
As cloud applications and services gain prominence among organizations, adversaries are evolving their toolsets to target these cloud environments. The surge in remote work and teleconferencing has widened the attack surface they can reach. The MITRE ATT&CK framework, usually visualized as the MITRE ATT&CK matrix, is a knowledge base for defending cloud and on-premises infrastructure against documented adversary tactics, techniques, and procedures (TTPs). Security teams that use it can map their detections to known adversary behavior, measure where coverage is thin, and adapt as that behavior changes.
Demystifying MITRE ATT&CK
MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a curated knowledge base that categorizes and describes the actions an adversary takes over the course of an intrusion, from reconnaissance and initial access through to impact. The content is drawn from real-world observations of intrusions and is published in a format that security teams can readily understand and apply.
The MITRE ATT&CK framework isn’t just a collection of abstract concepts; it represents actionable threat intelligence. Here are a few reasons why it’s so respected:
- Detail-oriented: The framework doesn’t just list TTPs. For each technique it provides a description, real-world procedure examples attributed to specific threat groups and software, the mitigations that reduce exposure, and the data sources and detection guidance that support finding it.
- Evolving nature: The cyber landscape is ever-changing. MITRE ATT&CK is not static; it’s continuously updated to reflect new findings, ensuring that security professionals always have the most current information at their fingertips.
- Universal applicability: The framework caters to small-scale businesses, large enterprises, and government entities. Its organized structure and comprehensive coverage make it an excellent resource for enhancing any organization’s security posture.

Content evolution of Sumo Logic’s Cloud SIEM
MITRE’s vast repository is foundational for developing Sumo Logic’s Cloud SIEM content. Our approach is twofold:
- Gap analysis: We assess techniques, identifying those that require enriched coverage based on the available log data.
- Frequency of technique usage: Gleaning feedback from diverse sources, like Sumo Logic Special Operations, our customer base, field teams, and the insights from our Cloud SIEM solution, we identify which techniques adversaries commonly deploy.
To keep a clear view of both our coverage and the techniques actually observed in customer environments, every rule we ship is tagged with the MITRE ATT&CK technique(s) it detects. Customers can tag their own custom rules with specific techniques in the same way, so custom and out-of-the-box content appear together in one structured view of detection and response coverage.
Visualizing threats with MITRE ATT&CK Coverage Explorer
The MITRE ATT&CK™ Coverage Explorer by Sumo Logic is a strategic cybersecurity tool providing a comprehensive view of adversary tactics, techniques, and procedures (TTPs) covered by rules in the Cloud SIEM system. By mapping your detection capabilities to this matrix, you can identify areas of strength, uncover gaps in your defenses, and prioritize enhancements based on the evolving threat landscape. Often presented as a heat map, Coverage Explorer offers a color-coded representation of coverage levels, providing security teams with an at-a-glance understanding of their readiness against potential adversary behaviors. This visual tool powers informed decision-making, facilitating a proactive approach to cyber defense.

This dynamic page allows users to assess threat detection capabilities in three ways:
- Recent activity – Shows coverage for your organization based on signals received over the last 180 days.
- All community activity – Determine what coverage you’re missing compared to other customers using Cloud SIEM.
- Theoretical coverage – Shows coverage for your organization if all ingested data arrived as expected and every enabled rule generated at least one Signal. Comparing this view with Recent activity separates two different problems: a technique that is covered in theory but has produced no Signals usually points to a missing or broken log source, while a technique absent from both views is a candidate for a new custom rule.
Visualizations, filtering options, and export features empower security practitioners to optimize rule effectiveness, evaluate data sources, and strategically align defenses with the industry-standard MITRE ATT&CK framework.
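The following is an added example, not Sumo Logic code, that models two of the three views described above (Recent activity and Theoretical coverage) over a constructed rule catalogue and a constructed set of Signals; the community view needs data from other tenants and is not modelled. Rule IDs, technique tags, the fixed "now" and the 180-day window are all assumptions chosen for the illustration.

```python
"""Recent vs. theoretical ATT&CK coverage over technique-tagged detection rules.

Added example (not Sumo Logic code). Rules, Signals and the clock are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are deterministic
WINDOW = timedelta(days=180)                     # the Recent activity look-back from the text

# Constructed rule catalogue: each rule is tagged with the ATT&CK technique(s) it detects.
RULES = [
    {"id": "R1", "name": "Brute force logins", "enabled": True, "techniques": ["T1110"]},
    {"id": "R2", "name": "Valid account from new geo", "enabled": True, "techniques": ["T1078"]},
    {"id": "R3", "name": "Cloud instance created", "enabled": True, "techniques": ["T1578.002"]},
    {"id": "R4", "name": "PowerShell download cradle", "enabled": False, "techniques": ["T1059.001", "T1105"]},
    {"id": "R5", "name": "S3 bucket made public", "enabled": True, "techniques": ["T1530"]},
]

# Constructed Signals: (rule id, time the rule fired). R5 never fired at all.
SIGNALS = [
    ("R1", NOW - timedelta(days=3)),
    ("R2", NOW - timedelta(days=40)),
    ("R3", NOW - timedelta(days=400)),  # fired, but outside the 180-day window
]


def technique_key(tid: str) -> str:
    """Roll a sub-technique (T1578.002) up to its parent technique (T1578)."""
    return tid.split(".")[0]


def theoretical_coverage(rules):
    """Techniques covered if every enabled rule produced at least one Signal."""
    covered = set()
    for r in rules:
        if r["enabled"]:
            covered.update(technique_key(t) for t in r["techniques"])
    return covered


def recent_coverage(rules, signals, now=NOW, window=WINDOW):
    """Techniques for which some rule actually fired inside the look-back window."""
    by_id = {r["id"]: r for r in rules}
    covered = set()
    for rule_id, fired_at in signals:
        if now - fired_at <= window and rule_id in by_id:
            covered.update(technique_key(t) for t in by_id[rule_id]["techniques"])
    return covered


def coverage_gaps(rules, signals):
    """Enabled rules whose technique has no recent Signal.

    These are theoretical-but-silent: the first thing to check is whether the
    log source the rule depends on is arriving at all, not whether to write a new rule.
    """
    recent = recent_coverage(rules, signals)
    silent = defaultdict(list)
    for r in rules:
        if not r["enabled"]:
            continue
        for t in r["techniques"]:
            if technique_key(t) not in recent:
                silent[technique_key(t)].append(r["id"])
    return dict(silent)


def disabled_candidates(rules):
    """Disabled rules covering techniques that no enabled rule covers: the enable-next list."""
    theoretical = theoretical_coverage(rules)
    return {
        r["id"]: [t for t in r["techniques"] if technique_key(t) not in theoretical]
        for r in rules
        if not r["enabled"]
    }


if __name__ == "__main__":
    print("theoretical:", sorted(theoretical_coverage(RULES)))
    print("recent     :", sorted(recent_coverage(RULES, SIGNALS)))
    print("silent     :", coverage_gaps(RULES, SIGNALS))
    print("to enable  :", disabled_candidates(RULES))
```

With this data R3 shows up as silent even though it fired once, because the Signal is older than the window, and R5 shows up as silent because it never fired; both land on the "check the data source" list rather than the "write a new rule" list, which is the distinction the Theoretical view is there to make.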
Explore Sumo Logic’s Cloud SIEM solution
Sumo Logic empowers SOC teams to better defend against cyber threats and modernize security operations with Cloud SIEM. This cloud-native SIEM solution provides holistic visibility into your organization’s security posture. Automatically surface the actionable insights your analysts need to secure your organization’s cloud journey, manage the changing attack surfaces and bring innovation to your SOC. Learn more about how to make the most of SIEM.
As cloud applications and services become more common among organizations, adversaries will continue to evolve their toolsets to target and penetrate cloud environments. With the rise in remote employees and teleconferencing, cloud computing has never been so important to organizations. Cloud computing provides access to resources from anywhere in the world, which benefits legitimate users and attackers alike. The MITRE ATT&CK Framework provides a structured way to defend both cloud and on-prem infrastructure against documented adversary tactics, techniques, and procedures (TTPs). Security teams that use the ATT&CK Framework have a leg up on attackers and can measure their defenses against the constantly changing threat landscape.
What is MITRE ATT&CK?
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations, maintained by MITRE. This library of information is used across the cybersecurity community, from the private sector to government entities. MITRE provides a visual representation of these tactics and techniques in the MITRE ATT&CK Enterprise Matrix. The tactics are laid out left to right following the attack lifecycle, starting with Reconnaissance and ending with Impact. Each tactic is further broken down into techniques and sub-techniques: the specific actions adversaries take to achieve that tactic, each documented with real-world procedure examples and supporting references.


Content Development
The vast knowledge base MITRE provides is one of the many ways Sumo Logic’s Cloud SIEM content is developed. Given the amount of adversary information contained in the MITRE ATT&CK Framework, we take two main approaches when prioritizing tactics and techniques to focus on:
- Gap Analysis – Understanding what techniques lack coverage or could have deeper coverage based on log source availability.
- Frequency of Technique Used – We gather feedback from our Sumo Logic Special Operations (SpecOps) service, our customers, and our field teams, as well as Signals and Insights produced in our Cloud SIEM Enterprise product. By doing so we can understand which MITRE techniques are being used more frequently by adversaries than other techniques.
To measure both our MITRE ATT&CK coverage as well as tactics and techniques seen in actual customer environments, we align all our rules to MITRE. This directly ties into our content evolution when it comes to the two approaches mentioned above.
Roadmap
Since the gap analysis and technique-frequency work are continuous, it is just as important to stay current as MITRE releases new versions. We recently updated our “heat map” and content alignment to account for ATT&CK v8. Version 8, released on October 27, 2020, migrated PRE-ATT&CK into Enterprise ATT&CK, which added two new tactics to the framework: Reconnaissance and Resource Development. Our next priority for keeping our MITRE alignment current is extending it down to the sub-technique level for Sumo Logic Cloud SIEM content.
MITRE ATT&CK is a great framework for categorization of attack tactics, techniques, and procedures. Learn more about MITRE ATT&CK and how Sumo Logic leverages it to help secure your digital transformation.
MITRE ATT&CK Heat Map
The visual outcome of using MITRE ATT&CK to develop content is a heat map that shows which techniques we have low, medium, and high coverage for. This heat map is produced using MITRE’s ATT&CK Navigator tool, which renders a layer file that assigns each technique a score and colours the matrix accordingly.
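The following is an added example, not Sumo Logic’s tooling, showing how a coverage heat map of this kind is produced: count the rules tagged with each technique, bucket the counts into low/medium/high, and emit an ATT&CK Navigator layer that colours the matrix by that score. The rule-to-technique tags, the 1/2/3+ thresholds, the colours, and the version strings in the layer header are assumptions for the illustration; the version strings in particular should match the Navigator release you load the layer into.

```python
"""Build an ATT&CK Navigator layer that colours techniques by detection coverage.

Added example, not Sumo Logic code. Coverage buckets are an assumed mapping from
the number of rules tagged with each technique: 1 = low, 2 = medium, 3+ = high.
"""
import json
from collections import Counter

# Constructed: ATT&CK technique IDs each detection rule is tagged with.
RULE_TECHNIQUES = {
    "R1": ["T1110"],
    "R2": ["T1078", "T1078.004"],  # parent and sub-technique: counted once for T1078
    "R3": ["T1078"],
    "R4": ["T1530"],
    "R5": ["T1078"],
    "R6": ["T1110.003"],
}

# Assumed version strings; set them to the Navigator release you actually use.
LAYER_VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}

# Gradient positions 0..3: not covered, low, medium, high (colours are arbitrary).
GRADIENT = {"colors": ["#ffffff", "#ffe766", "#ffa64d", "#66b266"], "minValue": 0, "maxValue": 3}


def coverage_score(rule_count: int) -> int:
    """Map a rule count onto the assumed low/medium/high buckets."""
    if rule_count >= 3:
        return 3
    return rule_count  # 0, 1 or 2


def count_rules_per_technique(rule_techniques, roll_up_subtechniques=True):
    """Count distinct rules per technique, rolling sub-techniques up to the parent."""
    counts = Counter()
    for techs in rule_techniques.values():
        keys = {t.split(".")[0] if roll_up_subtechniques else t for t in techs}
        counts.update(keys)  # a rule counts once per technique even if tagged twice
    return counts


def build_layer(rule_techniques, name="Detection coverage"):
    """Return a Navigator layer dict with one scored entry per covered technique."""
    counts = count_rules_per_technique(rule_techniques)
    techniques = [
        {
            "techniqueID": tid,
            "score": coverage_score(n),
            "comment": f"{n} rule(s) mapped",
            "enabled": True,
            "showSubtechniques": False,
        }
        for tid, n in sorted(counts.items())
    ]
    return {
        "name": name,
        "versions": LAYER_VERSIONS,
        "domain": "enterprise-attack",
        "description": "Number of detection rules mapped to each ATT&CK technique",
        "techniques": techniques,
        "gradient": GRADIENT,
        "legendItems": [
            {"label": "Low (1 rule)", "color": GRADIENT["colors"][1]},
            {"label": "Medium (2 rules)", "color": GRADIENT["colors"][2]},
            {"label": "High (3+ rules)", "color": GRADIENT["colors"][3]},
        ],
    }


def layer_json(rule_techniques, name="Detection coverage") -> str:
    """Serialize the layer for import via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(rule_techniques, name), indent=2)


if __name__ == "__main__":
    print(layer_json(RULE_TECHNIQUES))
```

Techniques with no tagged rule are simply absent from the layer and render in the default colour, which is what makes gaps stand out on the matrix. Re-running this against the current rule set after each ATT&CK release is the cheap way to keep the heat map in step with the framework.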
