The year 2020 shattered every record for security incidents and data breaches affecting private businesses and governments. The changing digital landscape is a challenge for everyone, as threat actors have moved beyond traditional attacks such as phishing campaigns to more sophisticated techniques. To fight them successfully, it is imperative that companies implement the best cybersecurity practices.
The pandemic caused nightmares for security professionals and made them reconsider their organization's security posture and critical infrastructure. Some alarming cyberattack statistics include:
• The FBI's IC3 (Internet Crime Complaint Center) reported a 300% increase in cybercrimes reported on its portal – IMCGrupo
• Data breaches in the healthcare industry increased by 58% in 2020 – Verizon
• In April 2020 alone, Google blocked around 18 million coronavirus-related phishing emails and malware messages – Google
• Cloud-based cyberattacks increased by more than 600% by mid-April 2020 – FintechNews
It is widely held that the best way to detect and mitigate adversaries is to understand their tactics, techniques, and procedures. To understand what a framework is in simple terms, think of a physical skeleton that gives the flesh of the human body its structure. In the same way, a cybersecurity framework is a knowledge base of best practices that helps organizations minimize security gaps in their critical infrastructure. It also helps them identify sensitive areas that carry a risk of data breaches and other compromise by threat actors.
Frameworks ease tasks such as defining the processes and procedures that security professionals must follow to assess, monitor, and mitigate cybersecurity risk. They make the lives of stakeholders easier, at least to some extent, by providing a blueprint for an organization's cybersecurity program and helping it carry out the underlying tasks more efficiently. A framework complements existing security operations by:
• Prioritizing critical improvement activities
• Identifying security gaps
• Understanding the current security posture/status
• Tracking new or revised standards
There are many popular cybersecurity frameworks; to name a few: NIST CSF, MITRE ATT&CK, MITRE D3FEND, ISO/IEC 27001 and 27002, and the CIS Controls.
From simple phishing attempts and DDoS to APTs and ransomware, security leaders in this evolving threat landscape need to use every available tool and technique to defend their organizations. This is where frameworks like MITRE ATT&CK and D3FEND come into play.
MITRE is a non-profit organization that works with the U.S. government and private industry with a vision of solving vital global challenges. It provides technical and engineering assistance to federal agencies with state-of-the-art solutions backed by highly skilled research teams, addressing global concerns not only in the digital world but also on the battlefield, in the healthcare industry, and elsewhere. MITRE also assisted government departments after the 9/11 attacks by lending its teams' expertise and contributing advanced technology to relief and recovery efforts at the World Trade Center.
When talking about MITRE, it would be unfair not to discuss one of its most successful projects, MITRE ATT&CK. MITRE developed the "ATT&CK" framework in 2013; the name stands for Adversarial Tactics, Techniques, and Common Knowledge. It provides a matrix of common tactics and techniques, and a knowledge base of how adversaries can use them to compromise a company, covering initial access, privilege escalation, defense evasion, lateral movement, and more. The framework is built on TTPs (Tactics, Techniques, and Procedures):
• Tactics – the attacker's goal, the "WHY"; for example, Credential Access, where the goal is to obtain credentials that grant access
• Techniques – the "HOW" of an attack; for example, a threat actor may dump credentials to achieve unauthorized access
• Procedures – the specific methods bad actors use; for example, using PowerShell to inject malicious code into an executable
Below is the MITRE ATT&CK framework matrix. Tactics run as columns from left to right; under each column header are the techniques and sub-techniques that help accomplish that tactic.
The ATT&CK framework provides a holistic view of security posture and is one of the most definitive resources for a cybersecurity plan. Threat hunters and blue teamers use it as a primary resource to classify and prioritize security gaps and ensure the right mitigations are in place.
Security engineers need to know what the threats are and how bad actors will use them to exploit critical infrastructure or a corporate network. At the same time, it is essential to know how to address those threats from a technical and engineering perspective.
MITRE released the D3FEND framework in July this year. It is a knowledge base of countermeasures against cyberthreats, and its development was funded by the NSA (National Security Agency). D3FEND addresses the problem described above by giving security professionals a catalogue of defensive techniques that security architects can combine to design a defensive and resilient security plan. It complements ATT&CK: D3FEND techniques can be applied to counter the adversary techniques detailed in the ATT&CK framework.
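To make the ATT&CK/D3FEND relationship concrete, here is an added example (not from the original article or from MITRE) of the gap analysis a blue team performs: observed ATT&CK techniques are checked against deployed countermeasures and the uncovered tactics are ranked. The ATT&CK IDs are real entries, but the D3FEND-style countermeasure names and which techniques they counter are a constructed, simplified mapping; the authoritative mappings live at d3fend.mitre.org.

```python
from collections import defaultdict

# Constructed subset of the ATT&CK matrix: technique id -> (name, tactic).
ATTACK_TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1055": ("Process Injection", "Defense Evasion"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
}

# Constructed, simplified D3FEND-style map: countermeasure -> ATT&CK techniques
# it is assumed to counter (illustrative only; real mappings are in D3FEND).
D3FEND_COUNTERS = {
    "Process Spawn Analysis": {"T1059", "T1055"},
    "Credential Hardening": {"T1003"},
    "Message Authentication": {"T1566"},
    "Multi-factor Authentication": {"T1021", "T1003"},
}


def parent_technique(tid):
    """Map a sub-technique such as T1059.001 to its parent T1059."""
    return tid.split(".")[0]


def coverage_gaps(observed, deployed):
    """Return {tactic: [technique ids]} for observed techniques that no deployed
    countermeasure addresses. A countermeasure mapped to a parent technique is
    treated as covering its sub-techniques as well."""
    covered = set()
    for name in deployed:
        covered |= D3FEND_COUNTERS.get(name, set())
    gaps = defaultdict(list)
    for tid in sorted(observed):
        if tid in covered or parent_technique(tid) in covered:
            continue
        _, tactic = ATTACK_TECHNIQUES.get(tid, ("Unknown", "Unknown"))
        gaps[tactic].append(tid)
    return dict(gaps)


def prioritize(gaps):
    """Order tactics by number of unaddressed techniques, largest gap first."""
    return sorted(gaps, key=lambda tactic: (-len(gaps[tactic]), tactic))


if __name__ == "__main__":
    # Constructed incident: techniques seen during a hunt, one control deployed.
    seen = {"T1566", "T1059.001", "T1055", "T1003", "T1021"}
    gaps = coverage_gaps(seen, ["Process Spawn Analysis"])
    for tactic in prioritize(gaps):
        print(f"{tactic}: {', '.join(gaps[tactic])}")
```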
Below is a glimpse of the MITRE D3FEND framework.
As the figure shows, the defensive techniques are grouped horizontally, starting from the left with Harden, then Detect, followed by the remaining categories. The whole framework can be viewed in detail at d3fend.mitre.org.
In conclusion, my point of view is that cybersecurity is a game of cat and mouse because both attacks and defensive measures keep evolving. Cybersecurity frameworks, not only MITRE's but others as well, surely give security professionals an edge over adversaries by identifying security gaps and prioritizing the defensive measures that minimize exposure to probable attack vectors.
This article was first published on Medium