13_MITRE ATT&CK

Introduction

The MITRE ATT&CK™ Framework has rapidly become the de-facto reference for cyber security teams looking for a structured and proactive approach to improving threat detection. For many security professionals, using the ATT&CK™ Framework means taking a close look at each of the framework's more than 240 techniques and trying to figure out which tool in their patchwork of solutions is most likely to detect or block any given threat.

Purpose

MITRE provides an evaluation framework for Endpoint Detection and Response (EDR) platforms that tests their standard deployments against a subset (56) of the catalogued TTPs. No such evaluation yet exists for a unified defense platform like BluSapphire.

This whitepaper provides a high-level overview of how BluSapphire combines EDR, NTA and NBAD to enable detection of a broad range of TTPs catalogued by MITRE ATT&CK.

What Is the MITRE ATT&CK™ Framework?

MITRE ATT&CK™ is a categorized knowledge base of adversary tactics and techniques built from threat activity observed in the real world. It was started in 2013 to catalogue the tactics, techniques and procedures (TTPs) used by advanced persistent threats (APTs) around the world. Many of the TTPs in the framework are also used by far less sophisticated attackers, and the structure of the framework is usable by organizations of all sizes and security postures for identifying gaps in security coverage.

Because sophisticated TTPs that work well tend to enter the mainstream attack vernacular, the ATT&CK™ matrix offers companies tremendous value in improving their detection and investigation coverage.

What is EDR?

Endpoint Detection & Response (EDR) capability is important for detecting suspicious behaviour in the endpoint computing stack. This usually entails monitoring and logging all activity in both the system and user stack, looking for potentially malicious activity that typically goes unnoticed by signature-based systems. The Achilles heel of EDR-based systems is that the agent must be installed on every single endpoint on the network.

There is zero visibility into an endpoint that does not have EDR installed. In most enterprises this is a constant challenge because of the dynamic nature of infrastructure, the sensitivity of operational systems, Industrial Control Systems, thin clients and varying operational requirements.

BluSapphire employs an agentless model for response and remediation that does NOT need to be installed on every endpoint in your organization.

What is NTA, NBAD?

Network Traffic Analysis (NTA) and Network Behavior Anomaly Detection (NBAD) are the behaviour-based traffic analysis tools that organizations and security leaders are turning to in order to detect suspicious traffic. They complement, and in many cases can replace, traditional signature-based network solutions.

NTA and NBAD also help enterprises detect suspicious traffic that other security tools miss. Most of these tools require a SPAN port to monitor traffic and use behavioural techniques to detect suspicious traffic. Most solutions also depend heavily on SSL decryption, which becomes their Achilles heel because it impacts both scalability and the efficacy of detection.

BluSapphire does not rely on SSL decryption and is therefore easier to deploy and scale, while offering higher detection and response capabilities. While relying on network behaviour-based techniques, it also employs signal-intelligence techniques to understand and detect malicious traffic. In most cases SSL decryption is only good for compliance monitoring and is NOT effective for threat detection: threat actors almost always layer their own encryption over the channel they use for data exfiltration and command and control.

Why a Unified Approach is the best for Detection coverage across MITRE ATT&CK TTPs

Individually, each approach (EDR, NTA, NBAD) has its limitations. NTA and NBAD look at a single source of truth (network data) but suffer from a lack of host context. EDR systems rely on being installed on the endpoint, which means they are blind to activity on the network and to any system they are not installed on. In addition, attackers using tooling such as the exploits reportedly stolen from the Equation Group and leaked by the Shadow Brokers can hide their activity from EDR systems, disable them, or prevent them from reporting.

We strongly contend that a unified platform that cuts across the limitations of EDR, NTA and NBAD is the best overall approach for detecting threat actor TTPs across the entire MITRE ATT&CK Matrix.


This is because it offers the ease of deployment of NTA and NBAD systems while combining the context and response capabilities of an EDR. Additionally, it gives security analysts seamless end-to-end visibility that encompasses network, endpoint, system and user activity.

BluSapphire offers a unified platform that is built from the ground up with this approach in mind, while enabling agentless response and remediation. It is the only way to detect and understand all the links in the attack chain, across multiple stages, from Initial Access and Execution to C&C and Exfiltration, including Lateral Movement among others. This allows us to put together a complete picture of "Who", "What", "When", "Where", "Why", "How" and, most importantly, "What Next (Response & Remediation)".

Complete Visibility & Capability

A Gartner Research report published on March 18, 2019 introduced the concept of the SOC Visibility Triad: log analytics (SIEM), endpoint telemetry (EDR) and network-centric detection (NTA/NDR). Many SOC teams, in-house or outsourced, have always suffered from a lack of visibility, and the "SOC Visibility Triad" was introduced to describe the capabilities a SOC team needs in order to augment its visibility.

Figure 1: SOC Visibility Triad

The report does not, however, reflect on the difficulty or complexity of integrating these disparate technologies in order to accomplish this goal, nor does it discuss the complex integrations required for response and remediation across the enterprise.

Security teams that deploy BluSapphire's Unified Defense Platform gain the advantage of complete visibility across the SOC Visibility Triad, delivered as a pre-integrated solution that reduces Time-To-Detect and Time-To-Respond. MSSPs are thereby empowered to go to market early while their competition is still piecing together the puzzle.

Faster detection coupled with faster response and remediation leads to a resilient SOC, improving efficiency while reducing costs.

This approach helps security teams answer the following questions:

1. Did another asset begin to exhibit anomalous behavior after communicating with a potentially compromised asset?

2. What service & protocols were used?

3. What other assets or accounts may be compromised?

4. Has any other asset contacted the same external C&C address?

5. Has the user account been used in unexpected ways on any other devices?
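The five questions above are pivots over network-flow, endpoint-anomaly and logon telemetry. The Python below is an added illustration, not BluSapphire code, of what those pivots look like as correlation logic over a handful of constructed sample records (the IP addresses, user names and timestamps are made up for the example). Each helper answers one of the questions, and `blast_radius` combines them to answer question 3; note that question 1 requires an ordering check, since an anomaly that predates contact is not evidence of spread.

```python
"""Pivoting from one suspect asset across flow, endpoint and logon telemetry.

Added example; not BluSapphire code. The three record sets below are
constructed sample data (made-up IPs, users and times) shaped like what a
NetFlow collector, an endpoint sensor and Windows logon auditing would emit.
"""
from datetime import datetime

# Constructed sample telemetry ---------------------------------------------
FLOWS = [  # (timestamp, src, dst, proto, dst_port)
    ("2024-01-10T09:00:00", "10.0.0.5",  "203.0.113.9",  "tcp", 443),
    ("2024-01-10T09:05:00", "10.0.0.5",  "10.0.0.7",     "tcp", 445),
    ("2024-01-10T09:06:00", "10.0.0.5",  "10.0.0.8",     "tcp", 3389),
    ("2024-01-10T09:30:00", "10.0.0.7",  "203.0.113.9",  "tcp", 443),
    ("2024-01-10T08:00:00", "10.0.0.9",  "10.0.0.5",     "tcp", 22),
    ("2024-01-10T10:00:00", "10.0.0.12", "198.51.100.4", "udp", 53),
]
ANOMALIES = [  # (timestamp, host, endpoint-sensor finding)
    ("2024-01-10T09:40:00", "10.0.0.7", "new scheduled task, then outbound beacon"),
    ("2024-01-10T07:00:00", "10.0.0.9", "unusual process tree"),  # predates any contact
]
LOGONS = [  # (timestamp, user, host, logon_type)
    ("2024-01-10T08:55:00", "jdoe",   "10.0.0.5",  "interactive"),
    ("2024-01-10T09:05:30", "jdoe",   "10.0.0.7",  "network"),
    ("2024-01-10T09:06:10", "jdoe",   "10.0.0.8",  "remote_interactive"),
    ("2024-01-10T11:00:00", "asmith", "10.0.0.12", "interactive"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def first_contact(flows, host):
    """Peers of `host` (either direction) mapped to the earliest time they talked."""
    first = {}
    for ts, src, dst, _, _ in flows:
        if host in (src, dst):
            peer = dst if src == host else src
            t = _ts(ts)
            first[peer] = min(first.get(peer, t), t)
    return first


def anomalous_after_contact(flows, anomalies, suspect):
    """Q1: assets that began behaving anomalously only AFTER talking to `suspect`.

    The ordering check matters: an anomaly that predates contact (10.0.0.9
    in the sample data) is not evidence of spread from the suspect.
    """
    first = first_contact(flows, suspect)
    return sorted({h for ts, h, _ in anomalies if h in first and _ts(ts) > first[h]})


def services_used(flows, a, b):
    """Q2: (protocol, port) pairs observed between two assets, either direction."""
    return sorted({(proto, port) for _, s, d, proto, port in flows if {s, d} == {a, b}})


def hosts_contacting(flows, external_ip):
    """Q4: every internal source that reached the same external C&C address."""
    return sorted({s for _, s, d, _, _ in flows if d == external_ip})


def account_usage(logons, user, home_host):
    """Q5: other devices where `user` logged on, with the logon type."""
    return sorted({(h, t) for _, u, h, t in logons if u == user and h != home_host})


def blast_radius(flows, anomalies, logons, suspect, c2, user):
    """Q3: union of the pivots above, i.e. assets that may also be compromised."""
    assets = set(anomalous_after_contact(flows, anomalies, suspect))
    assets |= set(hosts_contacting(flows, c2))
    assets |= {h for h, _ in account_usage(logons, user, suspect)}
    assets.discard(suspect)
    return sorted(assets)


if __name__ == "__main__":
    suspect, c2, user = "10.0.0.5", "203.0.113.9", "jdoe"
    print("Q1 anomalous after contact:", anomalous_after_contact(FLOWS, ANOMALIES, suspect))
    print("Q2 services 10.0.0.5<->10.0.0.7:", services_used(FLOWS, suspect, "10.0.0.7"))
    print("Q4 hosts contacting C2:", hosts_contacting(FLOWS, c2))
    print("Q5 account used elsewhere:", account_usage(LOGONS, user, suspect))
    print("Q3 blast radius:", blast_radius(FLOWS, ANOMALIES, LOGONS, suspect, c2, user))
```

On real data the same five functions run over a flow table, an endpoint alert table and Windows 4624/4648 logon events; the point of keeping them separate is that each pivot can be checked on its own before they are unioned into a scope for response.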

Figure 2: SOC Visibility Triad using BluSapphire

A Unified Approach leads to unprecedented visibility, reduces Time-To-Detect, Time-To-Analyze and Time-To-Respond.

Methodology: MITRE does not yet offer a formal evaluation for unified platform products, so this coverage has been validated against existing BluSapphire customer and proof-of-concept (POC) experience, product engineering, threat research and internal testing.

To ensure alignment with MITRE's criteria, we considered the recommended data sources, detection methods and mitigations for each TTP when determining whether BluSapphire could provide any of the recommended coverage.

MITRE ATT&CK Detection Data Sources (in the original figure, data sources that are greyed out are not collected by BluSapphire):

Access Tokens
File Monitoring
Process use of network
Anti-virus
Host network interface
Sensor health and status
API monitoring
Kernel Drivers
Services
Authentication Logs
Loaded DLLs
SSL/TLS inspection
Binary file metadata
MBR & VBR
System calls
BIOS
Netflow
Third-party application logs
Browser extensions
Network Device Logs
User Interface
Data Loss Prevention
Network Protocol Analysis
Windows Error Reporting
Digital Certificate Logs
Packet Capture
Windows Event Logs
DLL Monitoring
PowerShell Logs
Windows Registry
EFI
Process command-line parameters
WMI Objects
Environment Variable
Process Monitoring

BluSapphire can consume over 90% of the Data Sources recommended for detection by MITRE.
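The data-source methodology above can be made reproducible by scoring it directly against the ATT&CK STIX bundle. The Python below is an added example, not BluSapphire code: it uses a constructed, abbreviated subset in the shape of the Enterprise ATT&CK bundle (real technique IDs and names, but trimmed data-source lists using the pre-v10 data-source names that appear in the figure) and an assumed `COLLECTED` set that stands in for whatever a platform actually ingests; it is not BluSapphire's collection list. It reports three different numbers: the share of distinct data sources collected (the figure the 90% claim refers to), the share of techniques with at least one recommended source (the "any of the recommended coverage" criterion used in the methodology), and the share with every recommended source, which is the stricter check a practitioner should also ask for, because a high data-source percentage does not by itself mean any given technique is fully covered.

```python
"""Score ATT&CK technique coverage from the data sources a platform collects.

Added example; not BluSapphire code. ATTACK_SUBSET is a constructed,
trimmed excerpt in the shape of the Enterprise ATT&CK STIX bundle
(https://github.com/mitre/cti, enterprise-attack.json). For a real run,
load that file and pass its "objects" list to technique_coverage().
"""
import json

ATTACK_SUBSET = json.loads("""
{"objects": [
  {"type": "attack-pattern", "name": "Scheduled Task/Job", "revoked": false,
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
   "x_mitre_data_sources": ["File monitoring", "Process monitoring",
                            "Process command-line parameters", "Windows event logs"]},
  {"type": "attack-pattern", "name": "Pre-OS Boot: System Firmware",
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1542.001"}],
   "x_mitre_data_sources": ["API monitoring", "BIOS", "EFI"]},
  {"type": "attack-pattern", "name": "Encrypted Channel",
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1573"}],
   "x_mitre_data_sources": ["Packet capture", "Netflow/Enclave netflow",
                            "Process use of network", "SSL/TLS inspection"]},
  {"type": "attack-pattern", "name": "PowerShell", "revoked": true,
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}],
   "x_mitre_data_sources": ["PowerShell logs", "Process monitoring"]},
  {"type": "intrusion-set", "name": "not a technique, must be ignored"}
]}
""")["objects"]

# ASSUMED collection list for this example only; not BluSapphire's actual list.
COLLECTED = {
    "Process monitoring", "Process command-line parameters", "File monitoring",
    "Windows event logs", "Netflow/Enclave netflow", "Packet capture",
    "Process use of network", "API monitoring",
}


def _norm(names):
    """Data-source names vary in case across ATT&CK versions; compare case-insensitively."""
    return {n.strip().lower() for n in names}


def technique_coverage(objects, collected):
    """Per technique: which of its recommended data sources are collected.

    Revoked/deprecated techniques and non-technique STIX objects are skipped
    so they neither inflate nor deflate the totals.
    """
    have_all = _norm(collected)
    out = {}
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        needed = _norm(obj.get("x_mitre_data_sources", []))
        have = needed & have_all
        out[tid] = {
            "name": obj["name"],
            "needed": sorted(needed),
            "have": sorted(have),
            "any": bool(have),                        # lenient: any recommended source
            "full": bool(needed) and have == needed,  # strict: every recommended source
        }
    return out


def data_source_coverage(cov, collected):
    """(collected, total) over the distinct data sources the techniques reference."""
    all_sources = {s for v in cov.values() for s in v["needed"]}
    return len(all_sources & _norm(collected)), len(all_sources)


def summarize(cov):
    """Technique counts and percentages under the lenient and strict criteria."""
    n = len(cov)

    def pct(k):
        return round(100.0 * k / n, 1) if n else 0.0

    any_c = sum(1 for v in cov.values() if v["any"])
    full_c = sum(1 for v in cov.values() if v["full"])
    return {"techniques": n, "any_source": any_c, "all_sources": full_c,
            "pct_any": pct(any_c), "pct_all": pct(full_c)}


if __name__ == "__main__":
    cov = technique_coverage(ATTACK_SUBSET, COLLECTED)
    got, total = data_source_coverage(cov, COLLECTED)
    print(f"distinct data sources collected: {got}/{total}")
    for tid, v in cov.items():
        missing = sorted(set(v["needed"]) - set(v["have"]))
        print(f"{tid:10} {v['name']:30} any={v['any']!s:5} full={v['full']!s:5} missing={missing}")
    print(summarize(cov))
```

On the constructed subset the three numbers diverge deliberately: 8 of 11 data sources are collected, all 3 live techniques have at least one source, but only T1053 has every source it lists, which is the gap a per-technique view exposes and a single data-source percentage hides.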

In the next section, we will look at MITRE Technique detection coverage by BluSapphire’s Unified Cyber Defense Platform.


Last updated 8 months ago