SIEM Design: Cyber Kill Chains, Mitre Attack and SIEM

You may be wondering what on earth a Cyber Kill Chain is. After all, it sounds very much like a military term with little application in the business sphere; well, I will connect the dots for you.

The Cyber Kill Chain is a concept by Lockheed Martin introduced in their network defence paper “Intelligence Driven Computer Network Defence”. It shows the steps that an attacker takes to achieve their endgame. Below is a graphic showing the steps an attacker needs to compromise a network using spear phishing.

[Image: kill-chain-small]

Within this sequence of events, the attackers utilise tools, tactics and procedures, known as TTPs, to achieve their endgame, which may be stealing or destroying your data.

How do we know the tactics and tools used by attackers in each phase? Well, there is a repository of observed techniques seen in the “wild”: the Mitre ATT&CK framework. There are several versions, but the most applicable for business is the Enterprise version, seen here.

You can see the headline categories mapped to the stages of the kill chain below.

[Image: mitre-attack-concept]

Now let’s take the theoretical concept and relate it to a real-world example in the context of a Security Information and Event Management (SIEM) system.

It is common practice for network admins to allow log files on systems to “roll over” rather than clearing them at regular intervals, as it reduces admin workload and lets them concentrate on business-related tasks. This practice means that the clearing of log files is potentially a very solid indicator of something being amiss on the network.

In the Mitre ATT&CK framework this is known as T1070, “Indicator Removal from Host”, which means that the attackers removed indicators of their presence from a system; it is part of the Defence Evasion category. T1070 also maps to the Compromise (stage 03 above) category of the Cyber Kill Chain.

If an attacker has compromised a system and decides to delete the logs to cover their tracks, then without a SIEM solution to capture the logs and alert, a business would have no visibility. This lack of visibility could mean that a data breach goes undetected, allowing the attacker to steal company data.

Therefore, we would want to detect the clearing of system logs on Windows systems, which means that the SIEM solution will need to detect and alert on Windows Event ID 1102 in the Security and System logs of all systems.
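As an added example (not the article's or DefenceLog's code), here is the detection rule sketched in Python: it reads constructed, forwarder-style JSON event records, flags Event ID 1102 and labels each alert with the T1070 mapping the article describes. The field names and the extra Event ID 104 (which Windows records when the System log itself is cleared) are assumptions of this example, not details taken from the article.

```python
import json

# Event IDs this rule treats as a log clear. 1102 ("audit log was cleared") is
# the event the article names; 104 (System log cleared) is an editor's addition.
LOG_CLEAR_EVENT_IDS = {1102: "Audit log cleared", 104: "System log cleared"}

# Constructed sample records in a forwarder-style JSON-lines format; the field
# names are assumptions, not any particular SIEM's schema.
SAMPLE_EVENTS = """\
{"host": "WS01", "channel": "Security", "event_id": 4624, "user": "alice"}
{"host": "WS01", "channel": "Security", "event_id": 1102, "user": "alice"}
{"host": "SRV02", "channel": "System", "event_id": 104, "user": "SYSTEM"}
not valid json
{"host": "SRV02", "channel": "Security", "event_id": 4688, "user": "bob"}
"""

def parse_events(raw):
    """Yield one dict per parseable line; a malformed line is skipped rather
    than allowed to stop the rule, since a dropped rule means lost visibility."""
    for line in filter(None, map(str.strip, raw.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def detect_log_clears(events):
    """Return one alert per log-clear event, tagged with the ATT&CK mapping the
    article gives (T1070, Defence Evasion) so a dashboard can pivot on it."""
    alerts = []
    for ev in events:
        summary = LOG_CLEAR_EVENT_IDS.get(ev.get("event_id"))
        if summary is None:
            continue
        alerts.append({
            "host": ev.get("host", "unknown"),
            "user": ev.get("user", "unknown"),
            "channel": ev.get("channel", "unknown"),
            "event_id": ev["event_id"],
            "summary": summary,
            "attack_technique": "T1070",
            "attack_tactic": "Defence Evasion",
            # Logs are expected to roll over, never be cleared, so any hit is high.
            "severity": "high",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_log_clears(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Running it prints two alerts (the 1102 on WS01 and the 104 on SRV02); the logon and process-creation events and the malformed line produce nothing.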

Ask your SIEM vendor what coverage their solution has of the MITRE ATT&CK framework.

Here is our MITRE ATT&CK-enabled dashboard detecting a range of issues in our purpose-built research environment.

[Image: mitre-attack-dashboard]

DefenceLog is Defence Logic's next-generation SIEM-like system protecting businesses from threats. Our solution incorporates not only Mitre ATT&CK references but also a risk scoring system as part of its feature set.