CrowdStrike Demystifies Threats with MITRE ATT&CK

November 26, 2018

| Scott.Taschler | Endpoint Security & XDR

The MITRE ATT&CK™ framework is an ambitious initiative that is working to bring clarity to how we talk about cyberattacks. CrowdStrike® is proud to support MITRE’s efforts to bring standardization to attack modeling and attack terminology, and using it to deliver more actionable information to security experts. For any technical discipline to transition from “folkcraft” to “science,” it’s critical that practitioners agree on common terminology and language. As an example, over the last two centuries an estimated one billion people have died from “consumption,” “phthisis,” and the “White Plague.” Today, we commonly know these diseases as tuberculosis. Having a common term allows doctors, researchers and other medical professionals to communicate clearly and concisely about this disease and how to treat it. Few technical disciplines are as full of jargon and as reliant on tribal knowledge as the field of cybersecurity. Think for a moment on the simple sentence, “We’ve been hacked.” What is the proper response when you hear these words? Depending on the context, you might need to clean up malware, lock down compromised accounts, restore data from backup or call the authorities. This kind of imprecise language creates ambiguity and inefficiency in our industry and makes it especially difficult for practitioners to communicate clearly with stakeholders outside of the security operations center (SOC). CrowdStrike and other major players across the security industry are lining up behind ATT&CK to help bring order and precision to discussions about cyber threats.

ATT&CK Puts Threats in Context

To help cut through uncertainty and put security detections in context for security analysts and their stakeholders, CrowdStrike has standardized on ATT&CK terminology across the CrowdStrike Falcon® endpoint protection platform. Each detection produced by Falcon is now labeled with the relevant ATT&CK tactic and technique combination, described in clear, conversational terms. This additional context clearly shows not only what happened, but also describes why the adversary is doing it, and how they are looking to accomplish their goal. This helps analysts understand threats more quickly and completely, and to make better response decisions, faster. Having standard terminology helps not only to clearly explain security incidents in the moment, but also makes it possible to categorize observed attacker behaviors and identify patterns and trends over time. Falcon OverWatch™ made very good use of the ATT&CK framework in the recent report “Observations from the Front Lines of Threat Hunting.” In this report, OverWatch categorized thousands of behaviors across a large set of observed targeted intrusion attempts. The activity generated some interesting conclusions. When examined through this lens, OverWatch found that a relatively small handful of techniques were used repeatedly, across a wide range of attacks, by nearly every observed adversary. Common techniques included use of the command line and PowerShell, credential dumping, system owner discovery and several more. Hot spots like these represent “choke points” in the attack lifecycle: steps along the way that nearly all targeted attacks will pass through. When time is short and budgets are limited, these become high-priority places for increased prevention and detection controls. In the process of cataloging observed adversary techniques, CrowdStrike has also been able to identify techniques that, at the time, didn’t fit cleanly into the current ATT&CK framework. By collaborating with MITRE and giving this intelligence back to the community, CrowdStrike is helping to create a more complete and up-to-date picture of adversary capabilities, ensuring our industry is ready to defend against tomorrow’s likely threats.

From Craft to Science

Cybersecurity remains a very young industry, evolving at a fantastic pace. Mature industries such as medicine, manufacturing and finance have had centuries to develop. CrowdStrike remains steadfast in our dedication to driving continuous improvement for our users and the broader community.

Additional Resources

See how CrowdStrike Falcon® protects against real-world adversaries in MITRE’s nation-state emulation testing. Watch an on-demand webcast: “When Adversaries ATT&CK.” Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.