ThreatQuotient, a leading security operations platform innovator, announced that the ThreatQ integration with MITRE ATT&CK now includes support for PRE-ATT&CK and Mobile. Together with Enterprise ATT&CK, the three-pronged framework creates an end-to-end attack chain that examines and assesses an adversaries’ actions.
Since first integrating with MITRE ATT&CK in early 2018, ThreatQuotient has helped customers integrate the framework in their workflows to achieve a holistic view of their organization’s specific attack vectors and what needs to be done to effectively defend against adversaries.
Attacks are happening with increasing velocity, and the average cost of a data breach has risen to $3.86 million, according to the 2018 Cost of a Data Breach Study by Ponemon. As more organizations begin to accept the likelihood that they will be breached, the security industry is placing greater emphasis on technologies, tools and processes to accelerate detection and response.
However, this is not always done with collaboration in mind. When combined, the ThreatQ platform and MITRE ATT&CK framework enables expansive and shared understanding across teams and technologies, allowing faster response when an event occurs.
“Every organization can derive value from the MITRE ATT&CK framework to measure, improve and extend the capabilities of their security operations. To yield the greatest success, security teams should use the framework to have a complete understanding of what they are trying to protect against,” says Ryan Trost, CTO & Co-founder at ThreatQuotient.
“Whether mapping the attack tactics or techniques against your defenses to more accurately assess your risk posture; connecting active adversaries to their own respective TTPs to ensure internal battle cards are accurate and distributed; or simply gauging your organization’s higher probability threat risk areas and providing your red team better ‘real world’ objectives ThreatQ’s integration of the ATT&CK framework provides teams an out-of-the-box capability.
“As an organization’s capacity to use ATT&CK data evolves, the ability to dig deeper into the framework will allow a company to gain even greater value…but at their own pace. This is great for the industry and will hopefully play a cornerstone role as organizations defend themselves against attacks.”
“The MITRE ATT&CK knowledge base provides a common language for the cybersecurity community to use when describing adversary behaviors,” said Katie Nickels, MITRE ATT&CK Threat Intelligence Lead. “We continue to be inspired by the ways the entire community is using ATT&CK to improve their defenses.”
ThreatQuotient has long believed that the ability to accelerate security operations starts with having a thorough and proactive understanding of the actors, campaigns and TTPs targeting an organization.
Reference and data enrichment
Aggregate data from the framework into ThreatQ and search for adversary profiles to answer questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply?
Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.
Indicator or event-driven response
Use ThreatQ to correlate data from the ATT&CK framework with incidents and associated indicators from inside the organization’s environment. Security analysts can then automatically prioritize based on relevance to their organization and determine high-risk indicators of compromise (IOCs) to investigate.
With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and execute appropriate courses of action for more effective detection and more efficient threat hunting.
Proactive tactic or technique-driven threat hunting
Pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Threat hunting teams can take a proactive approach, beginning with the organization’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment.
For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organization? Are my endpoint technologies detecting those techniques?