What You Can’t See: Visualizing and Addressing MITRE ATT&CK Coverage Gaps with Threat Navigator
In this blog post, Marie Singleton and Pascal Reymond outline the onboarding process and core ideas behind Threat Navigator, Kudelski Security’s technology that enables clients to understand, visualize and remediate their security visibility and threat detection gaps. Delivered as standard to all clients of our Managed Detection and Response platform, Threat Navigator aligns closely with the MITRE ATT&CK Framework.
Table of contents
- See how Threat Navigator helps you cover your MITRE ATT&CK gaps
- Step one: Determine your overall coverage…or lack of coverage
- Step Two: Determine what your security priorities are
- Step three: Determine what coverage gaps you should prioritize
- What about the remaining security coverage gaps?
- What if the information is not accurate?
- Step Four – What should I do with the information I have? How, practically, do I close the gaps?
- Where do we go from here?
There’s an old expression – based very loosely on Socrates – that says: “you don’t know what you don’t know”. In the security world, this adage has been adapted to “you don’t know what you can’t see” and a whole industry has been built around helping organizations gain true visibility into their threat landscape. The focus is on helping them understand what they should be looking at (their security visibility priorities) and whether they have the technology set up to enable that or not (the gaps in their visibility).
Get this right and you get security posture right. That is easier said than done: obtaining this visibility in a form that is both easy to produce and easy to consume is a hard problem.
Kudelski Security’s Threat Navigator aims to help clients answer this difficult challenge.
Engagements with clients usually go through several steps, starting with determining the client’s coverage (or lack of coverage) and ending with deciding how to close the priority gaps.
Step one: Determine your overall coverage…or lack of coverage
The reference we use to visualize coverage is the MITRE ATT&CK Framework. Using this framework, your coverage is expressed as the set of techniques you have visibility and detection capability against. Which techniques you can cover is determined by:
- The technology you are using (EDR, SIEM, …)
- The detection rules that technology can run
- The data sources that are onboarded and can trigger those detection rules
- Other qualitative factors, such as the quality of the detection rules (false positive rate, …) and the ability to investigate the resulting alerts
Step Two: Determine what your security priorities are
To answer this question, we need to consider the client context and, in particular, which techniques Threat Actors are likely to use against you. Part of this can be derived from data, such as:
- The client’s industry vertical
- The Threat Actors known to target this vertical
- The Techniques used by those threat actors
- Other factors taken into consideration are based on client’s full context – more on this a bit later
In the example shown here, the prioritized technique is highlighted in blue, while the non-prioritized technique is gray.
Once you have compiled your coverage and your priorities, you have a full overview of your priority gaps (each card represents a MITRE Tactic and each circle an individual MITRE Technique).
So, problem solved?
Well, that would be too easy, right?
This initial outcome already gives you a good first idea of your priorities, but not the full picture yet. A few answers are still missing, which leads to the next step: deciding which gaps you should prioritize.
Step three: Determine what coverage gaps you should prioritize
There are different approaches to prioritizing your coverage gaps. The approach we have taken with the Threat Navigator is to rank each uncovered technique by the number of Threat Actors (among those targeting your vertical) known to use it. Other approaches might also work, but this is a simple, quantitative method that represents priority in an easily consumable way.
What about the remaining security coverage gaps?
The Threat Navigator landing page shows your top 5 gaps. You can also review the full list of remaining gaps in the “Recommended Actions” section.
In this section, the “Open” tab shows all your potential gaps based on the internal calculation; however, that calculation might overlook some client specificity. This is why we give the user the ability to make decisions such as:
- Prioritize a technique: A technique gap might be low on the list, but for the user, it might be of particular importance, so we allow a user to prioritize a technique to ensure they always have an eye on it.
- Dismiss a technique: On the other hand, a technique might not be relevant for the client (for any number of different reasons), which is why we’ve built a workflow to allow the user to “dismiss” a technique while providing additional information on this decision. In future reporting, the reason for dismissal will always be noted for reference.
What if the information is not accurate?
The coverage, the gaps, and the priority are all determined by the processed client data and the implemented logic… but what if the information is not complete or accurate?
Although we aim to provide the best coverage and gap information possible, there are still a few ways the data might not fully represent the client’s situation, such as:
- The client may have other security tools, not managed by Kudelski Security, which cover some gaps.
- The client may decide that a particular gap is covered (or not covered) and, therefore, want a refined representation of its security posture.
- The client may think that some Threat Actors are under- or overrepresented.
So, how do we solve that?
This is probably one of our favorite features in the Threat Navigator: Client-Modified Coverage.
Clients can easily switch from the Kudelski Security gap calculation to their modified gap calculation, making the Threat Navigator not a vendor specific tool, but a true client tool.
Let’s review what you can modify:
- Any technique (and sub-technique) can be overridden by editing its coverage status. In doing so, the user can add a comment explaining the rationale (which is stored for reporting). Other users can see who modified the technique, when it was modified, and what the reasoning behind the decision was.
- Let’s say you have a data source that is not activated in the Threat Navigator (perhaps it is managed by another vendor, or Kudelski Security simply doesn’t have the information). You can edit any data source, and your coverage is recalculated accordingly.
Threat actors & vertical(s)
- What if you operate in more than one industry vertical and you believe that some Threat Actors are targeting you in particular? The Threat Navigator allows you to change those parameters and review how it modifies your gaps.
Step Four – What should I do with the information I have? How, practically, do I close the gaps?
Now that you have defined the best representation of your gaps, there are a few things you can do.
The first thing you can do is download your coverage (in CSV or ATT&CK Navigator format) to manipulate the data in your system the way you want.
An advantage of the CSV download is that it will provide you all the additional details you may need (such as why a technique has been marked as covered/not covered, by whom, and when).
The second thing you can do – and arguably the most important thing – is understanding how you can cover those gaps. To answer this question, it’s important to recognize the different scenarios that can arise:
- A data source is missing.
- This should be your number one focus. Is there a data source you already have that is not currently used to cover the gap? The Threat Navigator lists, for each technique, the data sources that could close it.
- There is a technology limitation.
- Some technologies are limited in what they can cover: a rule may be active for technology A but not for technology B. Our detection team does its best to bridge such technology gaps, but they can occur.
- No rule exists to efficiently cover a technique.
- This is the least preferred scenario, but it is possible that no data source and/or rule is currently available to cover a technique. The next phase of our Threat Navigator aims to compile data across clients to highlight the most common gaps and the most efficient ways to cover them.
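The four steps above, as an added worked example in Python. This is not Threat Navigator's own code: the rule catalogue, the data components each rule needs, the platform names edr_a and edr_b, the placeholder actors ACTOR-A to ACTOR-C and the vertical-to-actor mapping are all constructed for illustration. It marks a technique covered only when a rule for it exists on the client's technology and every data component that rule needs is onboarded (step one), counts how many actors targeting the client's vertical(s) use each technique (steps two and three), ranks the uncovered techniques by that count, classifies each gap into the three scenarios of step four, honours client overrides together with their rationale, and writes an ATT&CK Navigator layer (field names follow the public layer format; the version numbers are an assumption).

```python
"""Compute ATT&CK coverage, rank gaps by actor pressure, explain each gap and
export a Navigator layer. Added example, not Threat Navigator code; every
mapping below is constructed for illustration."""
import json
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK technique ID the rule detects
    requires: frozenset   # ATT&CK data components the rule needs to fire
    platforms: frozenset  # technologies the rule is implemented for (placeholder names)


# Constructed detection catalogue; "edr_a"/"edr_b" are hypothetical technologies.
RULES = [
    Rule("powershell_encoded_cmd", "T1059",
         frozenset({"Process: Process Creation", "Command: Command Execution"}),
         frozenset({"edr_a", "edr_b"})),
    Rule("lsass_handle_access", "T1003",
         frozenset({"Process: OS API Execution"}), frozenset({"edr_a"})),
    Rule("phishing_attachment", "T1566",
         frozenset({"Application Log: Application Log Content"}),
         frozenset({"edr_a", "edr_b"})),
    Rule("rdp_lateral_movement", "T1021",
         frozenset({"Logon Session: Logon Session Creation"}),
         frozenset({"edr_a", "edr_b"})),
    Rule("mass_file_encryption", "T1486",
         frozenset({"File: File Modification"}), frozenset({"edr_a", "edr_b"})),
]

# Constructed actor profiles: placeholder names, not real group attributions.
ACTOR_TECHNIQUES = {
    "ACTOR-A": {"T1566", "T1059", "T1003", "T1021", "T1486"},
    "ACTOR-B": {"T1566", "T1059", "T1078"},
    "ACTOR-C": {"T1059", "T1003", "T1021"},
}
VERTICAL_ACTORS = {"healthcare": {"ACTOR-A", "ACTOR-B"},
                   "finance": {"ACTOR-A", "ACTOR-C"}}


@dataclass
class Client:
    verticals: set
    technology: str
    data_sources: set
    # Client-modified coverage: technique -> (covered?, rationale), as in the
    # override-with-comment workflow described above.
    overrides: dict = field(default_factory=dict)


def compute_coverage(client):
    """Step one: covered if some rule for the technique runs on the client's
    technology and all the data components it needs are onboarded."""
    covered = {}
    for rule in RULES:
        ok = client.technology in rule.platforms and rule.requires <= client.data_sources
        covered[rule.technique] = covered.get(rule.technique, False) or ok
    for technique, (is_covered, _rationale) in client.overrides.items():
        covered[technique] = is_covered   # client override wins
    return covered


def technique_pressure(client):
    """Steps two and three: actors targeting the client's vertical(s) per technique."""
    actors = set().union(*(VERTICAL_ACTORS.get(v, set()) for v in client.verticals))
    pressure = Counter()
    for actor in sorted(actors):
        pressure.update(ACTOR_TECHNIQUES[actor])
    return pressure


def explain_gap(client, technique):
    """Step four: classify an uncovered technique into the three scenarios above."""
    if technique in client.overrides:
        return "client override: " + client.overrides[technique][1]
    rules = [r for r in RULES if r.technique == technique]
    if not rules:
        return "no rule exists"
    usable = [r for r in rules if client.technology in r.platforms]
    if not usable:
        return "technology limitation"
    missing = set().union(*(r.requires - client.data_sources for r in usable))
    return "missing data source: " + ", ".join(sorted(missing))


def ranked_gaps(client, top=5):
    """Uncovered techniques, most-used-by-actors first (ties broken by ID)."""
    covered = compute_coverage(client)
    gaps = [(t, n) for t, n in technique_pressure(client).items() if not covered.get(t, False)]
    gaps.sort(key=lambda tn: (-tn[1], tn[0]))
    return [(t, n, explain_gap(client, t)) for t, n in gaps[:top]]


def navigator_layer(client, name="coverage gaps"):
    """ATT&CK Navigator layer: score 0 when covered, actor count when not.
    Field names follow the public layer format; version numbers are assumed."""
    covered = compute_coverage(client)
    techniques = [{"techniqueID": t, "score": 0 if covered.get(t, False) else n,
                   "comment": "covered" if covered.get(t, False) else explain_gap(client, t)}
                  for t, n in sorted(technique_pressure(client).items())]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                         "maxValue": max((x["score"] for x in techniques), default=1)}}


if __name__ == "__main__":
    client = Client(verticals={"healthcare"}, technology="edr_b",
                    data_sources={"Process: Process Creation", "Command: Command Execution",
                                  "Logon Session: Logon Session Creation"},
                    overrides={"T1078": (True, "covered by identity provider rules")})
    for technique, actors, reason in ranked_gaps(client):
        print(f"{technique}: {actors} actor(s), {reason}")
    print(json.dumps(navigator_layer(client), indent=2))
```

Running it with the constructed healthcare client ranks T1566 first (two actors, phishing logs not onboarded), then T1003 (the only rule is implemented on edr_a, a technology limitation) and T1486 (file modification telemetry missing); T1078 is excluded because the client overrode it as covered, and that rationale travels into the exported layer's comment field, which is the same provenance the CSV export described above preserves.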
Where do we go from here?
At Kudelski Security, we are particularly excited by the value Threat Navigator brings our clients. An innovative, dynamic approach to visualizing your threat coverage gaps drives us all forward to a more secure future.
Request the Threat Navigator demo and see for yourself!