How to Get Broader, Deeper MITRE Attack Coverage by Using EDR and NDR Together

Network TTPs are critical for post-compromise, pre-breach detection & response

istock 1166334015 1
iBrave

The MITRE ATT&CK Framework has rapidly become the go-to lens through which security operations teams view their ability to detect attacker tactics, techniques, and procedures (TTPs). The ATT&CK Framework comprises 266 (and counting) TTPs across 12 tactic categories from initial compromise through maintaining persistence, defense evasion, and finally impact, spanning the course of a full cyberattack campaign.

When enterprise SecOps teams start using MITRE ATT&CK, they gain a clearer view of which attack tactics they're able to detect, and which might fly under the radar or evade their defenses and eventually lead to a breach. Understanding these gaps in their defenses makes it easier to understand where to invest security budget, and how to update policies and procedures to fill those gaps.

Currently, the MITRE ATT&CK Framework is heavily weighted towards endpoint-centric attack tactics. Detection and investigation of a large percentage of the TTPs cataloged in the framework require visibility into files and processes on individual endpoints. Endpoint detection and response (EDR) is an area of heavy investment for security teams, and it makes sense that they want industry standards and frameworks to both scrutinize and validate the effectiveness of their programs. However, many crucial TTPs, especially in the later stages of an attack campaign, are easier to detect on the network.

Network-Centric TTPs Can Make The Difference Between a Compromise and a Data Breach

When an attacker has compromised your network and begins to move laterally, hopping from endpoint to endpoint, you need to move quickly to prevent them from maintaining a foothold, staging, and eventually exfiltrating critical data in a way that represents a potentially irreversible data breach.

Defense Evasion

If an attacker is inside the environment, that means they've likely already circumvented some defenses. A few common ways to do this would be:

  • Deleting or altering activity logs to mask suspicious behavior
  • Hijacking or injecting attack behavior into unmonitored processes to evade endpoint security
  • Stealing valid credentials and using them for unauthorized purposes

Many times, endpoint security, next-gen AV, or firewalls will catch these tactics. But attackers know it only has to work once for them to get the toehold they need, so they keep trying and keep developing new tactics for bypassing these security mechanisms.

In all of these cases, the attacker buys themself time to expand their footprint in the target environment. Security teams that have the ability to detect what happens after these behaviors are in a much better position to reduce the amount of time the attacker has to complete their goals.

This is where network detection and response (NDR) comes in.

The Asymmetric Battle and How Covert Defenses Can Help

Why are attackers able to circumvent established security mechanisms so effectively, and what can a savvy security team do next?

There are two issues here. One is the asymmetry inherent in the relationship between attackers and defenders. An attacker only has to get past the perimeter once to make their job much, much easier. Few, if any, companies have the same level of security visibility inside their environment as they do at the edge, though that's changing. The second is that perimeter and endpoint security mechanisms are visible to the attacker. A quick scan of a compromised laptop can reveal whether or not that laptop has an endpoint protection agent on it, and whether its activity is being logged. If an attacker knows which defenses lie in wait for them, they can plan ahead and aim for the gaps.

Network detection and response addresses both of these challenges. Because NDR platforms observe all communications across the inside of a network, in the East-West corridor, they are able to detect unusual lateral movement, suspicious behavior by users, and new, unauthorized devices as soon as they connect. Because NDR platforms ingest data passively, an attacker has no way of knowing whether their behavior is being watched, nor any mechanism for altering the configuration of the observation. They may attempt to evade detection by encrypting their traffic, but that traffic can be decrypted for analysis, or simply blocked if unauthorized, out-of-policy encryption schemes are detected.

These characteristics make NDR a fantastic mechanism for detecting and investigating the kinds of behaviors that attackers do after they get that one moment of success they need to bypass perimeter-focused defenses.

What Makes Some MITRE ATT&CK TTPs Network-Centric?

extra post 2 image 1 ExtraHop

Each MITRE ATT&CK tactic listing includes a list of data sources that are useful for determining the best way to detect and investigate that particular tactic. Looking for TTPs that list network protocol analysis, SSL/TLS inspection, network device logs, and packet capture is a good way to identify which TTPs are better to detect and investigate using network traffic. Examples include:

  • Remote Access Tools (T1219)
  • Remote File Copy (T1105)
  • DCShadow (T1207)
  • And dozens more

While network-centric TTPs appear in all 12 of the main Technique Categories in the MITRE ATT&CK Framework, they are more heavily concentrated in certain categories, including:

  • Lateral Movement
  • Credential Access
  • Command & Control
  • Data Exfiltration
  • The reason for this is that, once an attacker has compromised an environment, they have likely already evaded other safeguards in place to prevent them from doing so. Because network detection and response consumes data passively and is not visible to the attacker, they cannot evade or disable it in the same way. Security teams can count on NDR as a covert line of defense that will continue to be effective even when an attacker believes that they're in the clear.
  • Endpoint detection and response and audit logging are both vital tools for any security operations team. They can catch many of the TTPs attackers try in the early stages of an attack campaign. For the latter stages, NDR is the best approach to ensure that a compromise doesn't progress into a full-on data breach.

For a more detailed analysis of which MITRE TTPs are best detected via the network, check out our white paper on the topic.

Copyright © 2020 IDG Communications, Inc.