🔐 SecOps Unleashed: The MITRE Att&ck x ServiceNow Saga- Part 1 🔐
06-24-2024 12:57 AM - edited 06-24-2024 12:59 AM
INTRODUCTION:
🔒 “Securing Dreams: MITRE Meets ServiceNow” 🔒
In the world of cybersecurity, I wear two hats: one labeled "ServiceNow Enthusiast” and the other “Cyber Defender.” My job isn’t just about paychecks; it’s about turning my passion into action.
Recently, we decided to embark on a mission: to blend MITRE (our cryptic detective) with ServiceNow (our IT powerhouse). Think of it as mixing ancient scrolls with modern workflows. Our threat intelligence team already speaks MITRE, but now we’re inviting it to our ServiceNow party. For this journey, I decided to break it into two acts.
🌟 Act I: Decoding MITRE
In Part 1, we’ll demystify MITRE. No jargon—just plain talk. Imagine decoding secret messages: tactics, techniques, and procedures. It’s like learning a new language, but with fewer coffee stains.
🔐 Act II: MITRE in ServiceNow
Part 2 takes us backstage. ServiceNow isn’t just a tool; it’s our digital guardian. With MITRE by its side, it orchestrates defenses, patches holes, and dances with zero-day gremlins. We’ll configure MITRE within ServiceNow, enriching our incident management.
🚀 The Grand Finale: Our Shared Vision
So, fellow dreamers, let’s break the cyber code together. The MITRE x ServiceNow adventure awaits. And that stolen image? It’s our compass—a visual guide as we navigate this digital maze.
Feel free to adjust your cyber goggles. Adventure awaits! 🌠🔍💻
What is Att&ck?
Before we dive into what ATT&CK is, let's look at some of the questions ATT&CK can help answer better.
- How effective are my defenses at detecting an intrusion from BlackCat, APT19 or FIN7?
- Is the log data we gather from monitoring worth the money we are spending on the tools that collect it?
- Do I have overlapping tool coverage?
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Think of it as an encyclopedia describing all the different things adversaries can do. One key thing to note: this is not a pie-in-the-sky model or a proof-of-concept thingy; it's based on real-world observations of what adversaries are actually doing. It's a common language that different cyber security teams speak.
Pyramid of Pain:
Let's understand the famous Pyramid of Pain by David Bianco.
It's all about the idea that certain things adversaries do are more or less painful for them to change.
Easy - Hash Value
A hash value is generated by algorithms like MD5 and SHA, and represents a specific malicious file. Hashes provide specific references to malware and suspicious files that are used by attackers for the intrusion.
Simple - IP address
IP addresses are one of the more fundamental indicators of a malicious attack source, but it is easy for an attacker to borrow an IP address through a proxy service and change it frequently.
Simple - domain names
A domain name, or even a sub-domain, has to be registered, paid for, and hosted. But many DNS service providers have fairly relaxed registration standards.
Annoying - network/host artifacts
Network artifacts are pieces of activity that can identify a malicious user and distinguish them from a legitimate user. Typical examples are a URI pattern or C2 information embedded in network protocols.
Host artifacts are observables caused by adverse activity on a host that identifies malicious activities and distinguishes them from legitimate activities. Such identifiers include registry keys or values that are known to be created by malware, or files/directories dropped in certain areas.
Challenging - tools
Tools are usually pieces of software that an attacker will use against you. This can also be a series of tools that they bring with them to interact with existing code or software. Tools include utilities that create malicious documents for spearphishing, backdoors that establish C2, password crackers, or other utilities that can compromise a target.
Tough! - TTPs
Tactics, techniques, and procedures are at the top of the pyramid. This is the entire process of how an attacker accomplishes their mission, from the beginning research phase, to the exfiltration of the data, and everything in between.
"Adversaries are human too!" - Katie Nickels
Detecting their behavior and TTPs is the best way to find them in our network and break the f**king cyber kill chain!!
Oops, sorry if you think the same after hearing "Cyber Kill Chain". I highly recommend reading this article.
Basic Terminology:
I always think of it like learning how to dance. So, let's create some analogies to understand the terminology:
- Matrices: Imagine these as different dance floors at a wild party. Each matrix represents a unique dance floor—Windows, macOS, Linux, and even the mysterious cloud dance floor. 🕺💃
- Tactics: These are like the party themes. You’ve got “Initial Access” (sneaking in through the VIP entrance), “Execution” (showing off your killer dance moves), and “Lateral Movement” (sliding across the dance floor like a pro).
- Techniques: These are the specific dance moves. Picture hackers doing the “Brute Force Boogie” (repeatedly trying to breakdance their way in) or the “Pass-the-Hash Shuffle” (passing secret dance steps to each other).
- Procedures: These are the step-by-step dance routines. Real-world hackers choreograph their moves—like the “SQL Injection Salsa” or the “Phishing Flamenco.”
So, next time you’re at a cybersecurity party, remember: “Matrices, Tactics, Techniques, and Procedures” are just fancy ways of saying “groovy dance floors, party themes, cool moves, and hacker choreography!” 🎉🔐🕺
So how does it work in ServiceNow? (source: ServiceNow Docs)
- The pre-loaded TAXII client connects to the TAXII server to ingest the data collections to Threat Intelligence.
- Existing Security Information and Event Management (SIEM) integrations ingest their threat data (alerts and events) together with the relevant TTPs, which are associated with security incidents.
- When an IoC is associated with a security incident, Threat Intelligence automatically searches threat feeds for relevant information and sends IoCs to third-party sources such as EDR, Sandbox, or TIP for additional analysis.
- If any third-party source contains the MITRE-ATT&CK information, then Threat Intelligence extracts the technique information and enriches the data in the Threat Intelligence repository for correlation and analysis.
- MITRE-ATT&CK also shares CVE context information for each technique. Your security team can review the exploited techniques in Vulnerability Response to determine if your business-critical assets are threatened.
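To make the dance-floor terminology above concrete, and to show what the pre-loaded TAXII client is actually pulling in, here is an added example (not from the original post, and not ServiceNow's or MITRE's code) that parses a constructed, trimmed bundle in the STIX 2.1 format ATT&CK publishes over TAXII. It rebuilds the tactic-to-technique matrix (dropping revoked techniques, optionally per platform) and pulls procedure examples from the "uses" relationships; the bundle, its object ids, the T9999 entry and the procedure text are made up for illustration, and the helper names are mine.

```python
import json
from collections import defaultdict

# Constructed sample in the STIX 2.1 shape ATT&CK serves over TAXII, trimmed to the fields
# read below. Object ids are placeholders (real ones are UUIDs); T9999 is a made-up ID.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Credential Access",
     "x_mitre_shortname": "credential-access",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Brute Force",
     "x_mitre_platforms": ["Windows", "Linux", "macOS"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Old Technique", "revoked": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "APT19"},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
     "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--1",
     "description": "APT19 brute-forced logins (constructed procedure text)."}]})

def attack_id(obj):
    """ATT&CK ID (T1110, TA0006, ...) from the object's mitre-attack external reference."""
    refs = [r for r in obj.get("external_references", []) if r.get("source_name") == "mitre-attack"]
    return refs[0].get("external_id") if refs else None

def build_matrix(bundle_json, platform=None):
    """Tactic ('TA0006 Credential Access') -> live techniques; revoked/deprecated dropped, platform optional."""
    objs = json.loads(bundle_json)["objects"]
    tactics = {o["x_mitre_shortname"]: f'{attack_id(o)} {o["name"]}'
               for o in objs if o["type"] == "x-mitre-tactic"}
    matrix = defaultdict(list)
    for o in objs:
        if o["type"] != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue  # retired techniques never belong on a current matrix
        if platform and platform not in o.get("x_mitre_platforms", []):
            continue  # narrow to one "dance floor" (Windows, Linux, macOS, ...)
        for phase in o.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack" and phase["phase_name"] in tactics:
                matrix[tactics[phase["phase_name"]]].append(f'{attack_id(o)} {o["name"]}')
    return dict(matrix)

def procedures_for(bundle_json, technique_id):
    """Procedure examples as (actor name, description) for every 'uses' edge into the technique."""
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs}
    target = next((o["id"] for o in objs if o["type"] == "attack-pattern"
                   and attack_id(o) == technique_id), None)
    return [(by_id[r["source_ref"]]["name"], r["description"]) for r in objs
            if r["type"] == "relationship" and r.get("relationship_type") == "uses" and r["target_ref"] == target]
```

Pointed at a real ATT&CK bundle (for example the enterprise-attack collection), the same three functions give you the full matrix and every documented procedure per technique.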
More Information:
If you feel like Sherlock in need of more info, then here are my sources:
- https://attack.mitre.org/
- https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/threat-intelligence...
- https://www.youtube.com/playlist?list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH
- https://www.youtube.com/watch?v=bkfwMADar0M
- https://www2.mitre.org/public/industry-perspective/documents/lifecycle-ex.pdf
- https://www.stationx.net/cyber-kill-chain-vs-mitre-attack/
- https://medium.com/@wintersoldiers/understanding-cyber-kill-chain-mitre-att-ck-framework-and-unified...
What's Next??
🎉🔐🕺 Stay tuned for Part 2: “Mitre in ServiceNow: The Ultimate Cybersecurity Dance-Off!”
In the next episode, we’ll teach ServiceNow to breakdance its way through the MITRE moves. Picture it: ServiceNow doing the “Incident Response Robot” or the “CMDB Cha-Cha.” 🤖💃
So grab your cyber-popcorn, because this party’s just getting started. And remember, if you see a dancing firewall, it’s not a glitch—it’s just zero-day disco! 🚀🎶
Stay groovy, my cyber-friends! 🕺💻
Disclaimer: No firewalls were harmed in the making of this article. But a few outdated antivirus programs did the Macarena. 😜🔥