on 12-18-2020 10:12 AM
ServiceNow released a new Security Incident Response integration with the MITRE ATT&CK framework. This article will provide a high-level overview of its purpose and capabilities.
The MITRE ATT&CK framework provides a knowledge base of common tactics, techniques, and procedures (TTP) organizations can access to develop threat models and methodologies against cyberattacks.
By combining this framework with SecOps Incident Response, organizations can use MITRE information to:
- Speed up the analysis of Security Incidents by leveraging the mapping of TTPs
- Obtain insight into the detection coverage of MITRE techniques
- Improve threat hunting capabilities by leveraging the relations between TTPs, SIRs and observables
Speed up the analysis of Security Incidents by leveraging the mapping of TTPs
Once the Threat Intelligence module is enabled within Security Incident Response, MITRE techniques can be related to Security Incidents and Observables, either automatically or manually. With these relations in place, analysts can use the embedded MITRE ATT&CK view to understand the likely phase of an attack and learn about related TTPs. This information can then be used to determine:
- Additional investigative actions
- Forensic evidence to look for
- Necessary remediation or mitigation actions
Furthermore, by linking MITRE TTPs to Security Runbooks, SOCs can automatically populate the required response tasks based on the linked TTPs.
The screenshots below briefly demonstrate these capabilities:
MITRE ATT&CK Card Navigator view
MITRE ATT&CK Card list view
Detailed TTP relations view
Obtain detection coverage insight of MITRE techniques
As organizations embrace the use of MITRE TTPs for developing detection models and rules, it has also become vital to understand the effectiveness of those rules and the gaps between them.
For this purpose, the MITRE ATT&CK integration provides the ability to map tactics and techniques to:
- Your detection tools, such as SIEM, EDR, proxy server, etc.
- (SIEM) detection rules ingested from, for example, Splunk, Sentinel, QRadar, etc.
When organizations additionally rate their expected coverage per MITRE technique, the built-in MITRE heatmap provides insight into the actual coverage levels and lists the relations with existing Security Incidents, Observables and Detection Rules. An impression of this is shown in the screenshots below:
MITRE ATT&CK Navigator heatmap 1-2
MITRE ATT&CK Navigator heatmap 2-2
Based on these heatmaps, organizations can better determine the effectiveness of their detection models and properly identify points for improvement.
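To make the expected-versus-actual comparison behind such a heatmap concrete, here is an added stand-alone Python example; it is not ServiceNow code and does not use the platform's tables or API. It takes a constructed mapping of detection rules and Security Incidents to ATT&CK technique IDs plus expected coverage ratings, computes actual versus expected coverage per technique, ranks the gaps with incident-linked techniques first, and emits a minimal ATT&CK Navigator layer. The rule that two independent detections equal full coverage, and the Navigator layer fields used, are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample: detection rules (SIEM/EDR) mapped to ATT&CK technique IDs.
DETECTION_RULES = {
    "splunk:powershell_encoded_cmd": ["T1059.001", "T1027"],
    "sentinel:lsass_memory_access": ["T1003.001"],
    "edr:scheduled_task_created": ["T1053.005"],
}
# Constructed sample: the SOC's expected coverage rating per technique (0.0..1.0).
EXPECTED_COVERAGE = {"T1059.001": 0.8, "T1027": 0.5, "T1003.001": 0.9,
                     "T1053.005": 0.6, "T1566.001": 0.7}
# Constructed sample: Security Incidents (SIRs) already related to techniques.
INCIDENTS = {"SIR0001": ["T1566.001", "T1059.001"], "SIR0002": ["T1003.001"]}

def _index(mapping):
    # Invert {item: [technique, ...]} into {technique: [item, ...]}.
    by_tech = defaultdict(list)
    for item, techs in mapping.items():
        for tech in techs:
            by_tech[tech].append(item)
    return by_tech

def coverage_by_technique(rules, expected, incidents, rules_for_full=2):
    """Actual vs expected coverage per technique, plus the related rules/SIRs.
    Demo assumption: `rules_for_full` independent rules count as full coverage."""
    rules_for, incidents_for = _index(rules), _index(incidents)
    report = {}
    for tech, exp in expected.items():
        actual = min(1.0, len(rules_for[tech]) / rules_for_full)
        report[tech] = {"expected": exp, "actual": actual,
                        "gap": round(max(0.0, exp - actual), 2),
                        "rules": sorted(rules_for[tech]),
                        "incidents": sorted(incidents_for[tech])}
    return report

def prioritized_gaps(report):
    """Techniques below their expected rating; ones seen in real SIRs come first."""
    gaps = [t for t, r in report.items() if r["gap"] > 0]
    return sorted(gaps, key=lambda t: (-bool(report[t]["incidents"]),
                                       -report[t]["gap"], t))

def navigator_layer(report, name="SIR detection coverage"):
    """Minimal ATT&CK Navigator layer (assumed fields: techniqueID, score, comment)."""
    techniques = [{"techniqueID": t, "score": round(r["actual"] * 100),
                   "comment": f"expected {r['expected']}, {len(r['rules'])} rule(s)"}
                  for t, r in report.items()]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}
```

With the sample data, T1566.001 (seen in SIR0001 but with no detection rule) ranks as the top gap, while T1027 meets its expected rating and is not listed.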
Improve threat hunting capabilities by leveraging relations between TTPs, SIRs and observables
When organizations track TTPs in relation to Security Incidents and Observables, this generates a valuable dataset for threat hunting. By proactively searching this continuously updated dataset, TI teams could, for example:
- Check for the existence of IOCs of interest
- Obtain statistics about the volumes and types of detected TTPs, SIRs and Observables
- Determine the effectiveness of the existing detection rules
As the MITRE ATT&CK integration comes with OOTB search filters, SOC and TI teams can quickly use these to search the dataset on, for example:
- MITRE-ATT&CK Adversary Group
- MITRE-ATT&CK Data Source
- MITRE-ATT&CK Procedure (Malware)
- MITRE-ATT&CK Procedure (Tools)
- MITRE-ATT&CK Tactic
- MITRE-ATT&CK Technique
As these filters are also available within the reporting engine, they can also be used to create specific dashboard and reporting widgets.
MITRE filter options
I hope this article provided a good overview of the capabilities of the new MITRE integration with ServiceNow Security Incident Response. If you are interested in learning more, please use the link below.
Thank you for this review Sebastiaan! I am sure the community will find it very helpful.
I believe these new features will be game changing for users of our Threat Intelligence application. 🙂
Sebastiaan - Great overview of this strategic update to Security Incident Response and Threat Intelligence!
Note that the following store applications and their dependencies deliver this functionality:
Threat Intelligence Support Common UI Components - Version 1.0.0 (Installed as a dependency when you update Threat Intelligence)
Threat Intelligence - Version 12.0.0
Threat Intelligence support Common - Version 12.0.0
Security Incident Response - Version 12.0.0
Supported platform versions: Orlando, Paris & Quebec (when GA)