Following the publication of the latest Forrester Wave™ evaluation on enterprise detection and response (EDR), I published a blog with the demo script that was used in the evaluation to enable further discussion and understanding of where the market is. With this blog, I thought it would be interesting to dig into the demo script a bit to provide some additional insight into what I view is going on in the market and how I used the demo as a temperature check.

Linguistic Relativity And The ATT&CK Framework

I think it’s important to start this discussion by reiterating that I think the MITRE ATT&CK framework is the most transformative thing happening in cybersecurity right now, and to understand why requires that we view it as a corpus for describing threats. You may be familiar with the trope that Eskimo languages have some 50-plus words for snow and the influence that has on how they perceive and think about snow. This concept is called linguistic relativity. One of the critical consequences of the ATT&CK framework is that we now have over 260 “words” (ATT&CK techniques) for describing threats. With this common, descriptive language, MITRE has given us a much bigger box of crayons with which to express ourselves.

Step 2: Lays The Foundation For Everything Around It

The second scenario in the demo script explores the outcomes vendors are enabling as a result of this broadened corpus. My goal for step 2 was to push vendors to extend beyond labeling alerts and have them show how they are able to enrich the raw telemetry itself with the appropriate ATT&CK technique. The most base example of this is to have a query for user execution (T1204) return every instance CreateProcess was called in the environment. My vision for this step was to see who was enabling security operations center analysts to hunt by describing behaviors without knowledge of the underlying telemetry or the antecedent of an alert that had been labeled as being associated with that behavior. I describe such a capability as “hunting through abstraction” and view it as a critical building block for the future of detection.

Step 3: Extends The Concept By Using Patterns Of Behavior To Achieve Confident Indictments

Imagine a situation where “a legitimate user executed the payload, which launched a batch file that executed a Cobalt Strike DLL payload via Rundll32.” The MITRE team describes this sequence as user execution (T1204) via scripting (T1064) with Rundll32 (T1085) and measured the ability of products to detect each of these techniques in the first round of the ATT&CK evaluations. In step 3 of the EDR demo script, I presented this as a challenge for demonstrating the ability to query across multiple related pieces of telemetry to return a result. How would you find a sequence of events where a Word document was opened from the desktop (Explorer -> Word), which executed PowerShell (Word -> PowerShell) and created a network connection outside the organization (PowerShell opens a socket connection)? Describing this sequence requires three distinct pieces of telemetry and consequently allows for higher-confidence indictments, because you’re not looking at signals but patterns of events.

Key Takeaway

Products that enable analysts to combine step 2 and step 3 in the demo script allow analysts to hunt for APT3 based on intelligence about that actor’s operational procedures without getting bogged down in the nuance of the particular product they are using or device they are analyzing. This is an important evolution that lowers the barrier of entry for hunting and mirrors something held as gospel within the intelligence community: that you need to separate collection from analysis to eliminate bias. To accomplish this, telemetry should be labeled as close to the extract, transform, load (ETL) process as possible, turning detection of ATT&CK techniques into an engineering challenge and leaving the analysis to analysts . . . and this particular outcome is one of the most important impacts ATT&CK will have on this industry.

If you’re interested in exploring which vendors achieve this particular outcome, download the Wave model from within the report and check out the criteria for “ATT&CK mapping” and “threat hunting.” The vendors who scored well for these criteria are closest to achieving this vision for “hunting through abstraction.”