Alerting

- 2 mins read

So You Want To Build A SOC

Or How To Lose Your Mind In 10 Weeks

A number of companies I’ve worked for have security tools in place, but they’re almost always half-configured, half-utilized, and no one has a good idea what’s missing or what should be there. Luckily, there’s a solution, or at least a tool that can help us move towards a solution.

The MITRE ATT&CK Framework

Enter the MITRE ATT&CK Framework. Originally published in 2013, the MITRE Org provides an assessment framework for Enterprises, Mobile, and Industrial Control Systems. The framework maintains a list of Adversarial Tactics, Techniques, & Common Knowledge. As well as, common mitigation and detection techniques.

This framework is broken down into multiple categories, detailed below, covering different aspects of an attack and allowing you to recognize the flow of an attack and communicate with others in a common vernacular.

Categories

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

Within each category is a series of techniques (delimited by T numbers e.g.; T1531 and further broken down into sub-techniques. These techniques each also include Procedures, behaviors used by specific threat actors, and Mitigations or Detections.

Working with the MITRE ATT&CK Framework

It’s a great idea to share this framework with your SOC, Architects, Engineers, and Threat Hunters. (I’ve even taught executives!) As a quick way of introducing these, I’ve often had junior team members or interns present each category over a series of weeks to various audiences. This helps build their own knowledge, allows them to practice their presentation skills, and gave them exposure to other teams and groups they might otherwise not meet.

Once everyone’s speaking the same language and familiar with the framework, we can start to use this in the naming of rules, controls, design documents, etc…

And now that we’re all speaking the same language, we can start to see where we have detection, prevention, and alerting, the 3 pillars of a good defensive strategy.

Heat Mapping Our Defenses

The framework can also be easily exported and worked with as CSV or Excel sheet. In this case, we’re going to use the framework as a heat map for where we’re solid, and where we’re deficient in our defenses.

A screenshot of the MITRE ATT&CK Framework in LibreOffice Calc A Screenshot of the MITRE ATT&CK Framework in LibreOffice Calc

Can I See It?

Log Sources

Can I Stop It?

Technical Controls

Administrative Controls

Can I Alert On It?

Start Documenting