The framework contains details of observed tactics, techniques, and procedures (TTPs) currently in the wild. This information can be used by organisations of all sizes to evaluate their security situation and recognise any gaps that may need attention.
When it comes to recommended techniques to strengthen protection measures, one of the newest is Network Detection and Response (NDR). This technique relies on monitoring and real-time examination of data flowing across a network, and is particularly valuable when trying to meet the recommendations of the MITRE framework.
An effective option
Judging by the progress made by organisations that adopt NDR, it is a very effective approach for detecting TTPs, especially in middle and later stages of an attack. Because NDR tools passively gather, reassemble, and analyse traffic, the approach offers richer context and is not subject to the same blind spots as solutions that rely on application logs or simply analyse packet headers rather than full content.
Also, NDR does not require agent instrumentation on each device that it monitors, allowing much broader coverage in places where it is difficult or even impossible to install agents. In modern, multi-stage attacks, attackers can rarely avoid communicating over the network at some point, and this is where NDR adds its value.
It offers the best chance of seeing all the links in the chain of an attack, especially in the later stages. This allows a security team to put together a complete picture of what is happening in time to mount a meaningful response.
Improving visibility
NDR is the third element that needs to be in place to ensure that a corporate security operations centre (SOC) has full visibility of what is happening within an IT infrastructure. The other two are Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM).
NDR complements EDR and SIEM by covering unmanaged devices and those that cannot be instrumented with an EDR agent. In addition, NDR resists counter-incident-response activities by attackers who target the endpoint agent itself or disable logging processes that would feed a SIEM or other correlation engine.
Also, because NDR operates in real time and is able to see transaction payloads, it is the ideal solution for detecting many TTPs. This can be achieved without cybercriminals even knowing they are being watched.
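The two claims above, that NDR reassembles full content rather than reading packet headers, and that seeing transaction payloads lets it detect activity header-level tools miss, are easiest to appreciate with a small worked example. The following Python is an added illustration written for this page, not code from the article or from any NDR product. It models a passive sensor in miniature: it groups captured TCP segments into flows, reassembles each flow's byte stream (tolerating out-of-order delivery and retransmissions), then compares what the destination port alone would suggest against what the payload actually is. The traffic is constructed sample data (documentation address ranges and the reserved name example.test), and the port-to-protocol table is a deliberate simplification of the heuristics a real sensor would carry.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (constructed sample data, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(seg: Segment) -> FlowKey:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def reassemble(segments: List[Segment]) -> Dict[FlowKey, bytes]:
    """Rebuild each client->server byte stream from segments that may arrive
    out of order or be retransmitted. This is the 'reassemble' step a passive
    sensor performs before it can look at content."""
    by_flow: Dict[FlowKey, List[Segment]] = {}
    for seg in segments:
        by_flow.setdefault(flow_key(seg), []).append(seg)

    streams: Dict[FlowKey, bytes] = {}
    for key, segs in by_flow.items():
        buf = bytearray()
        next_seq = None
        for seg in sorted(segs, key=lambda s: s.seq):
            if next_seq is None:
                next_seq = seg.seq
            if seg.seq > next_seq:
                # A hole in the stream: stop at the gap rather than guess.
                break
            # Slice off any bytes already seen (retransmission / overlap).
            data = seg.payload[next_seq - seg.seq:]
            buf += data
            next_seq += len(data)
        streams[key] = bytes(buf)
    return streams


# Header-only view: what a tool that reads ports (not content) would assume.
PORT_GUESS = {22: "ssh", 80: "http", 443: "tls"}


def classify_by_header(dport: int) -> str:
    return PORT_GUESS.get(dport, "unknown")


def classify_by_content(stream: bytes) -> str:
    """Identify the protocol from the first bytes of the reassembled stream."""
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03:
        return "tls"
    if stream.startswith(b"SSH-"):
        return "ssh"
    if any(stream.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        return "http"
    return "unknown"


def find_port_protocol_mismatches(segments: List[Segment]) -> List[Tuple[FlowKey, str, str]]:
    """Flows whose payload is a recognised protocol other than the one the port implies.
    Such a mismatch is invisible to header-only inspection and is a routine NDR finding."""
    findings = []
    for key, stream in reassemble(segments).items():
        expected = classify_by_header(key[3])
        observed = classify_by_content(stream)
        if observed != "unknown" and observed != expected:
            findings.append((key, expected, observed))
    return findings


def sample_segments() -> List[Segment]:
    """Constructed traffic: a genuine TLS flow, a plaintext HTTP flow on 443 whose
    segments arrive out of order with one retransmission, and an SSH flow from a
    device that has no endpoint agent (an unmanaged host)."""
    return [
        Segment("10.0.0.5", 51000, "203.0.113.10", 443, 1004, b"/index HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Segment("10.0.0.7", 52000, "203.0.113.20", 443, 500, bytes.fromhex("160301003c010000380303")),
        Segment("10.0.0.5", 51000, "203.0.113.10", 443, 1000, b"GET "),
        Segment("10.0.0.5", 51000, "203.0.113.10", 443, 1000, b"GET "),  # retransmitted copy
        Segment("10.0.0.9", 53000, "10.0.0.1", 22, 77, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ]


if __name__ == "__main__":
    for key, expected, observed in find_port_protocol_mismatches(sample_segments()):
        print(f"{key}: port suggests {expected}, payload is {observed}")
```

Run as a script, the only flow reported is the one to port 443 carrying plaintext HTTP; the header-only view labels it TLS and would never raise it, and the SSH flow from the agentless host is seen at all only because the sensor sits on the network rather than on the endpoint. The reassembly step is what makes the content check trustworthy: classifying the first segment to arrive (the `/index HTTP/1.1` fragment) would have produced "unknown".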
It’s important to note that NDR should not be regarded as a replacement for SIEM or EDR, as both still have important roles to play. NDR simply provides visibility into activity these other tools can't see.
Strengthening the MITRE framework
The ongoing inclusion of more network attack types in the MITRE framework serves as both a useful tool and a strong signal for security teams. It’s now been made clear that NDR is a vital tool to have in the toolbelt. If NDR is not in place, it means there will be a blind spot that cybercriminals know how to exploit.
During the past few years, security teams have been focused on operationalising their EDR and SIEM solutions. As more advanced threats take advantage of network blind spots, the importance of NDR as a foundational tool and data source for the SOC will grow.
Security teams that stay ahead of the curve in NDR adoption will find themselves taking back the upper hand from cyber attackers and delivering a competitive advantage for the businesses they defend.
Take time today to understand how NDR tools can be added to your environment and strengthen your defences. Tomorrow could be too late.