How The MITRE ATT&CK For Cloud Framework Can Improve Threat Detection

Threats in cloud environments are becoming more sophisticated, and that means they are more challenging to monitor, detect and mitigate. Furthermore, what works in the traditional enterprise environment rarely works for cloud. How do you assess risks, validate compliance or detect, investigate and respond to threats in the cloud where environments are rapidly changing and resources are ephemeral?

One of the most effective methods to address the broad scope of these issues is to adopt a unified security framework that has been purpose-built for the unique challenges of cloud. The MITRE ATT&CK® knowledge base is the most widely adopted framework for security teams across the industry, and for good reason. MITRE ATT&CK offers a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, and provides threat modeling and methodologies for organizations of all sizes.

The group recently updated a new framework specifically tailored for cloud, which offers guidance on techniques specific to Microsoft Azure, Amazon Web Services (AWS), Google Cloud and other cloud services. Here are some primary use cases:

• Understand the tactics and techniques used by adversaries and guide security policy implementation.
• Identify gaps in currently deployed security products or tools.
• Assess how effective the security strategy is from a comprehensive perspective.

Prisma Cloud and ATT&CK for Cloud

The Cloud Security Posture Management modules in Prisma Cloud use this new ATT&CK framework to address use cases for risk assessment and mitigation, compliance and threat detection.

Risk Assessment and Mitigation

Our customers need to know if their cloud infrastructure resources are configured properly to prevent accidental exposure. Prisma Cloud ships with over 200 policies covering ATT&CK for Cloud, which include coverage for configuration issues as well as risk mitigation. Therefore, users can use ATT&CK for Cloud as a guiding standard to prioritize security policy implementation and evaluate the effectiveness of their internal controls.

Let’s look at an example of how Prisma Cloud leverages ATT&CK for Cloud to help customers assess risks in their cloud infrastructure and mitigate accordingly.

Prisma Cloud has mapped the policy, “AWS Security Group overly permissive to all traffic” to the ATT&CK technique, “Network Service Scanning (Technique ID: T1046)” of the tactic, “Discovery.” This policy identifies security groups that are overly permissive to all traffic. Overly permissive groups may allow a bad actor to brute-force their way into the system and potentially gain access to the entire network. If this tactic is of grave concern to the user, they could fix this misconfiguration. If it is less concerning, the customers could choose to accept the risk.

Compliance

ATT&CK for Cloud itself is not a regulatory compliance standard. Nevertheless, Prisma Cloud can generate reports aligned to the framework. These reports are a helpful tool that tells users about the misconfiguration status of their clouds, and provides recommendations for mitigation. This way users can monitor their accounts across all cloud providers and ensure that their infrastructure security posture is aligned to ATT&CK for Cloud.

For example, a customer checks the report and it shows that they have very high fail rates in both Initial Access and Persistence tactics. The reports help them decide to focus first on fixing the misconfiguration of Initial Access and temporarily accept the risks of Persistence because Initial Access is a more critical issue to their business.

Threat Detection

There is no such thing as “perfect” protection. In spite of all the risk mitigation techniques, sophisticated adversaries can still evade them and gain access to your environment. As a critical complementary piece to the risk assessment, mitigation and compliance use cases above, effective threat detection can help make your cloud security strategy complete.

Prisma Cloud goes beyond just mapping threat detection policies to ATT&CK for Cloud. The framework is in fact the guiding principle for developing the platform's overall detection and risk mitigation capabilities. This helps ensure Prisma Cloud can cover all stages of the matrix so that it can detect and respond to all potential cloud threats.

Powered by industry-leading machine learning techniques and bolstered by multiple threat intelligence sources, Prisma Cloud continuously monitors the entire threat lifecycle from discovery/initial access to impact/exfiltration, enabling security teams to automatically detect different attack tactics targeted at their public cloud environments.

For example, one of our anomaly policies, “port scan activity”, is mapped to the ATT&CK technique, “Network Service Scanning (Technique ID: T1046)” under the tactics, “Discovery”. If this threat policy generates an alert, customers would know that an adversary has been attempting reconnaissance, looking for vulnerable resources with open ports. If this is a critical concern, customers could immediately address the issue based on MITRE’s recommendation for this specific attack technique.

Conclusion

ATT&CK for Cloud is a comprehensive matrix of tactics and techniques to better understand attacks and enhance security strategy. Prisma Cloud now harnesses the power of the framework from risk assessment mitigation to compliance and threat detection to secure your cloud infrastructure environment.

For more detailed information on the breadth of compliance standards Prisma Cloud supports, check out our documentation.