A New Resource Helps Thwart Hackers by Analyzing their Actions
Author: Jennifer Larson
Anticipate. Analyze. Attack.
That’s how you defeat cybercriminals.
You anticipate the type of behavior they’re planning. You analyze their actions. Then, if necessary, you attack them.
And fortunately for the people with the job of thwarting cybercriminals, MITRE has developed a resource to help them analyze the actions of those cyber bullies. It’s called the Cyber Analytics Repository, and it helps network defenders detect suspicious behavior that indicates a threat.
Evolving threats require understanding
If there were an Olympics for illegal cyber activity, today’s cybercriminals would take the gold. The agility of malicious hackers—their ability to make rapid changes to how they operate—makes traditional network defense fragile and unsatisfactory. Most of those traditional approaches look for what we call indicators of compromise (IOC). Hackers are able to adapt rapidly—at least on the surface—to avoid detection with those approaches.
Figuring out how to foil a would-be attacker who’s trying to bring down your network could save countless hours of time, energy, and money. It’s a big task, but one good place to start is to have an understanding of the most likely behaviors that cyber adversaries display.
Collecting and sharing such behavioral knowledge with the cyber-defense community is the reason MITRE engineers developed the Cyber Analytics Repository, or CAR. It’s a knowledge base of analytics to help cyber-defenders recognize suspicious actions occurring in their systems.
Working in Tandem with ATT&CK
CAR complements the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK) model, also developed by MITRE. ATT&CK is a framework for describing the actions that attackers take after they’ve gotten inside and compromised a network.
Together, CAR and ATT&CK focus on the detection of possible threats based on observed adversary behaviors. And both are free for the public and government agencies to use.
“When you’re looking at your network to detect attackers, you should be looking at behaviors,” says MITRE’s Craig Wampler, a lead cybersecurity engineer. “CAR is a jump-start for that process. It contains the analytics for behaviors you want to watch out for.”
The analytics that make up CAR are designed for host-based sensing in Windows environments. Currently, MITRE has released analytics in four different categories: Situational Awareness, Anomaly/Outlier, Forensics, and Tactics, Techniques, and Procedures (TTP).
An organization doesn’t have to implement all of the analytics if it doesn’t want to. Not every analytic is right for every organization. MITRE extensively tested and refined the analytics through a series of targeted cyber games, and not every organization has the resources for that type of full-scale test.
However, MITRE’s Michael McFail hopes organizations will be interested in choosing and adapting the analytics that work best for them. “It’s the sort of mindset that we’re hoping people will adopt,” says McFail, a lead cybersecurity engineer.
Why Being Flexible When Monitoring Suspicious Behavior Matters
When trying to catch an attacker, you want to watch out for their behavior.
That’s because it’s much more effective to monitor suspicious behavior than to look for set characteristics of an adversary. A security solution that relies on identifying indicators of compromise, or IOCs, like malware hashes (a fixed-length fingerprint computed from a file’s contents that identifies a known malicious sample) or malicious domain names, can be easily stymied. You see, IOCs are easy for an attacker to change, which makes them an unreliable basis for detection.
But the analytics in CAR can detect patterns of suspicious behavior. Adversaries can change their appearance, but behavioral patterns tend to be similar. There are only so many paths attackers can take, once they’ve found an entry point. This makes CAR a more valuable asset than a security solution relying on those IOCs.
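To make that contrast concrete, here is an added example (not code from CAR or MITRE) that runs a hash-based IOC check and a behavioral analytic over constructed Windows process-creation events; the event fields, hashes, and the "Office application starts an executable from a user-writable folder" rule are all assumptions made for the illustration.

```python
"""Behavioral analytic vs. hash-based IOC matching over process-creation events.

Added illustration, not code from MITRE CAR: the events, hashes and the
"Office app spawns an executable from a user-writable folder" rule are
constructed to show why behavior survives changes that break IOCs.
"""
from pathlib import PureWindowsPath

# Constructed host-sensor process-creation events (simplified Sysmon-like fields).
EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "sha256": "a1" * 32},  # constructed hash of a sample already on the blocklist
    {"id": 2, "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\statement.exe",
     "sha256": "b2" * 32},  # constructed: same tradecraft, rebuilt binary, new hash
    {"id": 3, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "sha256": "c3" * 32},  # constructed: legitimate Office print helper
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "sha256": "d4" * 32},  # constructed: user running an installer
]

KNOWN_BAD_HASHES = {"a1" * 32}  # constructed IOC feed: only the first sample is known
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")


def ioc_matches(event):
    """IOC approach: fires only when the image hash is already on the blocklist."""
    return event["sha256"] in KNOWN_BAD_HASHES


def office_spawns_from_user_dir(event):
    """Behavioral analytic: an Office process starts an executable that lives in
    a user-writable folder. Matches on the relationship, not on the payload."""
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    image = event["image"].lower()
    return parent in OFFICE_APPS and any(d in image for d in USER_WRITABLE)


def run_detections(events):
    """Return {event id: sorted list of rule names that fired}."""
    rules = {"ioc_hash": ioc_matches, "office_child": office_spawns_from_user_dir}
    return {e["id"]: sorted(n for n, r in rules.items() if r(e)) for e in events}


if __name__ == "__main__":
    for eid, hits in run_detections(EVENTS).items():
        print(eid, hits or ["-"])
```

Event 2 is the point of the exercise: the rebuilt binary slips past the hash list but trips the behavioral rule, while the legitimate Office helper (event 3) and the user-launched installer (event 4) trip neither.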
Consider this analogy dreamed up by cybersecurity company Crowdstrike. A bank robber might attempt to disguise himself by wearing a purple baseball cap when he breaks into a bank and steals the money inside. But the robber can always ditch the baseball cap. The most important thing to track is the bank robber’s behavior when conducting the robbery, not the outfit he’s wearing.
And when you know your attacker’s tactics and techniques, you can defend yourself.
The Community Makes CAR Stronger
Adversaries are always looking for the next best way to wreak havoc, so cyber defenders are always striving to stay at least one step ahead of them. So by necessity, CAR is always a work in progress.
“It’s a tool that’s like an instrument that you tune and retune to get the right sound,” McFail says.
By working together and sharing defensive techniques, everyone can contribute to the defeat of attackers. Got some ideas you’d like to share? Send ‘em in! CAR was released publicly to foster community-based collaboration, so it’s set up to welcome contributions.
A previous version of this article was published here.