Unlocking the data hidden in logs using MITRE ATT&CK Framework
By Oren Koren, Idan Sharabi, Shay Hibah and Dan Zada, Threat Prevention R&D
This is the second installment of a three-part series about how Check Point employs the MITRE ATT&CK framework to prevent cyberattacks. Read Part 1 and Part 3.
The analyst holy grail
Analyzing system logs and efficiently identifying the top threats to investigate and remediate is one of a security analyst's biggest challenges. Most organizations receive malicious files every day. Without advanced protection technology and analytics, the malware will likely breach the organization's systems and spread through the corporate network.
The solution
Check Point SandBlast Network uses the MITRE ATT&CK framework in multiple ways in the detection and prevention of malware. SandBlast Network shows the techniques used when a malicious file is discovered.
In addition, Check Point inspects each malicious file to determine the relationship between the malware family, its MITRE ATT&CK matrix, and known adversaries.
[Figure: The Solution]
The figure above shows the three methods Check Point provides to investigate and respond to threats and attacks based on the MITRE ATT&CK framework.
SmartLog
Once a malicious file has been found, Check Point's engines enrich the logs with details of the attack. Check Point exposes the tactics and techniques used. Customers are also able to search based on specific techniques or tactics.
SmartView
Check Point SmartView provides a comprehensive view of event logs. In the MITRE ATT&CK dashboard, SmartView displays incidents based on the tactics and techniques used. This enables security analysts to better understand the most common techniques and tactics used to attack their organizations.
Check Point Log Exporter
Check Point Log Exporter provides an easy and secure method to export Check Point logs into SIEM applications. Check Point Log Exporter integrates with Splunk, providing full visibility into live attack statistics using the MITRE ATT&CK framework.
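The three tools above share one workflow: tag each verdict log with ATT&CK technique IDs, let analysts search by technique, and aggregate hits by tactic for a dashboard. The following is an added Python illustration of that workflow, not code from Check Point or this post; the key=value log layout, field names and technique-to-tactic table are constructed for the example and are not Check Point's schema.

```python
from collections import Counter, defaultdict

# Constructed sample: verdict logs already enriched with ATT&CK technique IDs.
# The key=value layout and field names are assumptions for this example only.
SAMPLE_LOGS = """\
time=2023-04-01T08:02:11Z src=10.0.0.12 file=invoice.docm verdict=malicious techniques=T1566.001,T1059.005
time=2023-04-01T08:05:40Z src=10.0.0.31 file=setup.exe verdict=malicious techniques=T1547.001,T1055
time=2023-04-01T08:09:03Z src=10.0.0.12 file=report.pdf verdict=benign techniques=
time=2023-04-01T08:12:27Z src=10.0.0.44 file=update.js verdict=malicious techniques=T1059.007,T1071.001,T1027
"""

# Minimal parent-technique -> tactic lookup for the IDs in the sample. Mapping each
# technique to a single tactic is a simplification; ATT&CK lists some under several.
TECHNIQUE_TACTIC = {
    "T1566": "initial-access", "T1059": "execution", "T1547": "persistence",
    "T1055": "defense-evasion", "T1071": "command-and-control", "T1027": "defense-evasion",
}

def parse_log_line(line):
    """Split a key=value line into a dict; 'techniques' becomes a list of IDs."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["techniques"] = [t for t in rec.get("techniques", "").split(",") if t]
    return rec

def enrich_with_tactics(rec):
    """Add the tactics for a record; sub-technique IDs (T1059.005) resolve via their parent."""
    rec["tactics"] = sorted({TECHNIQUE_TACTIC.get(t.split(".")[0], "unknown") for t in rec["techniques"]})
    return rec

def load_records(text):
    """Parse and enrich every non-empty line of the log text."""
    return [enrich_with_tactics(parse_log_line(l)) for l in text.splitlines() if l.strip()]

def search_by_technique(records, technique_id):
    """Return records whose techniques include the ID itself or any of its sub-techniques."""
    return [r for r in records
            if any(t == technique_id or t.startswith(technique_id + ".") for t in r["techniques"])]

def tactic_matrix(records):
    """Count malicious hits per tactic and parent technique, the shape a dashboard heat map needs."""
    matrix = defaultdict(Counter)
    for r in records:
        if r["verdict"] != "malicious":
            continue
        for t in r["techniques"]:
            parent = t.split(".")[0]
            matrix[TECHNIQUE_TACTIC.get(parent, "unknown")][parent] += 1
    return {tactic: dict(counts) for tactic, counts in matrix.items()}
```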
Maximizing your logs
Check Point’s advanced prevention technologies use the MITRE ATT&CK framework in the complete workflow of detection, prevention and response, from file inspection to SOC tools that expose the attack techniques.
Check Point’s soon-to-be-released solution for security operations centers will provide additional tools to enable customers to prevent zero-day attacks and understand the cyberthreat landscape.
We recommend that all customers take the following actions in order to take advantage of the latest Check Point technology:
- Ensure that you are using the latest versions of Check Point SmartLog and SmartView
- Verify that you are on the latest version of the Check Point Security Management suite
- Update your Check Point App for Splunk to receive the latest version and use the new dashboards
Stay tuned for Part 3 of this blog series, where we will discuss how Check Point prevents zero-day attacks using the MITRE ATT&CK framework.