UNDERSTANDING ATTACKFLOW

I had developed an interest in threat intelligence, threat-informed defense and purple teaming, and was looking for ways to practice more when I came across a post by David G. I wanted to gain a deeper understanding of the field and was tasked to look into "Attack Flow" as a concept that helps organizations understand the adversaries and threats to their businesses. This is a simplified overview, and I hope it helps.

  • What is it?
  • Who can use it?
  • How does it work?

What is an attack flow?

To understand this, we first need to understand the two key concepts in use. While many definitions exist, I'll try to break it down as much as I can.

Attack: An attack is an intentional event to compromise information assets by a threat.

Flow: A flow is a precise way to communicate, between attackers and defenders, a key chain of events.

Attack Flow: An attack flow provides a common language and toolset for describing complex adversary behavior. It helps an intelligence consumer visualize the tactics, techniques, and procedures used by an attacker, and it can be used to identify key areas in which to improve your organization's defenses.


How does it work?

ATT&CK™ for Enterprise is an adversary model and framework for describing the actions an adversary may take to compromise and operate within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the tactics, techniques, and procedures (TTPs) cyber threats use to gain access and execute their objectives while operating inside a network. (Source: IBM)

As described by IBM, ATT&CK™ for Enterprise:

"…helps characterize adversary behavior, detailing the tactics, techniques, and procedures (TTPs) cyber threats use to gain access and execute their objectives while operating inside a network."

Who can use it?

The attack flow has various use cases and is typically used by intelligence consumers at all three levels of an organization: Tactical, Operational, and Strategic.


Figure 1.2 Black Basta Ransomware (https://center-for-threat-informed-defense.github.io/attack-flow/ui/?src=..%2fcorpus%2fBlack%20Basta%20Ransomware.afb)

The flow diagram above contains the sections/stages of the Black Basta ransomware attack, giving information on the attacker's TTPs through the following fields:

Action: The specific step taken by the attacker

Tactic_Id: The broader goal or strategy behind the step (the ATT&CK tactic)

Technique_Id: The exact method or tool used by the attacker (the ATT&CK technique)

Description: A brief explanation of the action taken

Confidence level: How confident we are in the accuracy of this part of the attack flow

These fields can be mapped to specific techniques and their tactic groups on the MITRE ATT&CK Matrix, a widely used framework for categorizing adversary behavior.
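To make the field list concrete, here is an added example (not code from the article or from the Attack Flow project) that models a flow as a chain of actions carrying exactly those fields, validates the tactic and technique IDs, groups techniques by tactic for overlaying on the ATT&CK matrix, and flags the low-confidence steps where a defender would want more intelligence before investing. The dictionary layout and the sample flow are constructed for illustration; the real project stores flows as .afb files, and this example does not attempt to read that format.

```python
import re

# Constructed, simplified attack-flow representation (added example; not the
# Attack Flow project's own .afb format). Each action carries the fields the
# article lists (action, tactic_id, technique_id, description, confidence) plus
# a "next" link so the actions form a chain of events.
TACTIC_ID = re.compile(r"^TA\d{4}$")              # e.g. TA0001 (Initial Access)
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1566 or T1566.001

SAMPLE_FLOW = {
    "name": "Illustrative ransomware-style flow (constructed, not Black Basta data)",
    "start": "a1",
    "actions": {
        "a1": {"action": "Phishing email delivered to employee",
               "tactic_id": "TA0001", "technique_id": "T1566",
               "description": "Initial access via a malicious email",
               "confidence": 90, "next": "a2"},
        "a2": {"action": "Employee opens the attachment",
               "tactic_id": "TA0002", "technique_id": "T1204",
               "description": "User execution of the delivered payload",
               "confidence": 70, "next": "a3"},
        "a3": {"action": "Files on shared drives encrypted",
               "tactic_id": "TA0040", "technique_id": "T1486",
               "description": "Data encrypted for impact; ransom note dropped",
               "confidence": 95, "next": None},
    },
}


def ordered_actions(flow):
    """Walk the chain from the start action as (id, action) pairs.

    Stops at the end of the chain, at a link to an unknown action, or when
    an action repeats (a cycle), so it always terminates.
    """
    actions = flow["actions"]
    order, seen, aid = [], set(), flow["start"]
    while aid in actions and aid not in seen:
        seen.add(aid)
        order.append((aid, actions[aid]))
        aid = actions[aid]["next"]
    return order


def validate_flow(flow):
    """Return a list of problems; an empty list means the flow is well-formed."""
    problems = []
    actions = flow["actions"]
    if flow["start"] not in actions:
        problems.append(f"start action {flow['start']!r} does not exist")
    for aid, a in actions.items():
        if not TACTIC_ID.match(a["tactic_id"]):
            problems.append(f"{aid}: bad tactic_id {a['tactic_id']!r}")
        if not TECHNIQUE_ID.match(a["technique_id"]):
            problems.append(f"{aid}: bad technique_id {a['technique_id']!r}")
        if not 0 <= a["confidence"] <= 100:
            problems.append(f"{aid}: confidence must be between 0 and 100")
        if a["next"] is not None and a["next"] not in actions:
            problems.append(f"{aid}: next points to unknown action {a['next']!r}")
    reached = {aid for aid, _ in ordered_actions(flow)}
    for aid in actions:
        if aid not in reached:
            problems.append(f"{aid}: not reachable from the start action")
    return problems


def techniques_by_tactic(flow):
    """Group technique IDs under their tactic, ready to overlay on the ATT&CK matrix."""
    grouped = {}
    for a in flow["actions"].values():
        grouped.setdefault(a["tactic_id"], set()).add(a["technique_id"])
    return {t: sorted(v) for t, v in sorted(grouped.items())}


def low_confidence(flow, threshold=75):
    """IDs of actions below the confidence threshold, in chain order.

    These are the stages where more intelligence is needed before the flow
    should drive defensive investment.
    """
    return [aid for aid, a in ordered_actions(flow) if a["confidence"] < threshold]


if __name__ == "__main__":
    print("problems:", validate_flow(SAMPLE_FLOW))
    for aid, a in ordered_actions(SAMPLE_FLOW):
        print(f"{aid}: {a['tactic_id']} / {a['technique_id']} - "
              f"{a['action']} ({a['confidence']}% confidence)")
    print("techniques by tactic:", techniques_by_tactic(SAMPLE_FLOW))
    print("needs more intel:", low_confidence(SAMPLE_FLOW))
```

The grouping returned by `techniques_by_tactic` is the piece you would hand to whoever maintains your ATT&CK coverage map: each tactic column gets the techniques this flow says the adversary used, and the `low_confidence` list tells them which of those cells rest on weak evidence.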

Conclusion

The attack flow can:

  • Help to better prioritize resources based on the insights the flow has provided
  • Identify the stages or pattern of an attack and key areas to strengthen defenses
  • Help with faster detection and response through clear indicators

Have you used Attack Flow or the MITRE ATT&CK framework in your organization? What's your experience?

What other tools do you think are essential for improving threat-informed defense?

Big thanks to Kev Milne and Keith Wilson for helping me understand most of the concepts in the area of CTI and TID.
