Leveraging BAS and MITRE ATT&CK for Threat-Informed Defense

In a recent blog, we covered the basics of breach and attack simulation (BAS) and MITRE ATT&CK, including the challenges security teams often face when attempting to utilize the ATT&CK framework and how BAS can help. Now, it’s time to get more specific. In this installment of our latest series, we’ll discuss the ways organizations typically leverage BAS and MITRE ATT&CK for threat-informed defense, including:

• Gap Assessment
• Threat Intelligence
• Detection Engineering 
• Analytics
• Red Teaming 

Assessing Gaps & Security Posture with BAS & MITRE

Assessing your security gaps and overall posture is an excellent way to get started with ATT&CK, providing teams with an understanding of overall coverage. Leveraging a BAS platform like SafeBreach, analysts can identify whether each potential attack vector from the framework applies to the organization and determine if the right solutions are in place to detect and protect against it. 

Security teams can take a couple different approaches to test their posture, including testing specific tactics, techniques, and procedures (TTPs) included in each attack, or running the entirety of an attack from the MITRE framework. Once simulations are complete, teams can remediate any security issues that are uncovered and quickly test again to ensure that the solutions have closed the gap. When first utilizing a BAS platform, it may make sense to run MITRE’s top attacks, or the organization may determine (with the aid of the BAS tool) that there are higher priorities. After the team runs initial tests, they can set these tests to run continuously to ensure security controls are regularly validated. 

BAS platforms will usually provide a way to report on these gaps through dashboards and reports. Once an organization assesses its capabilities and gaps, it can easily communicate these results to key stakeholders to provide them with a high-level view of organizational readiness and make appropriate decisions to improve organizational security posture.  

Augmenting Assessments & Threat Intelligence

Naturally, threat intelligence is key to threat-informed defense. By overlaying intelligence about adversary behavior from ATT&CK with information from a BAS platform about what additional threat behavior the organization can detect and mitigate, security teams can further hone a threat-based awareness of what gaps exist within their networks. 

A BAS solution can truly uplevel an organization’s defenses by drawing from a number of different threat intelligence sources. This includes the ATT&CK framework, but can also include integrations with multiple other tools that specialize in threat intelligence, and—if the BAS solution is really good—original threat research provided by the BAS vendor. 

---

Learn more about leveraging BAS to improve ATT&CK coverage, including common use cases in: Getting Started with the MITRE ATT&CK® Framework and SafeBreach.

---

Prioritize Behaviors with Analytics

Data used to develop threat analytics can be gathered from a number of sources, including:

• Authentication logs
• File and registry monitoring
• Packet capture—especially east-west capture—like that collected between hosts and enclaves in your network
• Process and process command line monitoring

Once a team has this information, they will need to collect that data into some kind of alert logging platform (e.g., SIEM) in order to run analytics against it. This may already exist as part of IT or security operations, or it might be something that the organization needs to develop. Once the data is there, security teams can leverage threat intelligence to prioritize behaviors that they want to detect within the SIEM. Ultimately, the goal with this use case is to be able to detect an attack early in the attack lifecycle and across the entire kill chain.

It’s important to note, though, that suspicious network behaviors don’t always indicate an attack. If alerts were triggered for every potentially suspicious behavior, it would quickly generate a lot of noise, create alert fatigue, and slow down threat detection. By correlating suspicious alerts using the MITRE ATT&CK framework, security teams can quickly identify potentially malicious intent and use the BAS platform to determine viable remediation options.

Leveraging ATT&CK for Detection Engineering

The next step is leveraging the suspicious behaviors to create detections. Detection engineering, which is a continuous process through which engineers evolve and optimize their threat content based on new information, does exactly that. Detection engineers are responsible for reducing the mean time to detect (MTTD) and respond and recover from a threat.

ATT&CK helps detection engineers develop a thorough understanding of attacker techniques and tactics, which in turn allows them to build better detection models. Coupled with the additional threat information from BAS, these models can evolve to match the real-world attacks leveraged by threat actors and even nation states.

To further streamline the process, a best-in-class breach and attack simulation solution will have integrations that allow for automated remediation of the more straightforward security issues, allowing security teams to focus on only the most complex.

Actioning the Framework with BAS & Red Teaming

ATT&CK can be used to test and verify defenses against common adversary techniques by enabling security teams to re-create real world attack scenarios. By leveraging a BAS solution, red teams can run scenarios to test different aspects of an adversary’s TTPs. The red team then follows a pre-made or customized attack scenario while operating on a target network to test how defenses would hold up against the attacks.

With BAS, red teams can test at scale. By automating tests, not only can teams perform hundreds more tests than they would have been able to manually, but these tests can be run continuously. That means that any changes in the network that may produce a new security gap can be caught and mitigated quickly, without taking much time away from other red teaming activities. 

Putting It All Together

While MITRE ATT&CK is a powerful framework to get organizations started on threat-informed defense, it takes a solution like breach and attack simulation to make it feasible to implement. Each organization is unique and has different priorities, tooling, and IT environments. BAS helps security teams shape the ATT&CK framework to suit their needs, augments it with the latest threat intelligence, and allows organizations to test quickly, continuously, and at scale.

To dig a little deeper, download the full whitepaper, Getting Started with the MITRE ATT&CK® Framework and SafeBreach or schedule a demo to see the benefits of BAS and MITRE ATT&CK for your organization.