Users of individual cyber threat feeds or knowledge bases are not always getting the entire picture until they are able to glean and aggregate info from more than one source. To reduce work for the intel community, and to break down barriers and silos of data, researchers have developed a way to integrate the Mitre ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) knowledge base with Verizon’s VERIS (Vocabulary for Event Recording and Incident Sharing) framework.
VERIS is a taxonomy and attack categorization model designed to help users describe attacks and their overall impact, while ATT&CK looks more granularly at adversary tactics, techniques and procedures (TTPs).
Spearheaded since April by Mitre’s Center for Threat-Informed Defense (CTID) and supported by Verizon, the Center for Internet Security and Siemens AG, the just-launched integration project will now allow users to perform a joint analysis by mapping ATT&CK’s TTPs of known hacker groups against incident actions and attributes described through VERIS metadata — or vice versa.
A blog post from the CTID portrays the project as the combining of VERIS’ explanation of who, what and why with ATT&CK’s description of when and how. Essentially, the project consists of a bidirectional mapping and translation layer between VERIS and ATT&CK, which is made possible through the creation of STIX relationships to represent the association between the two frameworks.
SC Media spoke with Rich Struse, director of the CTID, and Alex Pinto, Verizon’s Data Breach Investigations Report (DBIR) team lead, to discuss the potential implications of the new innovation and the need for even more integration of threat intelligence down the road.
What were your objectives with this integration project, and what opportunities does it present to the intelligence community?
Richard Struse (RS): Like a lot of Center for Threat-Informed Defense R&D projects, this one started off with the definition of a problem or an opportunity — depending on how you want to look at it: We have the VERIS standard, created by Verizon, that powers the DBIR (Data Breach Investigations Report) and other analyses — with its own user base and use cases. And then you have the ATT&CK knowledge base, which has basically become the common language for describing adversary TTPs at a technical level. How do you connect those two? There really wasn't any good connective tissue between them.
And so this project was inspired by that need… [But] instead of creating some new framework or instead of taking either ATT&CK or VERIS and morphing it to try to be all things to all people, we recognized: VERIS has peanut butter and we have chocolate. Let's connect the two. Let's build connective tissue that would allow practitioners — regardless if you're starting with ATT&CK or starting with VERIS — to make the linkages where they're supported by evidence, and then make that methodology freely available to the world…
What we released last week is hopefully enough of a kit that cybersecurity practitioners who want to transit that gap between ATT&CK and VERIS, or VERIS and ATT&CK, can do so in a way where they're just focused on what's important to them, and not having to figure out how to do that themselves.
Alex Pinto (AP): Especially in recent times, a lot of discussion has been heard about potentially sharing more information and having more clear disclosure of breaches, as something that's going to be mandated by the federal government.
There is no really comprehensive, commonly acceptable standard for that to be done. And you have two very battle-tested ones: VERIS has been around for a little bit longer, [and] it's very strategic, it [provides a] 10,000-foot view of what happened and sweeps broader. Then there's ATT&CK, which is incredibly good and detailed and very actionable when you're looking specifically at what kinds of controls you should have.
One of the main motivations here is: What if we could have the best of both worlds, and provide a… standardized way to transition back and forth?
As I'm looking at data that's being generated by my security tools as far as what kinds of techniques and tactics are being seen, how can I relate that back to a high-level strategic view that could potentially go to the board [of directors] that ties back to operational risk or things like that?
What were the biggest challenges in terms of mapping VERIS and ATT&CK and integrating these two frameworks? How did you overcome that challenge?
AP: It was a very interesting challenge.
These are two very mature standards, and we wanted to make sure that while we were doing this exercise, we wouldn't make it in a way that would compromise the vision and what those specific separate standards are good for.
They're both very comprehensive and very detailed in their own respect, at two very different atmospheric levels, so to speak. And we managed to put together a bidirectional map, which is very important. So it doesn't matter which side of the fence you're starting from, you can get the benefits of the other standard. [But while] preserving those characteristics [of each].
So we didn't start adding a lot of different things into ATT&CK that didn't make sense for ATT&CK. For instance, an example I love to use is that VERIS covers environmental actions. Sometimes it's a literal act of God that makes a data breach happen. We did have a case of a tornado in the 2021 DBIR that actually spread printed medical records across the whole county. That was a data breach [but] we're not going to add that to ATT&CK; it doesn't make sense. It doesn't need to have that linkage.
The same thing is true the other way around. Although VERIS does take the time to describe some specific malware activities, some specific hacking activity, it doesn't necessarily need to go into that level of detail, of which specific methodology of persistence was used. So it became a natural fit once we started to understand that the right way to do this was to make sure that the specific standards could shine in what they're good at.
Can you give me a concrete example of how a VERIS user would be able to apply their ATT&CK toward their VERIS findings?
AP: Ransomware… the latest DBIR said that it's very much a clear and present danger: 10% of breaches had some ransomware component to them. If you are a CISO, if you are the head of security, you read that and you say, “Oh, maybe I should be defending myself against ransomware.” [But how exactly?] It's vague; it describes a high-level threat, but not so much what you should be doing against it.
Now if you look at what happens with the more tactical-focused threat intelligence community, they will publish attacks like the Colonial Pipeline one, and they'll say, “Look, this is how they moved across the network. These were the attack techniques that they generated.”
So you can correlate [the] VERIS ransomware [information] to known techniques that are used by ransomware attacks, so you can have a more clear definition of what you should be protecting against. You can even enhance that with a tighter focus, if you believe you're more likely to be targeted by a specific actor or… you have your own collection of incidents.
What about the reverse scenario, where ATT&CK users can correlate their findings with VERIS?
You have two different data repositories that now are very easy to link together. You have everything that your detections have seen on your network, and you know what ATT&CK techniques have been firing your detection rules — so you know which things are more likely to happen to you or not. And if you… have a repository of these… incidents… you can start doing some very interesting things.
[Let’s say there’s intel reports of a data-stealing trojan.] You see that your detections have been firing and blocking those a lot. And that the number of actual trojan incidents you have is low. Then this probably means that your detections in that area are good. You can actually put those two data points possible and make a conclusion. On the other hand, if you're not seeing a lot of detections that are associated with the ransomware case, and you're having ransomware instances, then this is a place you should invest in detection to make sure you have the appropriate coverage.
It answers that question: Are my defenses being effective? Or at least it starts to — because you see right what is happening on the low-level detection [side] versus the more structured data of what the incidents were that actually happened to you, or the industry.
In what ways would the threat intel community benefit from even further integration of various threat intel platforms and feeds? What future innovation in that area might be possible?
RS: We have so many different silos in the security world. We have people who know a lot about vulnerabilities, people who know a lot about threats at a strategic level [or a] tactical level, and then you have people who focus on controls acquiring security capabilities. And one of the things that I think is so important — and one of the animating goals of the center — is to help people connect the dots, to connect that knowledge graph, which is pretty sparsely connected in some ways. And to do it in a way that the entire community can benefit from.
We've just done this mapping project, so that's great. So [if] I use VERIS, I have a repository of information that's encoded in VERIS and now I have a well-defined way, done by experts, that allows me to transit that gap and now get to the ATT&CK knowledge base. But that's not where I have to just wind up and sort of bounce around inside of ATT&CK. Because through other center R&D projects we've done things like mapping NIST 800-53 controls to ATT&CK techniques. So if a VERIS action… mapping… takes me to a particular technique or sub-technique, I can now, using those center-provided mappings, answer the question: What NIST 800-53 controls are applicable to preventing that technique from being used?
Or maybe you don't use NIST, but you're in Azure. Well, we just released… mappings of security capabilities in Azure to ATT&CK techniques. And we're building that out. We're going to be releasing one for AWS in a few weeks.
For the cybersecurity practitioner who is just trying to keep their head above water, they now… can take and transit these gaps and get to an actionable answer like, “OK, we need to plug this hole. Is there a cloud security capability we can use? Is there a NIST control? Is there something else we can do? How do I talk about this to my senior leadership?”
So instead of the practitioner figuring out how to jump from place to place, we're giving them those foundational resources. We're not providing some sort of magic tool, but we are creating and making freely available… all these resources so those paths exist, those bridges exist. Individual practitioners have to walk across those bridges and follow those links. But I think that's a big advance, and we've done it in a way that I think is systematic.
The answer to your question is: Yes, people should connect [these platforms more]. There's such an instinct for people to say, “This doesn't do what I want. I'm going to make my own new thing.” Everyone loves to have their own thing, and they get credit for it. But the reality is, we didn't need a new thing here. We needed to connect two things that already existed, that had good user populations and that do a good job, instead of twisting and torqueing one into the other.
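The two ideas the interview describes in words, chaining VERIS to ATT&CK to NIST 800-53 through STIX-style relationships and comparing ATT&CK-tagged detection firings against VERIS incident counts to judge coverage, as an added Python example that is not part of the article or the CTID project's released mappings. The VERIS actions, ATT&CK technique IDs and 800-53 control IDs are real vocabulary, but the links between them, the telemetry counts and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed STIX-style relationships (source_ref, relationship_type, target_ref).
# Identifiers are real vocabulary; the links are samples, not the project's mappings.
RELATIONSHIPS = [
    ("veris:action.malware.variety.Ransomware", "related-to", "attack-pattern:T1486"),
    ("veris:action.malware.variety.Ransomware", "related-to", "attack-pattern:T1490"),
    ("veris:action.hacking.variety.Brute force", "related-to", "attack-pattern:T1110"),
    ("attack-pattern:T1486", "mitigated-by", "nist:CP-9"),
    ("attack-pattern:T1490", "mitigated-by", "nist:CP-9"),
    ("attack-pattern:T1110", "mitigated-by", "nist:IA-5"),
]

def build_graph(relationships):
    """Adjacency list keyed by source_ref, in the direction the relationship states."""
    graph = defaultdict(set)
    for src, _rel_type, dst in relationships:
        graph[src].add(dst)
    return graph

def techniques_for(graph, veris_ref):
    """One hop: a VERIS action -> the ATT&CK technique refs it maps to."""
    return {t for t in graph.get(veris_ref, ()) if t.startswith("attack-pattern:")}

def controls_for(graph, veris_ref):
    """Two hops: VERIS -> ATT&CK -> NIST 800-53 control refs (the chained 'bridge')."""
    return {c for t in techniques_for(graph, veris_ref)
              for c in graph.get(t, ()) if c.startswith("nist:")}

def assess_coverage(graph, firings_by_technique, incidents_by_action,
                    high_firings=10, low_incidents=1):
    """Roll ATT&CK-tagged detection firings up to each VERIS action and compare with
    the incident count for that action, following the interview's heuristic."""
    verdicts = {}
    for action, incidents in incidents_by_action.items():
        fired = sum(firings_by_technique.get(t.split(":", 1)[1], 0)
                    for t in techniques_for(graph, action))
        if fired >= high_firings and incidents <= low_incidents:
            verdicts[action] = "detections look effective"
        elif fired < high_firings and incidents > 0:
            verdicts[action] = "invest in detection"
        else:
            verdicts[action] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    g = build_graph(RELATIONSHIPS)
    # Constructed telemetry: rule firings by ATT&CK ID, confirmed incidents by VERIS action.
    firings = {"T1486": 0, "T1490": 2, "T1110": 40}
    incidents = {"veris:action.malware.variety.Ransomware": 3,
                 "veris:action.hacking.variety.Brute force": 0}
    print(controls_for(g, "veris:action.malware.variety.Ransomware"))
    print(assess_coverage(g, firings, incidents))
```

Because `build_graph` keeps the direction stated in each relationship, adding the reverse edges (or a second relationship type) gives the VERIS-from-ATT&CK direction the interview also describes without changing the traversal code.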