Cybersecurity

Unlocking Cyber Threat Intelligence with MITRE ATT&CK™ Industry Frameworks

Author: Reza Saadat

Security frameworks such as MITRE ATT&CK™ are integrated with Spirent CyberFlood's built-in capabilities, helping organizations assess the effectiveness of their security controls safely and continuously and gain insight into how well their policies cover known threats.

Proactive cybersecurity assessment may be one of the best defenses available against ever-growing cyber threats. One of the areas with a significant impact on an organization's ability to improve its overall cybersecurity is tapping into emerging cyber threat intelligence. Threat intelligence is certainly not a new topic, but recent technology trends show promise in solving the many challenges in that area.

Gartner defines threat intelligence as "Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." Ideal cyber threat intelligence would not only give organizations the ability to proactively identify vulnerabilities in the network, but would also offer actions to prevent or hinder the attacks. Several industry projects and initiatives take a foundational approach rather than narrowly focusing on certain tools or a particular class of vulnerabilities.

Two recent influential initiatives in this arena include the MITRE ATT&CK and NetSecOPEN frameworks.

MITRE ATT&CK™ (Adversarial Tactics, Techniques & Common Knowledge) is mainly a knowledge base of adversary behavior intended to help those organizations that want to move towards a threat-informed defense. The solution addresses four key use cases: threat intelligence, detection and analytics, adversary emulation as well as assessment and engineering.

MITRE released ATT&CK to the public in May of 2015, and it has expanded significantly over the past few years. It is now in use by many different government organizations and industry sectors. ATT&CK is open and available to any person or organization at no charge, providing a shared understanding of adversary tactics, techniques, and procedures. It delivers insight into how to detect, prevent and mitigate attacks, as well as into the groups of malicious actors associated with them.

MITRE ATT&CK organizes this knowledge of adversary behavior into these categories:

  • Tactics: The "why," describing the goal of the attacker

  • Techniques and sub-techniques: The "how," describing the actions an adversary takes to achieve a tactical objective

  • Mitigations: Methods of addressing a specific technique

  • Groups: Clusters of adversary activity tracked under a common name in the security community (such as APT29, which contains the threats associated with the devastating SolarWinds attack)

The approaches taken by industry security frameworks are important components of the toolbox for today's security specialists. They will usually, however, need to be complemented by the other solutions that make up an organization's cybersecurity. To take the benefits of frameworks such as MITRE ATT&CK™ to the next level, it is vital to link these industry framework solutions to the other elements of a network validation offering (e.g. performance, scalability and cyber threat assessments).

CyberFlood CyberThreat Assessment and MITRE ATT&CK Industry Frameworks

CyberFlood (CF) is an emulation-based solution that proactively provides in-depth assessment of network performance, scalability, and cybersecurity posture. The CyberThreat Assessment (CTA) functionality within CyberFlood includes emulations of real-world attacks, applications, and evasion techniques, as well as industry security frameworks and sensitive data exfiltration (DLP) scenarios, with a complete logical network topology to validate the end-to-end efficacy of security solutions in pre-production lab and/or sandbox settings.

Furthermore, industry frameworks such as MITRE ATT&CK™ are integrated with CyberFlood's built-in capabilities, so that Spirent TestCloud content can be organized to align with the framework. This helps organizations assess the effectiveness of their security controls safely and continuously and gain insight into how well their policies cover known threats.

CyberFlood groups test content by tactic, technique, and group of malicious actors, allowing users to run assessments against specific breach and attack areas.

Users can map the associated test results onto MITRE ATT&CK to home in on problem areas or on the attacker tactics and techniques of concern.
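The mapping described above, as an added example that is not Spirent's or CyberFlood's own code: a small script that takes the outcome of each emulated attack test, rolls the outcomes up per ATT&CK technique, and then summarizes coverage per tactic and per adversary group. The technique IDs, names and tactic assignments are a hand-picked subset of the public ATT&CK Enterprise matrix; the test results and the group profile are constructed sample data (the group profile is an illustration, not MITRE's actual entry for any real group).

```python
"""Roll up emulated-attack test results onto MITRE ATT&CK tactics and groups.

Added example, not CyberFlood code. TECHNIQUES is a small subset of the public
ATT&CK Enterprise matrix (real IDs); SAMPLE_RESULTS and SAMPLE_GROUP are
constructed sample data.
"""
from collections import defaultdict

# technique ID -> (name, tactics it belongs to). One technique may sit under
# several tactics in the matrix, so coverage counts it toward each of them.
TECHNIQUES = {
    "T1566": ("Phishing", ("Initial Access",)),
    "T1078": ("Valid Accounts", ("Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion")),
    "T1059": ("Command and Scripting Interpreter", ("Execution",)),
    "T1053": ("Scheduled Task/Job", ("Execution", "Persistence",
                                     "Privilege Escalation")),
    "T1027": ("Obfuscated Files or Information", ("Defense Evasion",)),
    "T1041": ("Exfiltration Over C2 Channel", ("Exfiltration",)),
    "T1048": ("Exfiltration Over Alternative Protocol", ("Exfiltration",)),
}

# Outcome of one emulated test against the security controls under test.
# Higher rank = worse result for the defender.
OUTCOME_RANK = {"blocked": 0, "detected": 1, "missed": 2}

# Constructed sample results: (test name, technique ID, outcome).
SAMPLE_RESULTS = [
    ("phish-attachment-01", "T1566", "blocked"),
    ("phish-link-02",       "T1566", "detected"),
    ("valid-acct-vpn-01",   "T1078", "missed"),
    ("powershell-enc-01",   "T1059", "detected"),
    ("schtask-persist-01",  "T1053", "missed"),
    ("schtask-persist-02",  "T1053", "blocked"),
    ("base64-payload-01",   "T1027", "blocked"),
    ("exfil-https-c2-01",   "T1041", "detected"),
    ("exfil-dns-01",        "T1048", "missed"),
]

# Constructed illustration of a group profile (hypothetical; NOT MITRE's
# actual technique list for APT29 or any other group).
SAMPLE_GROUP = {"T1566", "T1078", "T1059", "T1027"}


def worst_outcome_per_technique(results):
    """Collapse many test runs into one status per technique; the worst wins,
    because a single missed variant is the one an attacker will reuse."""
    worst = {}
    for _test, tid, outcome in results:
        if outcome not in OUTCOME_RANK:
            raise ValueError(f"unknown outcome {outcome!r}")
        if tid not in TECHNIQUES:
            raise KeyError(f"technique {tid} not in local ATT&CK subset")
        if tid not in worst or OUTCOME_RANK[outcome] > OUTCOME_RANK[worst[tid]]:
            worst[tid] = outcome
    return worst


def coverage_by_tactic(results):
    """Return {tactic: {"blocked": n, "detected": n, "missed": n}},
    counting each technique once per tactic it belongs to."""
    per_tech = worst_outcome_per_technique(results)
    table = defaultdict(lambda: {"blocked": 0, "detected": 0, "missed": 0})
    for tid, outcome in per_tech.items():
        for tactic in TECHNIQUES[tid][1]:
            table[tactic][outcome] += 1
    return dict(table)


def gap_report(results):
    """Techniques whose worst outcome was 'missed', as (ID, name), sorted by ID."""
    per_tech = worst_outcome_per_technique(results)
    return sorted((tid, TECHNIQUES[tid][0])
                  for tid, o in per_tech.items() if o == "missed")


def group_exposure(results, group_techniques):
    """Of the techniques attributed to a group, which ones did the controls miss?"""
    per_tech = worst_outcome_per_technique(results)
    return sorted(t for t in group_techniques if per_tech.get(t) == "missed")


if __name__ == "__main__":
    print(f"{'Tactic':<22}{'blocked':>8}{'detected':>9}{'missed':>7}")
    for tactic, row in sorted(coverage_by_tactic(SAMPLE_RESULTS).items()):
        print(f"{tactic:<22}{row['blocked']:>8}{row['detected']:>9}{row['missed']:>7}")
    print("\nGaps:", gap_report(SAMPLE_RESULTS))
    print("Sample group techniques missed:", group_exposure(SAMPLE_RESULTS, SAMPLE_GROUP))
```

The worst-outcome rule is the design choice worth noting: a technique that was blocked in one test variant and missed in another is reported as missed, so the tactic table shows where an attacker still has a working path rather than an averaged score. Swapping the constructed TECHNIQUES subset for the full matrix loaded from MITRE's published STIX data keeps the rest of the script unchanged.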

In summary, using CyberFlood and CTA with the MITRE ATT&CK industry framework as the basis of security assessment and reporting brings real-world global observations and standards to the validation of your pre-production networks.

Learn how Spirent CyberFlood CyberThreat Assessment can help in assessing the strength of your organization’s security posture.

Reza Saadat

Senior Technical Marketing Engineer, Applications & Security Group

Reza Saadat is a Senior Technical Marketing Engineer in Spirent's Applications & Security Group, with more than 25 years of experience in computer and data communications technology. At Spirent, Reza works with the product management, engineering and sales teams to bring the latest cutting-edge application and security test solutions to network equipment manufacturers, enterprises and service providers. His broad and deep knowledge of the industry, the market and software development, together with his collaborative design and development skills, has contributed to many hardware and software solutions that have been successfully launched at major companies including IBM and Cisco.