Collective Security: ESET improves cyber armor with MITRE ATT&CK(TM) knowledge base


Frequently referenced and well regarded as a research leader among its industry peers, ESET has answered MITRE’s call to contribute to the ATT&CK knowledge base, which maps the tactics and techniques used by cyber adversaries. By actively participating in the expansion of this industry (and academic) knowledge base, ESET also advances its own technical and business goals.

Where do we see the benefits of participation?
For many years, best practice among security vendors meant, in large part, submitting successive versions of products to third-party testers and sharing detections with VirusTotal, creating the conditions for fair comparison of AV products and for a well-monitored security ecosystem. This approach delivered solid intelligence to professionals and consumers alike and led to consistent innovation in cybersecurity technology and research practice.

In effect, this also provided a form of collective security that helped systematically build and circulate a widening knowledge base of detections for malicious code and for the campaigns behind it. Now, however, with the stakes raised by our ever-increasing dependence on, and integration of, IT systems, it has once again become necessary to raise the level of the security discourse.

In an age of targeted attacks by highly skilled adversaries, both cybersecurity researchers and R&D teams across the industry have had to take additional steps to help internal security teams address threats and, importantly, to communicate the current threat landscape to C-level leaders. This in turn helps organizations decide where to invest money, time and resources to improve their defenses.

With this in mind, researchers’ teardowns of specific attack tactics (viewable in the MITRE ATT&CK Navigator) lay bare the structure and functionality of attacks, such as the techniques used to compromise enterprises. By contributing to this growing knowledge base, ESET helps inform better security practice and risk assessment within the security community as well as in organizations and businesses.

Although ATT&CK has existed since 2015, its more recent output is poised to help government, industry, organizations and end users benefit from improved threat intelligence. Relevant examples of documented activity include the 2016 hack of the Democratic National Committee, the activities of the FIN7 cybercrime gang, and campaigns some have attributed to North Korea, including the notorious Sony Pictures Entertainment hack. To better address similar attacks, ESET has significantly improved threat visibility for enterprises via our Endpoint Detection and Response solution, ESET Enterprise Inspector, as well as through improved capabilities in our expanded endpoint security suite and security services.

One of the complex scenarios mapped to the ATT&CK framework, recently demonstrated by ESET at RSA 2019, offers a teardown of a multi-stage attack that leveraged various techniques, including spearphishing, malicious use of removable media, PowerShell, User Account Control (UAC) abuse, command and control communications, registry modification, and network scanning/endpoint mapping. All of these were leveraged in an attempt to target a single MacBook on a corporate network via an exploit that would ultimately lead to a ransomware infection.

The scenarios, reconstructed as an animation, show step by step what the malware in question could have done when various layers of ESET Dynamic Threat Defense (EDTD) were deliberately disabled. In the animation, this lowering of defenses takes place while the viewer has full visibility of the action through the ESET Security Management Center dashboard, which shows how the remaining layers of protection still actively block the APT in question.

How does the MITRE ATT&CK(TM) knowledge base benefit vendors and enterprises?
Contributing documentation on attack tactics and techniques provides a thorough “workout” for the malware researchers and R&D teams who are constantly fine-tuning ESET’s solutions. As investment in frameworks such as MITRE ATT&CK (there are others) has grown, they have also come to complement “traditional” AV tests by providing an actionable common language that organizations, their internal security teams, researchers and security companies can use to describe an adversary’s modus operandi and the steps needed to mitigate the threat.

As such, vendors mapping to the ATT&CK taxonomy not only contribute to a shared knowledge base that lets information security professionals describe attacks and techniques in a common language; it also means that researchers’ progress in mitigating malicious tactics can be rapidly reflected in protective technology and adopted by cybersecurity practitioners. As mentioned earlier, the knowledge base also helps security teams communicate to leadership about threats, their mitigation, and the investment in tools needed to maintain best security practice.

Since March 2019, ESET research articles published on WeLiveSecurity and presented at research events attended by ESET researchers include a table listing the ATT&CK techniques referenced in the article, along with the corresponding tactic for each and a description of how the technique is used. This too can help organizations protect themselves against the threats we document, by verifying that they have the knowledge and systems in place to counter those techniques. It also helps extend the ATT&CK knowledge base by documenting relationships between techniques and groups.
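To make such a technique table usable for the coverage check just described, the following is an added example (editor's code, not ESET's or MITRE's) that holds a mapping table for the RSA 2019 scenario above, validates each technique ID, lists the techniques for which an organization has no detection, and emits an ATT&CK Navigator layer scored by that coverage. The technique IDs are the editor's own mapping of the techniques named in the scenario to current Enterprise ATT&CK IDs (the page names the techniques but assigns no IDs), and the `COVERED` set is a constructed stand-in for an organization's own detection inventory.

```python
"""ATT&CK mapping table -> coverage gaps and Navigator layer.

Added example, not ESET's or MITRE's code. Technique IDs are the editor's own
mapping of the RSA 2019 scenario techniques; COVERED is constructed sample data.
"""
import json
import re

# Enterprise ATT&CK technique IDs look like T1059 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed mapping table in the style of the tables appended to research
# articles: (technique ID, tactic shortname, how the technique is used).
SCENARIO_TECHNIQUES = [
    ("T1566.001", "initial-access",        "Spearphishing attachment delivers the first stage"),
    ("T1091",     "initial-access",        "Payload copied onto removable media"),
    ("T1059.001", "execution",             "PowerShell stager runs the downloader"),
    ("T1548.002", "privilege-escalation",  "UAC bypass to obtain elevated rights"),
    ("T1071.001", "command-and-control",   "HTTP(S) beacon to the C2 server"),
    ("T1112",     "defense-evasion",       "Registry keys modified for persistence/evasion"),
    ("T1046",     "discovery",             "Scans the subnet for reachable hosts and services"),
    ("T1486",     "impact",                "Ransomware encrypts user data"),
]

# Constructed: IDs the organization believes it can detect or mitigate.
# A parent technique (T1059) is treated as covering all of its sub-techniques.
COVERED = {"T1566.001", "T1059", "T1071.001", "T1486"}


def validate(rows):
    """Fail loudly on malformed IDs; a typo would otherwise vanish silently
    from the Navigator heat map and hide a real gap."""
    bad = [tid for tid, _, _ in rows if not TECHNIQUE_ID.match(tid)]
    if bad:
        raise ValueError(f"malformed ATT&CK technique IDs: {bad}")
    return rows


def is_covered(tid, covered):
    """Covered by an exact match or by the parent technique of a sub-technique."""
    parent = tid.split(".")[0]
    return tid in covered or parent in covered


def coverage_gaps(rows, covered):
    """Return the table rows for techniques the organization cannot counter:
    the list to prioritise when reading a report."""
    return [row for row in validate(rows) if not is_covered(row[0], covered)]


def navigator_layer(rows, covered, name="RSA 2019 scenario"):
    """Build an ATT&CK Navigator layer: score 1 for covered techniques, 0 for
    gaps, so the heat map shows what to fix. Assumption: only the fields used
    here are emitted; add a 'versions' block matching your Navigator release."""
    techniques = [
        {
            "techniqueID": tid,
            "tactic": tactic,
            "score": 1 if is_covered(tid, covered) else 0,
            "comment": use,
            "enabled": True,
            "showSubtechniques": True,
        }
        for tid, tactic, use in validate(rows)
    ]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Techniques from the report, scored by local detection coverage",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    for tid, tactic, use in coverage_gaps(SCENARIO_TECHNIQUES, COVERED):
        print(f"GAP  {tid:<10} {tactic:<22} {use}")
    print(json.dumps(navigator_layer(SCENARIO_TECHNIQUES, COVERED), indent=2))
```

Run it and the four uncovered rows (removable media, UAC bypass, registry modification, network scanning) are printed first, followed by a layer JSON that can be loaded into the ATT&CK Navigator to visualize the same gaps. The parent-covers-sub-technique rule is a deliberate choice; an organization with narrower detections (say, only for one PowerShell variant) should tighten `is_covered` to exact matches.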

Benefit to ESET?
As of May 29, 2019, ESET research, one of the most heavily referenced sources, has more than 76 articles (mostly research published on WeLiveSecurity.com) cited across the MITRE ATT&CK website, and two ESET researchers are credited for contributing newly discovered techniques. These ongoing contributions provide increased recognition and visibility for ESET’s malware research and offer additional possibilities to transfer knowledge to that close-knit community.

Because MITRE requires a structured mapping approach, research peers can also rapidly engage to seek out or share further insight.

ESET’s latest accepted contributions to the MITRE ATT&CK knowledge base relate to our series on OceanLotus (also known as APT32) (pt. 1, 2) and to Ebury, an SSH backdoor targeting Linux systems that is still active and evolving. We continue to work on new contributions and are in active communication with the MITRE ATT&CK team to expand the knowledge base even further.

Internally, ESET’s expanded knowledge base helps us improve our own detection capabilities, which are critically important for effective EDR solutions today and tomorrow.

Thus, the collaborative approach pays dividends to our technology and practice, and at the same time builds a stronger foundation for the future bulwarks of collective enterprise cybersecurity built across the industry.

Learn more about our contributions to the ATT&CK knowledge base