MITRE ATT&CK: Don't Just Measure and Report... Improve

At Verodin, we’re big supporters of the MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) model and its focus on cyber adversary behaviors. MITRE ATT&CK is a great security model – not to be confused with a security product or tool. We have a number of customers that work with the MITRE ATT&CK model, which is why we’ve integrated it into the Verodin Security Instrumentation Platform (SIP).

To get full value from the portion of the Kill Chain that MITRE ATT&CK covers across initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and C2, you don’t just want to measure and report on what’s broken; you want to be able to improve.

With Security Instrumentation Platforms like Verodin SIP, it’s not about simply identifying that your security tools are only 20% effective when it comes to mitigating various phases of an adversary’s attacks; it’s about improving those security tools to get the other 80% and keeping it.

Within Verodin SIP, MITRE ATT&CK behaviors are tagged and mapped to ATT&CK Tactic and Technique IDs within the Verodin SIP Content Library. Verodin began this process in 2017 and we continue to tag more behaviors as ATT&CK is updated. In fact, today the Verodin SIP Content Library covers all 11 out of 11 tactics captured in ATT&CK Enterprise with hundreds of actions – and the library is growing.

However, MITRE ATT&CK is just part of a broader behavior matrix within Verodin SIP. Verodin SIP organizes the many attacks in its matrix by the unique behaviors they exhibit. This approach means that you don’t need to validate your security tools against an ever-increasing number of attacks; rather, you can measure those security tools against the underlying behaviors those attacks share.

What this really means is that you can scale. Instead of trying to keep up with every new attack, you can validate and tune your security tools against the underlying attack behaviors. This doesn’t limit you, of course, from validating your security tools against a specific attack for which you need empirical evidence illustrating your security effectiveness, such as when the boss asks, “How protected are we from WannaCry and its variants?” Being able to answer this question with evidence-based data is important.

This is why Verodin SIP is an Open Content Platform allowing you to leverage attacks that ship with Verodin, come with Verodin updates, are pulled in from threat intelligence feeds, ISACs, packet captures, databases of attacks such as malware traffic analysis, or are even written in-house. Answering questions about specific attacks is important, but being able to scale to address the bigger picture is critical.

For example, there are thousands of SQL injection attacks and CVEs. Some of these attacks are decades old. At any given point each one was a zero-day. However, the underlying behaviors are finite, and it is these unique behaviors that Verodin SIP focuses on for validation within the Verodin SIP behavior matrix. Leveraging behaviors is a very different approach in the security industry but one that is both essential to the MITRE ATT&CK model as well as Verodin SIP.

By validating security tools against behaviors, rather than against CVEs, the constant chasing of zero-days, and the analysis of lagging indicators of compromise, your security effectiveness validation and improvement can finally scale. And yes, Verodin SIP still helps when you need to placate those asking how your security tools fare against the MITRE ATT&CK model.

Too often we think about MITRE ATT&CK, SANS Top 20, OWASP Top 10, and others as something we measure against. Then we create a report to illustrate what’s working and what’s not and placate stakeholders. While that’s a nice start, this approach misses out on some terrific value points:

  • Don’t just tell me what’s broken, tell me how to fix it.
  • When I make the fix, let me validate that the fix worked.
  • Once it’s working as desired, let me leverage automation to validate it in perpetuity.
  • Should it ever drift from a known good state, alert me so that I can manage by exception.
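The fix-validate-automate-alert loop above, as an added example that is not Verodin's code: validation results are keyed by ATT&CK technique ID, a known-good baseline is compared against the latest automated run, and only a regression from that baseline raises an alert (manage by exception). The technique IDs are real ATT&CK Enterprise IDs; the pass/fail results are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: outcome of one validation run keyed by ATT&CK
# technique ID. True means the security control blocked or detected the behavior.
BASELINE = {  # known-good state recorded after the fixes were validated
    "T1059": True,   # Command and Scripting Interpreter (execution)
    "T1003": True,   # OS Credential Dumping (credential access)
    "T1021": False,  # Remote Services (lateral movement): accepted, known gap
    "T1041": True,   # Exfiltration Over C2 Channel (exfiltration)
}
CURRENT = {  # constructed result of today's automated re-run
    "T1059": True,
    "T1003": False,  # regressed from the baseline (e.g. a detection rule was disabled)
    "T1021": False,
    "T1041": True,
    "T1566": True,   # Phishing: new behavior added to the library, no baseline yet
}

@dataclass(frozen=True)
class DriftReport:
    regressed: tuple      # passed in baseline, fails now -> alert
    improved: tuple       # failed in baseline, passes now -> candidate new baseline
    new: tuple            # not in baseline at all
    still_failing: tuple  # known gap, unchanged

def detect_drift(baseline, current):
    """Classify each current result relative to the known-good baseline."""
    regressed, improved, new, still_failing = [], [], [], []
    for tid, ok in sorted(current.items()):
        if tid not in baseline:
            new.append(tid)
        elif baseline[tid] and not ok:
            regressed.append(tid)
        elif not baseline[tid] and ok:
            improved.append(tid)
        elif not ok:
            still_failing.append(tid)
    return DriftReport(tuple(regressed), tuple(improved), tuple(new), tuple(still_failing))

def effectiveness(results):
    """Percentage of validated behaviors the security tools handled."""
    return round(100 * sum(results.values()) / len(results)) if results else 0

def needs_alert(report):
    # Manage by exception: only drift away from the known-good state pages anyone.
    return bool(report.regressed)

if __name__ == "__main__":
    rep = detect_drift(BASELINE, CURRENT)
    print(f"effectiveness {effectiveness(BASELINE)}% -> {effectiveness(CURRENT)}%")
    print("ALERT regressed:", rep.regressed) if needs_alert(rep) else print("no drift")
```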

By leveraging these capabilities, you are operationalizing and personalizing your security effectiveness measures and improvements. Verodin SIP works across endpoint, network, email, and cloud. While much of the MITRE ATT&CK model is focused on endpoint (which is why Verodin has integrated it into our endpoint behavior libraries), you probably want to construct a very personalized set of tests across endpoint, network, email, and cloud with multiple types of measures so that you can validate the effectiveness of your security tools, improve on the gaps, apply configuration assurance for future changes, and automate the process of monitoring effectiveness on an ongoing basis. But that doesn’t mean you stop caring about reports.

Reporting is essential. This is why Verodin SIP also allows you to illustrate security effectiveness with reports from a technical and business perspective and do so at a point in time or trended over time to show – with zero false positives and results predicated on evidence-based data – your true state of security effectiveness.

You select the tests you want to run, where they are run, and how they are run. You decide to conduct manual, automated, or hybrid validations. Best of all, you execute these real attacks, safely, within your production environment.

These are not attack simulations. The attacks are the real thing. Use what Verodin gives you and add your own, quickly and easily, without having to be a programmer. There is no security risk because of Verodin’s unique Director-Actor architecture that works without attacking your target assets. Instead, Verodin measures the effectiveness of the security tools protecting those assets.

The operational impact is virtually undetectable which is why many Verodin customers with availability requirements at 99.999% trust Verodin SIP not to impact their SLAs. Plus, you don’t need to build some virtual, testbed lab instance that kinda-sorta looks like your production environment because Verodin SIP operates within your production environment.

The “bad guys” don’t use simulated attacks; they use real attacks. They don’t attack your fake, virtual environment; they attack your real environment. That’s why Verodin SIP operates with real attacks, on your real network, against your real security tools, but, most critically, it does all this safely.

What Verodin customers really like is how easy Verodin SIP is to deploy and use. Verodin is typically deployed in hours. In a short time, you have actionable data on what’s working, what’s not, and how to fix it. We’ve found that over a period of just weeks, most customers have increased their security effectiveness significantly. And the advanced environmental drift analysis capabilities help ensure that what’s working stays that way, so you are not only mitigating risk but you’re actually getting value from your security investments in the long term. Verodin SIP also offers a great way to effectively POC, compare new security tools, and get them working and effective as quickly as possible.

Learn more about Verodin here and request a demo.