
How Exabeam Uses the MITRE ATT&CK Framework to Categorize Active Threats

Before you can effectively mitigate an active cyberattack, you must conduct a comprehensive investigation.

No two cyberattacks are exactly alike. In fact, there is enormous variety in the type, extent, and technical process behind different attacks. 

This complicates the response capabilities of security operations teams. Once you successfully detect a threat, there is no one-size-fits-all solution for mitigating it. Every response playbook is designed for a particular type of attack, and using the wrong playbook is like taking medicine for an illness you don’t have – while ignoring the one you do! 

Doctors group diseases into categories based on their characteristics and pathologies. This helps them diagnose diseases accurately and identify the appropriate treatments. Cybersecurity professionals work in a similar way, categorizing cyberattacks according to the technical vulnerabilities they exploit, and the kill-chain they rely on. 

MITRE ATT&CK is one of the industry’s most reputable and comprehensive frameworks for categorizing threats. It is a universally accessible database of cybercriminal tactics and techniques gleaned from real-world observation. This makes it an incredibly valuable tool for SIEM developers, vendors, and users.


What Information Does MITRE ATT&CK Data Contain? 

The MITRE ATT&CK framework contains comprehensive lists of detection criteria and data-driven indicators that suggest certain types of attacks. These lists are assigned to 14 different Tactics categories, with more than 180 Technique subcategories distributed between them.

These categories are:

    1. Reconnaissance 
    2. Resource Development 
    3. Initial Access 
    4. Execution 
    5. Persistence 
    6. Privilege Escalation 
    7. Defense Evasion 
    8. Credential Access 
    9. Discovery 
    10. Lateral Movement 
    11. Command & Control 
    12. Collection 
    13. Exfiltration
    14. Impact

This provides cybersecurity professionals with a comprehensive taxonomy of cyberattack techniques. 

Using the MITRE ATT&CK framework, analysts can quickly correlate suspicious alerts to larger patterns of behavior. This helps point investigations in the right direction and reduces the amount of time it takes to deliver positive outcomes.

For example, Brute Force is a technique that falls in the Credential Access category. MITRE ATT&CK provides a comprehensive list of tools and procedures cybercriminals use to break into victims’ accounts grouped together by the basic premise of a Brute Force attack. These are all attacks that systematically guess passwords until reaching the right one.


Exabeam Provides Security Professionals with MITRE ATT&CK Insights

Since the MITRE ATT&CK framework contains a highly structured set of data, it’s an excellent candidate for integration into the SIEM workflow. Sophisticated SIEM platforms like Exabeam correlate observed user and entity behaviors against MITRE ATT&CK data automatically, providing security personnel with a fast, reliable way to categorize suspicious activities in real time.

Exabeam also allows users to write custom rules based on MITRE ATT&CK data. This enables security teams to develop unique policies that apply specifically to their organizations, taking their unique security posture into account.  

Creating custom rules is a demanding and complex task.

It requires input from highly experienced security analysts with deep knowledge of the underlying company. Many security-oriented enterprise leaders entrust custom rule creation to a reputable managed detection and response partner like Castra, who then takes responsibility for monitoring and adjusting those policies moving forward. 

Custom rules can take the form of “one-hit-wonders”, but thanks to today’s machine learning-enabled risk scoring systems there is a trend towards making them more nuanced.

Partners like Castra review the frequency, occurrence, and reliability of scenarios, resulting in variable condition rules that add risk to the user timeline dynamically. For example, the key parts of a custom Exabeam rule might read like the following:

Score = "if((alert_severity='2'),10.0,(if((alert_severity='4'),30.0,(if((alert_severity='6'),50.0,(if((alert_severity='8'),90.0,(if((alert_severity='10'),200.0,10.0)))))))))"
RuleExpression = "countbyif(src_dest_alert, asset, (source='FireEye Endpoint Security (HX)' && !contains(toLower(alert_type), 'acquisition') && !inList(user,'fe_service')), 'security-alert')=1"
RuleLabels { scenario = ["3rd Party Security Alerts"] mitre = ["T1027.005"]}

The first section of this rule is a chain of nested “if” statements that assigns a risk score to each level of alert severity (10 points for severity 2, rising to 200 for severity 10, with 10 as the fallback). The next section is the rule expression itself: it counts security alerts per asset from a specific source – in this case, FireEye Endpoint Security (HX) – while excluding acquisition-type alerts and the fe_service account, and fires on the first qualifying alert. Finally, the rule is labeled with a scenario name and a MITRE ATT&CK identifier. Here the label T1027.005 corresponds to the Indicator Removal from Tools sub-technique, which is part of the larger Obfuscated Files or Information technique.
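To make the scoring and counting logic of that rule concrete, here is an added Python model written for this explanation; it is not Exabeam's rule engine or Castra's code. It replays constructed FireEye-style alerts through the same severity table and filter; the per-asset "fires on the first qualifying hit" reading of countbyif(...)=1 and the two-entry ATT&CK lookup are assumptions.

```python
"""Model of the custom Exabeam rule discussed above (constructed illustration)."""
from collections import Counter

# Risk score per alert_severity, mirroring the nested if() chain in the Score field.
# Any severity not listed falls through to the final default of 10.0.
SEVERITY_SCORE = {"2": 10.0, "4": 30.0, "6": 50.0, "8": 90.0, "10": 200.0}
DEFAULT_SCORE = 10.0

# Minimal ATT&CK lookup for the identifiers this post mentions (constructed subset).
ATTACK = {
    "T1027.005": ("Indicator Removal from Tools", "Defense Evasion"),
    "T1110": ("Brute Force", "Credential Access"),
}

def score(event):
    return SEVERITY_SCORE.get(str(event.get("alert_severity")), DEFAULT_SCORE)

def matches_filter(event):
    """The condition inside countbyif: HX source, no 'acquisition' alerts, no fe_service user."""
    return (event.get("source") == "FireEye Endpoint Security (HX)"
            and "acquisition" not in str(event.get("alert_type", "")).lower()
            and event.get("user") not in {"fe_service"})

def evaluate_rule(events, mitre_id="T1027.005"):
    """Replay events in order; fire once per asset when its filtered count reaches exactly 1
    (assumed semantics of countbyif(...)=1). Returns (asset, user, score, technique, tactic)."""
    per_asset = Counter()
    firings = []
    for ev in events:
        if not matches_filter(ev):
            continue
        per_asset[ev["asset"]] += 1
        if per_asset[ev["asset"]] == 1:
            name, tactic = ATTACK[mitre_id]
            firings.append((ev["asset"], ev["user"], score(ev), name, tactic))
    return firings

# Constructed sample alerts (field names follow the rule text, values are made up).
HX = "FireEye Endpoint Security (HX)"
SAMPLE_EVENTS = [
    {"source": HX, "asset": "ws-101", "user": "jdoe", "alert_severity": "8", "alert_type": "malware"},
    {"source": HX, "asset": "ws-101", "user": "jdoe", "alert_severity": "10", "alert_type": "exploit"},  # count 2: no fire
    {"source": HX, "asset": "srv-7", "user": "fe_service", "alert_severity": "10", "alert_type": "file acquisition"},  # excluded
    {"source": "Other EDR", "asset": "srv-9", "user": "asmith", "alert_severity": "6", "alert_type": "malware"},  # wrong source
    {"source": HX, "asset": "srv-9", "user": "asmith", "alert_severity": "3", "alert_type": "suspicious"},  # unknown severity: default
]

if __name__ == "__main__":
    for firing in evaluate_rule(SAMPLE_EVENTS):
        print(firing)
```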


What Does MITRE ATT&CK Data Look Like During a Real-World Security Incident?

For an enterprise environment with a capable managed detection and response vendor using Exabeam, the process is simple. 

  • First, Exabeam detects suspicious activity. It collects the relevant log data, correlates it with MITRE ATT&CK framework data (along with data from other sources), and generates an alert. 
  • This data shows up right alongside the alert itself. The analyst responding to the alert can immediately see what tactics and techniques that alert suggests. 
  • The investigation process begins. Exabeam provides visibility into every part of the IT environment that may have been impacted. This provides additional insight and may generate additional alerts as the attack unfolds.
  • The security analyst responds to each level of the attack using data provided by Exabeam, interpreted through the MITRE ATT&CK framework, and guided by their own experience and knowledge.


Make the Most of Exabeam: Invest in Human Expertise

The MITRE ATT&CK framework is undoubtedly a valuable tool for orchestrating incident response effectively. Exabeam is a powerful platform for gathering and interpreting data that informs that response. Yet the success of that response still relies on the experience and judgment of a human analyst. The better-trained your analysts are, the more comprehensive your security posture becomes. 

Learn how Castra customizes Exabeam's Fusion SIEM for our customers.


Castra is a managed detection and response vendor that specializes in building and managing custom Exabeam deployments for enterprise organizations. Our team of expert security analysts routinely demonstrates their capabilities in detecting and mitigating security risks using tools like these.

Find out how Castra can help you safeguard your enterprise from cyberattacks. Schedule your demo, now!