CyberWire Daily - CSO Perspectives: Pt 2 – Mitre ATT&CK: from the Rick the Toolman Series.
Episode Date: December 27, 2021
In this “Rick the Toolman” episode, Rick interviews Steve Winterfeld, from Akamai, on the current state and future of the Mitre ATT&CK Framework. For a complete reading list and even more information, check out Rick’s more detailed essay on the topic.
Transcript
When I started the Rick the Toolman series, the very first question I got from the fan base was,
who was going to be my Al Borland?
If you all remember, in the 1990s TV show Home Improvement,
Tim the Toolman, played by Tim Allen and based on his stand-up comedy routines,
was the host of a local PBS-like TV show that focused on home improvement projects
similar to the real PBS show This Old House,
hosted by Bob Vila. Tim's sidekick in the show was Al Borland, played by Richard Karn,
and was there for comedy relief by pointing out the mistakes Tim made on the various fixer-up
projects they both tried to do on the show, and had a number of running gags that lasted throughout
the eight TV seasons, like Al's love of Bob Vila, or whenever Tim would suggest something stupid or unsafe, Al would say,
I don't think so, Tim.
And Al's continuous need to hug Tim when Tim didn't want them.
Fans of this CSO Perspectives podcast and the newish Rick the Toolman series
had some thoughts about who should be my sidekick. So when I needed an expert to help me discuss one of the tools, the MITRE ATT&CK
framework, I thought I would reach out to one of the names mentioned the most in all of that fan
mail. His name is Steve Winterfeld, the advisory CISO for Akamai, and my best friend. He might be
my Al Borland.
My name is Rick Howard, and I'm broadcasting from the CyberWire Secret Sanctum Sanctorum Studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor.
And you are listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
Before we start the interview, I need to make one small correction to the previous Rick the Toolman episode we did on the MITRE ATT&CK framework.
In that episode, I said that MITRE runs six U.S. government FFRDCs, or Federally Funded
Research and Development Centers, that study a broad range of topics.
I also said that the ATT&CK framework came out of
the National Cybersecurity Center of Excellence, FFRDC, sponsored by the National Institute of
Standards and Technology, or NIST. It turns out that's not correct. Oh no! I had lunch with Richard
Struse the other day. He's the director of the Center of Threat-Informed Defense at MITRE
Engenuity, and he informed me that although MITRE does a lot of good work for the National
Cybersecurity Center of Excellence, the work MITRE did inventing and building the ATT&CK framework
was purely a MITRE project. In other words, MITRE saw a need for something like the ATT&CK framework
and just built it themselves, and good on them for doing so. With that little correction made, let me bring Steve Winterfeld in here,
the Akamai Advisory CISO.
All right.
So, Al, how does it feel to be nominated by my show's fan base
to be my sidekick, my Al Borland?
Well, Tim, I will tell you that there are a couple things
that I have in common with Al.
The first is constantly wondering how you get yourself into circumstances and trying to explain to you how things work.
Exactly.
The other thing is I think you enjoy my hugs as much as Tim enjoys Al's hugs on the show.
I can vouch for that, my friend.
I can totally vouch for that.
We're talking about the MITRE ATT&CK
framework on this episode. And that thing's been around since 2013. And when it came out,
we all thought it was revolutionary, you know, a different way to operationalize threat intelligence.
But here we are eight years later, and most organizations have yet to operationalize it.
And let me just ask you this. Am I right about that? Or have my observations been wrong? Do you see more people operationalizing the MITRE ATT&CK
framework? Operationalize is an interesting word. So the framework has 218 techniques
flowing across 14 different categories. And as you try to say operationalize that, that's a huge thing. So
I've seen Fortune 500 companies look at this and try to operationalize it. And that's where my
experience leveraging this will come from. But for the smaller organizations, I think the most
common way they've tried to operationalize it is ask their vendors how the vendors have mapped
their capabilities back to this. But that's a big chunk to bite off unless you've got a fairly
robust team that includes pen test team, threat intelligence, and a security operations center.
Well, I agree with that, but what makes it so hard? I mean, I agree that's what's happening,
okay, but why is it so hard to do that?
It's just big?
Is that the only reason?
Well, and it's manual.
It is a spreadsheet that you go reference.
It's not something you automate.
It's not something you pull into DevOps currently.
You know, it's not STIX/TAXII or, you know, something that you leverage.
It's a process.
And when you go out and try to leverage a process, that's much more difficult.
So I agree that nobody has done that,
but you were a big information security executive
in your last gig.
How did you use the MITRE ATT&CK framework?
So I want to bring up four use cases.
All right.
The first is the board is going to say,
how mature is the SOC operations?
Well, that's, you know, what standard do you measure against?
And so you can take the SOC and say, we use the MITRE ATT&CK framework,
and we've scoped out all those that are relevant techniques that our SOC should be able to detect.
And remember, some of these are for different environments.
Some of these may be process-driven,
so not belonging to the SOC.
So let's say of the 218,
we've determined 150 of these
our SOC should be able to detect.
Let me back up on that, Al,
because that means you can actually collect telemetry
that you can decide that you can see, that kind of thing, and then actually make a decision about what to do about it.
Is that what you mean?
Well, Tim, let me walk you through that.
And so the way I would go through all 150, the goal would be to say, to have the red team to do a life cycle of an incident.
So the red team would go in and conduct the attack that should be discovered.
And then you would say, was it discovered? Was a log created? Was the log moved over to the
security operations center? Did they take action on that for remediation? And was notification done?
Your blue team operations here, the red team would notify the blue team they'd done it.
The database personnel would validate that there was a log. The incident response team would see
if that came in and was actually an incident was created, an investigation and remediation done.
And so for each one of these 150, then you could go do a life cycle validation and tell how mature you were.
And again, depending on the type of technique, this would be across multiple tools. So you can
see just validating, you know, the first 10 has a lot of effort. Well, I mean, everybody I know
jumps right to red team, blue team, purple team operations. And I agree that that set of intelligence that's sitting in the MITRE ATT&CK wiki is invaluable for that kind of effort.
But most people don't have red teams.
Small, medium-sized companies or organizations, you know, they don't have the resources to do that kind of thing.
But my question to you is, is there no value in tracking the adversaries behind those techniques and procedures?
The MITREs are tracking 125 the last time I counted.
And is there no value knowing that APT1 is in your network or not?
Does that not help you?
That's my second use case, actually, perfect lead-in, is when you go and say, so APT29, what techniques do they use?
You want to pull the techniques ideally out of the 218 MITRE has. And so now you've got a documentation process of how you're going to
validate that. So then your consultant, your red team, whoever's doing that can then go through
and do all of this. And for the smaller
companies, you can do a tabletop exercise walking the team through on this first one, what controls
do we have in place? Do we believe those controls are effective? So it may be more of a tabletop
exercise for measuring your maturity. But cycling back to the very beginning, I think APT and measuring your
maturity are two great use cases. Go back to what you said earlier, though. We were both agreeing
that small and medium-sized organizations, many don't have the resources for this kind of thing.
And so a tabletop exercise you were suggesting, what about just insisting that the vendors that
you use in your security stack give you this functionality.
Wouldn't that be a thing to push on?
Yeah, and I had mentioned that earlier is, in fact, yes, that's a great idea as far as asking your vendors.
Part of that also goes to understanding, you know, my third use case is scoping out an environment.
You may want to say, which one of these techniques are focused on endpoint or on a cloud environment or on my edge?
If I want to look at how I'm protecting my edge, let's say 20 of these are actually focused on similar firewall, web application, and API capabilities.
And then you may go back to your vendors that provide those and say,
which of these 20 do you take advantage of? Or you can go back and just ask all your vendors,
have they mapped to this? And when they haven't, then maybe ask them, map to these 20 for me.
I also like that scope environment because when we go back to an exercise,
it's a quick way to say, okay, let's focus on the
edge. Which ones are edge-based? Let's do both a technical and a tabletop environment. And I can
go back to the board and say, this is our first round of maturity is an environment, not necessarily the entire load. I'll bring up my last use case because it kind of parallels that.
Easy for you to say.
Yeah, please feel free to edit that out, which you won't.
I won't.
The last use case I wanted to talk about is using the ATT&CK framework as a training program.
Yes.
I was at an actual MITRE conference
and listened to a talk on this. And it's really well done where you can say, my junior analysts
need to be familiar with these 20 techniques. Tier two needs to know these 75 and the tier three
should know these 150. Oh, what a great way to measure.
I never thought of that before.
Yeah, interesting.
Yeah, which is why I was giving props to the talk
because I really liked the way,
and you can almost, again,
as you have auditors coming in,
especially if you're in a regulated industry,
this is something you can test on
and certify your team.
And auditors love certification.
So kind of a black belt program for your analysts in the SOC, right? Here's the things you have to
know to be a white belt. And here's the thing you have to know to be a green belt, that kind of
thing. Yeah.
MITRE rolled out the ATT&CK framework in 2013 and has added significant upgrades to it about every two years since.
One of their upgrades included deep dives on special data islands and use cases they call matrices.
In other words, they take a look at special attack vectors like cloud deployments, containers, industrial control systems, and mobile devices,
and just focus on the tactics and procedures adversary groups use against those environments.
They even had a matrix called Pre-Attack that covers preparatory techniques bad guys perfect
before the attack begins, like leveraging vulnerabilities
in the Common Vulnerabilities and Exposures Database, or CVE.
They also wrote out a companion program called CAPEC, C-A-P-E-C, designed to help
red teams. You know, the MITRE has also done CVEs. Great job there. MITRE has done an industrial
control system focused version. And I like that for not only the SCADA environment, but also
thinking about the IoT environment, it's probably more appropriate.
And finally, they're working right now on an insider threat version of the ATT&CK framework.
The other thing is, if we're talking about pen test teams,
the framework MITRE built for pen test team is actually the CAPEC,
the Common Attack Pattern Enumeration and Classification.
And that was the one designed for red teams to use to have a consistent methodology or a framework by which they do their attacks.
Okay. Well, I want to go back to something you said before, because I push back on this
all the time, and I think I'm really in the minority on this. You were just mentioning
all of those techniques. These are technical things that have no relation to each
other unless you tie them together with the MITRE ATT&CK framework. And so what I want to see in my
environment, okay, I want to see a report that says APT29 uses 100 things. We only see two firing
in your network, so it's likely they're not in your network. But if you see 80 of them,
they're in your network. And maybe
you should run around and do something to stop them from being successful. And you and I are also
fans of another framework, the cyber kill chain. I love the cyber kill chain as a flow to kind of
do war gaming and saying, you know, it's the perfect counterpoint to an APT exercise.
And if you look at these, you know, the first technique of the 14 is reconnaissance.
And then you look down here, privilege escalation is number six.
Number 10 is lateral movement.
Number 13 is exfil.
Number 14 is impact.
These are really mapping back to the cyber kill chain.
And so that's another great technique to both do a kill chain exercise
because you can pull techniques from each one of the columns
to have a complete exercise.
The reason I want to get to this is when you're just listing the techniques,
these technical things, and you block, let's say, half of them
because that you were able to do, you have no idea if an adversary group can be successful in your organization.
But if you deploy these things in relation to how the adversary traverses the kill chain,
you deploy all the things you can do across the entire chain, as opposed to a technique
with no relation, then you might know if there's an adversary coming into your environment.
One of my frustrations with the framework is, like I said before,
there's 125 adversary group patterns with unique names,
as of like last week sometime.
And they do track a handful of criminal groups,
but the ATT&CK Wiki mostly tracks nation-state activity.
Just by my loose count of just
watching the news in this last year, there's about another hundred criminal groups with unique names
that we should be tracking too. And where do we get that kind of information if it's not here in
the MITRE ATT&CK framework? Well, and some of this also goes back to doing a risk assessment.
For a while, we were talking about those JavaScript attacks, those Magecart attacks.
And then the next thing we were talking about was the extortion campaign that went industry by industry.
Now we're talking about ransomware.
And then for a few weeks, we were talking about supply chain.
And as you talk about these different larger ones, you can do two things. One, you can say, when I'm talking about ransomware, what are the common elements of the ransomware APT attackers? And it may be something like phishing. You know, that's a common element. And that's something you can get your hands around and take quick action on. If you think about where you're vulnerable, where the biggest
activities are, that is another technique that I think can be successful. One of the great
innovations of the Lockheed Martin kill chain model, which is kind of strategic, and then the
extended version of the MITRE ATT&CK framework, which is I call operational, is we've realized
that every adversary out there has to do the same thing. They have to
traverse the kill chain. So whether or not you're a criminal group or a hacktivist group or an
espionage group, it doesn't matter. They still have to do those things. So that model in our head
should be easy to produce. And it feels weird to me that we're in 2021 and here's a MITRE ATT&CK
intelligence collection that just does espionage groups, and
I'm just frustrated by that. Yeah, I don't disagree. And the same, you know, our controls are fairly
narrow. I have DLP, which just fixes this, or, yeah, I have certain aspects that are very narrow. So
both on the threat side we've got specific on the control side. And then within this, we've made
14 lanes of how we're defending it. Yeah, we made it more complicated than it is, right?
But that comes back to the fact that we have so many different environments and so many different
priorities across different industries. And then when you start mapping in compliance,
it gets even more complex.
And I will highlight that you want to make sure if you talk about using the ATT&CK framework,
it's a reference framework. I would be very careful to not put it in your policy as a required,
because then somebody can come in and look at all 200 plus and start evaluating against all of them.
And how you're not doing it.
Right.
And so I would be very careful in how you use this as a reference tool.
Just like I coach people on the cyber kill chain is,
it's a great, you know, war gaming or reference tool.
Same with the SASE framework.
All of these, just be careful how you say you're using it.
I don't want you to get caught sideways by an auditor.
Well, Al, we've kind of run the MITRE ATT&CK framework through the wringer.
Anything else that we missed that you want to point out?
I think the last thing would be around safety, Tim.
Well, you know me too well, Al,
because I'm going to get hurt doing this stuff for sure.
As always, I appreciate the time.
It's been a great session.
Thanks, Steve.
Thanks for coming on, and I appreciate it.
We'll talk to you soon.
That was Steve Winterfeld, the advisory CISO for Akamai.
And for this episode, at least, my Al Borland, or sidekick, for the Rick the Toolman series.
Oh yeah!
And that's a wrap, not only for this episode, but for the entire season, season seven of CSO
Perspectives. And while I'm talking about it, that's a wrap for this crazy year of 2021.
What a year! There has been so much contention in the world these days, so do me a favor. Take this time over the holiday break and decompress. Find your inner zen. Be nice to crazy Uncle Joe and
his stories about contrails and the impending invasion of Cthulhu. And please, please, please,
take a moment and be extra kind to your neighbors.
We've all had a tough year and we could all use it.
And finally, let me leave you with a special holiday wish
from my favorite poet laureate and my personal life coach,
Dr. Seuss' The Grinch, and I quote,
Welcome Christmas, bring your cheer,
cheer to all the Whos far and near.
Christmas Day is within our grasp,
as long as we have hands to grasp.
Christmas Day will always be just as long as we have hands to grasp. Christmas Day will always be just as long as we
have we. Welcome Christmas as we stand, heart to heart and hand to hand, end quote. Truer words
could never be spoken. So happy holidays, merry new year, and we will see you again on the backside
in 2022.
The CyberWire CSO Perspectives is edited by John Petrik
and executive produced by Peter Kilpe.
Our theme song is by Blue Dot Sessions,
remixed by the insanely talented
Elliott Peltzman,
who also does the show's mixing, sound design, and original score.
And I am Rick Howard. Thanks for listening.