The RH-ISAC is excited to announce that Splunk, a leader in Security Information and Event Management (SIEM), recently joined the community. You may recognize Splunk as one of the SIEM leaders in solving threat detection, security monitoring and compliance use cases from reading Gartner’s Magic Quadrant for Security Information and Event Management. And for our community members who are already using Splunk to improve their organization’s security posture, we’re exploring workshops that could expand your knowledge of threat detection, investigation, response, as well as a working group to share SIEM best practices, provide roadmap updates, and answer any questions about Splunk products and features.
Finding the right context in which to view your detection coverage is critical in the security domain. Lately, there’s been a lot of buzz around the MITRE ATT&CK Framework and its applications in SIEM deployments. We sat down with Ryan Becwar, contributor of ATT&CK and Consulting Sales Engineer at Splunk, to discuss how to use your SIEM with this framework.
How is the current COVID-19 pandemic impacting the adoption of the MITRE ATT&CK Framework and SIEM capabilities?
Ryan Becwar: We’re seeing an increase in both attack volume and breaches in the past year due to the COVID-19 pandemic. Ransomware is on the rise. Most recently, a leading eyewear manufacturer and retailer fell victim to a ransomware attack that took down its websites and services in Italy and China.
The pandemic has accelerated the shift away from physical stores or restaurants as well as the work-from-home trend to online shopping or home delivery, and threat actors are shifting their efforts to target eCommerce environments and remote workers. These threat actors are using the worldwide concern over COVID-19 to broadly target retail and hospitality industries, as well as consumers with targeted phishing and spear-phishing campaigns. Gamaredon is among the APT groups that have been identified taking advantage of the pandemic to trick targets. This has prompted increased investment in cyber security. Organizations should look to adopt the MITRE ATT&CK Framework for their security programs. By integrating the framework into our SIEM solution, Splunk is strengthening its monitoring rules and incident response capabilities to help organizations discover and remediate attacks quickly.
And with the holiday season fast approaching, I’m expecting to see attacks toward these industries, especially eCommerce, restaurants, and possibly hotels spike in the next few weeks. People will be doing a bulk of their shopping online and earlier this year to ensure they could get items in time and avoid the crowds.
How does the MITRE ATT&CK Framework integrate with SIEMs?
Ryan Becwar: The MITRE ATT&CK Framework can be used by the SOC to better understand the tactics and techniques of adversaries. Being able to understand how your coverage in any particular attack environment stacks up against a known framework, like the MITRE ATT&CK, is valuable to our customers’ security posture. To use the framework to your advantage, use your SIEM and correlation searches to map detections to a specific technique. This gives your organization the ability to use both network and endpoint events and map specific analytics to techniques as you define them. Once you’ve done the heavy lifting of associating the analytics to the tactics and techniques, you can build dashboards and reporting to see which techniques are most frequently used. With this insight, you can prioritize your focus on where you should be developing additional analytics to address potential blind spots.
What are some of the challenges and solutions to using MITRE ATT&CK with a SIEM?
Ryan Becwar: While the MITRE ATT&CK Framework can enhance security operations, managing the volume, sources, and validity of threat intelligence can be a challenge. There are threat intelligence platforms such as TruSTAR, however, and information sharing and analysis communities like the RH-ISAC that organizations are tapping into to correlate threat intelligence and put it to use in their security operations program.
Another challenge is that because ATT&CK is qualitative, meaning you and I can look at the same attack and identify the same attack as different techniques. We all see things a bit differently and that’s fine. By mapping techniques at an organizational level, your team will be operating on the same page.
It’s important to remember that the framework does not include all threat actors and is bound by time. Typically, the adversaries’ goals or objectives don’t change, but when or if they do, the ATT&CK knowledgebase does not capture this eloquently. I would recommend that you leverage OSINT and your own research from other sources to identify these gaps. This is where intelligence feeds from RH-ISAC can assist to enrich your own investigation.
