Introduction

The MITRE ATT&CK™ Framework has rapidly become the de-facto go-to among cyber security teams looking for a structured and proactive approach to improving threat detection. For many security professionals, using the ATT&CK™ Framework means taking a close look at each of over 240+ tactics, techniques, and procedures (TTPs) and trying to figure out which tool in their patchwork of solutions is most likely to detect or block any given threat.

Purpose

MITRE provides an evaluation framework for Endpoint Detection and Response (EDR) platforms to test their standard deployments against a subset (56) of the TTPs listed. However, no such evaluation yet exists for a unified Defense Platform like BluSapphire.

This whitepaper attempts to provide a high overview of how BluSapphire combines EDR, NTA, NBAD enabling detection of a broad range of TTPs catalogued By MITRE ATT&CK.

What Is the MITRE ATT&CK™ Framework?

MITRE ATT&CK™ is a categorized repository and knowledge base of adversarial tactics and techniques based on the threat activities seen in the real-world. MITRE ATT&CK™ was started in 2013 to catalogue observed tactics, techniques, and procedures (TTPs) in use by advanced persistent threats (APTs) around the world. Many of the TTPs included in the framework are in use by far less sophisticated attackers as well, and the structure of the framework is usable by organizations of all sizes and security postures for identifying gaps in security coverage.

Since sophisticated TTPs that work well tend to enter the mainstream attack vernacular, the ATT&CK™ matrix offers companies tremendous value and helps them improve their detection and investigation coverage.

What is EDR?

Endpoint Detection & Response capability is important to detect suspicious behaviors at the endpoint computing stack. This usually entails monitoring, logging of all activities at both system and user stack looking for potential malicious activity, that usually goes unnoticed by signature-based systems. The Achilles heel of EDR based systems is, it needs to be installed on every single endpoint on the network.

There is zero-visibility of an endpoint does not have EDR installed. In most Enterprises, this is always challenging due to dynamic nature of Infrastructure, sensitivity of operational systems, Industrial Control Systems, Thin Clients and varying operational requirements.

BluSapphire employs an agentless model for response and remediation that does NOT need to be installed on every endpoint in your organization.

What is NTA, NBAD?

Network Traffic Analysis (NTA) and Network Behavior Anomaly Detection (NBAD). To detect suspicious traffic organizations and security leaders are looking at Behavior based traffic analysis tools. This complement and in many cases can replace traditional signature-based network solutions.

NTA and NBAD also help enterprises detect suspicious traffic that other security tools are missing. Most of these tools require a SPAN port to monitor traffic and use Behavioral techniques to detect suspicious traffic. Most solutions also heavily depend on SSL-Decryption to work, and this becomes the Achilles heel, as it impacts scalability and efficacy of detection.

BluSapphire does not rely on SSL Decryption and hence easier to deploy and scale, while offering higher detection and response capabilities. BluSapphire while relying on network behavior-based techniques also employs signal intelligence techniques to understand and detect malicious traffic. In most cases, SSL-Decryption is only good for compliance monitoring, and NOT effective for Threat Detection. Threat Actor(s) almost always use their own encryption for Data Ex-Filtration, Command and Control.

Why a Unified Approach is the best for Detection coverage across MITRE ATT&CK TTPs

Individually, each approach (EDR/NTA/NBAD) has their limitations. NTA and NBAD while looking at the single source of truth (network data), suffer from lack of context. EDR systems rely heavily on being installed on the endpoint, which means that they are blind to activity on the network and any systems that they are not installed on. Also, most modern attackers use exploits like those reportedly stolen from the Equation Group by the Shadow Brokers hacking group, can hide their activity from EDR systems and/or disable them, and prevent them from reporting.

We strongly contend that a Unified platform that cuts across the limitations of EDR, NTA and NBAD is the best overall approach for detecting Threat Actors TTPS across the entire MITRE ATT&CK Matrix.

Complements security analysts with and End-to-End visibility that encompasses Network, Endpoint, System and User activities seamlessly, answering “Who”, “What”, “When”, “Where”, “Why”, “How” and most importantly “What Next”.

Because it offers the ease of deployment of NTA & NBAD systems while combining the context and response capabilities of an EDR. Additionally, it complements security analysts with and End-to-End visibility that encompasses Network, Endpoint, System and User activities seamlessly.

BluSapphire offers a Unified Platform that is built ground up with this approach in mind, while enabling Agentless Response and Remediation. It is the only way to detect and understand all the links in the attack chain, across multiple stages, from Initial Access & Execution to C&C and Exfiltration, including Lateral Movement among other. This allows us to put together a complete picture of “Who”, “What”, “When”, “Where”, “Why”, “How” and most importantly “What Next (Response & Remediation)”.

Complete Visibility & Capability

Gartner Research published March 18th ,2019 introduced the concept of SOC Visibility Triad. A lot of SOC teams in-house or outsourced suffer have always suffered from a lack of visibility. “SOC Visibility Triad” was introduced to reflect on what capabilities a SOC team needs to augment their visibility.

Faster Detection coupled with Faster Response & Remediation leads to a Resilient SOC improving efficiency while reducing costs.

A Unified Approach leads to unprecedented visibility, reduces Time-To-Detect, Time-To-Analyze and Time-To-Respond.

Methodology: MITRE doesn’t yet offer a formal evaluation for Unified Platform products, so this coverage has been validated with existing BluSapphire customers and POC experiences, product engineering, threat research, and internal testing.

To assure alignment with MITRE's criteria, we have considered their recommended data sources, detection methods, and mitigation steps for each TTP in determining if BluSapphire could provide any of the recommended coverage.

MITRE ATT&CK Detection Data Sources

*Data Sources that are greyed out are not collected by BluSapphire.

BluSapphire can consume over 90% of the Data Sources recommended for detection by MITRE.

In the next section, we will look at MITRE Technique detection coverage by BluSapphire’s Unified Cyber Defense Platform.