Cybersecurity Solutions - Cyber Security Platform | SenseOn


Automating the MITRE ATT&CK Framework

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Over a series of blog posts, we will demonstrate ATT&CK’s value, how to use it, and how to turn theory into practice. If you would prefer to get the full guide now, you can download it here.

Actionable intelligence through automation

The MITRE ATT&CK Framework does a fantastic job of explaining adversary tactics and techniques in detail, giving the industry a better grasp on attacker behaviour and intentions. But to make this information actionable at scale, organisations need a method of understanding and modelling behaviour across their entire digital estate. 

Manually mapping the behaviour of every event, log, or alert in your environment to the MITRE ATT&CK framework is unthinkable. It would be an arduous task, prone to mistakes, and it would be difficult to glean actionable intelligence from the result.

The power of automation, however, can transform the lives of security professionals. An intelligent system that can understand and distinguish between malicious and benign activity across the organisation also brings many benefits. We are now at a point where security professionals can rely on the automation of detection, classification, investigation, and response. 

From inception, Senseon integrated the MITRE ATT&CK framework into its automated threat detection, investigation, and response platform. The Senseon team were keen to further empower security professionals by arming them with the context to better understand their environments and attacker behaviour. 

Before explaining how this integration works and benefits our customers, let’s understand more about Senseon.

About Senseon

Breaking down the silos

Cyber security vendors want you to think in silos. But organisations don’t operate in silos and neither do attackers.

The cyber security industry has evolved rapidly over the last decade. The divergence and growth of attacks and the increasingly advanced techniques deployed by adversaries have been met with new technological defence capabilities.

Yet, where the industry falls behind is in its segregation of technology approaches. Rather than deal with the broader challenges head-on, vendors have opted to focus on niches. Tools like NDR or EDR have a single source of intelligence.

As more niche, single-point tools flood the market, our security stacks become bloated, expensive, and difficult to maintain. Deploying more tools doesn’t necessarily increase your chances of detecting cyber threats. It does, however, increase your workload and cost, and it demands a great deal of effort to extract actionable intelligence from the disparate data.

Senseon breaks down the silos and removes the gaps between single-point tools by taking a data-led approach to the problem. Senseon’s primary focus is to get the richest sources of information to build a more intelligent system. In turn, this increases the accuracy and efficiency of detection.

Rather than focus on the limitations prescribed by traditional approaches, Senseon uses multiple methods of data collection and multiple detection methods to accurately differentiate malicious from benign activity.

Senseon deploys across the network, endpoint devices, and Investigator Microservices that gather additional external intelligence. All connected. All share intelligence. The result is a far more accurate depiction of the events as they unfold within a customer’s digital estate.

The self-driving system for cyber defence

Senseon’s unique AI Triangulation technology emulates how a human security analyst thinks and acts to automate the process of threat detection, investigation, and response.

Senseon looks at the behaviours of users and devices from multiple perspectives, pauses for thought and learns from experience, to provide accurate and context-rich alerts. The ATT&CK Framework is used by the AI Triangulation to make its output clear and actionable.  

These automated capabilities free security teams from the burden of exhaustive analysis, alert fatigue, and false positives.

How Senseon works

Figure: The Senseon platform architecture

MULTIPLE SENSES

Senseon gathers the richest sources of data from multiple points across an organisation. This provides unparalleled visibility and means that the accuracy of alerts is increased through greater context and understanding.

UNDERSTANDING

Senseon combines the power of machine learning analytics with custom analytics built by our team of experts. The Machine Reasoning Framework consists of supervised and unsupervised machine learning approaches.

AI TRIANGULATION

AI Triangulation thinks and acts like a human analyst. Observations are created when the system’s hypotheses about indications of malicious activity are proven.

SENSEON PLATFORM

Interesting or malicious activity is then prioritised and presented in the user interface for further investigation by the security team. Senseon groups related behaviours, allowing analysts to speed up their investigations.


Watch the video

Find out more about the MITRE ATT&CK Framework and see a product demonstration showing how we have built MITRE ATT&CK into the heart of the Senseon platform.

Senseon and MITRE ATT&CK integration

Figure: The Senseon platform, Investigate view

The Investigate view shows all priority cases that have been automatically generated by the system and require further investigation by an Analyst. Cases are made up of multiple and related security observations that are presented as a sequence of events in the timeline. A security observation is essentially a single event that has occurred within a customer’s environment. 

By showing related security observations in a single case, Security Analysts can quickly understand the relationship between impacted devices and users. Where other technologies would raise a separate alert for each equivalent security observation, Senseon’s cases create less noise and fewer alerts requiring further investigation.

Benefits

  • Automates the classification of real events according to techniques in the MITRE ATT&CK framework.

  • Increases the speed at which an analyst can review a threat case.

  • Provides common language to aid communication among the team.

  • Enhances the team’s understanding of various techniques.

  • Allows an organisation to understand the techniques they most commonly face.

Within the Investigate view, the Threat Techniques widget shows a natural language description of the technique from the MITRE ATT&CK framework. Cases with several security observations are likely to contain multiple and differing techniques. As an analyst clicks through the various stages of an attack, they can understand how each security observation relates to the relevant techniques that attackers deploy. This further helps to explain the narrative of attacker behaviour. Analysts can click directly through to the MITRE ATT&CK website to find out more about each technique.
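As an added illustration of the case and Threat Techniques concepts above (this is example code, not Senseon’s implementation, which the post does not describe), the following Python groups constructed security observations into cases when they share a device or user, orders each case as a timeline, and lists the distinct ATT&CK technique IDs with their attack.mitre.org links. The technique IDs are real ATT&CK IDs; the hosts, users and timestamps are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:             # one security observation: a single event in the estate
    ts: int                    # epoch seconds, used to order the case timeline
    device: str
    user: str
    technique: str             # ATT&CK technique ID already assigned by the detector

@dataclass
class Case:                    # related observations presented together as one case
    observations: list
    def timeline(self):
        return sorted(self.observations, key=lambda o: o.ts)
    def techniques(self):
        """Distinct technique IDs in first-seen order, as a Threat Techniques widget would list them."""
        return list(dict.fromkeys(o.technique for o in self.timeline()))

def technique_link(tid):       # deep link to the technique's page on the MITRE ATT&CK website
    return f"https://attack.mitre.org/techniques/{tid}/"

def build_cases(observations):
    """Group observations that share a device or a user (directly or via a chain) into one case."""
    parent = {}                # union-find over entity keys such as "dev:ws01" and "usr:alice"
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    for o in observations:
        union(f"dev:{o.device}", f"usr:{o.user}")
    cases = {}
    for o in observations:
        cases.setdefault(find(f"dev:{o.device}"), Case([])).observations.append(o)
    return list(cases.values())

# Constructed sample (real ATT&CK IDs): a phishing-led intrusion spreading ws01 -> srv02, plus an unrelated brute-force attempt on ws07.
SAMPLE_OBSERVATIONS = [
    Observation(100, "ws01", "alice", "T1566"),        # Phishing
    Observation(160, "ws01", "alice", "T1059"),        # Command and Scripting Interpreter
    Observation(240, "srv02", "alice", "T1021"),       # Remote Services
    Observation(300, "srv02", "svc_backup", "T1078"),  # Valid Accounts
    Observation(120, "ws07", "bob", "T1110"),          # Brute Force
]

if __name__ == "__main__":     # five observations collapse into two cases
    for case in build_cases(SAMPLE_OBSERVATIONS):
        print(len(case.observations), "observations:", [technique_link(t) for t in case.techniques()])
```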


Get the full guide

The MITRE ATT&CK framework is quickly becoming the de facto tool for understanding and mapping attacker behaviour. This must-have resource is a great ally for IT and security professionals looking to enhance their security posture.

This practical guide will show you how to:

  • maximise the value of ATT&CK

  • turn theory into action

  • get results.


About the author

Brad Freeman, Head of Threat Analysis, Senseon

Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at Senseon, and specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.