NetWitness Community

A week ago, we released MITRE ATTCK® Coverage Breakdown for RSA Netwitness Threat Content with ‘MITRE ATT&CK® Techniques – RSA Netwitness Threat Content Mapping’ spreadsheet, which documents all MITRE ATT&CK® Tactics and Techniques covered by RSA Netwitness’ Threat Content. We enriched this information with Application Rules, Event Stream Analysis (ESA), and Packet parsers, currently mapped to these Techniques and Sub-Techniques with some additional information. Following up on previous blog post, this blog expands further into top MITRE ATT&CK® techniques and RSA Netwitness’ Threat Content.

From initial days of MITRE ATT&CK® framework, RSA Netwitness’ research and threat content development teams have been actively involved in mapping RSA’s Threat Content with appropriate MITRE ATT&CK® Tactics and Techniques. These are some observations and statistics around MITRE ATT&CK® and its coverage for RSA NetWitness’ Threat Content.

For detailed information about MITRE ATT&CK® techniques covered in this blog refer Techniques - Enterprise | MITRE ATT&CK

The attached spreadsheet, ‘Top MITRE ATT&CK® Techniques - RSA Netwitness Threat Content Coverage’, documents the MITRE ATT&CK® Tactics, Techniques and Sub-Techniques most commonly seen in the analysis of the groups, software, and frameworks involved in some of the more recent highly publicized security incidents (Q1 2020 - Q1 2021). The data, pulled from various open-source intelligence (OSINT) references, has been aggregated with the purpose of providing a general overview for the most frequently reported threats across the cybersecurity landscape. We have enriched this information with the RSA Netwitness’ Threat Content - Application Rules, Event Stream Analysis (ESA), and Packet parsers, currently mapped to these most common Techniques and Sub-Techniques.

Data was gathered from the following sources:

Year End Trend Reports:

‘Year-End Trend Reports Worksheet’ is based on in-depth analysis and research of different environments. This research arms security leaders and their teams with actionable insight into the malicious activity and techniques that are most observed. As mentioned, it also gives in-depth information about Application rules, ESA rules and Lua Parsers for RSA Netwitness Packets, Log and Endpoint.

Recent Breaches:

As we have seen in recent times, security breaches can have far reaching consequences, causing data and financial losses, and affecting an organization’s infrastructure. ‘Recent Breaches Worksheet’ summarizes information for highly publicized security incidents during the documented time frame. It gives an overview about most common techniques which were used in these recent breaches along with RSA Netwitness’ coverage for these MITRE ATT&CK® Tactics and Techniques.

Adversary Groups:

Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are mapped to publicly reported MITRE ATT&CK® techniques and ‘Adversary Groups Worksheet’ summarizes information for large Adversary Groups active during the documented time frame, along with RSA Netwitness’ coverage for MITRE ATT&CK® Tactics and Techniques. The information provided does not represent all possible Techniques use by Groups, but rather a subset that is available solely through open source reporting.

Software:

Software is a generic term MITRE ATT&CK® uses for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK™. Software entries include publicly reported technique use or capability to use a technique and may be mapped to Groups who have been reported to use that Software. ‘Software Worksheet’ consolidates MITRE ATT&CK® information for well-known software/tools used during the documented time frame between Q1 2020 and Q1 2021.

MITRE ATT&CK® Top Techniques:

All results were compiled into the “MITRE ATT&CK® Top Techniques Worksheet” and broken into 3 distinct categories:

1. "Top 25 MITRE ATT&CK® Techniques Overall" - The aggregate totals for each Technique and Sub-Technique witnessed in OSINT. For this section, any occurrence of a Technique or Sub-Technique was treated as unique.

For example, ‘T1059-Command and Scripting Interpreter’ is different than ‘T1059.001-Command and Scripting Interpreter: PowerShell’

2. "MITRE ATT&CK® Most Seen Techniques" - The aggregate total for all Techniques seen. For this section, all Sub-Techniques counted towards their corresponding parent Technique.

For example, ‘T1059.001-Command and Scripting Interpreter: PowerShell’ would count for the total of its parent Technique ‘T1059-Command and Scripting Interpreter’

3. "MITRE ATT&CK® Most Seen Sub-Techniques" - The aggregate total for all Sub-Techniques seen.

All the Threat Content mentioned in this spreadsheet is available to deploy via RSA Live for all RSA Netwitness customers. This contains Application Rules and ESA rules for Packet, Log and Endpoint as well as Packet parsers. These MITRE ATT&CK® meta keys can be populated using latest Investigation feed. For detailed configuration refer RSA Threat Content mapping with MITRE ATT&CK™

Moving forward we can map our other detection capabilities with ATT&CK™ matrix. This will help to give us a consolidated picture of our complete defense system and thus we can quantify and monitor the evolution of our detection capabilities.

For previous mappings with ATT&CK™ matrix, refer RSA Threat Content mapping with MITRE ATT&CK™

Other useful posts around MITRE ATT&CK® from RSA:

• FireEye Breach
• UEBA Essentials Hunting Guide
• Endpoint Content
• APT Emulation Using CALDERA
• The Hunt for Web Attacks

Thanks to @DarrenMccutchen and @Anonymous for ‌their valuable contributions.

References:

• MITRE ATT&CK
• 2020 Global Threat Report | CrowdStrike
• THE COMPLETE SECURITY CONTROL VALIDATION PLATFORM
• Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019
• Top MITRE ATT&CK® Techniques - 2021 Threat Report - Red Canary