Threat-Informed Defense with the MITRE Sightings Report
The threat landscape is ever-changing, and defenders need to keep up-to-date on the latest threats so we can defend against them. This is largely the reason for the formation of the ConnectWise Cyber Research Unit (CRU). Our team stays up-to-date on the latest threats, builds new detection logic for them as needed, and keeps the rest of the ConnectWise SOC informed. We’ve also made it our goal to help keep the overall MSP community informed of the latest threats so together; we can raise the tide.
Staying current on the latest threats involves more than just watching news, forums, and Twitter; but also includes monitoring and tracking threat actor activity within our own customer base which includes thousands of MSPs and their clients. So when we heard MITRE Engenuity’s Center for Threat Informed Defense was looking for contributors to their new Sightings Ecosystem we eagerly contacted them to see how we could help. And so we are excited to share that they have released their report Sightings Ecosystem: A Data-driven Analysis of ATT&CK in the Wild, which includes data contributed by multiple organizations, including the CRU.
This new report includes an analysis of over 6 million sightings contributed by multiple organizations observed between April 2019 and July 2021. A sighting could include any direct or indirect usage of a technique or malicious software by a threat actor. By focusing on actual sightings, this report can help your MSP answer the question, “What techniques do we realistically need to be prepared to defend against?” After normalizing the data 184 unique techniques were observed; however, only 15 techniques made up 90 percent of those observed with the technique Schedule Task/Job [T1053] accounting for almost 25 percent of all sightings. The report also includes 10 NIST 800-53 controls that will provide coverage of these most observed techniques.
The Top 15 Techniques:
- Scheduled Task/Job [T1053]
- Command and Scripting Interpreter [T1059]
- Hijack Execution Flow [T1574]
- Proxy [T1090]
- Masquerading [T1036]
- Signed Binary/Proxy Execution [T1218]
- Create or Modify System Process [T1543]
- Process Injection [T1055]
- Impair Defenses [T1562]
- Obfuscated Files or Information [T1027]
- Remote Services [T1021]
- Non-Application Layer Protocol [T1095]
- Windows Management Instrumentation [T1047]
- Modify Registry [T1112]
- Ingress Tool Transfer [T1105]
10 NIST 800-53 Controls
- SI-4 System Monitoring
- CM-6 Configuration Settings
- CM-2 Baseline Configuration
- CM-7 Least Functionality
- AC-3 Access Enforcement
- AC-6 Lease Privilege
- AC-2 Account Management
- AC-5 Separation of Duties
- CM-5 Access Restrictions for Change
- IA-2 Identification and Authentication (Organizational Users)
Now that we have an idea of what techniques threat actors are most likely to deploy, the question becomes, what do we do with this data? The report breaks down each technique, providing more details regarding which sub-techniques were observed and perhaps most importantly, lists which security controls will prevent them as well as specific guidance on detection using MITRE Cyber Analytics Repository (CAR) and Sigma. CAR and Sigma provide generic, product-agnostic detection rules that the CRU and other organizations can use to build detection signatures for their own platforms. The CRU has previously relied on CAR and Sigma data to build baseline detection for the most common techniques.
The MITRE ATT&CK® framework includes a list of more than 370 techniques across 14 tactics. Ensuring controls and detection across all these techniques can be a daunting task which is why this data is so valuable by providing us a focused list of 15 techniques to prioritize.
More – Read the Full Report: This report includes up-to-date intelligence based on real-world sightings by multiple organizations, including MSPs. This is reliable, high-fidelity, actionable data that all of us can use, and the CRU is proud we were able to contribute. Read the full report or view the infographic for more information.