Security professionals are aware of the proven benefits of the MITRE ATT&CK framework – the free, globally accessible service that offers comprehensive and current cyber security threat information to organisations – but are not necessarily confident in the ability of their security systems to successfully detect all the tactics and techniques identified in it.
That is according to a joint report produced by McAfee and the Center for Long Term Cybersecurity at the University of California, Berkeley, MITRE ATT&CK as a framework for cloud threat investigations, which focuses on threat investigation in the cloud through the framework’s lens.
Rajiv Gupta, senior vice-president of cloud security at McAfee, said the widespread adoption of remote working initiatives was only serving to accelerate attacks on data and workloads held in the cloud, making threat discovery frameworks a must.
“As organisations review their existing technology stacks and strategies to keep their security posture effective, both from an efficacy and operational perspective, they should strongly consider interoperability with a consistent framework such as MITRE ATT&CK, which remains the most widely used framework across all industries to find gaps in visibilities, tools and processes,” said Gupta.
This view was borne out by the investigation, which confirmed that the rapid change in security postures wrought by the adoption of cloud services, in particular the changing delineation of responsibility for security in the cloud, was complicating and overwhelming many security pros, creating a need and a desire for a standardised investigation framework.
Positively, MITRE ATT&CK is indeed seeing widespread adoption in enterprises, with 87% of respondents believing that implementing it would improve cloud security, 81% already using it, 63% using both its matrix for enterprise and its matrix for cloud, 57% using it to determine gaps in deployed security solutions, 55% backing it for security policy implementation and 54% using it for threat modelling.
But although more than 80% of respondents said they experienced the adversary tactics and techniques identified by MITRE ATT&CK on a daily, monthly or annual basis, only 49% said they felt highly confident that their implemented security systems were up to the job of detecting them.
McAfee and UC Berkeley suggested that this doubt stemmed from challenges associated with the framework – 45% said their greatest challenge was interoperability, and 43% found it hard to map event-specific data to tactics and techniques.
Also, 61% said they were not currently correlating events from cloud, networks and endpoints to investigate threats, which further muddies the waters around shared responsibility models and makes it harder to manage threats that increasingly span cloud, on-premises and hybrid environments.
Nigel Hawthorn, data privacy expert for cloud security at McAfee, described this failure to correlate security events across the IT estate as a serious concern.
“As attackers can gain access via a single vulnerability, then move laterally searching for weak defences and sensitive data, a way to view all points and threats is of huge value to the security operations centre [SOC] team who are always tight on time and resource,” he said.
“Securing data in the cloud is a shared responsibility that doesn’t fall solely on one party. From cloud service providers to end-users, each element of the ‘stack of responsibility’ has an individual part to play, but they all interact together.
“Taking a collaborative approach and using a framework to standardise investigation across cloud services and on-premise infrastructure is crucial if we are to meet today’s complex security challenges head-on. When implemented correctly, cloud is the most secure place to do business and an incredible driver of business growth, innovation and resiliency.”
McAfee recommends a multi-step approach to maintaining a strong security posture in the cloud. Alongside the MITRE ATT&CK Cloud Matrix, CISOs should deploy comprehensive threat investigation to improve their understanding of what is happening across their environments and to systematically correlate and address events occurring in different places, and they should consider embracing automation to reduce the workload of SOC analysts investigating multiple environments.