ThreatQuotient Expands Integration with MITRE ATT&CK Framework to Offer Full Support for Customers
May 2019 by Patrick LEBRETON
ThreatQ Adds Support for Mobile and PRE-ATT&CK in Response to Rapid Customer Adoption
ThreatQuotient™ announce that the ThreatQ™ integration with MITRE ATT&CK™ now includes support for PRE-ATT&CK and Mobile. Together with Enterprise ATT&CK, the three-pronged framework creates an end-to-end attack chain that examines and assesses an adversaries’ actions. Since first integrating with MITRE ATT&CK in early 2018, ThreatQuotient has helped customers integrate the framework in their workflows to achieve a holistic view of their organisation’s specific attack vectors and what needs to be done to effectively defend against adversaries.
Attacks are happening with increasing velocity, and the average cost of a data breach has risen to $3.86 million, according to the 2018 Cost of a Data Breach Study by Ponemon. As more organisations begin to accept the likelihood that they will be breached, the security industry is placing greater emphasis on technologies, tools and processes to accelerate detection and response. However, this is not always done with collaboration in mind. When combined, the ThreatQ platform and MITRE ATT&CK framework enables expansive and shared understanding across teams and technologies, allowing faster response when an event occurs.
ThreatQuotient has long believed that the ability to accelerate security operations starts with having a thorough and proactive understanding of the actors, campaigns and TTPs targeting an organisation. There are three main ways an organisation can use the integration of ThreatQ and MITRE ATT&CK to their advantage:
1. Reference and Data Enrichment
Aggregate data from the framework into ThreatQ and search for adversary profiles to answer questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply? Security analysts can use the data from the framework as a detailed source of reference to manually enrich their analysis of events and alerts, inform their investigations and determine the best actions to take depending on relevance and sightings within their environment.
2. Indicator or Event-Driven Response
Use ThreatQ to correlate data from the ATT&CK framework with incidents and associated indicators from inside the organisation’s environment. Security analysts can then automatically prioritise based on relevance to their organisation and determine high-risk indicators of compromise (IOCs) to investigate. With the ability to use ATT&CK data in a more simple and automated manner, security teams can investigate and respond to incidents and execute appropriate courses of action for more effective detection and more efficient threat hunting.
3. Proactive Tactic or Technique-Driven Threat Hunting
Pivot from searching for indicators to taking advantage of the full breadth of ATT&CK data. Threat hunting teams can take a proactive approach, beginning with the organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if related data have been identified in the environment. For example, they may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential IOCs or possible related system events in my organisation? Are my endpoint technologies detecting those techniques?