Cybereason is pleased to announce the launch of the Attack Flow Project in collaboration with the Center for Threat-Informed Defense, a joint effort aimed at developing a common data format for describing sequences of adversary behavior to improve defensive capabilities.
The Attack Flow Project will enable the broader security community to better visualize, analyze and, most importantly, share the sequences of actions in an attack and the assets they impact, ultimately advancing our understanding of TTPs and how to detect them earlier and remediate them faster.
“Defenders often have to track adversary techniques individually, meaning they can only focus on one specific activity at a time, but adversaries use complex sequences in their attack flows to hide in the network seams and avoid detection until it’s too late,” said Sam Curry, Cybereason CSO.
“Being able to understand the context and correlations across those sequences by chaining together the otherwise disparate Indicators of Behavior (IOBs) allows Defenders to surface complex attacks earlier in the attack sequence and creates the opportunity to respond faster as threats are emerging.”
The goal of the Attack Flow Project is a machine-readable representation of a sequence of attacker actions, the context around them, and descriptive attributes of those actions and the assets they affect. A flow is composed of five main objects: the flow itself, a list of actions, a list of assets, a list of knowledge properties, and a list of causal relationships between the actions and assets.
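To make the five-object model concrete, the following is an added example (not the Attack Flow Project's own schema or code) that represents a flow in Python, orders its actions by walking the causal relationships, and answers the two questions a defender asks of such a flow: which assets does a given action touch, and which earlier actions precede a late-stage observation. The class and field names, the relationship types `causes` and `impacts`, the shape of the knowledge properties, and the sample intrusion are all assumptions made for illustration; the ATT&CK technique IDs are used only as labels.

```python
"""Illustrative attack-flow model. Added example; object and relationship
names are assumed for illustration and are not the project's schema."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Action:
    id: str
    technique: str       # ATT&CK technique ID the action maps to (label only)
    description: str


@dataclass
class Asset:
    id: str
    description: str


@dataclass
class Relationship:
    source: str          # id of an action or asset
    target: str          # id of an action or asset
    type: str            # assumed types: "causes" (action->action), "impacts" (action->asset)


@dataclass
class AttackFlow:
    name: str
    actions: list
    assets: list
    properties: dict = field(default_factory=dict)    # knowledge properties (assumed shape)
    relationships: list = field(default_factory=list)


def ordered_actions(flow):
    """Action ids in causal order (Kahn's algorithm over 'causes' edges).
    Raises ValueError on a cycle, since a cyclic flow is not a sequence."""
    ids = [a.id for a in flow.actions]
    indegree = {i: 0 for i in ids}
    successors = {i: [] for i in ids}
    for r in flow.relationships:
        if r.type == "causes":
            successors[r.source].append(r.target)
            indegree[r.target] += 1
    queue = deque(i for i in ids if indegree[i] == 0)
    order = []
    while queue:
        cur = queue.popleft()
        order.append(cur)
        for nxt in successors[cur]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(ids):
        raise ValueError("causal relationships form a cycle")
    return order


def impacted_assets(flow, action_id):
    """Asset ids the given action impacts."""
    return {r.target for r in flow.relationships
            if r.type == "impacts" and r.source == action_id}


def predecessors(flow, action_id):
    """All actions that transitively precede action_id: given one late-stage
    observation, the earlier behaviours a defender should look for."""
    parents = {}
    for r in flow.relationships:
        if r.type == "causes":
            parents.setdefault(r.target, []).append(r.source)
    seen, stack = set(), [action_id]
    while stack:
        for p in parents.get(stack.pop(), []):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def technique_chain(flow):
    """Techniques in causal order, the sequence a detection rule chain would key on."""
    by_id = {a.id: a for a in flow.actions}
    return [by_id[i].technique for i in ordered_actions(flow)]


# Constructed sample: a four-step intrusion touching two assets.
SAMPLE_FLOW = AttackFlow(
    name="sample-ransomware-flow",
    actions=[
        Action("a1", "T1566", "Phishing email delivers a macro-enabled document"),
        Action("a2", "T1059", "Macro launches a scripting interpreter"),
        Action("a3", "T1021", "Operator moves laterally over remote services"),
        Action("a4", "T1486", "Files on the server are encrypted"),
    ],
    assets=[Asset("workstation", "User workstation"),
            Asset("file-server", "Department file server")],
    properties={"actor": "unknown", "confidence": "medium"},
    relationships=[
        Relationship("a1", "a2", "causes"),
        Relationship("a2", "a3", "causes"),
        Relationship("a3", "a4", "causes"),
        Relationship("a1", "workstation", "impacts"),
        Relationship("a2", "workstation", "impacts"),
        Relationship("a3", "file-server", "impacts"),
        Relationship("a4", "file-server", "impacts"),
    ],
)

if __name__ == "__main__":
    print(technique_chain(SAMPLE_FLOW))
    print(sorted(predecessors(SAMPLE_FLOW, "a4")))
    print(sorted(impacted_assets(SAMPLE_FLOW, "a3")))
```

The point of keeping relationships as a separate list rather than nesting them in the actions is that the same action and asset objects can be reused across flows, and consumers that only care about the causal graph (ordering, upstream lookup) never have to parse the descriptive attributes.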
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally.
Composed of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
Cybereason joined the Center as a Research Participant to conduct research and development to support further evolution of the MITRE ATT&CK® framework, widely accepted as the foundation for a threat-informed defense approach in countering the latest techniques being leveraged by today’s most advanced threat actors.
Cybereason and the Center work to provide Defenders with a deep understanding of adversary tradecraft and advances in the development of countermeasures for prevention, detection and response to complex threats.
“To help the community, we are building several tools to make working with Attack Flows easier. This includes a visualization tool, allowing users to easily communicate flows to each other and also to leadership,” said Jon Baker, Director of Research and Development at the Center.
“There are a number of ways Defenders can use the Attack Flow, and it is our hope that the format becomes a standard used throughout the industry to better define use cases within threat intelligence, adversary emulation, detection, assessments, and more.”
The Center and Cybereason intend this ongoing collaboration to significantly reduce the mean time to detect (MTTD) and the mean time to respond (MTTR) for the most complex attacks, before any material damage can occur.
Cybereason is dedicated to teaming with Defenders to end attacks across the enterprise to anywhere the battle is taking place. Contact us today to learn how your organization can benefit from the Attack Flow Project.