
Focus investigations with MITRE ATT&CK insights


Last updated: 29th May 2024

 

Integrate automated evidence analysis and mapping into your investigations

Understanding an attacker's behavior and the tactics, techniques and procedures (TTPs) they use is vital to any investigation: it provides the context that makes investigations more efficient and effective, informs which response actions are appropriate, and improves both short- and long-term response outcomes.

However, the threat landscape is growing increasingly complex, and it can be difficult to keep on top of every IoC, malware family and adversary trick, particularly given the range of activity that can be involved in a single investigation. Frameworks like MITRE ATT&CK exist to help analysts and investigators with exactly this.

What exactly is MITRE ATT&CK?

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques, curated from real-world observations.

It serves as a foundation for developing specific threat models and methodologies, which are used across the private sector and government organizations and underpin much of the cybersecurity product and service community.

MITRE ATT&CK was created to keep pace with threats that evolve daily. It catalogues adversary behavior (tactics, techniques and procedures) rather than atomic indicators such as file hashes or IP addresses; the Indicators of Compromise (IoCs) observed in an investigation are mapped onto the techniques they evidence. The framework also brings together many communities to develop better defensive strategies.

Integrating valuable insights into investigations

The MITRE ATT&CK framework therefore offers key information and signposts that incident responders, hunters and analysts can leverage as they work through an investigation, and it helps them understand how an incident may have unfolded.

In addition to providing this important context, the mapping of observed indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) to specific ATT&CK tactics and techniques, helps to speed up the detection and analysis phase, by providing: 

  1. Common Language: MITRE ATT&CK provides a common taxonomy and language for cybersecurity practitioners to describe adversary TTPs. This common language is invaluable during incident response for quickly and accurately conveying information about the attack to other analysts or colleagues.

  2. Attack Characterization: Analysts can use MITRE ATT&CK to characterize and categorize the nature of the attack. By matching observed behaviors to the framework, analysts can identify the TTPs being used by the adversary.

  3. Guidance on Response: The framework can guide analysts in identifying which actions to take to counteract observed TTPs. This might involve specific mitigation measures to prevent further breaches or adjustments to defenses to disrupt ongoing attacks.

  4. Prioritization: MITRE ATT&CK can help analysts prioritize their actions based on the tactics and techniques observed. Some actions need to be addressed immediately, while others can be handled later. This is a big help to teams with limited resources, or to geographically dispersed teams that need to collaborate.

  5. Threat Intelligence: MITRE ATT&CK can be used to enrich threat intelligence by comparing current incident data with known patterns of adversary behavior. This can help in attributing the attack to specific threat actors or campaigns if they are known to use certain TTPs.

What is the AIR MITRE ATT&CK Analyzer feature?

AIR includes a suite of incident response investigation capabilities, including DRONE, AIR's automated compromise assessment technology, which uses built-in rules to automatically analyze evidence and identify IoCs, anomalies and Indicators of Behavior (IOBs).

DRONE’s MITRE ATT&CK Analyzer is constantly updated based on research from our in-house researchers and threat hunters - known as the Binalyze DFIR Lab - and it incorporates the very latest versions of MITRE ATT&CK. 

With their fingers on the pulse of the cybersecurity ecosystem, the DFIR Lab ensures that AIR's built-in automated evidence analyzers always include the latest IoCs and IOBs, providing detailed insight into the tactics and techniques used by attackers.

This is all about giving you visibility into suspicious activity on your networks and assets. Being able to automate this process means that you can save time on what’s “known”, are able to confidently cut through the noise of evidence, and move more quickly through investigations.

[Figure 1: MITRE ATT&CK]

Below, we’ll explore how AIR’s MITRE ATT&CK analyzers and mapping can help you protect your organization from cyber threats.

Like all the other analyzers built into AIR's DRONE capability (see above), the MITRE ATT&CK Analyzer enables responders and analysts like you to make decisions faster and piece together critical information as part of an investigation.

The integration of the MITRE ATT&CK Analyzer delivers the benefit of additional YARA and Dynamo rules for detecting potential IoCs or TTPs.

As of May 2024, AIR supports more than 30,000 IoCs, with additional rules being added constantly by the DFIR Lab team. Keep track of our additions by following our team on X (Twitter) and LinkedIn.

 

[Figure: Finding overview]

[Figure: Example of the details for an individual finding]

Using the MITRE ATT&CK Analyzer helps you see the attack stages, the footprints left by any attackers, and which MITRE ATT&CK tactics were used.

By using this option, you gain a greater understanding of what the attackers' intentions were and what they have done in your systems. Categorizing the IoCs and malware identified by our automated evidence analyzers against specific MITRE ATT&CK tactics and techniques makes it quicker and easier to understand the intent behind a given IoC and to start the process of appropriate remediation.

Findings from the automated analyzers can then be viewed as part of a comprehensive, intuitive and efficient investigation experience in AIR's Investigation Hub.

Read more about how our automated analyzers are used within the Investigation Hub to move through a malware investigation in our recent blog.

The Investigation Hub consolidates case relevant evidence, artifacts and insights into a single pane of glass. By having everything in one place, it removes the unnecessary and inefficient back and forth of hunting for relevant information, streamlining your investigation and remediation efforts.

To help focus and progress the investigation, AIR’s analyzers organize findings by assigning a level of severity (finding type), suggesting how serious the potential threat is, and signposting areas that need to be prioritized for further investigation.  

  • High: a High finding needs immediate attention. In the context of the MITRE ATT&CK Analyzer, it indicates specific malware families or TTPs that are considered highly suspicious anomalies and are only ever used by malware.

  • Medium: a Medium finding highlights indicators that are more likely to be used for malicious than for legitimate purposes.

  • Low: a Low finding indicates that further analysis is needed to determine whether the indicator could be malicious. Good examples are a password-protected archive or a macro-enabled Office document: these file types are typically used for legitimate purposes but have gained popularity among bad actors.

  • Matched: Searches for a specific value requested by the analyst. This can be an IP address, a hash, or any pattern.
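The following is an added illustration of the two ideas above, the mapping of rule hits onto ATT&CK tactics and techniques (the numbered list earlier on the page) and the High/Medium/Low/Matched triage scheme; it is example code written for this page, not AIR's or DRONE's own logic, and it assumes nothing about their rule formats. The ATT&CK technique IDs and names are real, but the lookup table is a hand-picked excerpt and the findings are constructed sample data. It also handles one failure mode worth caring about in practice: a rule tagged with a technique ID that is missing from the local ATT&CK table (for example after an ATT&CK version change) is surfaced as "Unmapped" rather than silently dropped from the triage view.

```python
"""Map automated-analyzer findings onto MITRE ATT&CK and rank them for triage.

Added example for this page, not Binalyze AIR/DRONE code. The ATT&CK ids and
names are real; the table is a hand-picked excerpt and the findings below are
constructed sample data, not output from any product.
"""
from collections import defaultdict

# Excerpt of ATT&CK Enterprise: technique id -> (name, tactic). Constructed subset.
ATTACK_TECHNIQUES = {
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "Execution"),
    "T1204.002": ("User Execution: Malicious File", "Execution"),
    "T1547.001": ("Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
                  "Persistence"),
    "T1003.001": ("OS Credential Dumping: LSASS Memory", "Credential Access"),
    "T1027": ("Obfuscated Files or Information", "Defense Evasion"),
}

# Triage order for the finding types on the page: High first, then Medium,
# Low, and finally Matched (analyst-requested value searches).
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Matched": 3}

# Enterprise tactics in rough kill-chain order, used to present "attack stages".
TACTIC_ORDER = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
                "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
                "Discovery", "Lateral Movement", "Collection", "Command and Control",
                "Exfiltration", "Impact"]

# Constructed sample findings shaped like rule hits from an automated analyzer.
# The last one carries an id that is not in the table, to show how stale tags are handled.
SAMPLE_FINDINGS = [
    {"asset": "WS-042", "rule": "Mimikatz_LSASS_Access", "severity": "High",
     "techniques": ["T1003.001"], "evidence": "lsass.exe handle opened by rundll32.exe"},
    {"asset": "WS-042", "rule": "Encoded_PowerShell_CommandLine", "severity": "Medium",
     "techniques": ["T1059.001", "T1027"], "evidence": "powershell.exe -enc <base64>"},
    {"asset": "WS-017", "rule": "Macro_Enabled_Office_Document", "severity": "Low",
     "techniques": ["T1204.002"], "evidence": "invoice.docm in Downloads"},
    {"asset": "WS-017", "rule": "Run_Key_Persistence", "severity": "Medium",
     "techniques": ["T1547.001"], "evidence": "HKCU Run value -> %APPDATA%\\svc.exe"},
    {"asset": "SRV-003", "rule": "Analyst_IOC_Search", "severity": "Matched",
     "techniques": [], "evidence": "SHA-256 match on analyst-supplied hash"},
    {"asset": "WS-017", "rule": "Stale_Rule_Tag", "severity": "Medium",
     "techniques": ["T9999"], "evidence": "rule tagged with an id missing from the table"},
]


def map_finding(finding):
    """Attach ATT&CK technique name and tactic to each id on a finding.

    An id missing from the table is kept under the 'Unmapped' tactic rather
    than dropped, so a stale rule tag stays visible in the triage view.
    """
    mapped = dict(finding, attack=[])
    for tid in finding.get("techniques", []):
        name, tactic = ATTACK_TECHNIQUES.get(tid, ("unknown technique id", "Unmapped"))
        mapped["attack"].append({"id": tid, "name": name, "tactic": tactic})
    return mapped


def triage(findings):
    """Map every finding and order them: severity first, then earliest kill-chain stage."""
    def key(f):
        stages = [TACTIC_ORDER.index(a["tactic"]) for a in f["attack"]
                  if a["tactic"] in TACTIC_ORDER]
        stage = min(stages, default=len(TACTIC_ORDER))  # unmapped/no-technique sorts last
        return (SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)), stage, f["asset"])
    return sorted((map_finding(f) for f in findings), key=key)


def attack_stages(findings):
    """Summarise observed tactic -> technique ids, in kill-chain order, Unmapped last."""
    seen = defaultdict(set)
    for f in findings:
        for a in map_finding(f)["attack"]:
            seen[a["tactic"]].add(a["id"])
    return {t: sorted(seen[t]) for t in TACTIC_ORDER + ["Unmapped"] if t in seen}


def assets_needing_attention(findings, at_least="Medium"):
    """Assets with at least one finding at or above the given severity, worst first."""
    threshold = SEVERITY_RANK[at_least]
    worst = {}
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK))
        if rank <= threshold:
            worst[f["asset"]] = min(rank, worst.get(f["asset"], rank))
    return sorted(worst, key=lambda asset: (worst[asset], asset))


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        tactics = ", ".join(f"{a['id']} ({a['tactic']})" for a in f["attack"]) or "-"
        print(f"{f['severity']:<8} {f['asset']:<8} {f['rule']:<32} {tactics}")
    print("stages:", attack_stages(SAMPLE_FINDINGS))
    print("attention:", assets_needing_attention(SAMPLE_FINDINGS))
```

Running it lists the High LSASS finding first, the two Medium findings ordered by kill-chain stage (Execution before Persistence), the stale-tag finding after them, and the Low and Matched entries last; `assets_needing_attention` is the "which of my hundreds of machines should I look at first" view, and `attack_stages` is the tactic-by-tactic summary an analyst would use to reconstruct what the intruder did.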

What problem does this solve for AIR customers?

During your analysis, the analyzers quickly and clearly show you which assets, out of an estate of hundreds or thousands of machines, show signs of compromise.

You'll never again have to spend your time hunting for a needle in a haystack. Findings from AIR's MITRE ATT&CK Analyzer, working in conjunction with the Investigation Hub, free up time to focus on other key parts of your DFIR investigation process, driving faster remediation and incident response case closures.

Join our upcoming webinar to learn more about how AIR’s Investigation Hub provides the context needed to prioritize next steps in your investigation.