H-ISAC Collaboration and the MITRE ATT&CK Model
Using Analytics for Proactive Cyber Defense
As the various ISAC’s continue to rally their defenses against the growing number of cyber threats, MITRE has revolutionized the tracking of cyber threat intelligence. The MITRE ATT&CK Model has become the globally recognized knowledgebase for adversarial tactics used by today’s high tech cyber criminals.
While this framework is an excellent start to collecting cyber threat intelligence, it is by no means complete. Because cyber criminals are constantly developing new tactics. The future of this framework and its value to the various Information Sharing and Analysis Centers (ISAC) is fully dependent on a collaborative approach to continuous improvement. As William Barnes, Director of Security Solutions for Pfizer stated recently, “We’re all in this together.”
How does the ATT&CK Model Work?
The ATT&CK framework provides information for Adversarial Tactics, Techniques & Common Knowledge, hence the acronym. This matrix is the brain child of the MITRE Corporation, which is a non-profit organization that prides itself on solving problems for the sake of a safer world. Their federally funded data centers perform a wide variety of data driven research efforts, including cybersecurity.
Started in 2013, the ATT&CK knowledgebase documents the common tactics and techniques that are used by modern cyber adversaries. The driver behind the creation of this model was the need to understand the behavior of adversaries as opposed to a point in time understanding of individual tactics. There is a method to the operation of cybercriminals and the key to stopping them is to accurately predict their next move.
The components of the ATT&CK model can be broken down into tactics and techniques. The tactics are representative of “why” an adversary will choose to perform a certain action. Techniques are “how” an adversary attempts to achieve their tactical objective. The combination of the two helps to shed light on possible behaviors, or next steps, that a cybercriminal may take.
The ATT&CK Matrix is the visual representation of these tactics and techniques. Some examples of tactics include Persistence, Lateral Movement, and Discovery. For these and many other tactics, the matrix identifies potential techniques that could be used for each. For example, Lateral Movement has 17 different techniques that have been identified such as Logon Scripts and Remote File Copy.
How Organizations Benefit from the ATT&CK Model
Armed with the information from the ATT&CK Model, organizations can begin to proactively build their cyber defenses. When they detect certain tactics being used against their perimeter defenses, they can use the matrix to prepare defenses for the potential techniques, or next steps of the adversary.
The primary benefit is the proactive nature of the ATT&CK Model. All organizations in the digital age are using some form of cybersecurity software and solutions. They offer varying levels of defensive postures and, at the very least, provide basic levels of protection. However, the eventuality of a successful breach is imminent.
For any organization to successfully protect their digital assets, they need to remain vigilant in their efforts to stay ahead of their adversaries. According to William Barnes, the primary challenge is that there are a wide range of malicious activities. Additionally, he cited the fact that both the financial services and healthcare industries are the largest entities and therefore provide a target rich environment for would be adversaries. “Financial services are the largest ISAC… but Healthcare represents a mass community that is far larger in terms of stakeholders.”
Collaboration is the Key
At the recent H-ISAC Spring Summit, there was a resounding central theme. Working together to fight the threat of cyber adversaries is the best path forward for not only healthcare but for all industries.
This is where the MITRE ATT&CK model and H-ISAC, Inc. (Health Information Sharing and Analysis Center) can make the greatest strides. The model itself provides a framework for identifying tactics with associated techniques. However, it is only as good as the information that it currently has. By having H-ISAC member organizations share their experiences, the MITRE knowledgebase can be continually updated with the latest threats.
Organizations now have a consistent platform that, according to Barnes, can be crowd sourced. This means that all entities can benefit from the experiences of a single entity. As a result, they can continue to build proactive security measures that keep them ahead of the adversary.
What are the Impacts of Disclosure
Of course, this open sharing of information also raises some concerns. Some organizations are reluctant to share the fact that they may have experienced a breach as it hurts their credibility in the marketplace. Some fear other entities may be enticed to use this information against their competitors.
According to Barnes, H-ISAC has taken this problem head on through the use of Non-Disclosure agreements for member entities. These NDAs help to alleviate the concerns of inappropriate information getting leaked out to the public.
Barnes also noted that the sharing of information is not necessarily about an actual breach incident. By having H-ISAC partnering with MITRE, the information shared is more about the identification of suspicious or malicious activity. The goal is not to point fingers at those that were breached, but to identify new tactics and techniques and share them with members of the community.
Advantages and Disadvantages of Vendor Involvement
As the collaborative community continues to grow, cybersecurity vendors are beginning to take a seat at the table. The advantage of bringing these players on board is that they are immersed in the tactics and techniques of adversaries and can bring a front-line view to H-ISAC member entities.
According to Barnes, each vendor likely can handle the spectrum of tactics and techniques; however, each one also tends to specialize in certain areas. By bringing in a wide range of vendors, H-ISAC members and the MITRE ATT&CK Model can benefit from their various perspectives.
The Future is Bright
Despite all the challenges that exist in the modern digital age, Barnes remains optimistic. One of his biggest takeaways from the H-ISAC Spring Summit is the renewed belief that this group can accomplish remarkable things.
The continued growth and development of the MITRE ATT&CK Model is an exciting opportunity. The possibility to positively impact organizations across the healthcare spectrum has never been better. In addition, Barnes also noted that the H-ISAC community has made diversity and inclusion a priority.
For more information on the Cybersecurity Analytics Development and other working groups, go to https://health-isac.org/h-isac-membership/.