Let me help you navigate the Framework Jungle
Frameworks and taxonomies: sometimes people try to sell you one but actually mean the other. It is a real jungle out there.
Like always, let’s look at the definition of the word:
A taxonomy (or taxonomical classification) is a scheme of classification, especially a hierarchical classification, in which things are organized into groups or types. (source: wikipedia)
A framework is a generic term commonly referring to an essential supporting structure which other things are built on top of. (source: wikipedia)
In my experience people get highly confused by the number of different frameworks available, and MITRE ATT&CK in particular contributes to that. To me, MITRE ATT&CK is a modern buzzword; it should actually stay in the endpoint corner, but with all the new hype people think they can build their whole SOC around it.
But anyways, let’s have a look, shall we?
Operational, Business and Risk
Before even thinking about the SOC, there might be frameworks in place which guide and define the overall rules of your IT and business operation. So it pays to do some inventory first.
- COBIT: COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for IT management and IT governance. The framework is business focused and defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. (source: wikipedia)
COBIT makes a great source to structure your overall IT operation.
While many SOCs will use other frameworks and taxonomies during their daily operation, there is at least one security operations framework which can help you structure your overall security operation and the SOC itself:
- NIST Cybersecurity Framework, the framework discusses all elements of a SOC operation (Identify, Protect, Detect, Respond & Recover) and also links them to other frameworks like COBIT, ISO, ISA and others. It is focused more directly on security, so it sits somewhere between business and security operations.
- ISO 27001: ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations make the information assets they hold more secure. (source: wikipedia)
Daily Operation Frameworks
This section covers those frameworks which can help your day-to-day business. The huge number of frameworks and taxonomies makes it really hard to navigate, so let's look into some of the most common (and needed) ones.
Sharing of Information
Let's start with the easiest ones, the single-purpose ones. Some frameworks and taxonomies have been created purely to help you share information with others and/or to create reports.
- TLP (Traffic Light Protocol), a defined way of tagging information so all involved parties understand the usage and sharing restrictions of the data. I wrote a full blog post here.
- STIX, I believe the name says it all: "Structured Threat Information eXpression". STIX was designed to structure the information so that shared information is comparable. In the newest version it is a simple JSON-based framework, which ensures that an IP is always an IP address and a threat actor can be seen and linked as such.
- VERIS Framework (source: wikipedia). As with STIX, it's a nice gimmick when the acronym makes sense: "Vocabulary for Event Recording and Incident Sharing". The VERIS Framework is a complete list of options and data points of an incident. It includes the common enumerations and their allowed values, for example CONFIDENCE can be High, Medium, Low or None.
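As an added example (not from the original post, and not the OASIS `stix2` library), here is a constructed STIX 2.1 bundle linking a threat actor to an IPv4 observable, plus a small check that does what the text promises: the `ipv4-addr` value must really be an IPv4 address, every id must carry its object's type, and a relationship must point at objects that exist in the bundle. The ids and the address are made-up sample values.

```python
import ipaddress
import json
import re

# Constructed STIX 2.1 bundle (sample values, not from any real feed):
# a threat actor, an IPv4 observable and the relationship between them.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0d1c2b3a-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    "objects": [
        {"type": "threat-actor", "spec_version": "2.1",
         "id": "threat-actor--b2a3f9c4-6d1e-4a7b-9c8d-0e1f2a3b4c5d",
         "created": "2021-01-01T00:00:00.000Z",
         "modified": "2021-01-01T00:00:00.000Z", "name": "Example Actor"},
        {"type": "ipv4-addr", "spec_version": "2.1",
         "id": "ipv4-addr--7c6b5a49-3827-4f1e-8d0c-9b8a7f6e5d4c",
         "value": "203.0.113.10"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
         "created": "2021-01-01T00:00:00.000Z",
         "modified": "2021-01-01T00:00:00.000Z", "relationship_type": "uses",
         "source_ref": "threat-actor--b2a3f9c4-6d1e-4a7b-9c8d-0e1f2a3b4c5d",
         "target_ref": "ipv4-addr--7c6b5a49-3827-4f1e-8d0c-9b8a7f6e5d4c"},
    ],
})

# Same bundle with two deliberate defects: an impossible IP and a dangling ref.
_broken = json.loads(SAMPLE_BUNDLE)
_broken["objects"][1]["value"] = "203.0.113.999"
_broken["objects"][2]["target_ref"] = "ipv4-addr--00000000-0000-4000-8000-000000000000"
BROKEN_BUNDLE = json.dumps(_broken)

# STIX identifier: "<object-type>--<UUID>"; the type prefix must match "type".
STIX_ID = re.compile(r"^([a-z0-9][a-z0-9-]+[a-z0-9])--[0-9a-f]{8}-[0-9a-f]{4}"
                     r"-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def validate_bundle(text):
    """Return a list of problems found in a STIX bundle; empty means it passed."""
    problems, objects = [], {}
    for obj in json.loads(text).get("objects", []):
        match = STIX_ID.match(obj.get("id", ""))
        if not match or match.group(1) != obj.get("type"):
            problems.append(f"bad id {obj.get('id')!r} for type {obj.get('type')!r}")
            continue
        objects[obj["id"]] = obj
    for obj in objects.values():
        if obj["type"] == "ipv4-addr":
            try:
                ipaddress.IPv4Address(obj.get("value", ""))
            except ValueError:
                problems.append(f"{obj['id']}: {obj.get('value')!r} is not an IPv4 address")
        elif obj["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj.get(key) not in objects:  # reference must resolve inside the bundle
                    problems.append(f"{obj['id']}: {key} {obj.get(key)!r} does not resolve")
    return problems
```

For production use the `stix2` library and its validator cover far more of the specification; this only shows why a structured format makes shared data comparable.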
Endpoint Detection and Hunting
… and with this we finally come to MITRE ATT&CK. In my professional experience I have encountered many SOC managers who want to use MITRE ATT&CK as the foundation of their SOC operation. The statement alone drives me nuts.
MITRE ATT&CK is a great framework, but its usage is pretty much limited to the endpoint. The strong suit of MITRE is the endpoint: almost every EDR (Endpoint Detection and Response) product will already tag an alert with a technique or tactic for you to choose from.
Use Case Design
The MaGMa Use Case Framework (UCF) is a framework and tool for use case management and administration that helps organizations to operationalize their security monitoring strategy. MaGMa stands for Management, Growth, Metrics & assessment. These are the pillars of the framework that help to guide the use case management process. The MaGMa framework covers everything from the creation of new use cases to maintenance of use cases, growing and maturing existing use cases, and embedding use case management in a continuous improvement approach. The MaGMa UCF provides the capability to be in control of your security monitoring process and the alignment of security monitoring to business and compliance needs. The framework provides the ability to prove to your stakeholders that the SOC is in control and adequately managing and decreasing risk in the enterprise. (source: MaGMa)
MaGMa is the answer I normally give to anyone thinking about use cases for detection, or the traditional SIEM use cases if you like. Besides the fact that I know some of the people who worked on it, it has been a great joint effort by several Dutch and Belgian financial institutions. It covers almost every aspect of the use case ecosystem, so it is definitely worth a look.
MaGMa also uses the Kill Chain to visualize the phase of a detection.
The Kill Chain is still my favorite. It's an intelligence-driven defense model, created to help you identify and prevent a cyber attack. Every attack will basically fall into one of these 7 categories:
- reconnaissance: an attacker probing your network or harvesting information they can use in an attack.
- weaponization: creating a payload which can be delivered (based on the gathered data, think about spear phishing)
- delivery: the weaponized bundle gets delivered
- exploitation: using vulnerabilities to execute code
- installation: becoming persistent or adding tools
- command & control: enabling remote control of whatever happened during "installation"
- actions on objective: accomplishing the goal
As you may have spotted already, the kill chain is a pretty sharp tool. Any (security) event you find in your environment can be mapped to one of the categories of the kill chain.
With this mapping you also learn what must have happened before the event and what may come next. Whenever I write a use case, the Kill Chain is still on my mind… and yes, only if the use case covers attacks or security events on an endpoint do I add MITRE ATT&CK to it.
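As an added example (not from the original post, and not MaGMa's own tooling), here is how a small use case catalogue can carry the two rules above: every use case is tagged with exactly one of the seven kill chain phases, and an ATT&CK technique id is only accepted on endpoint-scoped use cases. The catalogue, its names and scopes are constructed sample data; `coverage` then shows which phases the catalogue leaves blind, and `context` gives the "before" and "after" phases of an event.

```python
import re

# The seven Cyber Kill Chain phases, in attack order.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command & control", "actions on objective"]

# ATT&CK technique ids look like T1059 or, for a sub-technique, T1059.001.
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed use case catalogue (sample data, not from any real SOC).
USE_CASES = [
    {"name": "Port scan from external range", "scope": "network", "phase": "reconnaissance"},
    {"name": "Malicious attachment opened", "scope": "endpoint", "phase": "exploitation",
     "attack": "T1204.002"},
    {"name": "New Windows service installed", "scope": "endpoint", "phase": "installation",
     "attack": "T1543.003"},
    {"name": "Beaconing to rare domain", "scope": "network", "phase": "command & control"},
]

def validate_use_case(uc):
    """Return the problems with one use case; an empty list means it follows the rules."""
    problems = []
    if uc.get("phase") not in KILL_CHAIN:
        problems.append(f"{uc['name']}: unknown kill chain phase {uc.get('phase')!r}")
    attack = uc.get("attack")
    if attack is not None:
        if uc.get("scope") != "endpoint":  # ATT&CK stays in the endpoint corner
            problems.append(f"{uc['name']}: ATT&CK tag on a non-endpoint use case")
        if not ATTACK_ID.match(attack):
            problems.append(f"{uc['name']}: malformed ATT&CK id {attack!r}")
    return problems

def coverage(use_cases):
    """Map every kill chain phase to the names of the valid use cases that detect it."""
    cov = {phase: [] for phase in KILL_CHAIN}
    for uc in use_cases:
        if not validate_use_case(uc):
            cov[uc["phase"]].append(uc["name"])
    return cov

def gaps(use_cases):
    """Phases without any use case, in kill chain order: your detection blind spots."""
    return [phase for phase, names in coverage(use_cases).items() if not names]

def context(phase):
    """Phases that must already have happened (before) and that may follow (after)."""
    i = KILL_CHAIN.index(phase)
    return KILL_CHAIN[:i], KILL_CHAIN[i + 1:]
```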
That’s it for today, please leave a 👏 and be excellent to each other.