Signal the ATT&CK: Part 1

15 March 2018

Building a real-time threat detection capability with Tanium that focuses on documented adversarial techniques

I’m Paul, one of the Cyber Threat Operations team at PwC, and I lead our Endpoint Threat Detection service. I spend a lot of my time helping clients enhance their endpoint threat detection capability and mature their threat response processes. Wietze is one of our Endpoint Detection and Response Analysts and has co-authored this article. His job comprises event monitoring and triage, but also research and development to improve and streamline our hunting and detection capabilities.

Our clients are increasingly recognising that to remain poised and ready to tackle cyber threats head on, they need to proactively look for and identify adversary activity in their environments. Over the last 9 months we have been exploring the MITRE ATT&CK™ matrix, a knowledge base of cyber adversary behaviour, and MITRE’s CALDERA, a system designed to simulate cyber adversary behaviour, and integrating both into our threat hunting techniques.

We have written a technical research article in which we present our approach of using the knowledge within the ATT&CK matrix to build and test a set of detection techniques within the Tanium platform, in part using a Detect feature known as Signals. By using near real-time visibility into endpoints, we are able to embed a repeatable programme of work in our daily operations that proactively identifies and addresses gaps in our own detection capability, and which can then be deployed to our client engagements and transferred to our clients’ in-house security teams.

Our article focuses on one particular threat group as an example: APT32, also known as Ocean Lotus. We outline how the ATT&CK matrix helps us to enhance our threat detection capability, and demonstrate how we verify this using an ATT&CK-based testing framework. By setting out our approach, we hope to also demonstrate how you can improve your own organisation’s endpoint threat detection capability.

For more information on how we can help your organisation, please contact Paul Bottomley and Wietze Beukema.

Paul Bottomley | Endpoint Threat Detection and Response Lead
Profile | Email | +44 (0)7808 799134

Wietze Beukema | Endpoint Threat Detection and Response Analyst
Profile | Email | +44 (0)7850 908221