Malware researcher + threat analyst: Two perspectives on the MITRE ATT&CK™ knowledge base


In this post, members of ESET’s malware research and malware & threat analysis teams discuss how the “ATT&CK effect” has impacted their practice. First, let’s take a brief look at how ATT&CK aids collaboration, continued learning and innovation at ESET.

What may seem like a frenzy of activity, communications and even hype around the MITRE ATT&CK knowledge base (KB) to some in the cybersecurity industry, for others has become almost second nature. The KB, its common taxonomy and its growing portfolio of well-mapped attack techniques have laid the groundwork for improved collaboration across industries, and among threat analysts, researchers and other professionals working to translate findings into useful practices when operating complex endpoint detection and response products.

The malware researcher
Senior malware researcher Marc-Étienne Léveillé developed Mac and iOS software before he joined ESET, but he was already passionate about computer security and was aiming for a career in the industry. “Despite gaining a lot of technical knowledge, I was afraid the jargon used by established researchers would differ from what I was using, and I wasn’t sure if the terminology I’d picked up while reading online blogs and articles was actually used by organizations I wanted to join,” Léveillé recalled.

That knowledge gap is something the ATT&CK KB attempts to fill by providing a common taxonomy. Since the descriptions provided by MITRE and its collaborators are accurate and respected by senior practitioners in the industry, they are of great benefit to newcomers on research and analysis teams, and even to less technical people, allowing them to speak about attack techniques more confidently.

Solving the taxonomy problem also pays off in collaboration among teams within the same organization: incident responders, researchers, product R&D, security operations center (SOC) analysts and other IT security professionals.

An extension of that benefit, from Léveillé’s perspective, is that “it structures parts of our output as malware researchers into something digestible by others and even by automated systems.” Now, in ESET’s research on WeLiveSecurity, “ATT&CK Techniques” join file hashes, domain names, IP addresses, YARA signatures and other indicators of compromise in the documentation. The same applies to the plain-text, parseable files in ESET Research’s GitHub repository, which broadens the range of people and tools that can consume those parts easily.

The threat analyst
Senior malware & threat analyst Miroslav Babis started to work with ATT&CK at the end of 2016. “I was part of a team tasked to create the ruleset for our EDR solution, ESET Enterprise Inspector (EEI). We started by processing internal sources and knowledge—mainly our Host-based Intrusion and Prevention System (HIPS) rules and heuristics rules—and expanded it with external open-source data. That’s when I noticed ATT&CK and started to use the KB (even if they call it framework), because it, unlike most other resources, provided contextual information about what attackers can do in your network and how they can achieve it.”

Babis’ utilization of ATT&CK started in 2016, “about two years before it got to its current ‘hype’ state and began to gain serious traction in the cybersecurity industry… and that may be associated with the growing trend of knowledge sharing in the industry, changing from a mindset of closely guarded proprietary knowledge to a more collaborative culture where we share IOCs. Whether this is good or bad is another complex topic.”

Babis’ role has evolved to include technical review of potential ATT&CK contributions and continued work on updating the ever-growing ruleset for ESET Enterprise Inspector. In the latter, he sees value in “ATT&CK’s comprehensive descriptions of techniques and examples of their real-world usage.”

“Internally, I responded by creating a type of ‘visibility’ mapping matrix of things EEI should see, to ATT&CK. I subsequently mapped what EEI is actively monitoring and reporting. By comparing the two, the team determined what EEI is (actually) able to see and were able to identify areas we could improve by closing gaps and further improving the ruleset.”

As MITRE’s ATT&CK framework evolves, Babis still appreciates the influence it has on his frame of reference and how he thinks about creating and recreating rules for EEI. “The threat analysis team’s engagement (with ATT&CK) yields small innovations; for example, we now reference ATT&CK techniques directly into EEI’s rules.”
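The two practices Babis describes, a visibility matrix of what the sensor should see compared against what the rules actually report, and rules that carry ATT&CK technique references directly, can be checked mechanically. The script below is an added illustration and is not ESET's or EEI's code: the target matrix, the JSON rule layout (a `techniques` list per rule) and the rule names are all constructed for the example, while the technique IDs are real ATT&CK IDs chosen only to make the sample realistic. It reports per-tactic gaps, rules that cover techniques the matrix never asked for, and emits a minimal Navigator-style layer so the gaps can be eyeballed on the matrix.

```python
"""Visibility-gap check: target ATT&CK coverage vs. techniques referenced by rules.
Added example, not EEI's or ESET's own tooling; data below is constructed."""
import json
from collections import defaultdict

# Constructed target matrix: techniques (by tactic) the team decided the
# sensor *should* be able to see. IDs are real ATT&CK IDs; the selection is illustrative.
TARGET_VISIBILITY = {
    "execution": {"T1059", "T1053"},
    "persistence": {"T1053", "T1547"},
    "defense-evasion": {"T1027", "T1055"},
    "credential-access": {"T1003"},
    "command-and-control": {"T1105"},
}

# Constructed sample ruleset. The JSON shape (id/name/techniques) is an
# assumption made for this example, not EEI's rule format.
SAMPLE_RULES_JSON = """
[
  {"id": "R-0001", "name": "Script interpreter spawned by Office app", "techniques": ["T1059"]},
  {"id": "R-0002", "name": "Scheduled task created from temp dir", "techniques": ["T1053"]},
  {"id": "R-0003", "name": "LSASS memory read by non-system process", "techniques": ["T1003"]},
  {"id": "R-0004", "name": "Remote thread created in another process", "techniques": ["T1055"]},
  {"id": "R-0005", "name": "Download utility run by script host", "techniques": ["T1105", "T1059"]},
  {"id": "R-0006", "name": "Mail client wrote executable attachment", "techniques": ["T1566"]}
]
"""

COVERED_COLOR = "#8ec843"   # green: at least one rule references the technique
GAP_COLOR = "#ff6666"       # red: targeted but no rule references it


def techniques_in_rules(rules_json):
    """Map each referenced technique ID to the rule IDs that reference it."""
    covered = defaultdict(list)
    for rule in json.loads(rules_json):
        for tech in rule.get("techniques", []):
            covered[tech].append(rule["id"])
    return dict(covered)


def coverage_report(target, covered):
    """Compare the target matrix with what the rules actually report.

    Returns per-tactic gaps (targeted, uncovered), a per-tactic coverage ratio,
    and 'orphans': techniques rules cover that the matrix never asked for
    (a hint that the matrix itself needs updating)."""
    report = {"gaps": {}, "ratio": {}, "orphans": set(covered)}
    for tactic, wanted in target.items():
        missing = sorted(t for t in wanted if t not in covered)
        report["gaps"][tactic] = missing
        report["ratio"][tactic] = round((len(wanted) - len(missing)) / len(wanted), 2)
        report["orphans"] -= wanted
    report["orphans"] = sorted(report["orphans"])
    return report


def navigator_layer(target, covered, name="visibility-gaps"):
    """Build a minimal ATT&CK Navigator-style layer dict (techniqueID/tactic/color/
    comment entries; the exact layer schema version is omitted here) so the gaps
    can be viewed on the matrix."""
    entries = []
    for tactic, wanted in target.items():
        for tech in sorted(wanted):
            rules = covered.get(tech, [])
            entries.append({
                "techniqueID": tech,
                "tactic": tactic,
                "color": COVERED_COLOR if rules else GAP_COLOR,
                "comment": "rules: " + ", ".join(rules) if rules else "no rule references this technique",
            })
    return {"name": name, "domain": "enterprise-attack", "techniques": entries}


if __name__ == "__main__":
    covered = techniques_in_rules(SAMPLE_RULES_JSON)
    report = coverage_report(TARGET_VISIBILITY, covered)
    for tactic, missing in report["gaps"].items():
        print(f"{tactic:22s} coverage={report['ratio'][tactic]:.2f} gaps={missing}")
    print("orphans (covered but not in target matrix):", report["orphans"])
    print(json.dumps(navigator_layer(TARGET_VISIBILITY, covered), indent=2))
```

Run against the constructed data, the report flags T1547 (persistence) and T1027 (defense evasion) as targeted-but-unmonitored, and T1566 as covered by a rule although the matrix never listed it; both lists are the starting point for the gap-closing Babis describes.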

This enriched explanation in EEI is set to deliver more specific content and better context (thanks to ATT&CK) behind every rule and the alarms it triggers. Ultimately, the goal is to help customers use EEI more effectively and efficiently. It should also sharpen the threat-level perspective through “context-risk quantification” of all potential threats.

These features should yield better results whether they are used by well-trained SOC personnel or by a security admin on an understaffed team who is trying to make sense of all the alarms.

Babis, who passes his ruleset outputs directly to product R&D, highlights the benefits of ATT&CK well: “The biggest influence I see from engaging with ATT&CK is that it imprints an efficient mapping and documentation process on people engaging in activities as diverse as ruleset creation and product functionality, on to descriptions of threats mapped to specific techniques in blogs and research papers.”

Highly useful, but challenges remain
Babis’ and Léveillé’s accounts show that ATT&CK has yielded dividends for both malware researchers and threat analysts. But challenges remain. One is that “there are a limited number of techniques available to describe the malware we analyze. On the other hand, some techniques are very generic and apply to almost every piece of malware; possibly leaving an impression that the information is redundant. Some techniques are even missing, which makes the mapping to ATT&CK impossible,” Léveillé explained. “But after all, ATT&CK is a living thing. This is ultimately why we’ve decided to support the ATT&CK matrix and are submitting contributions to MITRE for its further improvement. Let’s see where this community can take it next.”