ThreatQuotient™, a security operations platform innovator, announces that the ThreatQ™ integration with MITRE ATT&CK™ now includes support for PRE-ATT&CK and Mobile. Together with Enterprise ATT&CK, the three-pronged framework creates an end-to-end attack chain that examines and assesses an adversaries’ actions.
Since first integrating with MITRE ATT&CK in early 2018, ThreatQuotient has helped customers integrate the framework in their workflows to achieve a holistic view of their organisation’s specific attack vectors and what needs to be done to effectively defend against adversaries. Attacks are happening with increasing velocity, and the average cost of a data breach has risen to $3.86 million, according to the 2018 Cost of a Data Breach Study by Ponemon.
The security industry is placing greater emphasis on technologies
As more organisations begin to accept the likelihood that they will be breached, the security industry is placing greater emphasis on technologies, tools and processes to accelerate detection and response. However, this is not always done with collaboration in mind. When combined, the ThreatQ platform and MITRE ATT&CK framework enables expansive and shared understanding across teams and technologies, allowing faster response when an event occurs.
“Every organisation can derive value from the MITRE ATT&CK framework to measure, improve and extend the capabilities of their security operations. To yield the greatest success, security teams should use the framework to have a complete understanding of what they are trying to protect against,” says Ryan Trost, CTO & Co-founder at ThreatQuotient.
“Whether mapping the attack tactics or techniques against your defences to more accurately assess your risk posture; connecting active adversaries to their own respective TTPs to ensure internal battle cards are accurate and distributed; or simply gauging your organisation’s higher probability threat risk areas and providing your red team better ‘real world’ objectives ThreatQ’s integration of the ATT&CK framework provides teams an out-of-the-box capability.”
“As an organisation’s capacity to use ATT&CK data evolves, the ability to dig deeper into the framework will allow a company to gain even greater value...but at their own pace. This is great for the industry and will hopefully play a cornerstone role as organisations defend themselves against attacks.” “The MITRE ATT&CK knowledge base provides a common language for the cybersecurity community to use when describing adversary behaviours,” said Katie Nickels, MITRE ATT&CK Threat Intelligence Lead. “We continue to be inspired by the ways the entire community is using ATT&CK to improve their defences.”
Respond to incidents
Threat hunting teams can take a proactive approach
ThreatQuotient has long believed that the ability to accelerate security operations starts with having a thorough and proactive understanding of the actors, campaigns and TTPs targeting an organisation. There are three main ways an organisation can use the integration of ThreatQ and MITRE ATT&CK to their advantage:
- Reference and Data Enrichment - Aggregate data from the framework into ThreatQ and search for adversary profiles to answer questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply? Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.
- Indicator or Event-Driven Response - Use ThreatQ to correlate data from the ATT&CK framework with incidents and associated indicators from inside the organisation’s environment. Security analysts can then automatically prioritise based on relevance to their organisation and determine high-risk indicators of compromise (IOCs) to investigate. With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and execute appropriate courses of action for more effective detection and more efficient threat hunting.
- Proactive Tactic or Technique-Driven Threat Hunting - Pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Threat hunting teams can take a proactive approach, beginning with the organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment. For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organisation? Are my endpoint technologies detecting those techniques?
ThreatQuotient’s Neal Humphrey, Threat Intelligence Engineer Director, North America, will host a webinar on May 22, 2019 at 2:00pmET to discuss best practices for applying the MITRE ATT&CK framework effectively and making it actionable.