Decrypting myths

Using the MITRE ATT&CK framework for threat hunting success

Threat hunting is a critical discipline. But how do you do it methodically and consistently to drive success? Tim Bandos, VP of Cyber Security, Digital Guardian, introduces threat hunting frameworks, explains how an organisation can get started with them and how to implement high-fidelity techniques for advanced threat hunting.

Cyberthreat hunting is a critical discipline that more and more organisations are using to proactively detect attacks before they result in a major breach. But how do you do it methodically and consistently to drive success? MITRE's ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework is becoming increasingly popular among incident responders and threat hunters, and for good reason. It was created to test the efficacy of systems and improve security before it's too late. This article will introduce the framework and the key benefits it brings to any cybersecurity operation.

What is the MITRE ATT&CK framework?

First created in 2013, the MITRE ATT&CK framework is a comprehensive matrix of cybersecurity tactics, techniques and procedures that can be used by threat hunters and incident responders to assess an organisation's cyber-risk. The aim of the framework is to improve an enterprise's post-compromise threat detection capabilities by highlighting the actions attackers may have taken. Threat hunters can also leverage the framework to identify specific combinations of techniques that adversaries may use and how effective their existing tools would be in detecting them.

There are three 'flavours' of ATT&CK:

1. Enterprise ATT&CK: A framework of tactics, techniques and procedures used to compromise enterprise networks. This is the most popular framework and the one this article will focus on.
2. PRE-ATT&CK: Covering tactics and techniques used pre-compromise.
3. Mobile ATT&CK: Covering tactics and techniques used to gain access to mobile devices.
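The coverage check described above (a combination of adversary techniques mapped against what existing tools can detect) can be carried out as a simple gap analysis. The script below is an added example, not code from the article or from MITRE; the technique IDs and tactic names are real Enterprise ATT&CK entries, while the adversary technique set and the tool-to-technique mapping are constructed sample data.

```python
"""Detection-coverage gap analysis over a set of ATT&CK techniques.

Added example. Technique IDs/tactics are real ATT&CK Enterprise entries;
the adversary set and the tool coverage mapping are constructed samples.
"""
from collections import defaultdict

# Constructed: the technique combination a hunter wants to assess
# (e.g. pulled from a threat report), keyed by ATT&CK ID -> tactic.
ADVERSARY_TECHNIQUES = {
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1053": "Persistence",          # Scheduled Task/Job
    "T1003": "Credential Access",    # OS Credential Dumping
    "T1021": "Lateral Movement",     # Remote Services
    "T1071": "Command and Control",  # Application Layer Protocol
}

# Constructed: which techniques each existing detection tool covers.
TOOL_COVERAGE = {
    "mail-gateway": {"T1566"},
    "edr": {"T1059", "T1003"},
    "siem-windows-logs": {"T1053", "T1059"},
}


def coverage_gaps(techniques, tools):
    """Return (detected, undetected): technique -> detecting tools, technique -> tactic."""
    detected, undetected = {}, {}
    for tech, tactic in techniques.items():
        hits = sorted(tool for tool, covered in tools.items() if tech in covered)
        if hits:
            detected[tech] = hits
        else:
            undetected[tech] = tactic
    return detected, undetected


def tactic_coverage(techniques, tools):
    """Per-tactic fraction of the adversary's techniques that at least one tool detects."""
    totals, covered = defaultdict(int), defaultdict(int)
    detected, _ = coverage_gaps(techniques, tools)
    for tech, tactic in techniques.items():
        totals[tactic] += 1
        covered[tactic] += tech in detected
    return {tactic: covered[tactic] / totals[tactic] for tactic in totals}


if __name__ == "__main__":
    detected, undetected = coverage_gaps(ADVERSARY_TECHNIQUES, TOOL_COVERAGE)
    for tech, tools in detected.items():
        print(f"{tech}: detected by {', '.join(tools)}")
    for tech, tactic in undetected.items():
        print(f"{tech} ({tactic}): no detection - hunting priority")
```

Techniques that land in the undetected set are the ones the hunt should prioritise, since no existing tool would surface them.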