Focus Investigations With MITRE ATT&CK Insights

Integrate Automated Evidence Analysis and Mapping to Your Investigations

Understanding an attacker’s behavior and their tactics, techniques and procedures (TTPs) is vitally important to any investigation – it provides critical context that allows for more efficient and effective investigations. This context informs what response actions are appropriate, and improves short, and long-term, response outcomes.  

But the threat landscape is growing increasingly complex, and it can be difficult to keep on top of every IoC, malware family, and adversary tricks, particularly given the scope of activities that can be involved in any one investigation.  Luckily, frameworks like the MITRE ATT&CK framework are available to aid analysts and investigators.

What Exactly Is MITRE ATT&CK?

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques, curated from real-world observations.

It acts as a knowledge base that can be used as the foundation for the development of specific threat models and methodologies. These threat models and methodologies are relevant across the private sector, government organizations and are a cornerstone of the cybersecurity product and service communities.

MITRE ATT&CK was conceived to help combat the continuously advancing threats that arise daily by mapping IoCs and uniting communities to forge improved cybersecurity strategies.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Integrating Valuable Insights Into Investigations

The MITRE ATT&CK framework therefore offers key information and helps provide signposts for incident responders, hunters and analysts to leverage as they work through an investigation. It’s also really important in helping them better understand how a cybersecurity incident may have occurred.

In addition to providing this important context, the mapping of observed indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) to specific ATT&CK tactics and techniques, helps to speed up the detection and analysis phase, by providing: 

  1. Common Language: MITRE ATT&CK provides a common taxonomy and language for cyber security practitioners to describe adversary tactics, techniques, and procedures (TTPs). This common language can be invaluable during incident response to quickly and accurately convey information about the attack amongst other analysts or colleagues. 
  2. Attack Characterization: Analysts can use MITRE ATT&CK to help characterize and categorize the nature of the attack. By matching observed behaviors to the framework, analysts can identify the TTPs being used by the adversary.
  3. Guidance on Response: The framework can guide analysts in identifying which actions to take to counteract observed TTPs. This might involve specific mitigation measures to prevent further breaches or adjustments to defenses to disrupt ongoing attacks.
  4. Prioritization: MITRE ATT&CK can help analysts prioritize their actions based on the tactics and techniques observed. Some actions may be more critical to address immediately, while others can be handled later. This can be a big help to teams where there are resource challenges or teams are geographically dispersed  and might need to collaborate.
  5. Threat Intelligence: MITRE ATT&CK can be used to enrich threat intelligence by comparing current incident data with known patterns of adversary behavior. This can help in attributing the attack to specific threat actors or campaigns, if they’re known to use certain TTPs.

What Is the AIR MITRE ATT&CK Analyzer Feature?

AIR includes a suite of incident response capabilities including automated evidence analyzers based on research from our in-house researchers and threat hunters – known as the Binalyze DFIR Lab – and incorporates the very latest versions of MITRE ATT&CK. 

With their fingers on the pulse of the cybersecurity ecosystem, the DFIR Lab ensures that AIR’s built-in automated evidence analyzers always include the latest IOCs to provide detailed insights into the tactics and techniques used by attackers.This is all about giving you visibility into suspicious activity on your networks and assets. Being able to automate this process means that you can  save time on what’s “known”, are able to confidently cut through  the noise of evidence, and move more quickly through investigations.

The DFIR Lab, here at Binalyze, is always working towards an ambitious roadmap of new features and enhanced capabilities, all designed to make your investigations easier from the moment they start.

Below, we’ll explore how AIR’s MITRE ATT&CK analyzers and mapping can help you protect your organization from cyber threats.

Like all the other analyzers built into AIR,  the MITRE ATT&CK Analyzer enables responders and analysts, like you, to make decisions faster and piece together critical information as part of an investigation.

Thanks to the exhaustive R&D work carried out by our world-class DFIR Lab team, the MITRE ATT&CK Analyzer combines a high level of detection rate for malicious indicators with an extremely low false positive rate.

The integration of MITRE ATT&CK Analyzer delivers benefits of additional YARA rules for detecting potential Indicators of Compromise (IoC) or TTPs (Tactics, Techniques and Procedures). 

As of November 2023, we’re supporting more than 25,000 IoCs, with additional rules being added constantly by the DFIR Lab team. Keep track of our additions by following our team on X (Twitter) and Linkedin.

Finding details; 

Detailed information for each verdict

Comprehensive analyzers help you see the attack stages, the footprints of any attackers, and which of the tactics in MITRE ATT&CK were used.  

By using this option, you’ll have a greater understanding of what the attackers intentions were and what they’ve done in your systems. Categorizing IOCs and malware identified by our automated evidence analyzers against certain MITRE tactics and categories using MITRE ATT&CK mapping makes it even quicker and easier to understand the intent of certain IOCs and start the process towards appropriate remediation.

Findings from the automated analyzers can then be viewed as part of comprehensive, intuitive and efficient investigation experience in the new AIR Investigation Hub

Read more about how our automated analyzers are used within the Investigation Hub to move through a malware investigation in our recent blog.

The Investigation Hub consolidates case relevant evidence, artifacts and insights into a single pane of glass. By having everything in one place, it removes the unnecessary and inefficient back and forth of hunting for relevant information, streamlining your investigation and remediation efforts.

To help focus and progress the investigation, analyzers provide three verdict levels to you, representing how serious any discovered threat is.

Threat levels:

  • Dangerous – a dangerous verdict will indicate specific malware families or TTPs that are only ever used by malware.
  • Suspicious – a suspicious verdict aims to highlight indicators that are more than likely to be used for malicious rather than legitimate purposes.
  • Relevant – relevant is our lowest verdict level. This level is intended to show indicators that we can’t say are 100% malicious until they’ve been more thoroughly analyzed. A good example would be either a password protected archive or macro enabled office document. These file types are typically used for legitimate purposes but have gained popularity amongst bad actors for exploitation

What Problem Does This Solve for AIR Customers?

During your analysis, the analyzers will quickly and clearly show you any easily compromised assets amongst your total estate of hundreds or thousands of machines. 

You’ll never again have to spend your time hunting for a needle in a haystack.  Finding from AIR’s MITRE ATT&CK Analyzer, working in conjunction with Investigation Hub, free-up time to focus on other key parts of your DFIR investigation process – driving faster remediation and incident response case closures.

Watch our new on-demand webinar to learn more about how AIR’s Investigation Hub provides the context needed to prioritize next steps in your investigation.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, February 21 2024 #digitalforensics #dfir

Forensic Focus 21st February 2024 6:19 pm

Alan Platt, Professional Services Consultant at MSAB, discusses his experience as a former UK police officer working in digital forensics. He talks about the different levels of digital forensics capabilities within police forces and how MSAB products like XAMN and XEC Director are used by frontline officers versus lab analysts. 

The discussion covers how MSAB partners with law enforcement to develop custom workflows for mobile device acquisitions that facilitate ISO compliance. Alan explains MSAB's managed service offering, where approved MSAB staff can remotely access a customer's XEC Director server to assist with software updates and troubleshooting. He emphasizes the strict data segregation policies enforced by customers to prevent MSAB from accessing any sensitive case data.

Looking ahead, Alan mentions MSAB's new CEO and hints at some exciting developments coming down the pipeline. He spotlights recent enhancements to XEC Director's speed and database functionality for managing large estates of networked Kiosks. Alan also plugs the new XEC Director training he created to help users fully leverage the platform's capabilities.

00:00 – Introduction to Alan Platt
07:00 – Training
12:00 – Workflows
17:20 – Ensuring a secure environment
19:45 – Customer training
20:35 – Helping customers comply with ISO accreditation
25:00 – Validation and verification
27:30 – ISO standards
30:00 – MSAB’s pipeline plans
32:40 – XEC Director 
43:45 – Privacy of user data

Alan Platt, Professional Services Consultant at MSAB, discusses his experience as a former UK police officer working in digital forensics. He talks about the different levels of digital forensics capabilities within police forces and how MSAB products like XAMN and XEC Director are used by frontline officers versus lab analysts.

The discussion covers how MSAB partners with law enforcement to develop custom workflows for mobile device acquisitions that facilitate ISO compliance. Alan explains MSAB's managed service offering, where approved MSAB staff can remotely access a customer's XEC Director server to assist with software updates and troubleshooting. He emphasizes the strict data segregation policies enforced by customers to prevent MSAB from accessing any sensitive case data.

Looking ahead, Alan mentions MSAB's new CEO and hints at some exciting developments coming down the pipeline. He spotlights recent enhancements to XEC Director's speed and database functionality for managing large estates of networked Kiosks. Alan also plugs the new XEC Director training he created to help users fully leverage the platform's capabilities.

00:00 – Introduction to Alan Platt
07:00 – Training
12:00 – Workflows
17:20 – Ensuring a secure environment
19:45 – Customer training
20:35 – Helping customers comply with ISO accreditation
25:00 – Validation and verification
27:30 – ISO standards
30:00 – MSAB’s pipeline plans
32:40 – XEC Director
43:45 – Privacy of user data

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_ifoHVkjJtRc

How MSAB Is Managing The Digital Forensics Challenges Of Frontline Policing

Forensic Focus 21st February 2024 3:07 pm

Podcast Ep. 80 Recap: Empowering Law Enforcement With Nick Harvey From Cellebrite

Forensic Focus 20th February 2024 11:49 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles