Stepping into a time machine and traveling back to the past, during the last half of my nearly 20-year career at MITRE I served in a variety of roles that spanned the evolution of MITRE ATT&CK®. I started as a detection engineer / hunter when ATT&CK was just a flicker in the eye of Blake Strom, who is now a Tidal Cyber Advisory Board member. As one of the earliest practitioners as ATT&CK gained popularity, I turned into an ATT&CK evangelist and was tasked with increasing ATT&CK adoption across the vendor community. This eventually led to me creating ATT&CK Evaluations to keep marketing teams honest and provide vendors with an opportunity for self-reflection on how to improve coverage.
The results? ATT&CK has been heavily adopted across the vendor community and is used to create heatmaps. Almost all EDRs, SIEMs, and many other products include an ATT&CK heatmap in their product, and many others in their marketing. That sounds pretty great! All our ATT&CK coverage questions are solved!
Except unfortunately, that isn’t true. It’s a huge step forward, but that vendor heatmap is not enough.
There are three main challenges with traditional heatmaps:
Problem 1: Not all heatmaps communicate the same thing.
- General coverage with no specifics: Too frequently you get a heatmap with colored boxes, but no description of which capabilities are providing the coverage. You get ATT&CK cells turned green, without knowing what provides that coverage.
- Deep specifics of rule coverage, but not much else: Rich context for detection capabilities can be extremely valuable. Not every vendor provides glimpses into their black-box rules engine, but luckily more and more products are treating this as an industry norm. But rule logic isn’t everything. There is little or no context on how a specific configuration setting is going to alter your coverage, or the types of countermeasures in place beyond detections that provide coverage.
- Not representative of your coverage: There is no direct correlation between the coverage depicted in the heatmap and how the tool is deployed in your environment. What’s worse, there’s little indication in these heatmaps if the coverage provided requires that you enable all the features from the vendor and what is enabled by default. A single matrix isn’t telling you both the art of the possible and what you have.
- It is not kept up to date: Unfortunately, as someone who works closely with vendors, I find that heatmaps are usually not dynamic. Instead, they are updated as time allows – on a quarterly, yearly, or less frequent basis.
Problem 2: Heatmaps don’t take into account an organization’s threat profile.
- Across the board in product-specific heatmaps, coverage is a binary yes or no, or at best a list of how the product detects a given technique. It doesn’t take into account the complexity of a technique, which comes from the procedural details of how that technique is carried out. You might be covered for some versions of that technique, but not all.
- ATT&CK heatmaps don’t take into account the relative importance of techniques. As I and others have historically written ad nauseam – not all techniques matter the same. Among many variables, you have to take into account:
  - How each technique’s impact and frequency compare to one another
  - Which techniques the threats specific to your sector are using, so that you can weigh techniques and prioritize your coverage on the right things.
Problem 3: Vendor heatmaps don’t consider the other tools you have, so you only get a piece of the puzzle.
- Single product view: Your security stack is complex, but you aren’t getting credit for anything else you have. A gap in one product’s coverage might be acceptable if another product or policy fills it, but without an aggregate understanding you will never know that.
- Single vendor view: As the security market has started to swing back towards a consolidated platform solution, you might have one vendor providing multiple solutions. While this gets you some broader coverage, you are still limited to only the products that are part of that platform, and you still face all the challenges of how vendors define scope that we discussed above, including the lack of the right level of specificity.
- SIEM / SOAR view: The capabilities of these products are defined by the connectors you have and the automations you have built. For instance, there are solutions that will share logs seen from each of the connected products, but what about protections and mitigations those platforms provide? How do heatmaps register what the art of the possible is and not just what they are observing? They don’t. They are focused on specific types of data being fed into the SIEM and how that data is used in analytics – important but not everything.
Reducing Risk with What You Have: The Art of the Possible
At Tidal Cyber, we address all three of these challenges by working with vendors and our users to deliver Coverage Maps that maximize the reduction of residual risk.
Solution 1: We provide a comprehensive, systematic representation of product capabilities.
- We work with vendors to aggregate and maintain a detailed database of product capabilities.
- We know what capabilities are native to each product and what those capabilities do (i.e., mitigate, protect, detect, log, respond, test) and we assign a level of risk reduction to each capability based on capability type. Because of our ATT&CK domain expertise, we know which adversary techniques and sub-techniques are mitigated by each of those capabilities (typically several techniques per capability).
- The Tidal Cyber platform integrates via API with a customer’s security platforms to pull and maintain up-to-date configuration data that lets us know which of those thousands of capabilities are configured “on,” and which are still dormant.
Solution 2: We focus on threats that matter to you.
- The ATT&CK knowledge base is the foundation for how we categorize threats, supplemented with additional threat intelligence the Tidal Cyber platform provides.
- Regular extensions to the threat knowledge base including groups, software, campaigns and relationships.
- Additional context to determine what threats matter to you (e.g., observed sectors).
- We curate Threat Profiles specific to your sector and other trending threats, and additionally weight techniques based on their relative impact, so you can prioritize changes to your coverage.
Solution 3: We stack defenses for an accurate measure of residual risk.
- With a detailed understanding of your defenses and how they are deployed, our platform stacks defenses to calculate cumulative risk reduction on a technique-by-technique basis.
- As CTI and security products are added or updated, Threat Profiles and Defensive Stack capabilities are automatically updated to provide the individual and aggregate impact of your tools on relevant risk.
- We immediately reflect that knowledge in the prioritization of which capability to enable to reduce residual risk.
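To make the two ideas above concrete (weighting techniques by a threat profile from Problem 2, and stacking per-technique defenses to get residual risk from Solution 3), here is an added worked example. It is not Tidal Cyber's code or scoring model: the per-capability-type reduction factors, the technique weights, the products and capability names, and the multiplicative stacking formula are all assumptions constructed for illustration. It produces both the "what you have" view (only enabled capabilities) and the "art of the possible" view (everything switched on), and ranks dormant capabilities by how much weighted residual risk each would remove if enabled.

```python
from dataclasses import dataclass, replace

# Hypothetical risk-reduction factor per capability type (assumed for this
# example; the real weighting Tidal Cyber uses is not described on the page).
TYPE_REDUCTION = {
    "mitigate": 0.6,
    "protect": 0.5,
    "detect": 0.4,
    "respond": 0.2,
    "log": 0.1,
    "test": 0.05,
}


@dataclass
class Capability:
    product: str
    name: str
    kind: str            # one of the TYPE_REDUCTION keys
    techniques: tuple    # ATT&CK technique / sub-technique IDs it covers
    enabled: bool        # current configuration state in the deployment


@dataclass
class Technique:
    tid: str
    weight: float        # relative importance taken from the threat profile


def stacked_reduction(reductions):
    """Assumed stacking model: treat defenses as independent layers, so the
    residual fraction is the product of (1 - r_i) over all applicable layers."""
    residual = 1.0
    for r in reductions:
        residual *= 1.0 - r
    return 1.0 - residual


def coverage_map(techniques, capabilities, only_enabled=True):
    """Per technique ID: (stacked reduction, weighted residual risk).

    only_enabled=True  -> what you have (deployed configuration)
    only_enabled=False -> the art of the possible (every capability on)
    """
    result = {}
    for t in techniques:
        factors = [
            TYPE_REDUCTION[c.kind]
            for c in capabilities
            if t.tid in c.techniques and (c.enabled or not only_enabled)
        ]
        reduction = round(stacked_reduction(factors), 4)
        result[t.tid] = (reduction, round(t.weight * (1.0 - reduction), 4))
    return result


def total_residual(techniques, capabilities):
    """Sum of weighted residual risk across the whole threat profile."""
    return sum(v[1] for v in coverage_map(techniques, capabilities).values())


def rank_dormant_capabilities(techniques, capabilities):
    """Rank disabled capabilities by the weighted residual risk each would
    remove if switched on, evaluated one at a time against the baseline."""
    baseline = total_residual(techniques, capabilities)
    gains = []
    for cap in capabilities:
        if cap.enabled:
            continue
        trial = [replace(c, enabled=True) if c is cap else c for c in capabilities]
        gains.append((cap.product, cap.name,
                      round(baseline - total_residual(techniques, trial), 4)))
    gains.sort(key=lambda g: g[2], reverse=True)
    return gains


# Constructed sample threat profile and defensive stack (not real product data).
SAMPLE_TECHNIQUES = [
    Technique("T1059.001", 1.0),   # PowerShell
    Technique("T1003.001", 0.8),   # LSASS Memory
    Technique("T1566.001", 0.6),   # Spearphishing Attachment
    Technique("T1021.001", 0.3),   # Remote Desktop Protocol
]

SAMPLE_CAPABILITIES = [
    Capability("EDR", "Script block logging", "log", ("T1059.001",), True),
    Capability("EDR", "Credential dump prevention", "protect", ("T1003.001",), True),
    Capability("SIEM", "Suspicious PowerShell rule", "detect", ("T1059.001",), True),
    Capability("Email gateway", "Attachment sandbox", "detect", ("T1566.001",), True),
    Capability("EDR", "Constrained language mode", "mitigate", ("T1059.001",), False),
    Capability("Firewall", "Block inbound RDP", "mitigate", ("T1021.001",), False),
]

if __name__ == "__main__":
    print("Deployed:", coverage_map(SAMPLE_TECHNIQUES, SAMPLE_CAPABILITIES))
    print("Possible:", coverage_map(SAMPLE_TECHNIQUES, SAMPLE_CAPABILITIES, only_enabled=False))
    print("Enable next:", rank_dormant_capabilities(SAMPLE_TECHNIQUES, SAMPLE_CAPABILITIES))
```

With the sample data, PowerShell (T1059.001) is covered by two enabled layers (log 0.1 and detect 0.4) for a stacked reduction of 0.46 and a weighted residual of 0.54, while RDP has no enabled coverage at all. The ranking still puts the dormant constrained language mode control first, because the weight of T1059.001 in the threat profile makes the remaining 0.54 of residual risk worth more than the whole 0.3 on RDP; that is the difference between a coverage map weighted by your threat profile and a flat heatmap where an empty cell always looks like the biggest gap.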
Turn Up the Heat
Aligning Threat Profiles and Defensive Stacks by techniques makes it easy to create Coverage Maps that show your ability to defend against a given technique, campaign, adversary group, or portfolio of adversary groups that may be a threat to your organization.
With a few clicks you get: a clear and granular view of where risk exists, when to turn on a configuration in an existing tool to fill a gap or when to consider adding a new tool to your stack, and even where there’s overlap. Tidal Cyber Coverage Maps go well beyond traditional heatmaps to reveal both your reality as it exists at that moment and the art of the possible, so you can address residual risk.