Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Planning and Deploying Security Automation Leveraging MITRE ATT&CK and SHIELD with Microsoft Sentinel

Deploying security automation is hard if the criteria for success is beyond the scope of ticketing workflow. But the barrier of automation deployment has never been lower with the advent of so many Security Orchestration, Automation, and Response (SOAR) platforms now available to select from in the market and how attractive purchasing automation in a box (or in the cloud) is.

However, what isn't emphasized with SOAR is the importance of mastery in understanding framework such as Business Process Management (BPM), supply chain process models, and incident response playbooks. Trustwave has taken steps to help clients accelerate the time to value of building an effective plan and successfully moving organizations closer to the goal of automating their security program. A large part of our success is an approach that effectively ties together MITRE'S ATT&CK and SHIELD frameworks with Microsoft Sentinel.

These benefits create a system that relieves operations of the labor-intensive task of pulling together MITRE ATT&CK and SHIELD data, to help them better understand how to defend against specific attacker techniques, per David Broggy, a principal cyber architect at Trustwave.

"We are building SOAR solutions around ATT&CK and SHIELD, essentially automating defensive procedures for Security Operations Centers (SOCs) that otherwise can be a very heavy manual process," Broggy said.

For the uninitiated, MITRE ATT&CK is a framework containing hundreds of adversarial techniques compiled by MITRE, while SHIELD is a framework of about 33 defensive measures that a defender can use to counter the threats contained in ATT&CK. Trustwave's cyber automation approach essentially deciphers what attack tool is being used by the threat actor, finds the best defense available in SHIELD and recommends a course of action for the security team relevant to the business.

To help clients accelerate the time to value of MITRE's defense frameworks, Broggy has created a SOAR application to connect all the correlations within Microsoft Sentinel and map them to a MITRE ATT&CK or SHIELD technique. Once we know the technique, we can map how to defend against it using MITRE SHIELD.

Deploying and sustaining security processes and incident response (IR) automation is time-consuming which is compounded by the fact that many security staff continue to lack the capacity to handle existing responsibilities. David helps lead Trustwave services in accelerating the adoption and realizing the benefits of the MITRE frameworks and SOAR process automation.

The Winning Combination of MITRE ATT&CK & SHIELD and Microsoft Sentinel

Broggy described the Accelerator Program as "Trustwave mapping the MITRE ATT&CK techniques to the MITRE SHIELD defender techniques and their sub-categories of opportunities, use cases and procedures."

The key is using Microsoft Sentinel's Security Information and Event Management (SIEM) and SOAR capabilities to do the heavy lifting of mapping the attack and defensive scenarios maintained by MITRE instead of having security analysts spending time sorting through the MITRE Matrices, he said.

"The whole intent of using MITRE is to be able to understand your enemy, and then to know how to defend against your enemy," said Broggy.

Once Trustwave's solution maps the offensive characteristics of the attack and possible defensive measures, it hands a security team a plan for how to defend their organization. 

"The key reason for using MITRE is so we can understand what the adversaries are doing and how to defend against them. Microsoft Sentinel is simply a tool in the framework. It uses a SIEM to detect what the adversaries are doing. And it's not just SIEM that MITRE is looking at," Broggy said. "MITRE uses your entire cybersecurity environment -- all the security tools to help you detect deception and defend against those adversaries."

Ingredients to a Successful Deployment and Adoption

Just for a bit of background, MITRE ATT&CK, or Adversarial Tactics, Techniques, and Common Knowledge is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: Pre- ATT&CK, which focuses on reconnaissance and infrastructure setup; ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud; and ATT&CK for mobile, which focuses on behavior against mobile devices.

SHIELD is an active defense knowledge base MITRE is developing based on 10 years of adversary engagement experience the organization has gathered and analyzed. This knowledge spans the range from high-level, CISO ready considerations of opportunities and objectives to practitioner-friendly discussions of the Tactics, Techniques, and Procedures (TTPs) available to defenders.

The third piece of the puzzle, Microsoft Sentinel, is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution designed to make it easier for a defender to deal with a higher volume of increasingly sophisticated attacks.

Another element MITRE is bringing in that may play a larger role in Trustwave's solution in the future, is MITRE Engage. MITRE describes Engage as "a framework for discussing and planning adversary engagement, deception, and denial activities." Engage uses adversary behavior that has been observed in the wild and then use that knowledge to develop defensive measures. ENGAGE will eventually replace SHIELD.

Discover how we're helping organizations like yours extract the full value and capabilities of Microsoft Security: Trustwave Services for Microsoft

David Broggy is a Principal cyber architect at Trustwave focusing on Cloud(AWS, Azure, GCP),SIEM, SOAR, CASB, Zero Trust, Purple Teaming, EDR, ATT&CK and Database Auditing. I also specialize in several third-party products: Splunk, QRadar, Microsoft Sentinel, Netskope and PAN XSOAR & XDR. My active certifications include Azure Admin (AZ103), Azure Security Admin (AZ500) and CISSP.


Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More