Mapping vendor products to ATT&CK: Tanium
Nowadays MITRE ATT&CK can no longer be ignored in a Cyber Defense Center or Security Operations Center. Many organisations use ATT&CK to gather information on how cyber attacks are performed (it’s kind of the Wikipedia of cyber attacks), but also to see how their organisation performs when looking at the ATT&CK Enterprise Matrix. In 2019 Marcus Bakker and I released DeTT&CT to map your blue team capabilities to ATT&CK. With DeTT&CT you can administer your data/log source quality, get insight into your visibility and detection coverage, and plot threat actor behaviours. We are happy to see that many organisations have already started using or exploring DeTT&CT.
Mapping your blue team capabilities often involves analysing your own custom-built use cases / detections to see how they relate to ATT&CK (sub-)techniques. But at our customers we often see a combination of detection products that also cover a lot of ATT&CK techniques. And ideally you want one overall overview of how good your organisation’s detection capabilities are.
Unfortunately not all vendors are transparent about their detection capabilities and their ATT&CK coverage. Luckily there are vendors that do give you that information, and that’s a good thing! Because we can use that information to compare the product with other products, with our own use cases / detections, or with threat actor behaviour (threat intelligence).
In this blog we show how easy it is to make an ATT&CK mapping of the detection capabilities available in Tanium Threat Response. Tanium offers functionality to create detections, called signals, in its Threat Response module. Those signals provide real-time monitoring on endpoint telemetry events. Besides the possibility to create your own signals, Tanium offers a feed of signals: a regularly updated set of signals designed to detect common attack behaviour. And, YES, those signals are already mapped to ATT&CK! So within the feed that Tanium provides (a JSON file) and within the GUI you can find the ATT&CK technique IDs for each signal. Well, that’s great… but we want more! We want an ATT&CK Navigator overview with the detection coverage of the Tanium signals feed. And when we have that, we want to compare it with our own use cases / detections.
So let’s make an ATT&CK Navigator layer!
We’ve created a Python script that walks through the JSON file from the Tanium signals feed and creates a DeTT&CT techniques administration YAML file. With the help of DeTT&CT we are able to create an ATT&CK Navigator layer file from that YAML file.
First, let’s create a YAML file from the Tanium signals feed with the Python script:
python tanium_attack_mapping.py -f signals_v3.21.0.0000.json
The output of this command is a new DeTT&CT techniques administration YAML file which we need in the next step. Within the YAML file the signal names are listed within the location field of the detection object for the relevant technique. The platform (Windows, Linux, Mac) mentioned within each signal is reflected in the applicable_to field of the detection object.
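To make the conversion step concrete, below is an added example of such a feed-to-YAML script. It is not the tanium_attack_mapping.py script from this post, and it does not use the real Tanium feed: the sample JSON is constructed inline, and the field names it reads (signals, name, platforms, mitreAttack.techniques[].id/name) are an assumption about the feed layout that you would adjust to the actual file. The YAML it writes follows the DeTT&CT technique administration layout (version 1.2, detection and visibility objects with a score_logbook), with one detection object per technique and platform set so that applicable_to reflects the platforms of the signals and location lists the signal names, as described above. All detections get the default score of 1.

```python
import json
from pathlib import Path

# Constructed sample feed. The field names are an ASSUMPTION about the
# Tanium signals JSON, not its documented format: adjust them to the real file.
SAMPLE_FEED = json.dumps({
    "signals": [
        {"name": "LSASS Memory Access",
         "platforms": ["windows"],
         "mitreAttack": {"techniques": [{"id": "T1003.001", "name": "LSASS Memory"}]}},
        {"name": "Defender Disabled via Registry",
         "platforms": ["windows"],
         "mitreAttack": {"techniques": [{"id": "T1562.001", "name": "Disable or Modify Tools"}]}},
        {"name": "Crontab Modification",
         "platforms": ["linux", "mac"],
         "mitreAttack": {"techniques": [{"id": "T1053.003", "name": "Cron"}]}},
        {"name": "Suspicious LSASS Handle Request",
         "platforms": ["windows"],
         "mitreAttack": {"techniques": [{"id": "T1003.001", "name": "LSASS Memory"}]}},
    ]
})

# Feed platform names -> platform names as used in DeTT&CT / ATT&CK.
PLATFORM_MAP = {"windows": "Windows", "linux": "Linux", "mac": "macOS"}


def group_signals(feed_text):
    """Group signal names per technique ID and per platform set.

    Returns {technique_id: {"name": str, "detections": {(platform, ...): [signal names]}}}.
    Keying on the platform tuple gives one detection object per platform set,
    so applicable_to can differ between signals of the same technique.
    """
    feed = json.loads(feed_text)
    techniques = {}
    for signal in feed["signals"]:
        platforms = tuple(sorted(PLATFORM_MAP.get(p.lower(), p)
                                 for p in signal.get("platforms", [])))
        for tech in signal.get("mitreAttack", {}).get("techniques", []):
            entry = techniques.setdefault(tech["id"], {"name": tech["name"], "detections": {}})
            entry["detections"].setdefault(platforms, []).append(signal["name"])
    return techniques


def yaml_list(items):
    """Render a flow-style YAML list of single-quoted scalars."""
    return "[" + ", ".join("'" + item.replace("'", "''") + "'" for item in items) + "]"


def build_yaml(techniques, default_score=1, date="2020-01-01"):
    """Emit a DeTT&CT technique administration file (v1.2 layout, assumed here)."""
    lines = [
        "version: 1.2",
        "file_type: technique-administration",
        "name: Tanium signals feed",
        "platform: [Windows, Linux, macOS]",
        "techniques:",
    ]
    for tid in sorted(techniques):
        entry = techniques[tid]
        lines += [f"- technique_id: {tid}", f"  technique_name: {entry['name']}", "  detection:"]
        for platforms, signals in sorted(entry["detections"].items()):
            lines += [
                f"  - applicable_to: {yaml_list(platforms)}",
                f"    location: {yaml_list(signals)}",
                "    comment: ''",
                "    score_logbook:",
                f"    - date: {date}",
                f"      score: {default_score}",
                "      comment: 'Default score, review the signal before raising it.'",
            ]
        # Visibility is left at 0 as a placeholder; score it per data source yourself.
        lines += [
            "  visibility:",
            "  - applicable_to: ['all']",
            "    comment: ''",
            "    score_logbook:",
            f"    - date: {date}",
            "      score: 0",
            "      comment: ''",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    Path("techniques-tanium.yaml").write_text(build_yaml(group_signals(SAMPLE_FEED)))
```

Two signals that map to the same technique on the same platform end up in one detection object with both names in location, which keeps the YAML one entry per technique as DeTT&CT expects. Visibility is deliberately left at 0: the feed tells you which signals exist, not which telemetry you actually collect, so that score belongs to your own data source review.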
Next we can easily create an ATT&CK Navigator file by using DeTT&CT with the following command:
python dettect.py d -ft techniques-tanium.yaml -l
The result is a JSON file that can be loaded into the ATT&CK Navigator.
In the picture on the right you see the result. As you can see there’s one shade of green being used, which reflects a score of 1. Within DeTT&CT you can have scores up to 5 which will reflect how good the detections are in your environment. For this demonstration we gave all the techniques a default score of 1, because we would like to encourage you to go over the signals yourself.
Review vendor ATT&CK mappings
It’s important to always review ATT&CK mappings supplied by vendors. Many times we’ve seen vendors playing with their pencils and colouring ATT&CK techniques that don’t relate to their detections. So reviewing these is important!
As an example we once saw a vendor of a network anomaly detection product stating they have capabilities to detect T1133: External Remote Services. After looking into the details of their detection, we saw that it was detecting outgoing VPN connections, while T1133 is all about incoming VPN connections. Be critical when reviewing ATT&CK mappings from vendors.
Another thing vendors seem to do is mapping every ATT&CK technique that fits. Say you have a detection for registry changes that disable Windows Defender. This behaviour maps perfectly to T1562.001: Impair Defenses: Disable or Modify Tools. However, we’ve seen vendors mapping such a detection to T1112: Modify Registry, T1059: Command and Scripting Interpreter and T1059.001: PowerShell as well.
It seems logical to map this to T1112, because the detection has something to do with the registry. However, in our opinion it’s better to choose the technique that describes what is being detected, not how. And exactly for that reason we would not map techniques like T1112, T1059 and T1059.001 to this detection. There are many ways to initiate a registry change that disables Defender, so we prefer to map the one technique that best fits what is being detected.
Compare
When you have this ATT&CK Navigator layer file, you can compare this with another layer file containing your own use cases / detections. Within the ATT&CK Navigator there’s a functionality to compare two layers. This is how you do that:
First open the Tanium layer within the ATT&CK Navigator.
Secondly open the layer with your own use cases / detections.
Create a new layer and choose “Create layer from other layers”. You now see a small yellow “a” and “b” on top of the layers you’ve opened in the previous step:
Select the Domain: Enterprise ATT&CK.
Use the following score expression:
(a*20)+(b>0?1:0)*30
And click Create.
You now have a new layer file with the following colours:
Orange: items with a score of 20. Those are the ones from your Tanium layer.
Light green: items with a score of 30. Those are the ones from the 2nd layer with your own use cases / detections.
Green: items with a score of 50. Those are the ones where you have overlap (20+30).
Let me explain the expression we used above:
(a*20)+(b>0?1:0)*30
“a” is the first layer, with the Tanium detections. All techniques in this layer have a score of 1, which we multiply by 20 to get an orange colour. By default the Navigator gives a technique a colour based on its score on a scale from 1 to 100: it starts with red, then orange and then green (with shades in between). We skip red because it has the association of being “bad”. Then we have “b”, the layer with our own use cases / detections. Those have scores varying from -1 to 5. When the score of a technique in b is greater than 0, we use the value 1, otherwise 0 (the ?1:0 part), and we multiply that by 30. This way the two layers are kept apart within the new layer. The techniques that are present in both layers get a score of 50 (and thus another shade of green than a score of 30).
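The same score expression can be applied outside the Navigator, which is handy when you want the overlap as a list rather than a picture. The script below is an added example, not a DeTT&CT or Navigator feature: it takes two constructed layer dicts (only the techniqueID and score fields a real layer file also carries; version and gradient metadata are left out) and computes (a*20)+(b>0?1:0)*30 per technique. A technique missing from one layer counts as 0 on that side, which is also what makes the 20-only and 30-only buckets in the text possible, and the -1 and 0 scores from a DeTT&CT layer are excluded from the b side by the >0 guard.

```python
import json

# Constructed layers: the Tanium layer scores every technique 1 (as in the text),
# the own layer carries DeTT&CT detection scores from -1 to 5.
TANIUM_LAYER = {
    "name": "Tanium signals feed",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1003.001", "score": 1},
        {"techniqueID": "T1562.001", "score": 1},
        {"techniqueID": "T1053.003", "score": 1},
    ],
}
OWN_LAYER = {
    "name": "Own use cases",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1003.001", "score": 3},   # overlaps with the Tanium layer
        {"techniqueID": "T1059.001", "score": 2},   # own detection only
        {"techniqueID": "T1566", "score": -1},      # DeTT&CT "not applicable": must not count
        {"techniqueID": "T1105", "score": 0},       # nothing in place: must not count
    ],
}


def scores_by_technique(layer):
    """Map techniqueID -> score for one Navigator layer (a missing score counts as 0)."""
    return {t["techniqueID"]: t.get("score", 0) for t in layer["techniques"]}


def combine(layer_a, layer_b):
    """Apply (a*20)+(b>0?1:0)*30 over the union of both layers' techniques.

    A technique absent from a layer contributes 0 on that side; techniques
    whose combined score is 0 are dropped, so they stay uncoloured.
    """
    a = scores_by_technique(layer_a)
    b = scores_by_technique(layer_b)
    combined = {}
    for tid in set(a) | set(b):
        score = a.get(tid, 0) * 20 + (1 if b.get(tid, 0) > 0 else 0) * 30
        if score > 0:
            combined[tid] = score
    return combined


def classify(score):
    """Name the bucket a combined score falls in, matching the colours in the text."""
    return {20: "vendor only", 30: "own only", 50: "both"}.get(score, "unexpected")


def build_layer(combined, name="Tanium vs own detections"):
    """Wrap the combined scores in a minimal Navigator layer dict."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": classify(score)}
            for tid, score in sorted(combined.items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(combine(TANIUM_LAYER, OWN_LAYER)), indent=2))
```

Note that the a side is not guarded: the expression relies on every Tanium technique scoring exactly 1. If you later raise the vendor scores to 1-5 after reviewing the signals, use (a>0?1:0)*20 as well, otherwise a score of 5 becomes 100 on its own and the three buckets no longer separate cleanly.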
Prioritize
Comparing vendor detection capabilities with your own detection capabilities can be very handy to prioritise your defence efforts! Why build a lot of use cases / detections when they are already covered by a product? Prioritising based on a MITRE ATT&CK mapping is in general a good idea. However, there is a lot more to take into account. You can read more about this in this blog by Marcus Bakker: The sources for hunts and how to prioritise.