Trustwave Blog

Planning and Deploying Security Automation Leveraging MITRE ATT&CK and SHIELD with Microsoft Sentinel

Deploying security automation is hard when the criteria for success go beyond the scope of a ticketing workflow. But the barrier to deploying automation has never been lower, given the number of Security Orchestration, Automation, and Response (SOAR) platforms now on the market and how attractive it is to purchase automation in a box (or in the cloud).

However, what isn't emphasized with SOAR is the importance of mastering frameworks such as Business Process Management (BPM), supply chain process models, and incident response playbooks. Trustwave has taken steps to help clients accelerate the time to value of building an effective plan and move their organizations closer to the goal of automating their security program. A large part of our success is an approach that ties together MITRE's ATT&CK and SHIELD frameworks with Microsoft's Azure Sentinel.

The result is a system that relieves operations of the labor-intensive task of pulling together MITRE ATT&CK and SHIELD data, helping them better understand how to defend against specific attacker techniques, according to David Broggy, a principal cyber architect at Trustwave.

"We are building SOAR solutions around ATT&CK and SHIELD, essentially automating defensive procedures for Security Operations Centers (SOCs) that otherwise can be a very heavy manual process," Broggy said.

For the uninitiated, MITRE ATT&CK is a framework containing hundreds of adversary techniques compiled by MITRE, while SHIELD is a framework of about 33 defensive measures that a defender can use to counter the threats catalogued in ATT&CK. Trustwave's cyber automation approach essentially deciphers what attack tool the threat actor is using, finds the best defense available in SHIELD, and recommends a course of action for the security team that is relevant to the business.

To help clients accelerate the time to value of MITRE’s defense frameworks, Broggy has created a SOAR application to connect all the correlations within Microsoft Sentinel and map them to a MITRE ATT&CK or SHIELD technique. Once we know the technique, we can map how to defend against it using MITRE SHIELD.

Deploying and sustaining security process and incident response (IR) automation is time-consuming, a problem compounded by the fact that many security teams already lack the capacity to handle their existing responsibilities. David helps lead Trustwave's services for accelerating adoption of the MITRE frameworks and SOAR process automation and realizing their benefits.

The Winning Combination of MITRE ATT&CK & SHIELD and Microsoft Sentinel

Broggy described the Accelerator Program as "Trustwave mapping the MITRE ATT&CK techniques to the MITRE SHIELD defender techniques and their sub-categories of opportunities, use cases and procedures."

The key is using Azure Sentinel's Security Information and Event Management (SIEM) and SOAR capabilities to do the heavy lifting of mapping the attack and defensive scenarios maintained by MITRE, instead of having security analysts spend their time sorting through the MITRE matrices, he said.
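The two paragraphs above describe the core of the approach: each Sentinel correlation (analytics) rule is tagged with the ATT&CK technique it detects, and that technique is then joined to the SHIELD techniques that counter it, so the SOC receives a defense plan rather than a raw alert. The script below is an added example written for this article; it is not Trustwave's SOAR application nor MITRE's code. It assumes the ARM-style export format Sentinel produces for analytics rules (each rule's `properties` block carries `tactics` and `techniques` lists) and uses a small constructed ATT&CK-to-SHIELD mapping; the SHIELD IDs and names in it are from memory and should be verified against the official ATT&CK-to-SHIELD mapping before use. It also goes one step beyond the text by surfacing two gaps a practitioner wants to see: techniques that have a detection rule but no SHIELD mapping, and rules that exist but are disabled.

```python
"""Join Sentinel analytics rules -> ATT&CK technique -> SHIELD defenses (added example)."""
import json
from collections import defaultdict

# Constructed sample: a trimmed Sentinel analytics-rule export in ARM JSON form.
SENTINEL_RULES_JSON = json.dumps({
    "resources": [
        {"type": "Microsoft.SecurityInsights/alertRules", "kind": "Scheduled",
         "properties": {"displayName": "Brute force attempts against Azure AD",
                        "enabled": True, "severity": "Medium",
                        "tactics": ["CredentialAccess"], "techniques": ["T1110"]}},
        {"type": "Microsoft.SecurityInsights/alertRules", "kind": "Scheduled",
         "properties": {"displayName": "Sign-in from unfamiliar location with valid account",
                        "enabled": True, "severity": "Low",
                        "tactics": ["InitialAccess", "DefenseEvasion"], "techniques": ["T1078"]}},
        {"type": "Microsoft.SecurityInsights/alertRules", "kind": "Scheduled",
         "properties": {"displayName": "LSASS memory access",
                        "enabled": False, "severity": "High",
                        "tactics": ["CredentialAccess"], "techniques": ["T1003"]}},
        # A non-rule resource, to show the loader filters on resource type.
        {"type": "Microsoft.OperationalInsights/workspaces", "properties": {}},
    ]
})

# Constructed sample mapping. IDs/names follow the SHIELD convention from memory
# (assumption); replace with the official ATT&CK-to-SHIELD mapping export.
SHIELD_MAPPING = {
    "T1110": [
        {"id": "DTE0011", "name": "Decoy Credentials",
         "use_case": "Seed decoy credentials so any brute-force hit on them is an unambiguous signal."},
        {"id": "DTE0032", "name": "System Activity Monitoring",
         "use_case": "Alert on authentication bursts per source and per target account."},
    ],
    "T1078": [
        {"id": "DTE0009", "name": "Decoy Account",
         "use_case": "Any sign-in to a decoy account is a high-confidence detection."},
        {"id": "DTE0007", "name": "Behavioral Analytics",
         "use_case": "Baseline normal sign-in patterns and flag deviations."},
    ],
}


def load_rules(rules_json):
    """Return (displayName, enabled, [technique IDs]) for each Sentinel alert rule."""
    doc = json.loads(rules_json)
    rules = []
    for res in doc.get("resources", []):
        if res.get("type") != "Microsoft.SecurityInsights/alertRules":
            continue  # ignore workspaces, workbooks, playbooks, etc.
        props = res.get("properties", {})
        rules.append((props.get("displayName", "<unnamed>"),
                      bool(props.get("enabled", False)),
                      list(props.get("techniques", []))))
    return rules


def build_defense_plan(rules_json, shield_mapping):
    """Map every detected ATT&CK technique to its rules and SHIELD defenses.

    Returns {"techniques": {T-id: {"rules", "disabled_rules", "defenses"}},
             "unmapped": [T-ids with a rule but no SHIELD entry]}.
    Unmapped techniques are reported rather than silently dropped so the
    coverage gap is visible to the SOC.
    """
    plan = defaultdict(lambda: {"rules": [], "disabled_rules": [], "defenses": []})
    unmapped = set()
    for name, enabled, techniques in load_rules(rules_json):
        for tech in techniques:
            entry = plan[tech]
            (entry["rules"] if enabled else entry["disabled_rules"]).append(name)
            if tech in shield_mapping:
                entry["defenses"] = shield_mapping[tech]
            else:
                unmapped.add(tech)
    return {"techniques": dict(plan), "unmapped": sorted(unmapped)}


def render_plan(plan):
    """Turn the plan into the lines an analyst would read in a ticket or dashboard."""
    lines = []
    for tech, entry in sorted(plan["techniques"].items()):
        lines.append(f"{tech}: detected by {len(entry['rules'])} enabled rule(s)")
        for name in entry["disabled_rules"]:
            lines.append(f"  WARNING: rule '{name}' is disabled")
        for d in entry["defenses"]:
            lines.append(f"  -> {d['id']} {d['name']}: {d['use_case']}")
    for tech in plan["unmapped"]:
        lines.append(f"{tech}: no SHIELD mapping available, manual review needed")
    return lines


if __name__ == "__main__":
    print("\n".join(render_plan(build_defense_plan(SENTINEL_RULES_JSON, SHIELD_MAPPING))))
```

Run as-is, the script reports T1110 and T1078 with their SHIELD defenses, flags the disabled LSASS rule, and lists T1003 as unmapped. In a real deployment the rule export would come from the Sentinel workspace and the mapping from MITRE's published data; the join logic is unchanged.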

"The whole intent of using MITRE is to be able to understand your enemy, and then to know how to defend against your enemy," said Broggy.

Once Trustwave's solution maps the offensive characteristics of the attack and possible defensive measures, it hands a security team a plan for how to defend their organization.

"The key reason for using MITRE is so we can understand what the adversaries are doing and how to defend against them. Sentinel is simply a tool in the framework. It uses a SIEM to detect what the adversaries are doing. And it's not just SIEM that MITRE is looking at," Broggy said. "MITRE uses your entire cybersecurity environment -- all the security tools to help you detect deception and defend against those adversaries."

Ingredients to a Successful Deployment and Adoption

Just for a bit of background, MITRE ATT&CK, or Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of cyber adversary behavior and a taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: PRE-ATT&CK, which focuses on reconnaissance and infrastructure setup; ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud; and ATT&CK for Mobile, which focuses on behavior against mobile devices.

SHIELD is an active defense knowledge base MITRE is developing, based on 10 years of adversary engagement experience the organization has gathered and analyzed. This knowledge spans the range from high-level, CISO-ready considerations of opportunities and objectives to practitioner-friendly discussions of the Tactics, Techniques, and Procedures (TTPs) available to defenders.

The third piece of the puzzle, Azure Sentinel, is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution designed to make it easier for a defender to deal with a higher volume of increasingly sophisticated attacks.

Another element MITRE is introducing, one that may play a larger role in Trustwave's solution in the future, is MITRE Engage. MITRE describes Engage as "a framework for discussing and planning adversary engagement, deception, and denial activities." Engage draws on adversary behavior that has been observed in the wild and uses that knowledge to develop defensive measures. Engage will eventually replace SHIELD.

David Broggy is a Principal Cyber Architect at Trustwave focusing on Cloud (AWS, Azure, GCP), SIEM, SOAR, CASB, Zero Trust, Purple Teaming, EDR, ATT&CK and Database Auditing. I also specialize in several third-party products: Splunk, QRadar, Azure Sentinel, Netskope and PAN XSOAR & XDR. My active certifications include Azure Admin (AZ103), Azure Security Admin (AZ500) and CISSP.