MITRE ATT&CK KILL CHAIN

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

The ATT&CK Kill Chain Matrix categorizes the tactics, techniques and procedures (TTPs) that describe the behavior of adversaries and insider threats. Columns of the ATT&CK Matrix are categories of adversary “tactics” progressing left-to-right from Initial Access to Lateral Movement to ultimate Command & Control. Each tactic category contains a number of named techniques.

ATT&CK MATRIX DASHBOARD
  • ATT&CK prioritizes real-time Indicators of Compromise (IoC) & Incident Response actions
  • Automated mapping of IoC events to adversary behavior in the Kill Chain
  • One-click searches from the ATT&CK dashboard
  • Live updates to the Capture Data Graph, and Critical Alerts List
ATT&CK DRIVES INCIDENT RESPONSE
  • Start with red-flag behavior, like Exfiltration or suspect C&C activity
  • Work backward in the ATT&CK Map to uncover penetration and lateral movement
  • One-click search to show IoCs for each step in the Kill Chain
  • Then click through to all correlated PCAP data
Case Manager – IOC POLICIES
  • SNORT/SURICATA Rule Sets
  • YARA Malware Rule Sets for Detected Files
  • Threat IPs
  • Defended Assets & Services
  • Active Triggers (BPF-based)
Case Manager – Event Search Actions
  • One-click time-based search
  • Text-based search of alerts
  • All IoC events correlated with PCAPs, IPFIX flow records, and sessionized logs
Time-based Data Graph
  • Legends show key packet capture and data compression statistics.
  • One-click search from any point in time automatically fills in a search request.

LOSSLESS PACKET Capture with DATA ENRICHMENT

The immutable ground truth of any critical event – not merely an interpretation. CyberPro provides a performance guarantee of sustained lossless capture rate, for a set of real-time packet analytics (Case Manager) functions, and a specified number of cluster nodes. This means a deterministic guarantee to capture every packet under real world conditions, not just a “best effort” attempt.

  • Lossless packet capture from 1Gbps, to 40Gbps, to 100+Gbps telco interfaces
  • Remote Packet Viewer for Wireshark-level detail about packets-in-place at remote sites
  • Time stamping of 150 nanoseconds
  • Real-time IDS alert configurator generates event logs for HTTP, Files, DNS, email, user agents, TLS/SSL, VOIP – all cross-correlated with PCAP & IPFIX flow records
  • Case Manager advanced packet analytics options include real-time event logging & cross-correlation
  • 1000s of Snort/Suricata rules, from prepackaged libraries and user-defined rulesets
  • Sessionized logging for Email, HTTP, SMTP, Files, DNS, User Agents, TLS/SSL
  • IPFIX flow record logging and search
  • Scalable architecture to meet your speed and/or analytics requirements
  • Federate multiple cluster-based capture systems, for global visibility and PCAP retrieval

Simplified Workflow

CyberPro simplifies your workflow by integrating endpoint behavior, network signature visibility and DPI with a simple pivot to the sessionized network data, enriched metadata and file recovery. Mitigate the nearly 2/3 of breaches per incident that are easy to catch, such as administrative issues, by implementing effective, basic cyber practice policies: tracking user agent signature characteristics, email and file exfiltration.

Diagram of simplified workflow
Log Manager Workflow

Log Manager showing HTTP log tab - HTTP session extraction and reconstruction of various files on the web page, including a JPG file showing the original content and metadata file breaking down the JPG file

POLICY-DRIVEN WORKFLOW

The CyberPro user interface (and programmatic REST/API) integrates Policy Management, Case Management, Forensic Investigation, and Open Data Access.
An integrated Case Manager gives visibility to analysts about critical events, and allows quick drill-down to full session logs and full PCAP file content. Real-time IoC Policy Management comes with pre-packaged ruleset libraries, and allows SOC teams to design and upload their own rule sets, including

  • IDS rulesets
  • Malware rulesets
  • ThreatIP lists
  • Defended assets
  • Defended services
  • BPF-based Active Triggers

All policy-driven IoC events can map to MITRE’s open ATT&CK matrix kill-chain categories, for adversary behavior and insider threats.
All policies generate logs/metadata, which are compressed, correlated, and instantly searchable.
All policies integrate within a full-featured Case Management User Interface.
CyberPro facilitates the “Spiral-Model” methodology for effective forensic investigations.

Standards-Based Policies

Open Source Rulesets & Data Interfaces:

  • MITRE’s ATT&CK kill-chain matrix — map events to adversary TTP activity
  • Snort/Suricata — IDS alert rulesets
  • Yara — File-based malware detection rulesets
  • BPF — User-defined Active Trigger alerts
  • Defended Assets/Services — Flexible user-defined lists
  • TAXII/STIX — pre-packaged ThreatIPs and rulesets, supported via structured cyber threat information
  • Nessus — active PEN test scanning of End Points (optional)
  • Kali — active vulnerability scanning of End Points (optional)

Open Data Access, with standard file formats:

  • PCAP-NG packet data
  • IPFIX netflow records
  • Text/CSV/syslog for enrichment log data

Open Workflow Automation & Orchestration:

  • Full-featured, mature REST/API
  • Custom Workflow Scripting
  • 3rd Party Event/Data/PCAP Correlation

INTEGRATED CASE MANAGEMENT

CyberPro facilitates and automates incident response and threat-hunting for individual investigators, or for a coordinated SOC team. Policies applied to logs/events in real-time are escalated to Active Hunt Cases, either manually or by automated policy management. For example, traffic involving known ThreatIPs, or file checks detecting malware, are automatically escalated. In a similar way, SOC teams may curate their own automated policy rulesets. To further assist analysts to evaluate the relative importance of Active Hunt Cases, any type of alert/trigger/DNS event can be automatically mapped to a TTP category within the ATT&CK matrix.

Labor / Cost Reduction

Combine zero-day alerting, with a pivot for analysis/mitigation, and historical post-breach forensic analysis of incidents such as “cyber-espionage,” “point-of-sale intrusions,” and “privilege misuse.” Reduce the cost of the network recording software and systems needed for medium and large networks.

Reduce labor needed for identification of indicators of compromise with an easy process to pivot to sessionized data / enriched meta data and reconstruct email and files for review.

Multiple features enable labor / cost reduction including

  • Real-time Data Compression: In-line packet compression is transparent to the user. All packets are compressed as they are captured, and all extracted PCAP files are decompressed. Overall storage amplification up to 10x (depending on percentage of traffic with SSL encrypted or compressed packet payloads)
  • Cluster architecture leverages CPU power over many servers for super-fast query response, while enabling low-cost local-attached storage on a massive scale. Forensic timelines smoothly scale over days, weeks & months.
  • Massive queries over large timelines respond quickly, even as the timeline increases
  • Federated search across multiple CyberPro appliances at diverse geographic locations, without any “concentrators” required

Fast Query / Streaming

  • Fast, Streamed Query Results
    • Every query has the option to return PCAP files, IPFIX records, and/or any log files.
    • All results are streamed in “chunks”, allowing partial results to be analyzed while the remaining query is completed, the first of which appear almost immediately after the query initiates.
  • Historical “look-back” queries based on standard Berkeley Packet Filter (BPF) within a time period.
  • Active Trigger “look-forward” alerts, BPF-based and user-defined, can generate dozens of simultaneous alerts when the target condition occurs.
  • Pre-capture filters (BPF-based) can be changed on-the-fly during capture operations
  • All historical logs searchable by text string
  • Real-time indexing
    • Every packet gets a timestamp and correlation index
    • Every log & alert event is cross-correlated to PCAPs and IPFIX flow records
  • Streaming Playback Feature
    • PCAPs that have been searched/filtered/extracted with the CyberPro UI may be replayed out of a 1G copper RJ45 interface to an external device
    • Compatible with ANY 3rd party capture/analysis tool – just like a span/mirror port.

Great for recording, additional packet/signature analysis, or back-testing new firewall policies against real historical traffic.

Threat-IP Detection

CyberPro enables identification, monitoring, viewing, and mitigation of pre-defined Threat IPs as well as user-defined IPs. CyberPro comes pre-loaded with a known list of Threat IPs: malicious IPs previously identified by trusted sources such as US-CERT, for your protection.

From the CyberPro Case Manager or data graph, users can:

  • Upload/enable, view or delete/disable lists of identified Threat IPs
  • Set alerts based on identified Threat IPs
  • Create Active Defense actions (via user criteria or Suricata rules) to be taken when a Threat IP is identified
  • With one click, view detailed PCAP session information where a threat is identified

When a Threat IP is identified as present in a session, the system generates a severe alert and a pre-defined Active Defense action can be executed or, if one is not available, alert info can be sent to an external server.

Defended Assets & Services

CyberPro enables identification, monitoring, viewing and automatic approval of Defended Assets, which consist of Critical IPs (essential infrastructure) as well as Trusted Asset IPs (host IP addresses defined as safe). Similarly, Defended Services for each critical network application/protocol are defined by port number.

Using the CyberPro Dashboard and Case Manager, users can:

  • Upload, view or delete lists of identified Assets and Services
  • Associate assets or services with the MITRE ATT&CK matrix
  • Set alerts based on identified assets or services
  • Monitor / view sessions containing specified assets/services as the source or destination
  • With one click from the ATT&CK Dashboard, view detailed PCAP session information where an asset/service is identified
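The Threat-IP and Defended Assets/Services policies described in the two sections above, as an added example that is not CyberPro code: a small policy evaluator run over constructed IPFIX-style flow records. The address lists, the severities, the treatment of Trusted Asset IPs as approved peers, and the ATT&CK tactic labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy lists using documentation-range addresses (placeholders,
# not real indicators). Threat IPs may be single hosts or whole prefixes.
THREAT_IPS = [ip_network("203.0.113.7/32"), ip_network("198.51.100.0/24")]
CRITICAL_IPS = {ip_address("10.0.0.5")}        # essential infrastructure
TRUSTED_IPS = {ip_address("10.0.0.20")}        # hosts defined as safe
DEFENDED_SERVICES = {445: "smb", 3306: "mysql"}  # defended services by port

# Assumed ATT&CK tactic labels for each policy type (illustrative mapping).
TACTIC = {"threat_ip": "Command and Control",
          "defended_asset": "Lateral Movement",
          "defended_service": "Lateral Movement"}

@dataclass(frozen=True)
class Flow:
    """One IPFIX-style flow record (constructed sample format)."""
    src: str
    sport: int
    dst: str
    dport: int

def evaluate(flow: Flow) -> list[dict]:
    """Return the policy alerts a single flow record raises."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    alerts = []
    # Threat-IP policy: either endpoint on the list raises a severe alert.
    if any(p in net for p in (src, dst) for net in THREAT_IPS):
        alerts.append({"policy": "threat_ip", "severity": "severe"})
    # Defended-asset policy: traffic touching a critical IP is flagged unless
    # the peer is a trusted asset (assumed reading of "automatic approval").
    for asset, peer in ((src, dst), (dst, src)):
        if asset in CRITICAL_IPS and peer not in TRUSTED_IPS:
            alerts.append({"policy": "defended_asset", "severity": "high"})
            break
    # Defended-service policy: keyed on the destination port number.
    if flow.dport in DEFENDED_SERVICES:
        alerts.append({"policy": "defended_service", "severity": "medium",
                       "service": DEFENDED_SERVICES[flow.dport]})
    for alert in alerts:
        alert["tactic"] = TACTIC[alert["policy"]]
    return alerts

def triage(flows: list[Flow]) -> list[dict]:
    """Evaluate every flow; return all alerts, most severe first."""
    rank = {"severe": 0, "high": 1, "medium": 2}
    found = [dict(a, flow=f) for f in flows for a in evaluate(f)]
    return sorted(found, key=lambda a: rank[a["severity"]])
```

Calling `triage` on a list of flows returns the alert set an analyst would see ranked in a Critical Alerts list, with each alert carrying the flow that raised it.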

Email Search / Extraction

Identify and search email strings and subjects. The email extraction feature includes sender, receiver, subject line and text reconstruction.

  • SMTP email session logging with body text in HTML format and file attachment reconstruction from the original MIME format
  • SMTP subject, sender and receiver email address logging

Log Manager email tab showing SMTP email session extraction and reconstruction of email attachment as Excel file with original content and metadata file

CyberPro simplifies the email session logging process with pivot to sessionized search and file recovery.

  • Free form text search capability
  • Clickable by event
  • Second click initiates packet session recovery and file reconstruction
  • Just two more clicks to the reconstructed file and meta data for that HTTP or SMTP email session
  • All viewable and downloadable

List of SMTP email sessions searchable by time stamp, capture node location, session information, and SMTP email address (sender / receiver). A user can click to get the full session packets, extract the email subject / text and reconstruct file attachments in their original MIME format: PDF, doc, etc.


Search window based on selected sessions.


Reconstructed JPG file displayed with the metadata file associated with that graphic image.

File Leakage / Exfiltration

CyberPro enables

  • HTTP, email and file transfer session logging and file identification
  • Identification and reconstruction of files and associated metadata in their original MIME type for viewing and analysis

File Leakage Session showing logs and pivot to session search and file reconstruction with metadata

TLS / SSL Visibility

Gain visibility into TLS / SSL encrypted sessions. Log and extract sessionized PCAP data by timestamp, capture node and session information to recover the sessionized packets, then offload them to Wireshark for decryption using customer-provided keys.

Open Data interfaces

CyberPro’s open interface enables the use of 3rd party commercial and open source tools, from SIEMs to additional cyber analytics.

  • Open file formats and data viewers
    • Standard PCAP-NG file and IPFIX record extractions viewable in Wireshark or TShark
    • Log files and alerts viewable as CSV or text files in any compatible application such as MS Office.
  • Remote Access to file extractions with Web GUI
  • PCAP playback feature for 3rd party tools

Open REST/API for creating custom workflows to automate Incident Response, Policy-driven data retention, or interface to legacy analytics tools.

Web UI & REST API

  • CyberPro dashboard integrates MITRE’s ATT&CK Matrix methodology to provide quick context for policy-driven IoC events.
  • One-click searches directly from Dashboard areas: ATT&CK Matrix, Capture Data Graph or Critical Alerts. Searches auto-populate with the query request per user context, simplifying the process of finding and viewing critical events and associated PCAP files
  • CyberPro has remote viewers for sessions, packets, IoC events, and even previews for detected files. Data can be viewed without external tools or downloading to the local system. Besides viewing, the user can also create more concentrated and focused searches from the data in view.
  • Comprehensive Case Manager screen with tabs for each IoC policy type, allowing instant search and correlation with PCAP and IPFIX flow records
  • Remote access to manage and control multiple devices including hot-accessible cluster node changes
  • Control of multiple clusters in a globally dispersed federation of capture systems