How Sumo Logic’s Cloud SIEM Uses MITRE ATT&CK to Develop Content

As cloud applications and services become more and more common amongst organizations, adversaries will continue to evolve their toolset to target and penetrate cloud networks. With the rise in remote employees and teleconferencing, cloud computing for organizations has never been so important. Cloud computing can provide access to resources from all over the world, which is great for both good and bad actors. The MITRE ATT&CK Framework provides a multitude of ways to defend both cloud and on-prem infrastructures against the latest adversary tactics, techniques, and procedures (TTPs). Security teams that utilize the ATT&CK Framework will have a leg up on the bad actors and are able to measure their defenses to evolve with the constantly changing threat landscape.

What is MITRE ATT&CK?

MITRE is a knowledge base of adversary tactics and techniques based on real-world scenarios. This library of information is used across the cybersecurity community from the private sector to government entities. MITRE provides a visual representation of these tactics and techniques using their MITRE ATT&CK Enterprise Matrix. These tactics are structured based on the attack lifecycle from left to right – starting with Reconnaissance and ending with Impact. Each tactic is further broken down into multiple techniques and sub-techniques. These are the details and specific actions adversaries take within each tactic using real-world examples and supporting documentation.

Content Development

The vast knowledge base MITRE provides is one of the many ways Sumo Logic’s Cloud SIEM content is developed. Given the amount of adversary information contained in the MITRE ATT&CK Framework, we take two main approaches when prioritizing tactics and techniques to focus on:

• Gap Analysis - Understanding what techniques lack coverage or could have deeper coverage based on log source availability.
• Frequency of Technique Used - We gather feedback from our Sumo Logic Special Operations (SpecOps) service, our customers, and our field teams, as well as Signals and Insights produced in our Cloud SIEM Enterprise product. By doing so we can understand which MITRE techniques are being used more frequently by adversaries than other techniques.

To measure both our MITRE ATT&CK coverage as well as tactics and techniques seen in actual customer environments, we align all our rules to MITRE. This directly ties into our content evolution when it comes to the two approaches mentioned above.

Roadmap

Since the gap analysis and technique frequency is a constant evolution, it's just as important to remain up-to-date as MITRE releases new versions. We recently updated our “heat map” and content alignment to take into account ATT&CK v8. Version 8, released on October 27, 2020, came with the PRE-ATT&CK migration into Enterprise-ATT&CK, which led to two new tactics being added to the framework – Reconnaissance and Resource Development. Our next priority for keeping our MITRE Framework up to date, is adding additional alignment down to the sub-technique level for our Sumo Logic Cloud SIEM content.

MITRE ATT&CK is a great framework for categorization of attack tactics, techniques, and procedures. Learn more about MITRE ATT&CK and how Sumo Logic leverages it to help secure your digital transformation.

MITRE ATT&CK Heat Map

The visual outcome of using MITRE ATT&CK to develop content is producing a heat map that outlines the techniques we have low, medium, and high coverage for. This heat map is produced using MITRE’s ATT&CK Navigator tool.

To learn more about Sumo Logic’s Cloud SIEM solution check out this overview, and to see it in action I encourage you to watch this one minute video.