FireEye Stories

Operationalizing CTI: Using MITRE ATT&CK to Hunt for and Defend Against Iranian Cyber Threats

Escalating geopolitical tensions between Iran and the U.S. as well as regional rivals increase the cyber threat from Iran, a nation that has demonstrated increasing cyber capabilities in recent years. FireEye has tracked numerous Iranian threat groups that have demonstrated interest in a range of industries including defense, government, energy, telecommunications, and financial services in the U.S. and Middle East, though others may be at risk as well. Given the breadth of information available via open sources and cyber security vendors, one challenge that enterprise security teams face is how to effectively determine the actual threat to their enterprise and what steps they can take in order to proactively prepare and defend against real and emerging threats.

This blog post will showcase how organizations can effectively operationalize cyber threat intelligence (CTI) on Iranian APT groups’ methodologies while using the MITRE ATT&CK framework. A systematic approach to applying specific knowledge of these groups' tactics, techniques, and procedures (TTPs) can better assist organizations to hunt for and mitigate the threat from such groups.

Value of CTI

Cyber threat intelligence (CTI) enables a more effective and efficient cyber risk management process. Actionable intelligence allows enterprises to be more proactive against threats, giving security organizations greater visibility into adversaries and their motivations, enabling faster response to targeted attacks, and improving strategic planning and investment. CTI can improve the efficiency of security teams by providing them with information on the threats that are most likely to affect the organization. CTI can be valuable in helping enterprises in a range of strategic, operational and tactical capacities, such as proactively preparing for real and emerging threats, prioritizing patching of known and unreported vulnerabilities, providing decision-makers and stakeholders with information and analysis on credible threats, and hunting for attackers in an enterprise environment.

Operationalizing Intelligence: Hunt Operations

The term threat hunting can refer to a range of security analytic methods: frequency-based analysis considers the frequency of an event within an enterprise environment and its global prevalence; anomaly-based analysis identifies anomalies after baselining/whitelisting a customer environment; TTP-based analysis considers the methodology and behavioral aspects (TTPs) of attacker activities; and intelligence-based analysis uses IOC data from attacker and malware artifacts.

One tool that has become increasingly popular in the security community in recent years is MITRE’s ATT&CK Framework. MITRE, an independent not-for-profit organization, created this globally accessible knowledge base of adversary tactics and techniques; the framework is used as a foundation for the development of specific threat models and methodologies by private sector organizations, government, and the broader cyber security community. FireEye Threat Intelligence provides mapping of tracked adversary group TTPs to the ATT&CK framework.

Iran Cyber Threats: Hunting Use Case

The following use case details the steps security analysts can take to operationalize CTI to complement a data-driven hunt effort using the ATT&CK framework.

1. Develop an Organizational Threat Profile and Risk Heat Map

First, analysts can identify priority threats by reviewing the current cyber threat landscape and understanding known threat actor motivations and methods, historical targeting, and past incidents. Analysts should also understand their organization’s internal processes, its “crown jewels” such as highly sensitive data that exists within the enterprise, and the history of cases that have already taken place. Analysts can then place threat actors on a heat map to identify which pose the greatest and most likely threats.

Figure 1: Risk Heat Map

2. Leverage the MITRE ATT&CK Framework to Map Out Adversary TTPs

Once analysts identify and prioritize threats, they can compile a TTP heat map. This can be done effectively by using the MITRE ATT&CK Framework. Mapping multiple threat groups—in this case, known Iranian state-sponsored threat actors—across one instance of the framework can enable analysts to visualize and identify which TTPs are most likely to be leveraged by multiple threat actors or groups, allowing analysts to focus efforts more efficiently, as TTPs leveraged by multiple groups should constitute a higher priority in hunt missions.

In the example (Figure 2), the threat heat map combines Iranian threat groups tracked by FireEye—such as APT33, APT34, APT35, APT39, TEMP.Zagros and TEMP.Omega—into one heat map. TTPs are color coded on a scale of 1 to 6, where “1” (the lightest shade of red) means the TTP is used by one tracked Iranian threat group and “6” (bright red) means the TTP is used by six tracked Iranian groups. Shared TTPs should take higher priority during hunts.

Figure 2: Iran APT & TEMP Groups, MITRE ATT&CK Navigator

3. Leverage the MITRE ATT&CK Framework to Map Out Security Detections and Controls

Analysts can identify and catalog the security tool detections and mitigations in place, and similarly map them to the MITRE framework. This helps identify gaps in detections and mitigations. The process can be iterative: analysts can record roadblocks discovered during hunts as well as document input from network architects, system administrators and other key stakeholders.

By cross-referencing the known TTPs of threat actors to known gaps in security controls, it is possible to see where the network is vulnerable to likely attacks, further allowing analysts to prioritize hunt efforts.

In the example in Figure 3, six Iranian threat groups have been mapped against mitigations and detections to form an organizational heat map. Items in RED indicate a known adversary TTP for which the organization lacks mitigation measures, detection measures, or both. Green indicates a TTP for which both mitigations and detections exist.

Figure 3: Organizational Heat Map, MITRE ATT&CK Navigator

4. Prioritize TTPs and Develop Adversary Playbooks

There are multiple ways to prioritize hunts based on the aggregated heat maps. Hunters can score different threat groups based on their perceived threat level; they can look for bottlenecks in TTPs (for example, lateral movement is a key tactic common to almost all intrusion attempts, and there are a limited number of ways in which adversaries can attempt to move laterally); and they can look at the areas where the highest number of adversaries employ a common TTP that also overlaps with security control gaps. In all cases, the goal is to be efficient and effective by executing hunts in areas where hunters have high visibility and there is a high likelihood that an intrusion attempt has occurred.

Hunters should create a roadmap of planned hunts to ensure a systematic approach that does not overlook any key areas. Once this process roadmap is created, each individual hunt should be planned out using adversary playbooks that detail the individual TTPs with as much information as possible, down to the string level. This will guide the hunters’ search by listing relevant artifacts, hunting tips, and other useful items.

Figure 4: APT33 TTPs, MITRE ATT&CK
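Steps 2 through 4 above reduce to a small amount of data handling: count how many tracked groups share each technique, overlay the organization's detection and mitigation inventory, and rank the result. The script below is an added example (not FireEye's tooling); the group-to-technique mappings and control inventory are constructed sample data, not FireEye's actual ATT&CK mappings, and the output is a minimal ATT&CK Navigator layer plus a ranked hunt list.

```python
"""Combine several groups' ATT&CK techniques into one heat map, overlay
control coverage, and emit a prioritized hunt list and a Navigator layer.
All mappings and controls below are CONSTRUCTED sample data."""
import json
from collections import Counter

# Constructed sample: assumed technique IDs per tracked group (not FireEye's mapping).
GROUP_TTPS = {
    "APT33": {"T1566.001", "T1059.001", "T1021.002", "T1003.001"},
    "APT34": {"T1566.001", "T1059.001", "T1021.002", "T1071.004"},
    "APT35": {"T1566.001", "T1110.003", "T1059.001"},
    "APT39": {"T1566.001", "T1021.002", "T1003.001"},
    "TEMP.Zagros": {"T1566.001", "T1059.001", "T1021.002"},
    "TEMP.Omega": {"T1566.001", "T1059.001"},
}

# Constructed sample: the organization's detection / mitigation inventory per technique.
CONTROLS = {
    "T1566.001": {"detection": True, "mitigation": True},
    "T1059.001": {"detection": True, "mitigation": False},
    "T1021.002": {"detection": False, "mitigation": False},
    "T1003.001": {"detection": True, "mitigation": True},
}

def ttp_scores(group_ttps):
    """Step 2: number of groups sharing each technique (the 1-6 colour scale)."""
    return Counter(t for ttps in group_ttps.values() for t in ttps)

def coverage(technique, controls):
    """Step 3: 'green' only when both a detection and a mitigation exist, else 'red'."""
    c = controls.get(technique, {})
    return "green" if c.get("detection") and c.get("mitigation") else "red"

def prioritize(group_ttps, controls):
    """Step 4: rank by group count, red gaps ahead of green within equal counts."""
    scores = ttp_scores(group_ttps)
    ranked = sorted(scores, key=lambda t: (-scores[t], coverage(t, controls) != "red", t))
    return [(t, scores[t], coverage(t, controls)) for t in ranked]

def navigator_layer(group_ttps, controls, name="Iran groups vs controls"):
    """Minimal ATT&CK Navigator layer: score = group count, colour = coverage."""
    techniques = [{"techniqueID": t, "score": s,
                   "color": "#ff6666" if cov == "red" else "#66ff66"}
                  for t, s, cov in prioritize(group_ttps, controls)]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}

if __name__ == "__main__":
    for t, s, cov in prioritize(GROUP_TTPS, CONTROLS):
        print(f"{t}: used by {s} group(s), coverage {cov}")
    print(json.dumps(navigator_layer(GROUP_TTPS, CONTROLS), indent=2))
```

The layer JSON can be imported into ATT&CK Navigator to reproduce the two-map overlay of Figures 2 and 3 in one view.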

5. Prioritize Security Control Improvements

Simultaneously, system administrators can begin planning improvements to the identified security control gaps. It is vital to engage key stakeholders across the organization to plan, budget, and ensure execution of these improvements, which focus on both detections and mitigations. This will improve not only the outcome of individual hunts, but the organization’s overall security posture.

6. Leverage the Cyber Analytics Repository (CAR) As Necessary

Analysts can execute hunts according to the prescribed roadmap. As they pivot between artifacts during a search, hunters inevitably come across unexpected and unknown processes, files, and other network events. The Cyber Analytics Repository is an extensive database maintained by MITRE that outlines analytic-based detection methods. We recommend supplementing hunt efforts and playbooks by pivoting to this useful tool throughout the hunt.

Figure 5: Cyber Analytics Repository, MITRE

7. Provide an After Action Report and Update All Heat Maps Accordingly

Following the conclusion of each hunt, analysts can create an after action report detailing the outcome, any findings, roadblocks (either tool-based or process-based), and open questions, which may result in either additional hunts or changes to the cyber landscape at a tactical, operational, or strategic level. Any newly identified hunts can be integrated into the existing roadmap based on their priority. Playbooks can also be updated based on relevant findings.

Analysts can update all heat maps continually based on hunt results, new intelligence, vulnerability reporting, and changes to network architecture. These maps can be revisited at the beginning of each new hunt cycle, to determine whether or not to shift hunt priorities.

Additional Information

Please join us on Monday, Feb. 10, 2020, at 8 a.m. PT/11 a.m. ET for the webinar Operationalizing Cyber Threat Intel for Computer Network Defense: Focus on Iran, where we will discuss how CTI can help improve computer network defense (CND) operations overall.

In addition, please review our recent blog post, FireEye Response to Mounting U.S.-Iran Tensions: Preparing for Possible Iranian Cyber Attacks (Jan. 10, 2020), and webinar, FireEye’s Perspective on Iranian Attacks and Practical Mitigations (Jan. 13, 2020).

Learn more about how FireEye Threat Intelligence can help protect your organization.