted and finalized the techniques, the final step is to stage a Purple Team exercise. The goal of this exercise is to increase your coverage of techniques and reduce the detection and mitigation time. A Purple Team exercise is where a Red Team and Blue Team work closely together and run through a series of “open book” exercises. The Red Team simulates the techniques in the environment and the Blue Team demonstrates the techniques that can be detected either through manual hunting or automated analytics.
Below are several best practices when conducting the Purple Team exercise, as suggested by Dan Kaiser:
LogRhythm offers several features that can be useful for Purple Team exercises through our Case Management functionality. Case Management provides a container for all data relevant to incidents, from playbooks and log evidence to categorizations and auditing. It enables accurate threat detection and response by ensuring that threats are proactively identified, prioritized based on organizational risk, and rapidly investigated within the LogRhythm Platform for streamlined incident response.
Some of the features that can be particularly useful during a Purple Team exercise include:
Case Tags: Case tags allow you to add categorization to your cases. These tags will then allow you to search for cases more easily and pull performance reporting and metrics per tag.
Case Playbooks: Case playbooks allow you to ensure that incidents are handled in a methodical and repeatable way and procedures can be assigned to individual members of the team.
Case Metrics: Case metrics allow you to measure the timeliness of detection and response and track your improvement over time.
Case Metrics Dashboards: These dashboards allow you to look at aggregated data from individual cases by trend, status, and priority.
Case API: The Case API allows you to work with the features of a case programmatically. For example, you can use the Case API to query MITRE and populate cases with data source requirements.
To help you visualize the process from start to finish, Dan and Sally presented a full demo of a Purple Team exercise using LogRhythm Case Management. Watch the demo here to get the best practices for setting up your Purple Team exercise.
We hope the three-step “Intelligence to Readiness Pipeline” by Sally and Dan makes it easier for your security team to translate threat reports into actionable steps that can prepare your team to defend against potential threats.
If you’re interested in learning how LogRhythm can assist with your threat detection efforts, request more information here.