Applying Behavior Analytics to the MITRE ATT&CK Framework

Today’s organizations are besieged by more than 350,000 new malware samples every day, and 99% of malware is seen only once before it is modified and reused. How can cyber defense teams keep pace with such unrelenting attacks?

The answer for more and more organizations is the MITRE ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge) Framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Using this framework, it’s possible to pinpoint the gaps in your cyber defenses in advance, rather than finding out about them the hard way – after an attack.

The MITRE ATT&CK Framework is organized around tactics, the adversary’s objectives at each stage of an intrusion (initial access, privilege escalation, credential access, lateral movement, exfiltration and so on), and the techniques that have been observed in the wild for achieving each of them. Describing intrusions in this shared vocabulary makes it easier for security analysts to see patterns across incidents, compare observed activity with the known behavior of adversary groups, and track how a piece of malware’s behavior has evolved over time.

The reality of today’s cybersecurity environments is that most companies don’t have clear visibility into every weakness in their environment. And attackers have long held the advantage: unlike defenders, who must secure their entire IT environment, criminals merely need to find one weakness to breach a target network. The MITRE ATT&CK Framework helps level the playing field. It gives you a deep dive into your adversaries and their tactics, techniques and procedures, drawn from publicly reported real-world intrusions against enterprises.

That allows you to take a proactive approach to security: map your risks to specific threats, drill down into the techniques those threats use, and determine which of them your current controls would prevent or detect and which they would miss. With that picture you can decide which gaps to close first, before an attacker finds them.

As the MITRE ATT&CK Framework becomes the gold standard to measure and test detection and response capabilities, more of our customers have come to us requesting that we provide automated threat detection and response for the framework.

The Gurucul MITRE ATT&CK Framework Advantage

Gurucul Risk Analytics (GRA) has added machine learning (ML) models to detect, and enable automated responses to, the tactics and techniques defined by the MITRE ATT&CK Framework. Our ML models span users and entities across on-premises, cloud and hybrid environments to provide 83% coverage of the more than 350 techniques in the Enterprise ATT&CK matrix.

Our customers who use the MITRE ATT&CK Framework confirmed that these new behavior models detect threats from high-risk parties, including customers, partners and contractors, that evaded signature-based security approaches. With prepackaged behavior model templates in Gurucul STUDIO and threat hunting queries based on MITRE tactics, techniques, and procedures, Gurucul enables intelligent threat hunting.

GRA also provides risk-prioritized alerts and automated remediation playbooks based on the MITRE ATT&CK Framework, as well as metrics, dashboards, and reports on our customers’ security posture and maturity against specific MITRE ATT&CK Framework tactics. And it’s all backed by our data science team performing routine enhancement of the MITRE ATT&CK Framework models.
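As an added example of what the behavior models described in the two paragraphs above look like in practice (this is illustrative code written for this page, not Gurucul’s models or code), the script below baselines each user’s logon sources and destinations over a constructed two-week log, then flags a sudden fan-out to previously unseen hosts as Remote Services (T1021, Lateral Movement) and a logon from an unseen workstation as Valid Accounts (T1078, Initial Access), and rolls the tagged alerts into a per-user risk score for prioritization. The log lines, thresholds and alert weights are constructed assumptions for illustration.

```python
# Added example (not Gurucul's code): two behavioral analytics over constructed
# logon records, each alert tagged with the ATT&CK technique and tactic it
# evidences and rolled up into a per-user risk score.
from collections import defaultdict

# Constructed training log, not real data. Format per line: date user src_host dst_host.
# alice logs into two finance servers from her workstation every day; bob into one dev server.
TRAINING_LOG = "\n".join(
    f"2024-03-{day:02d} {user} {src} {dst}"
    for day in range(1, 15)
    for user, src, dsts in (("alice", "ws-alice", ["srv-fin-01", "srv-fin-02"]),
                            ("bob", "ws-bob", ["srv-dev-01"]))
    for dst in dsts
)

# Constructed detection-day log: alice fans out to four new hosts, bob's account
# is used from a workstation never seen for him before.
DETECTION_LOG = """\
2024-03-15 alice ws-alice srv-fin-01
2024-03-15 alice ws-alice srv-fin-02
2024-03-15 alice ws-alice srv-hr-01
2024-03-15 alice ws-alice srv-dev-01
2024-03-15 alice ws-alice srv-dev-02
2024-03-15 alice ws-alice dc-01
2024-03-15 bob ws-bob srv-dev-01
2024-03-15 bob ws-contractor-7 srv-dev-01
"""

# Thresholds and weights are arbitrary illustrative values, not Gurucul's scoring.
NEW_HOST_FANOUT_MIN = 3   # new destination hosts in one day before we alert
FANOUT_WEIGHT = 40        # T1021 Remote Services (Lateral Movement)
NEW_SOURCE_WEIGHT = 20    # T1078 Valid Accounts (Initial Access)


def parse(log):
    """Turn whitespace-separated log lines into event dicts; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        day, user, src, dst = line.split()
        events.append({"day": day, "user": user, "src": src, "dst": dst})
    return events


def build_baseline(events):
    """Per-user sets of source and destination hosts seen in the training window."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set()})
    for e in events:
        baseline[e["user"]]["src"].add(e["src"])
        baseline[e["user"]]["dst"].add(e["dst"])
    return dict(baseline)


def detect(events, baseline):
    """Run both analytics over one day's events and return ATT&CK-tagged alerts."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        if user not in baseline:
            # Cold start: nothing to compare against. Everything would look new,
            # so such users need onboarding review rather than these analytics.
            continue
        known = baseline[user]
        new_dst = {e["dst"] for e in evs} - known["dst"]
        if len(new_dst) >= NEW_HOST_FANOUT_MIN:
            alerts.append({"user": user, "technique": "T1021", "tactic": "Lateral Movement",
                           "score": FANOUT_WEIGHT, "evidence": sorted(new_dst)})
        new_src = {e["src"] for e in evs} - known["src"]
        for src in sorted(new_src):
            alerts.append({"user": user, "technique": "T1078", "tactic": "Initial Access",
                           "score": NEW_SOURCE_WEIGHT, "evidence": [src]})
    return alerts


def risk_by_user(alerts):
    """Additive per-user risk, highest first; ties broken by user name."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["user"]] += a["score"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def run():
    """Baseline on the training log, then score the detection-day log."""
    baseline = build_baseline(parse(TRAINING_LOG))
    return detect(parse(DETECTION_LOG), baseline)


if __name__ == "__main__":
    alerts = run()
    for a in alerts:
        print(f"{a['user']:6} {a['technique']} {a['tactic']:17} +{a['score']} evidence={a['evidence']}")
    for user, score in risk_by_user(alerts):
        print(f"risk {user}: {score}")
```

Two caveats a practitioner would add before running anything like this: the technique tag is a hypothesis about what the behavior most resembles, not proof that the technique occurred (bob’s new workstation may be a legitimate contractor laptop), and per-user baselines alone miss the case where an attacker’s activity resembles a user’s own history, which is why production models also compare a user against a peer group and weight anomalies by the sensitivity of the destination.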

Rapid detection of cyber threats is key in preventing cyberattacks that lead to damaging data breaches. The new Gurucul MITRE ATT&CK implementation is our latest tool for keeping you one step ahead of your adversaries.