Beyond the Matrix

ipninichuck
Staff

Intro:

Organizing and categorizing a SecOps use case can be challenging. There are some great frameworks like MITRE ATT&CK that can help, but how to best use them is not always clear. This article will provide a clear method for those responsible for creating and organizing the use cases used by their organization.

The Challenge of Organization 

There is an inherent challenge when attempting to organize SecOps use cases. The source of this challenge is the attempt to ensure that all threats perceived to affect an organization are covered properly. Standards have been developed to assist in this process, but many of them focus on compliance systems or other non-threat-driven methodologies. Defenders become buried in checklists that they hope will give their enterprise the protection it requires. Worse is the inability to track metrics once all the boxes are checked and the security team must make sense of how the rest of their operations fit into this static model. To remedy this problem, threat modeling has given teams a much better view of where their most valuable assets are and the best ways to protect them. However, this has caused security operations to become an array of silos with no way to communicate with each other or, more importantly, to provide a single voice to leadership.

It has become apparent that a common language is needed that can bridge the gap between the disparate teams and give them a unified purpose aligned to business goals. The MITRE ATT&CK framework has evolved into this common language: it describes the actual actions taken by adversaries, and those techniques can also be mapped to compliance schemes, security controls and detections. However, even using ATT&CK can create challenges, which arise from the large number of techniques tracked and from the difficulty of applying them to a single SecOps use case development flow. To resolve this, a better layer of abstraction within ATT&CK must be used. The abstraction layer most suitable is that of data sources.

Along with this higher layer of abstraction comes the application of a truly unified workflow known as Continuous Detection/Continuous Response (CD/CR). This workflow is part of the wider modern SecOps approach based on Autonomic Security Operations (ASO) principles.

Techniques of Confusion 

The Enterprise Matrix, prominently displayed upon entering the ATT&CK website, often becomes the cornerstone around which many teams strive to build their security defenses. It's reminiscent of the iconic scene in "The Matrix" – a captivating spectacle that promises clarity, yet upon closer inspection, can reveal a labyrinth of complexity. Heat map tools, designed to track coverage across the matrix, can further reinforce this illusion of control. But just like Neo's awakening, teams can quickly realize that the true challenge lies in navigating this intricate web.

For some, the initial confusion can be overwhelming: Where does one begin? What goals are truly attainable? The sheer volume of Techniques and Sub-Techniques can paralyze even the most seasoned security professionals. And even if a set of detections are successfully mapped, the question of how to structure response playbooks around them remains a daunting task. Enterprises are often left with a patchwork of playbooks, each attempting to decipher the underlying complexity.

Thankfully there is a way to move beyond the matrix. Quite frankly, the Enterprise Matrix should not be the starting point. Before any use of ATT&CK begins, you first must construct a threat profile for your organization. This profile will help focus your efforts on the most important starting points and avoid the pitfall of a data-driven SIEM, in which the logs that happen to be collected, rather than the threats, dictate the use cases. Once this is accomplished you will want to look at a higher level of abstraction known as the ATT&CK Data Sources.

There are two main reasons to adopt this approach. The first is the far smaller number of items to track: at the time of this writing there are only forty-three data sources, and many use cases will apply to more than one. The second is that these data sources originate from the actual assets in an enterprise environment. There is no need to develop an abstract understanding of how threat modeling based on critical assets applies to the model. The data sources are then mapped to the applicable techniques that adversaries use against them. This means that detections mapped to techniques fall nicely into categories of use cases dictated by the data sources. Further, the matrix is no longer the starting point but a natural progression from the assets in the environment.

Continuous Detection/Continuous Response 

Now that confusion has been removed from our starting point it is possible to apply a workflow that brings together the silos that have plagued SecOps. Below is a diagram that shows the phases of Continuous Detection/Continuous Response.

[Diagram: the phases of Continuous Detection/Continuous Response]

The first phase of CD/CR is data visibility. This is the stage when asset evaluation and threat modeling create the observable needs of the environment. Through this process, the data sources that are needed become apparent and logs/analytics to provide visibility can be ascertained. Along with this the goals of both SecOps and business needs can be enumerated to provide a clear understanding of needed roles and their objectives. Lines of communication between the teams responsible for these assets should be established through predictable procedures, and expected reporting goals should be developed.

The second phase of CD/CR is security analytics. It is during this stage that the established data sources should be mapped to the techniques that apply and detections created. ATT&CK data sources have specific components that describe what actions adversaries take against the data source, which can be used to narrow down which techniques are most important based on the specific assets included. Threat hunting objectives can also be created and acted on, either by the enterprise itself or by a managed service. The hunt hypothesis is developed based on the techniques used against the specified data source, with the techniques providing a better understanding of what the hunter is looking for. All these activities should have specific metrics that measure their level of success and their contribution to business needs.

The third phase of CD/CR is continuous response. As CD/CR is the core component of Autonomic Security Operations (ASO), it inherently requires automation to allow the SecOps team to scale the number of threats they are able to handle. Automated response to alert triage and remediation is essential. An analyst shouldn't be blinded by a blur of tabs that they sift through in an attempt to align their investigation across a pile of disparate tools. There needs to be a single platform that takes the alerts produced and provides a means to automate all actions of investigation, remediation and communication between stakeholders. This platform should act as a source of truth where the analyst can use their skills to provide swift triage of true/false positives and determine whether an incident has occurred. Although manual steps will always be needed, the analyst needs to be able to take them from the same console. Also, all reporting metrics needed for different levels of the enterprise need to be aggregated at this point.

The final phase of CD/CR is continuous feedback. This is the true make or break phase of the workflow. It is critical that there are clear ways for the findings of analysts to be communicated to a growing number of stratified teams within an enterprise. This includes the tuning of detection rules, threat intelligence from the local environment, tactical operating improvements and strategic business direction based on risk forecasting. This feedback will take many forms depending on the type of information and intended audience. It will drive advanced programs such as purple teaming, help prioritize technology acquisition, improve internal procedures and provide executive leadership with a clear picture of the risks they must plan for in the future. All of this feedback must then find its way back into the continuous loop of the workflow and improve the next iteration. 

Entering the Flow 

The flow of creating SecOps use cases is not a linear process. Instead it is an ever-moving journey of identifying the critical assets to be protected and creating all the parts of the CD/CR workflow, starting with a threat profile and then mapping those assets to ATT&CK data sources. Even here, there is no clear beginning or ending. Before a threat model can be created, threat intelligence gathered about adversaries targeting enterprises in specific regions must be considered, along with vulnerability evaluation and attack path simulations. The important thing to remember is that the ATT&CK data sources provide a manageable way to tie all of this information together into coherent use cases. A graphical implementation of this flow is presented in the diagram below. By using ATT&CK mappings, each major need of the use case can be accounted for, including security controls, detection engineering, response playbooks and finally the steps needed to make collected metrics and information useful for the enterprise in its continuing efforts to improve.

[Diagram: the flow of SecOps use case creation, from threat profile through ATT&CK data sources to controls, detections, playbooks and metrics]
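The following script is an added example, not part of the original article or of MITRE's tooling. It walks the flow described above in code: a threat profile (critical asset classes from asset evaluation plus technique IDs from threat intelligence) is turned into the ATT&CK data sources those assets can emit, the data components and techniques observable through each data source become one use case per data source, and a coverage metric reports which in-scope techniques have a detection mapped, which do not, and which no asset can observe at all. The `DATA_SOURCE_MAP`, `ASSET_DATA_SOURCES`, `SAMPLE_PROFILE` and `SAMPLE_DETECTIONS` tables are constructed, hand-abbreviated subsets that approximate ATT&CK data-source/technique relationships for illustration; the authoritative mapping is the ATT&CK knowledge base itself, and the detection names are made up.

```python
"""Organize SecOps use cases by ATT&CK data source (constructed example).

threat profile -> data sources the assets emit -> data components and
techniques observable through them -> one use case per data source
-> coverage metric for the security analytics phase.
"""
from dataclasses import dataclass, field

# Data source -> {data component -> technique IDs observable through it}.
# Constructed, abbreviated subset approximating ATT&CK; not a full copy.
DATA_SOURCE_MAP = {
    "Process": {
        "Process Creation": {"T1059", "T1053", "T1547"},
        "OS API Execution": {"T1003"},
    },
    "Command": {"Command Execution": {"T1059", "T1053", "T1003"}},
    "Logon Session": {"Logon Session Creation": {"T1078", "T1021"}},
    "User Account": {"User Account Authentication": {"T1078", "T1110"}},
    "Windows Registry": {"Windows Registry Key Modification": {"T1547"}},
    "Network Traffic": {"Network Connection Creation": {"T1021"}},
}

# Asset class -> data sources it can realistically produce (constructed).
ASSET_DATA_SOURCES = {
    "windows-server": {"Process", "Command", "Logon Session",
                       "User Account", "Windows Registry"},
    "linux-server": {"Process", "Command", "Logon Session", "User Account"},
    "identity-provider": {"User Account", "Logon Session"},
    "network-sensor": {"Network Traffic"},
}


@dataclass
class ThreatProfile:
    assets: set        # asset classes from asset evaluation (phase 1)
    techniques: set    # technique IDs from CTI / attack-path simulation


@dataclass
class UseCase:
    data_source: str
    # data component -> in-scope techniques detectable through it
    components: dict = field(default_factory=dict)

    @property
    def techniques(self):
        return set().union(*self.components.values())


def build_use_cases(profile):
    """Derive the data sources the assets emit, then keep only the
    components and techniques that the threat profile puts in scope."""
    visible = set().union(*(ASSET_DATA_SOURCES[a] for a in profile.assets))
    use_cases = {}
    for ds in sorted(visible):
        comps = {}
        for comp, techs in DATA_SOURCE_MAP.get(ds, {}).items():
            in_scope = techs & profile.techniques
            if in_scope:
                comps[comp] = in_scope
        if comps:
            use_cases[ds] = UseCase(ds, comps)
    return use_cases


def coverage(profile, use_cases, detections):
    """Phase 2 metric: fraction of observable in-scope techniques that have
    at least one detection mapped, plus the gaps to feed back into phase 4."""
    observable = set().union(*(uc.techniques for uc in use_cases.values()))
    detected = {t for t in observable if detections.get(t)}
    blind = profile.techniques - observable     # no asset can observe these
    ratio = len(detected) / len(observable) if observable else 0.0
    return {
        "covered": ratio,
        "uncovered": sorted(observable - detected),
        "no_visibility": sorted(blind),
    }


# Constructed sample: two asset classes and seven techniques from intel.
SAMPLE_PROFILE = ThreatProfile(
    assets={"windows-server", "identity-provider"},
    techniques={"T1059", "T1078", "T1110", "T1547", "T1021", "T1003", "T1566"},
)
# Constructed detection inventory: technique -> rule names (made up).
SAMPLE_DETECTIONS = {
    "T1059": ["encoded-powershell-command"],
    "T1078": ["privileged-logon-from-new-host"],
    "T1110": ["auth-failure-burst-per-account"],
}

if __name__ == "__main__":
    cases = build_use_cases(SAMPLE_PROFILE)
    for ds, uc in cases.items():
        print(f"Use case [{ds}]:")
        for comp, techs in uc.components.items():
            print(f"  {comp}: {', '.join(sorted(techs))}")
    print(coverage(SAMPLE_PROFILE, cases, SAMPLE_DETECTIONS))
```

With the sample profile the script produces five use cases (Process, Command, Logon Session, User Account, Windows Registry), reports 50% detection coverage, lists T1003, T1021 and T1547 as observable but undetected, and flags T1566 as a technique no in-scope asset can observe, which is exactly the kind of finding the feedback phase should route to the data visibility phase.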

Closing Thoughts 

The sometimes confusing challenge of organizing SecOps use cases has been extremely detrimental. Worse yet, the answers provided over time have mostly created more toil for security teams while providing only confusion. Starting with the ATT&CK data sources based on a solid threat profile, and applying them to CD/CR, is a path through this confusion. Attempting to use linear workflows for security has not worked, and trying to use a matrix with an astronomical number of pieces has only complicated the problem. CD/CR will require enterprises to plan before acting and to create lines of communication between silos that have hardened over time. The benefits of this approach will become apparent quickly. ATT&CK provides a common language that ties all business and security needs into clearly mapped relationships, but it only works if your team can reduce it to a manageable challenge in a workflow that presents clear objectives and the ability to improve over time.
