Using MITRE ATT&CK in Splunk Security Essentials

Adversarial Tactics, Techniques, and Common Knowledge, or MITRE ATT&CK, is a knowledge base for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013. The ATT&CK framework was loosely based on the Lockheed Martin Cyber Kill Chain but with vastly more detail. A Tactic represents each stage in the Cyber Kill Chain in the ATT&CK Framework and should be read from left to right in the same way. The horizontal position of the Tactics indicates the stage in the attack lifecycle where the specific Technique is used. For instance, a phishing email is probably near the beginning of an attack and data exfiltration is likely toward the end.

In the last couple of years, the ATT&CK framework has become the most popular cybersecurity framework by a wide margin. Moreover, it has proven helpful for many use cases beyond its original purpose.

The Mitre Corporation updates the framework at least a couple of times per year with new Techniques, objects, and even new matrices. In addition, the framework’s solid foundation means many technology providers can natively adopt it into products, including us here at Splunk. Even Gartner and Forrester include some form of MITRE ATT&CK support in their evaluation of products.

Splunk added support for MITRE ATT&CK in our content library and Splunk Security Essentials (SSE) app around 2018. We mapped our detections with Techniques and Tactics to make it easier for defenders to understand where this type of detection is placed in the attack lifecycle. We added Sub-Techniques, Threat Groups, Platforms, and Software in later versions. Many of these capabilities were added under the moniker Analytics Advisor.

In the current version of SSE, you can use the ATT&CK framework for a wide array of use cases and to answer a wide range of questions:

• Discover new detections to deploy based on a list of Techniques
• Highlight Techniques covered by existing active detections
• Highlight Techniques potentially covered by detections based on the data you have
• How well are we monitoring for the ransomware Babuk based on active detections?
• Which Threat Groups are targeting my industry?
• Which Techniques have been observed in my industry?
• How many Techniques are we covering in the Cloud Matrix with the active detections?
• Which data source is providing me with the most Technique coverage?

Many of these examples rely on additional context and enrichment collected by Splunk Security Essentials as part of the initial setup.

Discover New Detections to Deploy Based on a List of Techniques

1. Navigate to the Security Content page
2. Type or paste the Technique IDs that interest you into the search bar.

SSE includes some predefined sets of Techniques that might interest you, such as the Top 10 Techniques for Ransomware, created by MITRE.

You can also find a visual of the same Techniques on the ATT&CK Matrix.

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “List MITRE ATT&CK Ransomware Top 10” in the ATT&CK Technique dropdown above the ATT&CK Matrix

^{A subset of the ATT&CK Matrix showing the selected Techniques}

^{The selected techniques and the coverage metrics in the current environment}

Splunk Security Essentials bundles a few other premade lists of ATT&CK Techniques such as the MITRE Engenuity Adversary Sightings Top 15 project. This project has done quantitative research on a large number of Threat Reports for the past years, with more than 6 million Technique usage observations. One of the conclusions of this work is that 15 Techniques represent 90% of all observations. Want to protect yourself against the 90%? Filter the panels as above using this premade list.

Highlight Techniques Covered by Existing Active Detections

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “Content (Active)” in the “Color by” dropdown

Flip between the panels and tabs to view the current coverage in the environment in different ways

^{The charts show 2% coverage on the ATT&CK Matrix by the six active detections}

Highlight Techniques Potentially Covered by Detections Based on the Data You Have

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “Content (Available)” in the “Color by” dropdown

Flip between the panels and tabs to look at the current coverage in the environment in different ways.

^{Which source type provides the most potential detection coverage?}

^{The chart shows 73% coverage on the ATT&CK Matrix by the 985 available detections in the environment}

How Well Are We Monitoring for the Ransomware Babuk Based on Active Detections?

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “Babuk” in the “MITRE ATT&CK Software” dropdown
3. Select “Content (Active)” in the “Color by” dropdown

^{Orange highlighted cells represent the Techniques used by the Babuk ransomware. The blue background color represents the detections available.}

Which Threat Groups Are Targeting My Industry?

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “Industry: Healthcare” in the “MITRE ATT&CK Threat Group” dropdown

^{Ten Threat Groups are known for targeting the healthcare industry.}

Which Techniques Have Been Observed in My Industry?

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “Industry: Healthcare” in the “MITRE ATT&CK Threat Group” dropdown
3. Select “Threat Group Selection” in the “Filter” dropdown

^{A subset of the ATT&CK Matrix featuring Techniques that have been observed in the healthcare industry.}

^{The image shows detections and other content available in Security Essentials covering the subset of Techniques that have been observed in the healthcare industry.}

How Many Techniques Are We Covering in the Cloud Matrix with Active Detections?

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select “Cloud” in the “MITRE ATT&CK Platform” dropdown
3. Select “Content (Active)” in the “Color by” dropdown

^{The ATT&CK Cloud Matrix and the active detections in the environment (blue).} 

Which Data Source Is Providing Me With the Most Technique Coverage?

1. Navigate to the Analytics Advisor -> MITRE ATT&CK Framework
2. Select the Chart View tab
3. Select “Data Source” in the “Split by” dropdown
4. Select “Active” in the “Status” dropdown

1. Click the “Selection by Data Source” tab under the “Selected Content” section further down

^{The number of detections and other content available in Security Essentials split by data source.}

Let’s dive into the meaning and use of the word “coverage.”

Coverage means we have at least some content (either available or active) that aligns with the specified Technique.  Furthermore, MITRE ATT&CK only has a portion of “known” threat actors that only capture what has happened and do not project all possible outcomes of things that could happen.

Good coverage, therefore, means we have lots of content covering many techniques. However, this is only part of the picture. Coverage doesn’t tell us how much of the environment is protected. If the data source powering the detection is only available for a small subset of the organization, the level of protection will not be as great. It might even be misleading when only looking at the colors in the matrix without realizing the context.

In conclusion, coverage does not mean completeness.

You’ve made it this far; go and try it out yourself. Splunk Security Essentials is available on Splunkbase, and version 3.7.0 was recently released on Dec. 8, 2022.

To learn more about how MITRE ATT&CK Tactics are mapped to detections developed by the Splunk Threat Research Team, check out the new eBook “Top Cybersecurity Threat Detections with Splunk and MITRE ATT&CK.”

- Johan

Authors and Contributors:

As always, security at Splunk is a family business. Credit to authors and collaborators: Johan Bjerke, Audra Streetman, Ryan Becwar. Feature photo by Torsten Dettlaff from Pexels.