In the cyber security industry, threat detection is too often measured for efficiency rather than for genuine effectiveness.
Statistics routinely collected as part of network monitoring include events per second, alert volumes and false-positive rates, and success is often benchmarked by the time taken to detect, respond and recover. These figures show how quickly a security operations team processes what it sees; they say nothing about whether it would see a particular attack at all.
Incorporating scenario-based testing into the threat detection process allows organisations to obtain additional insight into the effectiveness of detection and response controls and procedures by benchmarking performance against the attributes of specific types of attacks.
The MITRE ATT&CK Framework
Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a model developed by MITRE that describes the tactics, techniques and procedures (TTPs) utilised by adversaries to compromise and traverse networks. The framework is open and community supported, allowing any organisation to utilise and contribute to it.
“A curated knowledge base and model for cyber adversary behaviour, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target” – MITRE
ATT&CK content is gathered from publicly reported intrusions, MITRE’s own research and the experience of offensive security engagements such as penetration testing and red teaming. The framework does not claim to be comprehensive; rather, it is an approximation of what is publicly known, and it invites continual contribution.
The ATT&CK framework is divided into 11 tactic groups (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration and Command and Control). A tactic is the adversary’s objective at a given point in an intrusion; the techniques listed under each tactic are the ways that objective has been observed being achieved, together with the computer network defence (CND) technologies, processes and policies that detect or mitigate them. Each tactic group comprises a broad and regularly updated set of techniques, as detailed in the ATT&CK matrix.
Scenario-based testing in threat detection
The 11 ATT&CK tactic groups do not necessarily follow a linear sequence. Given that adversaries will likely utilise a range of TTPs throughout the course of an attack, no one tactic is more important than the next. Defenders must be prepared to detect and respond to any and all types of threat.
An effective way to utilise the MITRE ATT&CK framework to enhance threat detection and response is to assess each tactic group on a case-by-case basis. By exploiting a specific set of techniques for each tactic group, Red Team ethical hackers are able to evaluate the performance of Blue Team CSOC analysts, highlight gaps in coverage and identify risks which require mitigation.
Example attack scenarios that could be assessed, with the tactic groups they exercise:
• Gaining access to a network and harvesting credentials via a phishing campaign (Initial Access, Credential Access)
• Abuse of legitimate tools provided by operating systems to establish a persistent foothold, pivot throughout the environment and obtain sensitive information (Execution, Persistence, Lateral Movement, Collection)
• Exploitation of software vulnerabilities and misconfigurations to increase privileges (Privilege Escalation)
• Exfiltration of sensitive information from the network via protocols that are widely used in the environment (Exfiltration, Command and Control)
Methodology of a scenario-based assessment
Conducting regular assessments against ATT&CK tactics allows organisations to measure the performance of their threat hunting, breach detection and incident response procedures against the latest attack techniques.
A scenario-based exercise aligned to the MITRE ATT&CK framework, and designed to assess the performance of an organisation’s Blue Team, will typically follow the process below:
1. Identify TTP(s) to test
2. Gather information about technologies and processes in place at the target organisation
3. Devise an attack scenario using the selected TTP(s)
4. Launch the attack to simulate the threat
5. Detect and respond to the TTP(s)
6. Evaluate performance and provide guidance on implementation
Figure: Red and Blue Teams
Stage 6 is a particularly important phase of the assessment process. Continuous review and improvement of threat detection techniques and processes is essential to ensure blue teams are prepared to defend against genuine attacks and capable of swiftly identifying and eliminating them to limit the damage and disruption they cause.
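The following is an added example, not Redscan’s code or tooling, showing stages 5 and 6 of the process above in miniature for the second scenario listed earlier (abuse of legitimate operating-system tools). A constructed set of Windows process-creation events (Sysmon Event ID 1 style fields, invented for this example) stands in for Blue Team telemetry; a handful of simple rules stand in for the detection logic; and the evaluation step scores coverage per ATT&CK tactic and lists the techniques that went undetected. Technique IDs are from the current MITRE ATT&CK Enterprise matrix; the hostnames, users, command lines, rule regexes and the scenario steps themselves are illustrative assumptions. The scheduled-task step deliberately has no matching rule, so the evaluation surfaces it as a gap, and one benign administrative event is included to check that the rules do not fire on it.

```python
"""Scenario-based detection exercise (added example, not from the original page)."""
import re
from collections import defaultdict

# Scenario steps as (ATT&CK tactic, technique ID, technique name). Illustrative.
SCENARIO = [
    ("Execution", "T1059.001", "PowerShell"),
    ("Persistence", "T1053.005", "Scheduled Task"),
    ("Credential Access", "T1003", "OS Credential Dumping"),
    ("Lateral Movement", "T1021.002", "SMB/Windows Admin Shares"),
]

# Constructed process-creation events standing in for Blue Team telemetry. Not real data.
EVENTS = [
    {"host": "WS042", "user": "CORP\\j.smith", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS042", "user": "CORP\\j.smith", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\Users\Public\u.exe"'},
    {"host": "WS042", "user": "CORP\\j.smith", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Users\Public\l.dmp full"},
    {"host": "WS042", "user": "CORP\\j.smith", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net.exe use \\FS01\C$ /user:CORP\svc_backup Passw0rd!"},
    # Benign administrative activity that the rules must not flag (false-positive check).
    {"host": "SRV01", "user": "CORP\\admin", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def _image_is(event, name):
    """True when the process image is the named binary, regardless of path or case."""
    return event["image"].lower().endswith("\\" + name)


# Detection rules keyed by the technique they are meant to catch (illustrative regexes).
# There is deliberately no rule for T1053.005, so the evaluation step reports a gap.
RULES = {
    # Encoded PowerShell command line (-e / -ec / -enc / -EncodedCommand).
    "T1059.001": lambda e: _image_is(e, "powershell.exe")
                           and bool(re.search(r"\s-(e|ec|enc|encodedcommand)\s", e["cmd"], re.I)),
    # LSASS memory dump via the MiniDump export of comsvcs.dll.
    "T1003":     lambda e: _image_is(e, "rundll32.exe")
                           and bool(re.search(r"comsvcs\.dll.*minidump", e["cmd"], re.I)),
    # Mapping a remote administrative share (\\host\C$).
    "T1021.002": lambda e: _image_is(e, "net.exe")
                           and bool(re.search(r"\suse\s+\\\\[^\s\\]+\\[a-z]\$", e["cmd"], re.I)),
}


def run_detections(events, rules=RULES):
    """Stage 5: apply every rule to every event. Returns {technique_id: [event indices]}."""
    hits = defaultdict(list)
    for index, event in enumerate(events):
        for technique_id, rule in rules.items():
            if rule(event):
                hits[technique_id].append(index)
    return dict(hits)


def evaluate(scenario, hits):
    """Stage 6: detected/expected count per tactic plus the list of undetected techniques."""
    per_tactic = defaultdict(lambda: [0, 0])  # tactic -> [detected, expected]
    gaps = []
    for tactic, technique_id, name in scenario:
        per_tactic[tactic][1] += 1
        if technique_id in hits:
            per_tactic[tactic][0] += 1
        else:
            gaps.append((tactic, technique_id, name))
    coverage = {tactic: f"{detected}/{expected}" for tactic, (detected, expected) in per_tactic.items()}
    return {"coverage": coverage, "gaps": gaps}


if __name__ == "__main__":
    detections = run_detections(EVENTS)
    report = evaluate(SCENARIO, detections)
    for tactic, score in report["coverage"].items():
        print(f"{tactic:<18} {score}")
    for tactic, technique_id, name in report["gaps"]:
        print(f"GAP: {technique_id} {name} ({tactic}) was not detected")
```

Run as written, the report shows every tactic covered except Persistence, where the scheduled-task step is listed as a gap, and the benign backup script on SRV01 triggers nothing. In a real exercise the events come from the SIEM or EDR rather than a list, the rules are the production detection content, and the gap list is what stage 6 turns into remediation guidance.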
The challenges of scenario-based testing
Regardless of size or industry, all organisations need a high level of red and blue team expertise to effectively combat cyber threats. The reality for many businesses, however, is that they lack the people and resources necessary to implement a scenario-based testing approach.
Many small and mid-market businesses don’t have a dedicated security team at all, and the responsibility often falls on already stretched IT personnel. Others have invested heavily into their in-house security operations, but don’t have the red team knowledge necessary to evaluate their effectiveness.
An outsourced security service can help to close these gaps by providing organisations with the specialist expertise and technology required to address their security needs. Organisations utilising outsourced CSOC services will also benefit from threat intelligence gained from the detection of events on other client networks, which is difficult for an in-house SOC to obtain.
Buyers should look for a service provider with experience in offensive security, capable of fostering a collaborative ‘purple team’ approach between red and blue team resources and integrating scenario-based testing into threat detection processes.
A specialist Managed Detection and Response (MDR) service that offers scenario-based testing can deliver significant benefits over a traditional managed security service, helping to maximise threat detection and incident response capabilities.
Why choose Redscan?
Redscan is an award-winning provider of cyber security services including MDR, Red Team Operations and CREST-accredited Pen Testing.
By utilising our deep knowledge of offensive security, alongside the latest security tools, technologies and scenario-based testing frameworks, we help organisations to identify, hunt for and eliminate threats and vulnerabilities across their networks and endpoints. Redscan Labs, our threat research and analytics division, utilises the ATT&CK framework to help provide actionable insight to improve the quality and effectiveness of our services.
Whether you are looking to incorporate scenario-based testing into your existing security operations, or invest in a fully outsourced service, you can be confident that Redscan will provide the high-quality insight and advice you need to significantly improve your organisation’s cyber security posture.