Architecting for the kill chain

The MITRE ATT&CK framework is a great resource for tracking and reviewing the kill chain and methodology used by threat actors. As part of a recent move into security architecture I got interested in how to design defence in depth that is mapped to adversarial kill chains and MITRE ATT&CK, so I could better review where controls were weak and what mitigations could be put in place. Using AttackIQ I found some decent resources.

MITRE ATT&CK is a free, globally available knowledge base and an impressive way to look through the different tactics, techniques and procedures (TTPs) used by Advanced Persistent Threat (APT) actors worldwide. In MITRE's terms, tactics are the adversary's technical goals, techniques are how a goal is achieved, and procedures are the specific implementations of techniques. Using this we can identify the crown jewels we need to protect and the techniques and procedures to layer our defences around.

Before we go into MITRE, we need to understand how to structure our approach to designing our defences. We will be using the standard methodology of Plan – Design – Implement – Measure.

Plan

In the plan phase we review our business objectives, our threats (known and assumed), which ideally are tracked as current risks in the risk register, and the resources available to us. Here we also look at the frameworks we want to use (SANS CC, NIST CSF), regulatory drivers (NIS-D) and contractual requirements. To ensure the plan covers our threats we must gather information on what those threats are, through threat intelligence or other methods. This information should feed our overall strategy, and its sources include:

  • Your organisation's security team.
  • Third-party sources like MITRE, CISA and Searchlight.
  • Manual searches through Shodan, Google or darknet forums.

For MITRE we can use our teams and our understanding of the organisation's industry to identify the threats and APTs facing it, and then use the TTPs documented for those groups to start identifying mitigating controls. A group I picked at random is APT12; here we can see this group uses:

  • Spear Phishing with malicious attachments (Initial Access).
  • Exploitation for Client Execution and Malicious Files (Execution).
  • DNS Calculation and Bidirectional Communication (Command and Control).

Review all the threat groups in MITRE that could target your organisation and try to pick out the commonalities in their TTPs, since those are the techniques the controls most need to address. While MITRE can give us generalised information on adversaries, purple teaming can really build on this to give business-specific context. By linking in your SOC heroes and vulnerability villains you can produce a better understanding of how the MITRE threats and TTPs fit within your organisation's existing defences, which helps build more efficient controls around them.
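The commonality review above, and the later gap review in the measure phase, can be done as a small scoring exercise. The following is an added example, not code from the original post or from MITRE: it counts how many relevant groups use each technique, greedily ranks mitigations by how much group-weighted exposure each one closes, and lists the techniques still uncovered once a given set of mitigations is deployed. APT12's techniques are the ones the post lists; the other two groups, the ATT&CK technique and mitigation IDs, and the technique-to-mitigation links are assumed, illustrative data rather than a full ATT&CK export.

```python
from collections import Counter

# Constructed sample data. APT12's techniques are the ones the post lists;
# groups B and C are hypothetical. IDs are assumed ATT&CK IDs, and the
# technique->mitigation links are an assumed subset of ATT&CK's.
GROUP_TTPS = {
    "APT12": {"T1566.001", "T1203", "T1204.002", "T1568.003", "T1102.002"},
    "hypothetical group B": {"T1566.001", "T1204.002", "T1102.002"},
    "hypothetical group C": {"T1566.001", "T1203"},
}

TECHNIQUE_MITIGATIONS = {
    "T1566.001": {"M1017", "M1049", "M1031"},  # Spearphishing Attachment
    "T1203": {"M1048", "M1050"},               # Exploitation for Client Execution
    "T1204.002": {"M1017", "M1049"},           # Malicious File
    "T1568.003": {"M1031"},                    # DNS Calculation
    "T1102.002": {"M1031", "M1021"},           # Bidirectional Communication
}


def technique_frequency(group_ttps):
    """Count how many relevant groups use each technique (the commonalities)."""
    counts = Counter()
    for ttps in group_ttps.values():
        counts.update(ttps)
    return counts


def prioritise_mitigations(group_ttps, technique_mitigations):
    """Greedy weighted set cover: pick the mitigation that closes the most
    group-weighted exposure first, until every technique is covered.
    Ties are broken by mitigation ID so the result is deterministic."""
    weight = technique_frequency(group_ttps)
    uncovered = set(weight)
    order = []
    while uncovered:
        scores = Counter()
        for tech in uncovered:
            for mit in technique_mitigations.get(tech, ()):
                scores[mit] += weight[tech]
        if not scores:
            break  # remaining techniques have no listed mitigation
        best = min(scores, key=lambda m: (-scores[m], m))
        order.append(best)
        uncovered -= {t for t in uncovered if best in technique_mitigations.get(t, ())}
    return order


def coverage_gaps(group_ttps, technique_mitigations, deployed):
    """Techniques no deployed mitigation addresses, most widely used first."""
    weight = technique_frequency(group_ttps)
    gaps = [t for t in weight if not (technique_mitigations.get(t, set()) & deployed)]
    return sorted(gaps, key=lambda t: (-weight[t], t))
```

With the sample data, M1031 ranks first because it addresses the spearphishing technique all three groups share as well as both C2 techniques, and a deployment of only M1017 and M1049 leaves the client-side exploitation and C2 techniques exposed.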

Breach & Attack Simulation (BAS) tools can also be used alongside wargaming and tabletop exercises to help tie the strategy together and highlight gaps that need addressing.

Design

With the strategy of what we need to do completed, we must now turn it into a blueprint: tooling requirements, processes defined and drawn up, the operating model that will govern the programme, and any other items that need to be considered to protect against the adversaries. The best design follows a process- and people-based approach before looking at tools to supplement and automate the controls.

MITRE can assist here as it lists recommended mitigations for the threat actors' TTPs. While these can be high level, they are helpful as the base of our design framework. MITRE's vendor evaluations can be used to supplement traditional vendor assessment reviews like Gartner's, helping to tie tooling to the mitigations for specific TTPs.

Using the BAS tools and wargames from the planning stage, we can tie those assessments into our tool assessments to get the right mixture of technologies for the organisation's threats.

Implement

During this phase we document our policies and procedures and put our processes in place. Staff upskilling takes place, and any tools are acquired and deployed. At each stage of the implementation, and with each new tool that is deployed, BAS and wargames should be conducted as continuous assessments to make sure the tooling selection from the design phase and the strategic decisions from the planning stage are having the desired effect.

Measure

If it cannot be measured, it does not exist. A hard-learned lesson for many auditors, but a valuable one. After the programme has been successfully planned, mapped out and deployed we must then define our SLAs, KPIs and other metrics to ensure each part is operating effectively; doing this early can ease the turmoil of SOC 2 and other control effectiveness audits.

The measure phase is the BAU phase and includes managing, operating and maintaining the security posture, and it must have a feedback loop back to the planning phase. Continually reviewing the effectiveness of the controls against new and emerging threats, with the expertise of the organisation's security teams and with wargaming and BAS to assist, can ensure security does not stand still and continually improves. TRAM, an open-source tool that ties threat intelligence reports to MITRE ATT&CK techniques, can also be leveraged to improve the mapping.