
Aligning Security Operations with the MITRE ATT&CK Framework: Level up your security operations center for better security
Ebook, 437 pages, 3 hours


About this ebook

Align your SOC with the ATT&CK framework and follow practical examples for successful implementation



Purchase of the print or Kindle book includes a free PDF eBook

Key Features



  • Understand Cloud, Windows, and Network ATT&CK Framework using different techniques
  • Assess the attack potential and implement frameworks aligned with Mitre ATT&CK
  • Address security gaps to detect and respond to all security threats

Book Description



The Mitre ATT&CK framework is an extraordinary resource for all SOC environments; however, determining the appropriate implementation techniques for different use cases can be a daunting task. This book will help you gain an understanding of the current state of your SOC, identify areas for improvement, and then fill the security gaps with appropriate parts of the ATT&CK framework. You'll learn new techniques to tackle modern security threats and gain the tools and knowledge to advance in your career.

In this book, you'll first learn to identify the strengths and weaknesses of your SOC environment, and how ATT&CK can help you improve it. Next, you'll explore how to implement the framework and use it to fill any security gaps you've identified, expediting the process without the need for any external or extra resources. Finally, you'll get a glimpse into the world of active SOC managers and practitioners using the ATT&CK framework, unlocking their expertise, cautionary tales, best practices, and ways to continuously improve.

By the end of this book, you'll be ready to assess your SOC environment, implement the ATT&CK framework, and advance in your security career.

What you will learn



  • Get a deeper understanding of the Mitre ATT&CK Framework
  • Avoid common implementation mistakes and provide maximum value
  • Create efficient detections to align with the framework
  • Implement continuous improvements on detections and review ATT&CK mapping
  • Discover how to optimize SOC environments with automation
  • Review different threat models and their use cases

Who this book is for



This book is for SOC managers, security analysts, CISOs, security engineers, or security consultants looking to improve their organization's security posture. Basic knowledge of Mitre ATT&CK, as well as a deep understanding of triage and detections is a must.

Language: English
Release date: May 19, 2023
ISBN: 9781804616697


    Book preview

    Aligning Security Operations with the MITRE ATT&CK Framework - Rebecca Blair


    BIRMINGHAM—MUMBAI

    Aligning Security Operations with the MITRE ATT&CK Framework

    Copyright © 2023 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Pavan Ramchandani

    Publishing Product Manager: Prachi Sawant

    Senior Editor: Runcil Rebello

    Technical Editor: Arjun Varma

    Copy Editor: Safis Editing

    Project Coordinator: Ashwin Kharwa

    Proofreader: Safis Editing

    Indexer: Tejal Daruwale Soni

    Production Designer: Prashant Ghare

    Marketing Coordinator: Agnes D’souza

    First published: May 2023

    Production reference: 01280423

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham

    B3 2PB, UK.

    ISBN 978-1-80461-426-6

    www.packtpub.com

    To my colleagues both past and present, thank you for your mentorship and cooperation. To my friends, thank you for the support and for pushing me to be who I am, especially Tyler and hype-woman Jennifer. To my family, Emily, Alex, and Gadget, thank you for your patience and support; without it, this book would not have been completed. To countless others not mentioned, thank you.

    – Rebecca Blair

    Contributors

    About the author

    Rebecca Blair has, for over a decade, focused on working in and building up security operations center (SOC) teams. She has had the unique experience of building multiple teams from scratch and scaling them for growth and 24/7 operations. She currently serves as the manager of the SOC, corporate security, and network operations center (NOC) at a Boston-based tech company, and as a cyber educational content creator for N2K Networks. She previously worked as the director of SOC operations at IronNet, a lead technical validator, a watch officer, and an SOC analyst for various government contractors. She has a bachelor of science degree in computer security and information assurance from Norwich University, a master of science degree in cybersecurity from the University of Maryland Global Campus, and a master of business administration degree from Villanova University.

    About the reviewer

    Allen Ramsay has worked in the cyber trenches in 24/7 SOCs for most of his career. He has specialized in network defense and alert triage. He has previously contributed to multiple articles for SC magazine and has been a contributing author to The Rook’s Guide to C++. He has a bachelor of science in computer security and information assurance from Norwich University and a master of science degree in cyber forensics and counterterrorism from the University of Maryland Global Campus.

    Table of Contents

    Preface

    Part 1 – The Basics: SOC and ATT&CK, Two Worlds in a Delicate Balance

    1

    SOC Basics – Structure, Personnel, Coverage, and Tools

    Technical requirements

    SOC environments and roles

    SOC environment responsibilities

    SOC coverage

    SOC cross-team collaboration

    Summary

    2

    Analyzing Your Environment for Potential Pitfalls

    Technical requirements

    Danger! Risks ahead – how to establish a risk registry

    Red and blue make purple – how to run purple team exercises

    Discussing common coverage gaps and security shortfalls

    Summary

    3

    Reviewing Different Threat Models

    Technical requirements

    Reviewing the PASTA threat model and use cases

    Reviewing the STRIDE threat model and use cases

    Reviewing the VAST threat model and use cases

    Reviewing the Trike threat model and use cases

    Reviewing attack trees

    Summary

    4

    What Is the ATT&CK Framework?

    A brief history and evolution of ATT&CK

    Overview of the various ATT&CK models

    Summary

    Part 2 – Detection Improvements and Alignment with ATT&CK

    5

    A Deep Dive into the ATT&CK Framework

    Technical requirements

    A deep dive into the techniques in the cloud framework

    A deep dive into the techniques in the Windows framework

    A deep dive into the techniques in the macOS framework

    A deep dive into the techniques in the network framework

    A deep dive into the techniques in the mobile framework

    Summary

    6

    Strategies to Map to ATT&CK

    Technical requirements

    Finding the gaps in your coverage

    Prioritization of efforts to increase efficiency

    Examples of mappings in real environments

    Summary

    7

    Common Mistakes with Implementation

    Technical requirements

    Examples of incorrect technique mappings from ATT&CK

    Examples of poor executions with detection creation

    Summary

    8

    Return on Investment Detections

    Technical requirements

    Reviewing examples of poorly created detections and their consequences

    Finding the winners or the best alerts

    Measuring the success of a detection

    Requirement-setting

    Use cases as coverage

    What metrics should be used

    Summary

    Part 3 – Continuous Improvement and Innovation

    9

    What Happens After an Alert is Triggered?

    Technical requirements

    What’s next? Example playbooks and how to create them

    Flowcharts

    Runbooks via security orchestration, automation, and response (SOAR) tools

    Templates for playbooks and best practices

    Summary

    10

    Validating Any Mappings and Detections

    Technical requirements

    Discussing the importance of reviews

    Saving time and automating reviews with examples

    Turning alert triage feedback into something actionable

    Summary

    11

    Implementing ATT&CK in All Parts of Your SOC

    Technical requirements

    Examining a risk register at the corporate level

    Applying ATT&CK to NOC environments

    Mapping ATT&CK to compliance frameworks

    Using ATT&CK to create organizational policies and standards

    Summary

    12

    What’s Next? Areas for Innovation in Your SOC

    Technical requirements

    Automation is the way

    Scaling to the future

    Helping hands – thoughts from industry professionals

    Summary

    Index

    Other Books You May Enjoy

    Preface

    Hi, infosec professionals! This book is for cyber security professionals who are interested in SOC operations and/or are currently working in SOC operations. It is also for those interested in learning about the MITRE ATT&CK framework, and it bridges the gap between theoretical and practical knowledge through the use of examples, implementations, and detections.

    There are three main portions to this book. They are as follows:

    The Basics – SOC and ATT&CK – Two Worlds in a Delicate Balance

    Detection Improvements and Alignment with ATT&CK

    Continuous Improvement and Innovation

    There are various resources out there about different tools that map to MITRE, as well as the MITRE ATT&CK framework, which is fully publicly available online at https://attack.mitre.org/. What sets this book apart is that it takes practical knowledge of how to set up your environment and an in-depth review of the MITRE ATT&CK framework and explains how you can apply that framework to your environment.

    Who this book is for

    This book is for security professionals of all levels. It is focused on SOC environments but also covers some compliance, purple team exercises, threat hunting, and so on. It can be used to help build new security programs, as well as level up and assess the maturity of your current program.

    What this book covers

    Chapter 1, SOC Basics – Structure, Personnel, Coverage, and Tools, introduces the landscape of the SOC, which is a critical team in security and can have many different roles and sub-teams. We’ll discuss SOC basics such as alert triaging, creating detections, incident response, and trust but verify, as well as how it can interact with other teams or have sub-teams. This information is important because depending on the environment, you’ll be able to apply different aspects of ATT&CK.

    Chapter 2, Analyzing your Environment for Potential Pitfalls, discusses techniques for critically reviewing your processes, coverage, and systems, and provides advice on potential problem areas. By following this, the reader will be able to directly apply it to their environments to look for areas of improvement and avoid any pitfalls; it will also be helpful when looking to implement ATT&CK.

    Chapter 3, Reviewing Different Threat Models, reviews multiple different threat models, their use cases, and their advantages and disadvantages. Doing so will allow the reader to apply the one that makes the most sense for their environment; the chapter also provides a comparison point to compare those threat models to ATT&CK.

    Chapter 4, What is the ATT&CK Framework?, outlines the evolution of the ATT&CK framework and the various different high-level configurations for types of systems (i.e. cloud, mobile, Windows, etc.). It will also be the first introduction to related use cases.

    Chapter 5, A Deep Dive into the ATT&CK Framework, provides a deeper look at the different techniques that are covered by the framework, and potential gaps within the framework. The reader will understand how to rank different techniques and their applicability to their own environments. This will focus specifically on the cloud, Windows, Mac, and network frameworks.

    Chapter 6, Strategies to Map to ATT&CK, discusses how to analyze your environment, identify coverage gaps, and identify areas for improvement. Then, we’ll cover how to map those gaps to the ATT&CK framework, to increase coverage and build out maturity in your security posture.

    Chapter 7, Common Mistakes with Implementation, presents an overview of common mistakes that I have personally made in mappings and detections, as well as areas where I’ve seen others make mistakes. That way, you can learn from our shortcomings and implement mappings the right way.

    Chapter 8, Return on Investment Detections, explains how creating detections and alerts is the bread and butter of any SOC environment. It should not be a surprise to anyone that less-than-stellar detections are created/triggered on a daily basis. This chapter will discuss alerts that we have had the highest efficiency ratings on, as well as the lowest, and how to measure their success.

    Chapter 9, What Happens After an Alert is Triggered?, covers how once an alert is triggered, in theory, a set of actions begins. This chapter will discuss the different sets of actions, how to create playbooks, and how to ultimately triage alerts.

    Chapter 10, Validating Any Mappings and Detections, argues that the most important step you can take to help yourself is setting up a review process. This can be completed manually, or you can create an automated feedback loop to track the efficiency ratings of your mappings and make improvements when necessary.

    Chapter 11, Implementing ATT&CK in All Parts of Your SOC, goes through how to narrow down your environment and prioritize where you need to fix a coverage area. The chapter will then outline how you can implement detections and the ATT&CK framework as part of your overall security posture, and how it can be applied to teams outside of the SOC as well.

    Chapter 12, What’s Next? Areas for Innovation in Your SOC, points out some key areas that can take a SOC from basic to mature, covering topics such as scalability and automation. This chapter will include ideas that I had for innovating my own SOC but also interviews with other industry professionals and what they think needs to be done to achieve innovation.

    To get the most out of this book

    This book can apply to all types of SOC environments, and while no specific software is required, there are multiple examples that use log correlation or Security Information and Event Management (SIEM) tools, as well as Security Orchestration, Automation, and Response (SOAR) tools. This book will also cover matrices for multiple platforms such as Windows, Linux, macOS, network, mobile, and so on, so a base understanding of those types of operating systems and environments would be helpful but not necessary.

    Download the color images

    We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/Cy0Jj

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Screen Capture is carried out by an attacker utilizing the screencap, screenrecord, or MediaProjectionManager commands.

    A block of code is set as follows:

    index=network_data | eval size=bytes_out/1024 | where size>=100 | table _time, user, size

    Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: A tactic in the ATT&CK framework for the enumeration of shares can be found at Network Share Discovery.

    Tips or important notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you’ve read Aligning Security Operations with the MITRE ATT&CK Framework, we’d love to hear your thoughts! Please go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

    Download a free PDF copy of this book

    Thanks for purchasing this book!

    Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?

    Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

    Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

    The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

    Follow these simple steps to get the benefits:

    Scan the QR code or visit the link below

    https://packt.link/free-ebook/978-1-80461-426-6

    Submit your proof of purchase

    That’s it! We’ll send your free PDF and other benefits to your email directly

    Part 1 – The Basics: SOC and ATT&CK, Two Worlds in a Delicate Balance

    The first part of this book will provide you with the basics. This means that it will cover what goes into a SOC, or Security Operations Center, including the teams and key roles that play a key part in security operations, and some of the teams that a SOC works closely with. Then, you will learn how to analyze your environments for security gaps and gain an understanding of a few different threat models that could be applied to your environment. As a send-off for the first part, we will cover an introduction to the ATT&CK framework, and we will cover it in more depth in the following parts.

    This part has the following chapters:

    Chapter 1, SOC Basics – Structure, Personnel, Coverage, and Tools

    Chapter 2, Analyzing Your Environment for Potential Pitfalls

    Chapter 3, Reviewing Different Threat Models

    Chapter 4, What Is the ATT&CK Framework?

    1

    SOC Basics – Structure, Personnel, Coverage, and Tools

    In this chapter, we will cover the landscape of what your average security operation center (SOC) looks like. We’ll discuss the structure of the specific roles within the SOC and possible sub-teams that can feed into or be part of the SOC environment. We’ll discuss strategies for alert triage, creating
