The most effective modern threat hunting is done using Tactics, Techniques, and Procedures (TTPs). TTPs are descriptive and characterize exactly what adversaries are doing and how they are doing it. Though TTPs are abstracted from specific observed instances within individual incidents, they are generally applicable in developing contextual understanding across incidents, campaigns, and threat actors. TTP-based threat hunting lets you cast a wider net because normal behaviors are easily filtered out of the results, cutting through the noise and reducing alert fatigue. Most importantly, TTPs allow you to hunt for the unknown.
What is the MITRE ATT&CK Framework?
MITRE, a not-for-profit company operating multiple federally funded research and development centers, created a globally accessible knowledge base of Adversarial Tactics, Techniques, and Common Knowledge (Procedures). This knowledge base, released in 2015, is known as the MITRE ATT&CK Framework. The MITRE ATT&CK knowledge base is represented as a matrix of tactics, techniques, and procedures, organized by the possible attack stages of the adversary. There are 11 tactics describing why an attacker performs an action and over 232 techniques aligned with the corresponding tactics, which describe how an attacker carries out the given tactic.
How Exabeam Employs the MITRE ATT&CK Framework
Exabeam’s solution detects behaviors that are abnormal for a given account, such as logging in from a new device or a different IP address. Each irregular behavior adds to the account’s risk score; when the risk score reaches 90, the account is considered to be under active attack. To proactively detect potential threats, the solution combines these anomalous account behaviors with adversary techniques from the framework. Exabeam is the first SIEM vendor to have a new technique approved by MITRE and added to the knowledge base.
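As an added illustration (not Exabeam’s code), the following minimal account risk scorer shows the scoring model described above: each anomaly (new device, new IP, off-hours login, a burst of failed logins) adds a weight and tags a MITRE ATT&CK technique, and an account is flagged once its score reaches the 90 threshold. The weights, rule names, baseline and login events are constructed assumptions for the example; T1078 (Valid Accounts) and T1110 (Brute Force) are real ATT&CK technique IDs.

```python
from collections import defaultdict

# Threshold from the page: an account whose score reaches 90 is treated as an active attack.
ACTIVE_ATTACK_THRESHOLD = 90

# Constructed weights and ATT&CK tags (assumptions; the vendor's real weights are not on the page).
RULES = {
    "new_device": (30, "T1078"),         # Valid Accounts
    "new_ip": (25, "T1078"),             # Valid Accounts
    "off_hours_login": (20, "T1078"),    # Valid Accounts
    "failed_login_burst": (40, "T1110"), # Brute Force
}

def score_events(events, baseline):
    """Return {account: (risk_score, [technique ids])} for a list of login events."""
    state = defaultdict(lambda: {"score": 0, "techniques": [], "failures": 0})
    for ev in events:
        acct = ev["account"]
        known = baseline.get(acct, {"devices": set(), "ips": set()})
        s = state[acct]
        triggered = []
        if ev["outcome"] == "failure":
            s["failures"] += 1
            if s["failures"] == 3:          # third consecutive failure fires once
                triggered.append("failed_login_burst")
        else:
            s["failures"] = 0                # a success ends the failure streak
            if ev["device"] not in known["devices"]:
                triggered.append("new_device")
            if ev["src_ip"] not in known["ips"]:
                triggered.append("new_ip")
            if not 8 <= ev["hour"] < 18:     # outside the constructed 08:00-18:00 baseline
                triggered.append("off_hours_login")
        for name in triggered:
            weight, technique = RULES[name]
            s["score"] += weight
            if technique not in s["techniques"]:
                s["techniques"].append(technique)
    return {a: (v["score"], v["techniques"]) for a, v in state.items()}

def active_attacks(scored):
    """Accounts whose cumulative risk score has reached the threshold."""
    return sorted(a for a, (score, _) in scored.items() if score >= ACTIVE_ATTACK_THRESHOLD)

# Constructed sample: known devices/IPs per account and a few login events.
BASELINE = {"alice": {"devices": {"alice-laptop"}, "ips": {"10.0.0.5"}},
            "bob": {"devices": {"bob-desktop"}, "ips": {"10.0.0.9"}}}
EVENTS = [
    {"account": "alice", "outcome": "success", "device": "alice-laptop", "src_ip": "10.0.0.5", "hour": 9},
    {"account": "bob", "outcome": "failure", "device": "unknown-vm", "src_ip": "203.0.113.7", "hour": 3},
    {"account": "bob", "outcome": "failure", "device": "unknown-vm", "src_ip": "203.0.113.7", "hour": 3},
    {"account": "bob", "outcome": "failure", "device": "unknown-vm", "src_ip": "203.0.113.7", "hour": 3},
    {"account": "bob", "outcome": "success", "device": "unknown-vm", "src_ip": "203.0.113.7", "hour": 3},
]
```

Running `active_attacks(score_events(EVENTS, BASELINE))` flags only `bob`, whose failed-login burst followed by a success from an unknown device and IP at 03:00 scores 115 across T1110 and T1078, while `alice` stays at 0.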
Currently, Exabeam’s solution covers 51 MITRE ATT&CK techniques across all 11 tactics, and Exabeam is continually working to add new models. The solution helps analysts prioritize which techniques they should be on the lookout for, so they can identify and respond to attacks as efficiently as possible.
To learn more about the MITRE ATT&CK framework and how Exabeam can assist in your organization’s threat detection and remediation, reach out to the Vandis team at (516) 281-2200 for a free consultation.