MITRE ATT&CK & D3FEND: Step-by-Step Guide to Closing Security Visibility Gaps
In this article, summarized from a recent managed detection and response webinar, we’ll explain what MITRE D3FEND is, how it complements the MITRE ATT&CK framework, and you can use it to identify and close gaps in security visibility.
It’s no secret that cybercrime is on the rise with attacks happening more frequently and for higher and higher profits. Tuning our threat detection and response capabilities is more important than ever. But, as with most things in cybersecurity, that’s easier said than done.
One of the primary roadblocks to better threat detection is understanding your security visibility priorities and any gaps you may have within that visibility. Trying to get visibility into every single thing happening in your environment, however, is expensive, and for most organizations, impossible.
Fortunately, there are some really valuable frameworks out there like MITRE ATT&CK and MITRE D3FEND that can help streamline threat detection capabilities. These are free tools that anyone can use in order to prioritize detection and close security visibility gaps.
Table of contents
What is MITRE D3FEND?
MITRE D3FEND is a new project from MITRE, the creators of the well-known ATT&CK framework, that establishes relationships between attack techniques, countermeasures and digital artifacts. From the MITRE website:
D3FEND is a knowledge base, but more specifically a knowledge graph, of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques.
The D3FEND matrix
The D3FEND matrix categorizes countermeasure techniques into five stages of defense:
- Harden – application hardening, platform hardening, credential hardening, message hardening
- Detect – network traffic analysis, process analysis, file analysis, platform monitoring, identifier analysis, message analysis, user behavior analysis
- Isolate – network isolation, execution isolation
- Deceive – decoy environment, decoy object
- Evict – credential eviction, process eviction
Each countermeasure is mapped to related MITRE ATT&CK techniques as well as any artifacts generated by the associated ATT&CK techniques. For example, the MITRE ATT&CK initial access technique of “Spearphishing Attachment” (T1566.001) would produce a MITRE D3FEND artifact of “Inbound Internet Mail Traffic” (D3FEND Artifact):
MITRE D3FEND vs MITRE ATT&CK
D3FEND is a fairly new project that MITRE says is still in an experimental phase. We still find it incredibly valuable, especially when used in conjunction with the ATT&CK framework to prioritize security visibility requirements – and in the future, potentially even guide organizations in improving their resiliency by reducing attack surface.
MITRE ATT&CK – A knowledge base of attacker tactics and techniques
If you’re familiar with the ATT&CK framework, which I’m assuming at this point most of us are, you know that it’s an offensive model that looks at relationships between known threat actors, the techniques they used to perpetrate their attacks. Additionally, MITRE has categorized techniques into “tactics” which map roughly to stages in the cyber-attack killchain. MITRE also provides some (somewhat limited) guidance around mitigations and data sources to leverage for detection and mitigation, but those really just scratch the surface and have been fairly focused on endpoint telemetry.
MITRE D3FEND – A knowledge base of cybersecurity countermeasure techniques
D3FEND is the defensive counterpart to MITRE ATT&CK, providing countermeasures that can be implemented to harden defenses and detect, isolate, deceive, and evict attackers from the environment.
The connective tissue between the two frameworks are the digital artifacts that particular attack techniques generate. The techniques attackers use will produce some kind of digital evidence such as logs, network traffic, newly created user accounts, changes to email rules or application configurations, etc. Knowing which artifacts to look for allows us to implement the appropriate security visibility to detect threat actors abusing those techniques. Additionally, understanding where an attack technique falls – within an attack killchain – allows us to prioritize countermeasures and disrupt attackers as early as possible.
A Step-by-Step Guide on How to Use MITRE frameworks to prioritize and close security visibility gaps
Step 1 – Define your cybersecurity threat model.
First things first, you’re going to need a threat model. Without this, you’ll end up spinning your wheels trying to stop every potential threat to your organization. Threat modeling allows you to narrow in on the actual threat actors that may be targeting your organization based on factors like industry sector and geographic presence. Knowing those adversaries, you can better understand their objectives and which MITRE ATT&CK techniques and tactics they might use against you to compromise your environment and achieve their objectives.
At minimum, your threat model should accomplish the following five things:
- Provide you an understanding of threat actors targeting potentially targeting your organization
- Provide you an understanding of threat actor objectives (corporate espionage, financial gain, data theft, causing physical harm, etc) and a rough understanding of how threat actors attack (which techniques & tactics they use)
- Mapping ATT&CK techniques to your technology stack – and understanding which are applicable to your environment (do you use containers? If not, techniques related to Docker containers are not applicable)
- Understanding your attack surface
- Some details regarding remediation and risk reduction steps
Step 2 – Prioritize high overlap cyber-attack techniques based on the killchain stage, using MITRE ATT&CK
With your threat model defined, you should have a good understanding of the types of threat actors targeting your organization, and you can start to identify where there is a high overlap of MITRE ATT&CK techniques these different threat actors using at each stage of the killchain.
Let’s say your threat model identifies APT28, more commonly known as Fancy Bear, as a threat actor that may be targeting your organization. You can reference the MITRE ATT&CK database to find the common techniques leveraged by APT28 to perform reconnaissance, gain initial access, establish persistence, etc.
Unless you’re very lucky, there’s not just one threat actor targeting your environment. So the next step is to cross-reference the techniques used by Fancy Bear with the techniques used by other threat actors to see if there are any techniques with really high overlap.
At Kudelski Security, we’ve developed a tool that helps speed up and visualize this cross-referencing step. In the example below, we can see that 42 of the threat actors we think are targeting our organization are leveraging Spearphishing Attachments to gain initial access. If we can prevent or detect a technique that’s very early on in the attack chain, then we have a much better chance of reducing the overall impact to the organization. For that reason, maybe Spearphishing Attachments should be our highest priority from a security visibility and detection perspective.
Once we’ve gotten really good at detecting Spearphishing Attachments, we may want to move on to detecting users clicking on Spearphishing Links, then maybe Drive-by Compromise and so on. If you can understand where attackers are succeeding and the techniques that they’re using, you can prioritize what your visibility should be.
Step 3 – Understand data requirements for technique detection and create a data checklist
Once you’ve got your list of offensive techniques prioritized, you need to understand the data that’s required to potentially detect each technique.
This is usually where we see the most failures when it comes to threat detection. Either you’re collecting too much data, or you think you’re collecting everything you need to when in reality, really valuable logs (which may not be enabled by default) aren’t even turned on or being collected. This is often the case in standard Windows Active Directory Environments. We talk a lot more about this in our blog “Four Roadblocks to Faster Threat Detection & Response.”
Going back to our Spearphishing Attachment example, the MITRE database will tell us what data we need to collect in order to detect Spearphishing Attachments. According to MITRE, we should be collecting data related to:
- File creation
- Application log content
- Network traffic content
- Network traffic flow
The above list of data is a good example of the “Endpoint centric” nature of MITRE ATT&CK data sources. At Kudelski Security we’ve begun to expand on the data sources required for detection. As an example, to detect Spearphishing attachments we may also want data from email servers, email security gateways, and potentially things like Office 365 email audit logs.
This becomes our data checklist. If we’re already collecting this data or at least have the ability to collect it, then we know we have what we need to detect this specific technique. Your objective here is to better understand the data you’re sending to your security visibility tooling, identify any gaps you might have and then start closing those gaps.
You will have to balance how easy the data is to collect with how valuable the data is in detecting an attack. Of course, you’ll want to tackle any low hanging fruit. Enabling object access and change logs in Active Directory is pretty simple. Making a change across HTTP web server in your environment when you don’t have centralized configuration management capabilities is not.
Ultimately, you’ll have to decide if the juice is worth the squeeze. If a complicated change could give you better visibility into your overlapping techniques, it may be worth considering.
Step 4 – Prioritize your attack mitigations, using MITRE D3FEND
As the saying goes, the best offense is a good defense. With steps 1-3 complete, it’s time to think about how you can prevent these types of attacks, applying mitigations or countermeasures designed to stop specific techniques from evening working in the first place. Let’s look again at the MITRE D3FEND countermeasure database for the Spearphishing Attachment technique. You can see that there are 18 potential countermeasures that could either harden, detect, deceive or isolate the attack.
That’s a lot to take on at once, so we recommend prioritizing mitigations with these four things in mind:
- Mitigate techniques early in the killchain – the earlier in an attack campaign you mitigate, the less impact to your overall environment
- Prioritize based on value and ease of deployment – don’t tackle the hardest thing first, even if it’s the most valuable
- Leverage available audit modes and early adopters – Some mitigations may impact the way your users are used to working. Your job is to reduce risk while also ensuring your business can still function. Leverage “audit” modes of preventative tooling to understand the potential impact of a mitigation and identify things you need to whitelist.
- Consider user experience – build a process internally to handle exceptions to your mitigations
Get in Touch
We find both the MITRE ATT&CK and MITRE D3FEND frameworks really valuable and have incorporated them into our managed threat detection and response capabilities. Our team uses data from both in the internal tool we’ve built to help our team execute threat modeling and identify data requirements as outlined in this post. Though the tool is not a requirement for what we’re recommending, it can help streamline efforts.
If you’re interested in learning more about the tool or our managed threat detection and response capabilities in general, get in touch with our team here.