The MITRE ATT&CK framework has become a valuable tool for security teams to identify gaps in their threat detection capabilities. When ExtraHop added MITRE ATT&CK mapping to our Reveal(x) product interface, our customers were thrilled. Many immediately wanted to learn more about how network data is used for threat detection and response.
In the latest update, version 9, MITRE updated ATT&CK to include new attack techniques and to better represent the network as a data source, with input from ExtraHop. Previously, network data was under-represented in the ATT&CK framework. Most Tactics, Techniques, and Procedures (TTPs) relied on endpoint monitoring and activity logs (both important and still heavily represented) for threat detection and response. By bringing this expertise to the MITRE ATT&CK framework, ExtraHop will help security teams fill one of the biggest gaps in security and visibility tooling: the network.
ExtraHop continually strives to help its customers secure their environments more effectively. Our expertise and long history in identifying detectable cyberattack behavior on the network have made us the first and only Network Detection and Response (NDR) provider to be listed as a contributor to the MITRE ATT&CK framework. We were also the first NDR product to natively integrate ATT&CK into our product interface. NDR is an essential tool for detecting and responding to modern advanced threats, and we continue to invest in research and development to help the SOC regain the advantage over attackers.
Attackers cannot hide in the network
Recent high-impact cyberattacks, such as SUNBURST and the DarkSide ransomware attack, have highlighted major gaps in the threat detection and response capabilities of many organizations.
Attackers have become more sophisticated at evading detection by endpoint detection and response (EDR) agents and log-based security information and event management (SIEM) solutions. Additionally, endpoint and log-based solutions can be difficult to deploy with full coverage. The proliferation of remote working, IoT, and cloud adoption has exacerbated the difficulty of obtaining and maintaining comprehensive security coverage.
Attackers evaded detection by avoiding secured or monitored endpoints. This gave them enough dwell time to establish persistence, move laterally, and ultimately cause far more damage than they would have had they been detected earlier.
Extensive use of common network protocols for command and control, lateral movement, and data exfiltration makes the DarkSide and SUNBURST attacks highly detectable on the network. These attackers used commonly abused and under-monitored protocols such as DNS and RDP for command and control and lateral movement, which can be detected with a proper NDR deployment.
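As an added illustration (not ExtraHop code and not part of the original post), here are two simple network-side rules in the spirit the paragraph describes: many distinct random-looking subdomains of one domain from a single client as a sign of DNS-based command and control, and one client opening RDP sessions to many internal hosts as a sign of lateral movement. The records are constructed sample data and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records as a passive network sensor might summarize them:
# (client address, protocol, detail). For DNS the detail is the queried name,
# for RDP it is the destination host. Not real traffic.
RECORDS = [
    ("10.0.0.5", "DNS", "www.example.com"),
    ("10.0.0.5", "DNS", "mail.example.com"),
    ("10.0.0.5", "DNS", "login.example.com"),
    ("10.0.0.5", "RDP", "10.0.1.10"),
    ("10.0.0.9", "DNS", "a9f3k2z8q1.example.org"),  # random-looking labels
    ("10.0.0.9", "DNS", "x7b2m4p0w5.example.org"),
    ("10.0.0.9", "DNS", "q1z8k3f9a2.example.org"),
    ("10.0.0.9", "DNS", "www.example.com"),
    ("10.0.0.9", "RDP", "10.0.1.10"),
    ("10.0.0.9", "RDP", "10.0.1.11"),
    ("10.0.0.9", "RDP", "10.0.1.12"),
]

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def registered_domain(name):
    """Crude 'last two labels' approximation of the registered domain."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dns_c2_suspects(records, min_unique=3, min_entropy=3.0):
    """(client, domain) pairs where a client queried several distinct
    high-entropy subdomains of one domain, a pattern typical of DNS tunnels."""
    seen = defaultdict(set)
    for client, proto, name in records:
        if proto != "DNS":
            continue
        first = name.split(".")[0]
        if label_entropy(first) >= min_entropy:
            seen[(client, registered_domain(name))].add(first)
    return sorted(k for k, labels in seen.items() if len(labels) >= min_unique)

def rdp_fanout_suspects(records, min_targets=3):
    """Clients opening RDP sessions to unusually many distinct internal hosts."""
    targets = defaultdict(set)
    for client, proto, dest in records:
        if proto == "RDP":
            targets[client].add(dest)
    return sorted(c for c, t in targets.items() if len(t) >= min_targets)
```

Both rules run on observed traffic alone, so they apply equally to hosts that carry no endpoint agent; in practice the thresholds would be tuned against a baseline of normal traffic.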
NDR does what other tools can’t: covert detection of unknown threats
NDR does not replace the SIEM or the EDR, which have essential roles to play. NDR provides visibility into activity that these other tools cannot see. Additionally, NDR is the only security tool that operates completely covertly. Attackers can tell whether there is an EDR agent on an endpoint they are attacking and can choose to try another path. Attackers regularly clear or modify activity logs to reduce or eliminate SIEM visibility.
Attackers cannot tell whether their network traffic is being passively monitored. They cannot tell whether their network transactions are being decrypted or whether their C2 traffic is being flagged by behavioral models.
In addition, network traffic is universal in the enterprise. Even notoriously insecure and rapidly growing IoT devices, which cannot necessarily support a monitoring agent or activity logging, cannot avoid talking over the network. Attackers who attempt to exploit the growing attack surface caused by IoT and remote devices can still be intercepted with NDR.
The network is the next frontier in cybersecurity
The inclusion of more network attack behaviors in the ATT&CK framework serves as both a useful tool and a strong signal for SOC teams: NDR is a vital tool for the SOC. Without NDR, you have a blind spot that attackers know how to exploit. ExtraHop continues to identify more ways to detect attack techniques on the network, and we are working with MITRE to include this information in the ATT&CK framework so that security teams around the world can benefit.
Over the past few years, security teams have focused heavily on operationalizing their EDR and SIEM solutions. As more advanced threats take advantage of network blind spots, the importance of NDR as a foundational tool and data source for SOC will increase. SOC teams that stay ahead of the curve in adopting NDR will find themselves gaining the upper hand over attackers and providing a competitive advantage to the companies they defend.
To quote Rob Joyce, director of cybersecurity at the National Security Agency: “[An attacker’s] worst nightmare is this out-of-band network tap that really captures all the data, understands the abnormal behaviors that are happening, and someone is paying attention. You need to know your network. Understand your network, because [the attacker] will.”
To learn more about updates to the MITRE ATT&CK framework, including network-centric techniques and contributions from ExtraHop, read the MITRE release notes for MITRE ATT&CK v9.
This three-minute video provides a quick overview of how MITRE ATT&CK is integrated into the user interface of the Reveal(x) NDR product.
Our white paper on the MITRE ATT&CK framework gives a deeper dive into the attack tactics, techniques, and procedures detected by Reveal(x) NDR.
Hunt threats with Reveal(x)
Investigate an attack live in the full ExtraHop Reveal(x) product demo: network detection and response for the hybrid enterprise.
Copyright © 2021 IDG Communications, Inc.