Mitre Mapping
Often, the first step in protecting networks and data is to work out how attackers might act; network defenders depend on this information to find and stop intrusions. The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base built on real-world observations of adversary tactics and techniques (Kwon et al., 2020). The ATT&CK knowledge base is used to build specialized threat models and methodologies for businesses, government, and the community of cybersecurity product and service providers. ATT&CK is free, available to anyone, and can be used by any organization in the world; its goal is to bring communities together to improve cybersecurity. In their analysis, Al-Shaer, Spring, and Christou (2020, p.3) describe the MITRE ATT&CK framework as one that shows the many different ways a security attack can be carried out: the common tactics, techniques, and operational procedures used in sophisticated, persistent attacks on enterprise networks. A successful application of ATT&CK should produce a clear and consistent set of mappings that can be used in reporting for detection, response, and mitigation, as well as for building adversary profiles and analyzing activity trends.
For network protection, analysts can choose their own starting point for MITRE mapping based on the information they have and how familiar they are with ATT&CK. One example is the distinction between the terms tactics and techniques. The first step in eliminating areas of possible intrusion is to be aware of them. Looking for signs of attacker behavior is different from looking for indicators of compromise such as malware file hashes, URLs, domain names, and other traces of a previous attack (Georgiadou, Mouzakitis, and Askounis, 2021). The first step of a MITRE mapping process is to look for signs of how the attacker interacts with different platforms and applications in order to find a pattern of unusual or suspicious behavior (Kwon et al., 2020, p. 107). At this point in the process, analysts try to work out how the initial breach happened and how the post-breach activity was carried out.
In the second stage, behavior analysis is carried out to determine how best to protect networks. More research might be needed to gather the background information required to understand why an adversary or program might be acting in a hostile way. Analysts have to go back to the original source reports to see how the behavior was described. Reports from security research groups, government cyber agencies, international CERTs, and open internet sources may also be helpful in the mapping process (Tatam et al., 2021). Even though not every adversary operation can be broken down into techniques and sub-techniques, a combination of technical details can reveal the overall behavior and goals of the adversary. Analysts have to look for words that help them work out what is going on; in reports, it is common to look for key verbs that point to adversarial behavior, such as "execute a command", "make a connection", "create a scheduled task", and "send a connection request".
The next step is to determine which tactics have been used. Analysts must carefully review the report to work out how the adversary attacked and where it was heading as a whole within the network. The first part of this step is to identify the adversary's plan, that is, its objectives. Focus on the adversary's goals and what drives them rather than on their techniques. A common operational approach is to look for signs that show whether the intruder wanted to steal data, destroy it, or escalate their privileges (Hacks et al., 2021). After the mapping is done, analysts must compare the tactic definitions against the behaviors observed to see whether they can be interpreted as pursuing a particular objective. If analysts know how the attack unfolded, they may be able to work out which techniques or sub-techniques the attacker used.
The next task for analysts is to decide which techniques were used, in the context of the network they operate in. When mapping, analysts must look at the technical details of how the adversary intends to reach its goals; this comes after establishing what the adversary is doing. For example, in order to know how to respond, analysts need to know how the attacker first got in. One of the most important questions is whether access was gained through spear phishing or through a third-party remote service (Ahmadjee et al., 2022, p. 7). The next step in MITRE mapping is to narrow down the options by reviewing the report and weighing the behaviors that have been observed. If analysts do not have enough information to reach a sound conclusion, they can only map down to the tactic level, and that level of analysis does not yield anything observable to look for. Analysts are taught to treat an adversary's techniques and sub-techniques as parts of a playbook rather than as isolated actions. Adversaries often use the information gained from each operation to decide which techniques to use next in the attack cycle, so the techniques of an attack are often linked together.
The fifth step of mapping is to list all of the sub-techniques used within the network. Analysts should read the descriptions of the sub-techniques to see whether they match the information in the report; when there is alignment, it usually means the chosen sub-technique is right. Because reporting is not always clear, Pell et al. (2021) note that it may not be possible to determine the exact sub-technique in some cases. When there is not enough information to identify a sub-technique, the behavior should be mapped only to the parent technique. A sub-technique that is hard to identify may also simply not be present. New information could either confirm a mapping or show that an alternative mapping needs further investigation (Georgiadou, Mouzakitis, and Askounis, 2021, p. 3267). It is very important to keep in mind that there is always a chance that a particular behavior points to a new technique that ATT&CK has not yet catalogued.
Finally, at the end of the mapping process, it should be possible to compare the results with what other analysts have found. Mapping is a group activity, so analysts must work with their peers to improve their mappings. Working on mappings with other analysts is helpful because it brings a wider range of perspectives and sheds light on other points of view, which may help reveal analyst bias. A methodical approach that includes peer review and consultation helps people share different viewpoints, learn more, and improve overall performance (Pell et al., 2021). Peers could review a report annotated with the proposed tactics, techniques, and sub-techniques to map TTPs that were missed in the first pass. If this method is used, the mapping work of the whole team is likely to be more consistent.
Reference List
Ahmadjee, S., Mera-Gómez, C., Bahsoon, R. and Kazman, R., 2022, ‘A study on blockchain architecture design decisions and their security attacks and threats’, ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 31, no. 2, pp. 1-45.
Al-Shaer, R., Spring, J.M. and Christou, E., 2020, ‘Learning the associations of mitre att&ck adversarial techniques’, In 2020 IEEE Conference on Communications and Network Security (CNS) (pp. 1-9). IEEE.
Georgiadou, A., Mouzakitis, S. and Askounis, D., 2021, ‘Assessing mitre att&ck risk using a cyber-security culture framework’, Sensors, vol. 21, no. 9, p. 3267.
Hacks, S., Butun, I., Lagerström, R., Buhaiu, A., Georgiadou, A. and Michalitsi Psarrou, A., 2021, ‘Integrating security behavior into attack simulations’, In The 16th International Conference on Availability, Reliability and Security (pp. 1-13).
Kwon, R., Ashley, T., Castleberry, J., Mckenzie, P. and Gourisetti, S.N.G., 2020, ‘Cyber threat dictionary using mitre att&ck matrix and nist cybersecurity framework mapping’, In 2020 Resilience Week (RWS) (pp. 106-112). IEEE.
Pell, R., Moschoyiannis, S., Panaousis, E. and Heartfield, R., 2021, ‘Towards Dynamic Threat Modelling in 5G Core Networks Based on MITRE ATT&CK’, arXiv preprint arXiv:2108.11206.
Tatam, M., Shanmugam, B., Azam, S. and Kannoorpatti, K., 2021, ‘A review of threat modelling approaches for APT-style attacks’, Heliyon, vol. 7, no. 1, p. e05969.
