IR 4: SEV Levels and MITRE ATT&CK

Published by Matt Clemons on

Introduction

For a SOC, using structured frameworks like MITRE ATT&CK enhances incident detection and provides a clear methodology for tracking and understanding adversarial behavior. This post will cover the basics of operationalizing MITRE ATT&CK in a SOC environment and handling high severity incidents (SEV0). We’ll explore how MITRE ATT&CK improves threat detection and response workflows and walk through key steps for managing critical incidents where time and accuracy are essential.

Severity Levels

Before we get started, let’s talk about severity levels (SEVs). SEVs are used to classify incidents based on their urgency, potential impact, and required response. While specific classifications may vary by organization, a typical structure for SEV levels in a SOC or IT environment would look like this:

1. SEV0 (Critical)

Definition: Represents the most severe, business-critical incidents that require an immediate response and often an all-hands approach.

Examples: Active ransomware, major data breaches, widespread service outages, or threats with significant legal or financial implications.

Response: Immediate escalation to top-level management and key stakeholders; containment and resolution efforts are prioritized above other tasks.

2. SEV1 (High Priority)

Definition: Serious incidents with high potential impact, requiring urgent attention but not as critical as SEV0.

Examples: Unauthorized access detected on sensitive systems, malware infections with lateral movement potential, or attacks targeting high-value assets.

Response: Prompt investigation and containment efforts, typically handled by senior SOC analysts or response teams. Often requires stakeholder communication but may not need all-hands involvement.

3. SEV2 (Medium Priority)

Definition: Incidents that have some potential impact but are generally contained and manageable, with a moderate response timeframe.

Examples: Suspicious activity with limited or unclear impact, phishing emails that reached users but were not acted on, or attempted (but failed) attacks.

Response: Assigned to SOC analysts for review, monitoring, and further investigation. Escalation to higher levels occurs only if new evidence indicates increased risk.

4. SEV3 (Low Priority)

Definition: Minor incidents with low or no immediate impact on business operations. Often includes events that are routine or anticipated as part of normal SOC activity.

Examples: Repeated login failures that appear non-malicious, benign system alerts, or routine vulnerability scans.

Response: Monitored for unusual patterns but generally does not require immediate action. May involve basic documentation or low-level response if needed.

5. SEV4 (Informational/Non-Actionable)

Definition: Alerts or events logged for informational purposes, which do not indicate a threat or require response.

Examples: Routine system logs, non-critical alerts, or notifications of completed scheduled tasks.

Response: Logged and documented as needed, but no active response is typically required.

What is the MITRE ATT&CK Framework?

MITRE ATT&CK is a globally recognized framework that categorizes the tactics, techniques, and procedures (TTPs) used by adversaries. This framework maps out various stages of the attack life cycle, from initial access to data exfiltration, providing SOC teams with a structured approach to identify and mitigate threats. Here’s a breakdown of its primary components:

  • Tactics: High level objectives that adversaries aim to accomplish, such as “Initial Access,” “Execution,” and “Privilege Escalation.” Each tactic represents a distinct stage in the attack.
  • Techniques: Specific methods used to achieve a tactic. For instance, within “Privilege Escalation,” techniques might include exploiting application vulnerabilities or credential dumping.
  • Sub techniques: Variations of a technique that detail more specific actions. An example would be distinguishing between different methods of credential dumping.

Using MITRE ATT&CK helps SOC analysts standardize the way they detect, respond to, and document incidents, making it easier to identify patterns in attacks and respond with targeted actions.

Operationalizing MITRE ATT&CK in Your SOC

To incorporate MITRE ATT&CK effectively, SOC teams should integrate the framework with existing tools and workflows. Here are steps to operationalize it:

  • Map Detection Rules to ATT&CK Techniques: Review your SIEM or EDR tools and align detection rules with ATT&CK techniques. For example, if your SIEM alerts on PowerShell execution, map this to the “Execution” tactic and the “PowerShell” technique in ATT&CK. This practice ensures that alerts are aligned with known attack methods.
  • Create an ATT&CK Based Playbook: Use ATT&CK techniques to create playbooks for handling specific types of incidents. For instance, if an alert is triggered on a known credential dumping technique, the playbook can guide analysts through investigating lateral movement and checking for privilege escalation attempts.
  • Use ATT&CK for Threat Hunting: Use ATT&CK as a foundation for proactive threat hunting. Select tactics or techniques of interest, such as “Persistence” or “Command and Control,” and use them as hypotheses to investigate within your environment. This helps identify hidden threats that may not trigger alerts.
  • Document Incidents Using ATT&CK: When documenting incidents, refer to the ATT&CK techniques observed during the incident. This creates a consistent record that makes it easier to track recurring techniques and understand attack trends.
  • Regularly Update ATT&CK Mappings: Attack techniques evolve, and so should your ATT&CK mappings. Regularly review and update mappings as new techniques emerge or existing ones become more sophisticated. This practice ensures that your SOC stays current and adapts to changing threat landscapes.

Managing High Severity Incidents (SEV0)

High severity incidents, such as a SEV0, demand immediate attention and a coordinated response. These incidents often indicate a critical threat, like a ransomware outbreak or data breach, with the potential to severely impact business operations. Here’s how to handle SEV0 incidents effectively:

Step 1: Confirm and Classify the Incident

  • Verify the Incident: Quickly assess the alert to confirm it’s a valid incident and not a false positive. Use data from multiple sources, such as EDR, network logs, and threat intelligence, to validate the scope.
  • Classify the Severity: Confirm the incident meets SEV0 criteria based on impact, scope, and urgency. This includes determining if sensitive data or critical systems are compromised.

Step 2: Initiate the Incident Response Plan

  • Activate the Incident Response Team (IRT): Notify key incident response members, including SOC analysts, IT teams, and any necessary executives. Assign roles and responsibilities, ensuring each team member knows their immediate tasks.
  • Establish a Communication Channel: Set up a secure communication channel, like an encrypted chat or conference bridge, to manage updates and coordination among team members.

Step 3: Contain and Control the Threat

  • Implement Containment Measures: Based on the threat type, enact containment actions such as isolating affected systems, disabling compromised accounts, or blocking malicious IPs. Temporary containment may be used to buy time until permanent containment measures are ready.
  • Monitor Containment Efficacy: Continuously monitor to ensure containment actions are effective. If the threat spreads despite containment, reassess and escalate control measures.

Step 4: Eradicate the Threat

  • Identify Root Cause and Remove Artifacts: Conduct a thorough analysis to identify all malicious components, such as malware files, scripts, or compromised accounts. Remove or neutralize these artifacts across affected systems.
  • Apply Security Patches and Reset Credentials: Patch vulnerabilities exploited during the incident, reset credentials, and update configurations to prevent re-entry.

Step 5: Recover and Restore Operations

  • Restore Systems and Test: Restore affected systems to a known good state and verify that all functionality is intact. Testing ensures that systems are safe to bring back online.
  • Monitor for Signs of Re-Infection: Implement heightened monitoring to detect any signs of re-infection or residual compromise, particularly in the days following recovery.

Step 6: Conduct a Post Incident Review

  • Document Findings: Summarize the incident, including root cause, impact, containment actions, eradication measures, and recovery steps. Detail any specific ATT&CK techniques observed to help with future incident detection.
  • Analyze Response Effectiveness: Review the incident handling process, identifying areas for improvement, such as gaps in detection or delays in containment.
  • Update Playbooks and Response Plans: Based on lessons learned, update playbooks and make any necessary changes to improve response times or strengthen defenses.

Example Use Cases for MITRE ATT&CK in SEV0 Incidents

MITRE ATT&CK can improve response strategies during SEV0 incidents. Here are some practical examples:

  • Credential Dumping Detection: Map alerts for credential dumping techniques to ATT&CK. If a SEV0 incident involves stolen credentials, ATT&CK mappings guide analysts to look for lateral movement, privilege escalation, and potential persistence mechanisms.
  • Ransomware Containment: For ransomware attacks, ATT&CK techniques related to “File Encryption” and “Data Destruction” can be tracked to identify files targeted for encryption and potential lateral spread. The mapped techniques help in rapidly isolating affected systems and cutting off the attack’s reach.
  • Command and Control Blocking: During incidents involving C2 (command and control), ATT&CK provides a structured way to investigate network indicators and outbound traffic. Analysts can use ATT&CK mappings to check for persistence mechanisms or network based C2 channels, aiding in more comprehensive containment.

Wrap Up

Operationalizing MITRE ATT&CK and managing SEV0 incidents requires a mix of structured frameworks, quick response actions, and accurate documentation. By mapping detection and response activities to ATT&CK, SOC teams standardize their processes, enabling better detection and quicker response to both expected and unexpected attack patterns. When handling SEV0 incidents, a methodical, well communicated approach ensures that containment and recovery actions are effective and well documented.

Categories: Security

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Security

Nuclei

When it comes to automated vulnerability scanning, Nuclei is one of the best open source tools out there. It’s fast, flexible, and extensible with thousands of community templates. Masscan is like nmap on steroids. We’ll Read more…

Security

CISSP 3: Security and Risk Management Essentials

In the CISSP world, understanding Security and Risk Management is like building a solid foundation for a house. It supports everything else you do in cybersecurity. This domain forms the core of the CISSP Common Read more…

Security

T-Pot

T-Pot is an open-source honeypot framework designed to emulate multiple attack surfaces and gather data on malicious activities. This blog post walks through the installation process on an Ubuntu 20.04 server, and demonstrates how to Read more…