How To Prioritize & Mitigate Threats Using Splunk & MITRE ATT&CK Framework

Ian Murphy - October 2021

splunk mitre att&ck framework


How do you categorize and prioritize the numerous threats?

How do you tackle these threats using existing tools and data?

 

In 2013, MITRE used real-world observations to develop the ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework, used to categorize adversarial threats and behaviors. 

It is an open source, comprehensive list of known attacker behaviors, compiled and separated into tactics and techniques, and structured in multiple easy-to-follow matrices.

MITRE ATT&CK takes the adversaries perspective to help organizations understand how adversaries approach, prepare for, and successfully execute attacks. This is beneficial for organizations to adopt the MITRE ATT&CK framework in order to gain insight into attacker behavior so they can improve their own defenses accordingly.

 

Key MITRE ATT&CK Terminology


Let's take a quick look at the MITRE ATT&CK terminology, since these terms can often have different meanings for different organizations.

  • Tactics: Describes the immediate technical goals of the attackers, such as gaining Initial Access, maintaining Persistence, or gaining Command and Control. To successfully complete an attack, attackers must use multiple tactics.
  • Techniques: This describes the methods used by the attackers to achieve a tactic. All tactics in each matrix have numerous techniques associated with them. Some techniques can be broken down further into sub-techniques. 
  • Procedures: Describes either the specific implementations of techniques and sub-techniques or it can refer to specific malware or other tools attackers have used.

 

Example of procedures

 

 

 


How can Splunk help?

Splunk offers numerous ways to utilize the knowledge and experience curated by MITRE. Below we will take a look at how Splunk's Enterprise Security (ES) App and the Splunk Security Essentials App can assist with the deployment of MITRE ATT&CK use-cases.

 


Splunk Enterprise Security (ES) 6.4+ and the MITRE ATT&CK Framework


Use Splunk ES's built-in correlation searches to map specific MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures) to notable events/alerts. As of Splunk ES 6.4+, you can now tag the Correlation Searches with their associated MITRE AT&CK tactic number in the configuration page.

Splunk ES's built-in correlation searches

 

You can then view the resulting Notable Events in Incident Review dashboard that allows you quickly triage, assign, and track issues associated with the MITRE ATT&CK framework.

 

Splunk Notable Events in Incident Review dashboard

Click here for more information

 



Security Essentials 3.1+ and the MITRE ATT&CK Framework


Organizations can utilize the Security Essentials app with embedded MITRE ATTT&CK features to reduce complexity, enhance collaboration within security teams and validate migration and remediation capabilities.

As you can see below, you can use many of the provided filters to zoom in and visualize the MITRE ATT&CK framework and better understand your environment based on the data that is active, available, or not yet available in your Splunk environment allowing you to take action and plan for the future.

Filters within the Security Essentials app with embedded MITRE ATTT&C

 

Security Essentials allows you to subdivide your MITRE ATT&CK Matrix against any of the sub-matrices, i.e. Enterprise, Mobile, and ICS etc.

 

You can also filter on “Show Only Popular Techniques” that filters the ATT&CK Matrix and displays the techniques that 5 or more Threat Groups are associated with. This is a good way of finding the techniques that pose the greatest risk.
Splunk Security Essentials uses bookmarking to track what content is active in your environment which is key to enriching the matrix, content recommendations, ES integrations with Splunk Enterprise Security, Risk-based Alerting RBA, and the Data Availability Dashboard.

“Show Only Popular Techniques” filter

 

With the knowledge of what data you have, you can specify the types of security concerns you’re facing and then use MITRE ATT&CK to filter for the Splunk content related to MITRE Techniques that are associated with many different threat groups.

 

Example of how to specify the types of security concerns you're facing

 

Below is an example of a Correlation Search provided by Security Essentials you can use to implement a particular tactic.

 

Example of a Correlation Search provided by Security Essentials

Click here for more information

 

Arcus Data and the MITRE ATT&CK Framework


Splunk and the MITRE ATT&CK framework are a perfect partnership for security teams looking to improve their security practice.

 

With 100's of Splunk deployments under its belt, Arcus Data is perfectly positioned to help organizations operationalize the MITRE ATT&CK framework unleashing its full potential. Reach out to hello@arcusdata.io for more information.

Email Arcus Data for Support