Using ServiceNow SOAR to Operationalize MITRE ATT&CK

By Jon Oltsik, ESG Senior Principal Analyst and Fellow

Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

Executive Summary

While security operations is a high priority, many organizations continue to struggle to keep up with the scale and scope of the tasks at hand. Why? Security operations are often hamstrung by organizations’ reliance on an overabundance of point tools and manual processes, as well as a shortage of advanced security skills in areas like threat intelligence analysts and incident responders. This is especially problematic as the attack surface grows and organizations face an assortment of dangerous cyber-threats daily.

What can be done to address the growing imbalance between cybersecurity operations capabilities and requirements? Which indicators of threats can be detected using the information and tools we have right now? And how can our teams see the future and know where adversaries are going to go next?

This white paper concludes:

Security orchestration, automation, and response (SOAR) technology can help organizations operationalize processes and policies. More than half of organizations have already adopted technology to automate and orchestrate security operations processes. Top priorities for process automation include integrating security and IT operations systems, improving collaboration between security and IT teams, automating remediation tasks, and tracking the security incident lifecycle from discovery through remediation. SOAR solutions enable SOC teams to drive proactive and fast security response, prioritize threats by business context, and automate required actions to triage and remediate incidents quicker.

The MITRE ATT&CK Framework can give organizations an adversary perspective on their defenses and show how adversaries would act against them in a concerted, targeted attack. Security professionals are encouraged to “think like the enemy,” yet security operations teams often deal with discrete security events and alarms generated by internal security tools or indicators of compromise (IoCs) from threat intelligence feeds. This is like trying to solve a crime one clue at a time. As an alternative, many SOC teams have embraced the MITRE ATT&CK Framework as it helps security analysts align individual security events and IoCs with the tactics and techniques used by cyber-adversaries and known attack campaigns. Thus, MITRE ATT&CK provides a more comprehensive way to link distinct events together, providing visibility and context across the cyber-kill chain.

Integrating SOAR and MITRE ATT&CK can act as a force multiplier. While MITRE ATT&CK can be useful, SOC leaders often complain that it is difficult to operationalize the framework to its full potential. This can be accomplished, however, by tightly coupling SOAR and the MITRE ATT&CK Framework for process automation and orchestration. Integration, automation, and orchestration can then help organizations add MITRE data to business, asset, risk, and threat context. This combination improves the efficacy and efficiency of security operations in areas like incident detection, assessment and engineering, cyber-threat intelligence (CTI) analysis, and adversary emulation.

ServiceNow is committed to tight integration between its SOAR (platform Security Incident Response) and the MITRE ATT&CK Framework in its current product, with promises of additional capabilities in the future. In this way, ServiceNow cannot only operationalize MITRE ATT&CK and automate processes, but also help organizations actually improve processes and establish security operations best practices.

Cybersecurity Operations are Fraught with Challenges

According to recent ESG research, 63% of organizations believe that security operations is more difficult today than it was 2 short years ago. This change is driven by numerous security analytics and operations challenges (see Figure 1), such as:1

Monitoring the growing attack surface. Organizations have added public cloud services, new network devices, remote workers, and SaaS applications as part of digital transformation projects. These initiatives have greatly expanded the attack surface, leaving organizations vulnerable to diverse types of cyber-attacks across a distributed hybrid IT infrastructure.

Keeping up with the volume of security alerts and incidents. As threats increased in the past, CISOs added new types of monitoring systems and security controls. Unfortunately, more security technologies produce more alerts, making it challenging to triage, prioritize, and investigate incidents while separating signal from noise. Most systems are not integrated with IT monitoring, preventing the business insights and early warning indicators that could inform prioritization, detection, and investigation.

Focusing the most time on emergencies. Security teams are often short-staffed or lacking advanced skills in areas like threat intelligence analysis and incident response expertise. Furthermore, many security operations teams rely on manual processes as part of their threat detection and response efforts. This may be why so many events trigger the computer emergency response team (CERT). Many organizations don’t even have the luxury of these experts. Without optimized processes, you often see “All hands-on deck!” conditions that consume the most skilled resources as well as the frontline firefighters. When SOC teams are focused on emergencies, they neglect other critical activities that could improve operational execution—like best practice automation, skills training, threat hunting, or red/blue team exercises.

Detecting and investigating security incidents. Aside from dealing with the high volumes of security alerts, security analysts must piece evidence together to detect and investigate cyber-attacks as they proceed through multi-staged kill chains. Unfortunately, many organizations never get beyond individual events and indicators of compromise (IoCs). This means that they spend their time on individual clues but never “connect the dots” across all the individual acts that come together as complete cyber-attacks. Subtle intent indicators lack meaningful context, so attacks prosper longer.

Calculating ROI on security operations. While enterprise organizations increase cybersecurity spending annually, few CISOs have the right data and metrics to measure where these investments are delivering ROI. As a result, many firms spend cybersecurity budgets haphazardly or simply layer additional spending across the entire infrastructure rather than pinpointing and investing in areas of weakness. What’s really needed? A detailed view of all assets across the attack surface as they relate to critical IT assets, aligned with analysis determining which security controls and coverage gaps represent the biggest cyber-risks. CISOs could then accurately present their risk posture to executives and target investments toward risk mitigation efforts aimed at protecting the business “crown jewels.”

Figure 1. Top Six Security Analytics and Operations Challenges

What are your organization’s most important objectives for its digital transformation initiatives? (Percent of respondents, N=619, three responses accepted)

Source: Enterprise Strategy Group

SOAR and the MITRE ATT&CK Framework Can Help

The issues described previously point to an overall state of cybersecurity immaturity where infosec teams are understaffed, and protecting business-critical IT assets depends upon manual processes and disconnected point tools. CISOs in this situation need to address this misaligned situation as soon as possible.

To address these shortcomings, many organizations are adopting:

1. SOAR tools. SOAR can provide the SOC team with a workbench for process improvement and automation in areas like threat and vulnerability management, incident response, threat intelligence analysis, and cyber-risk mitigation. The SOC staff uses SOAR tools to create and automate playbooks that automate manual tasks like gathering data for investigations or modifying security controls to block malicious connections and content. In the process, smart organizations improve and formalize otherwise ad hoc processes, for better results including optimal insights from available internal and external data. According to ESG research, 27% of organizations use SOAR technologies extensively while another 38% do so on a limited basis today (see Figure 2).2 ESG believes that SOAR technology will continue to proliferate in the future, becoming a SOC staple.

2. The MITRE ATT&CK Framework. Created in 2013, the MITRE ATT&CK Framework is a community-based matrix of the tactics, techniques, and procedures (TTPs) used as part of cyber-attacks by numerous threat actors. It also acts as a common language about threat actors. Organizations can use the MITRE ATT&CK Framework to understand how internal security events map to adversary TTPs and cyber-attack campaigns over time. This knowledge can help red and blue teams adopt an “intent-based” perspective for tracking attacks, finding weaknesses in their defenses, and prioritizing remediation actions based on cyber-risks.

Figure 2. SOAR Usage

Has your organization deployed – or does it plan to deploy – technologies designed for security analytics and operations automation and orchestration? (Percent of respondents, N=406)

Source: Enterprise Strategy Group

ServiceNow Security Incident Response: Integrating SOAR and MITRE ATT&CK

While integrating SOAR and the MITRE ATT&CK Framework as a best practice, many organizations never move beyond setting up a simple MITRE data repository or using ad hoc lookups on indicators. Additional value depends upon analysts’ knowledge of MITRE ATT&CK and their efforts to build dashboards and playbooks that use MITRE for data contextualization and enrichment. These SOC teams tend to struggle to operationalize the MITRE ATT&CK Framework to its full potential and are unable to shift to proactive application of MITRE ATT&CK insights for faster response, let alone advanced use cases like threat hunting.

Since 2014, ServiceNow has offered a SOAR solution, ServiceNow Security Incident Response, as part of its Security Operations portfolio built on the NOW platform. It provides intelligent workflows, playbooks, integrations, and automation tools to optimize security operations. Recently, ServiceNow integrated the MITRE ATT&CK Framework with this security operations offering. ServiceNow’s vision is to enable customers to fully operationalize the MITRE ATT&CK Framework, improving their ability to develop, prioritize, and manage detection and response actions.

ServiceNow starts by ingesting all MITRE ATT&CK data, storing it in a common repository for easy access, and creating baseline information for different use cases. SOC teams can then tag tactics and techniques to security incidents and observables. Once a security incident or alert is mapped to a MITRE tactic or technique, security analysts can use the ServiceNow ATT&CK Navigator to visualize how an individual tactic/technique fits into the cyber-attack campaigns used by the numerous adversaries tracked by MITRE. Security analysts gain an adversary perspective into security alerts and a roadmap for investigations, report generation, and trending. Other SOC leaders (architects, managers, etc.) can use heat map-based views to understand adversary behavior detection effectiveness and then apply this knowledge to bolster defenses. Playbooks, automation, and integrations connect these actions within security teams and beyond to IT and risk processes to achieve operationalization.

ServiceNow improves results for four main use cases for the MITRE ATT&CK Framework:

Incident triage & response

Assessment & engineering

Cyber-threat intelligence (CTI) analysis

Adversary emulation

ServiceNow and the MITRE ATT&CK Framework for Incident Triage and Response

Security professionals are taught to “think like the enemy” by envisioning the tactics and techniques hackers might employ if they were attacking an organization. ServiceNow Security Incident Response integration with the MITRE ATT&CK Framework can help achieve this goal by enabling the SOC team to detect and respond to adversarial behavior as it aligns with the MITRE taxonomy. In this way, ServiceNow can enhance incident detection by:

  • Adding MITRE ATT&CK data into incidents and observables. Whenever a security incident is created out of a security alert, details from all data sources, including third-party products like SIEM, sandbox, and TIPs, are forwarded to ServiceNow SOAR, which also gathers all information related to MITRE ATT&CK tactics and techniques. These tactics and techniques are then mapped to a MITRE ATT&CK card. This allows analysts to better understand where individual security events fit into an overall attack. ServiceNow also can ingest MITRE ATT&CK data from third-party products like SIEM or threat intelligence feeds.
  • Use the ServiceNow ATT&CK navigator to link together different TTPs into a kill chain view. Beyond associating specific security incidents with MITRE tactics and techniques, security analysts can use the ServiceNow ATT&CK Navigator to pivot across the MITRE ATT&CK Framework and understand what likely happened before an individual security event and what’s likely to happen next. ServiceNow has enhanced the MITRE ATT&CK navigator with additional visualization and features to help organizations understand the scope and relationships of different types of attacks. Rather than detecting one-off anomalies or IoCs, security analysts have the data and insights to know what to do next for response and containment. This is analogous to navigation using GPS tracking rather than depending upon a compass and celestial constellation. This sequencing alone can help accelerate security operations processes.
  • Include MITRE data in IR processes to automate and orchestrate multi-phased investigations. Security analysts can then use, tailor, or create new playbooks that include the MITRE ATT&CK Framework data and automate other types of data collection and broader investigation across a cyber-kill chain. For example, a detection playbook may enhance MITRE ATT&CK data with threat intelligence from an ISAC, while a response playbook may use out-of-the-box security integrations to orchestrate the creation of new firewall rules or instrument detection technology decoys as countermeasures to progressing tactics and techniques along the kill chain. Base workflow templates automate investigation and response to attack activities such as reconnaissance, malicious software, data exposure, and rogue servers. A simple Flow Builder and pre-built action library help users customize templates and create their own tasks and orchestrations. While ServiceNow incident response processes are based on NIST, customers can adapt them for other methodologies like SANS.
  • Connect individual and “low-and-slow” attack activities to identify larger attacks. Security analysts can also link ongoing and past threats in the context of MITRE ATT&CK to see if a more sophisticated attack is in play that otherwise would have gone undetected.
  • Create custom detection dashboards. Aside from out-of-the-box features, SOC teams can create custom dashboards for high priority detections—like aligning MITRE tactics and techniques against known campaigns targeting a particular industry or anomalous privileged account behavior on a business-critical asset.
ServiceNow and the MITRE ATT&CK Framework for Assessment and Engineering

In this use case, organizations can use ServiceNow and the MITRE ATT&CK Framework to align adversarial behavior with all security policies, data, and technologies across the enterprise to enhance understanding and optimize resource allocation and investments. For example, the SOC team can:

Align adversary behavior and attack campaigns to overall detection coverage. ServiceNow includes filters and heat maps to help in several ways. Organizations track adversary behavior and use filters to search into ongoing and past incidents to uncover hidden threats. With heat maps, SOC teams can view their detection rules and adjust detection controls coverage across techniques, campaigns, and specific adversaries. Once security teams can determine the tactics and techniques used in cyber-attack campaigns, they can better understand the attack surface and how well prepared they are in terms of threat prevention and detection. This clarity can help them answer key questions like: Do we have the right controls in place to block tactics and techniques? What can and can’t we detect using current controls and data sources? Are security controls and data sources adequate or are there gaps in coverage?

Optimize processes and skills against evolving attack techniques. SOC teams can also use these visualizations to conduct post-mortems after attacks, helping them uncover hidden threats and identify the techniques for which hunting, detections, or investigation efforts were inadequate. SOC teams can then educate analysts and improve detection, investigation, and remediation processes for breaking similar kill chains in the future.

Prioritize security investments to improve the security posture. By assessing security controls and data sources, security teams can quickly classify their weakest areas. This information can help guide future actions like augmenting security data collection for the inclusion of new data sources (i.e., logs, network data, business impact, threat intelligence, endpoints, etc.). CISOs use these assessments to target and justify future security investments for monitoring, detecting, blocking, and responding to MITRE ATT&CK-specific tactics and techniques.

ServiceNow and the MITRE ATT&CK Framework for Cyber-threat Intelligence Analysis

Threat intelligence analysis is often focused on individual IoCs where cyber-adversary intent is unclear. The combination of SOAR and MITRE ATT&CK adds maturity to CTI analysis by moving from a basis of IoCs to TTPs. MITRE helps analysts further by weaving together TTPs into full cyber-attack campaigns. ServiceNow extends these capabilities with:

Out of-box integration with other threat intelligence sources. The ServiceNow security operations platform also includes out-of-the-box integration with threat feeds, threat intelligence platforms (TIPs), sandboxes, etc. Data from these systems is extracted and presented in context with MITRE ATT&CK tactics and techniques in common graphics and dashboards. Security analysts can then equate adversary tactics and techniques with other artifacts, including file hashes, known malicious IP addresses/web domains, whois lookups, etc. This gives threat analysts a “one-stop shop” to learn all they can about cyber-adversaries and attack campaigns.

Enrich with internal data. Armed with MITRE and third-party threat intelligence, ServiceNow uses this information to enrich internal security incidents and observables each time a case is created. This can help junior analysts triage and prioritize security alerts while level 2 and 3 analysts are presented with a consolidated view of all data elements to streamline further investigations.

Mine data for threat hunting. Analysts can use the filters within ServiceNow’s MITRE ATT&CK navigator to accelerate threat hunting exercises. For example, the SOC team can do deep searches into the incident repository to look for common artifacts and patterns that may indicate whether a single event was random or part of an attack campaign from a known adversary.

ServiceNow and the MITRE ATT&CK Framework for Adversary Emulation

Aside from reacting to security alerts and events, SOC teams can use the combination of SOAR and the MITRE ATT&CK Framework in a more proactive way—for red teaming and penetration testing. In fact, many service providers and automated testing tools use MITRE ATT&CK to emulate cyber-attacks conducted by known adversaries. ServiceNow integration with MITRE ATT&CK can help organizations:

  • Test against different adversaries. Organizations can use ServiceNow MITRE ATT&CK navigator to plot out likely tactics and techniques used by different known adversaries in their cyber-attack campaigns. Once they map the most likely paths, they can use third-party services or automated testing tools to test their defenses. This process can reveal unknown weaknesses like misconfigured security controls, unknown vulnerable assets, or ambiguous detection rules that need attention. Test results can be compared with data sources and overall technique detection coverages and then overlayed into heat maps to find the blind spots/vulnerable areas. Testing against known adversaries will be especially useful for highly targeted industries like financial services, government agencies, healthcare, and technology.
  • Improve red team/blue team collaboration and ROI. The combination of the ServiceNow security operations platform and MITRE ATT&CK Framework provides a template for collaboration. Red team members can test against specific tactics and techniques or emulate a known threat actor while blue teams have the right visualization into controls and data sources to isolate areas that need improvement. By working with the same tools and models, organizations gain visibility to granular changes for risk mitigation while this knowledge can also help guide security investments and improve ROI on security spending.

Aside from security operations, the ServiceNow SOAR and MITRE ATT&CK combination can also help improve the relationship between security and IT operations teams due to the tight integration across the ServiceNow platform. For example, when an investigation uncovers an incident related to a software vulnerability, the tool can use ServiceNow Vulnerability Response and ServiceNow Software Asset Management to understand where the vulnerable software is actively in use. At the same time, the tool can notify risk and compliance stakeholders of a new risk event through integration with ServiceNow risk management products. Information accessed from the CMDB (such as where the asset is located, who owns it, how critical it is to the company, or the sensitivity of data stored) can inform analysts, drive prioritization, and expedite response by grouping assets and automating tasks. For example, the security team can use workflows to kick off changes to systems, such as updated firewall rules or reprioritizing a patch in the ITSM module, and track progress through integrated dashboards. Beyond security teams, this can also help business managers understand risks to critical assets (in the CMDB) that could disrupt business operations.

With ServiceNow, security, risk, and IT operations teams work share a common data model and a single platform architecture with common tools and reporting. This relationship enables real-time collaboration and is especially important for process automation success. According to ESG research, integrating security tools with IT operations systems and improving collaboration between security and IT operations staff are top priorities for security operations automation and orchestration (see Figure 3).3

Figure 3. Top Four Priorities for Security Operations Automation and Orchestration

What types of tasks are or would be the top priorities for security operations automation/orchestration? (Percent of respondents, N=366, three responses accepted)

Source: Enterprise Strategy Group

The Bigger Truth

The MITRE ATT&CK Framework is often viewed as an encyclopedia of what adversaries can do using real-world examples as its basis. Additionally, the MITRE ATT&CK Framework is a living model with contributions and updates from a global community of cybersecurity professionals and organizations. Given this, the MITRE ATT&CK Framework’s value to security analysts can’t be overstated.

Unfortunately, many security organizations view MITRE ATT&CK as another threat intelligence data source alone. Yes, they use the data as they can, but they haven’t figured out how to use MITRE ATT&CK to truly improve security efficacy and efficiency.

As described in this white paper, the MITRE ATT&CK framework is a perfect complement to security process automation and orchestration. First, MITRE ATT&CK data should be ingested into a SOAR-based repository for visibility and queries, but additional layers of integration can truly unleash the power of MITRE. Security analysts should be able to view MITRE data in the context of security incidents and observables. MITRE data should be available for custom incident response playbooks and dashboards for different roles and responsibilities within the SOC. Security analysts and other SOC leaders should use MITRE ATT&CK navigators, filters, and heat maps to align individual security events with tactics and techniques in the context of attack campaigns and threat actors. Threat intelligence analysts should be able to enrich IoCs with MITRE data, and security testers should build test plans that emulate known threat actors to test detection rules and security controls. These are a few examples but there are countless other ways in which SOAR integration with MITRE ATT&CK can deliver benefits and ROI on security spending.

While most SOAR platforms can ingest MITRE data, ServiceNow has instrumented multiple layers of integration for security operations and even IT use cases. Furthermore, ServiceNow has an aggressive roadmap for further integration and functionality in the near future. CISOs who want to operationalize the MITRE ATT&CK Framework while improving security efficacy, operational efficiency, and ROI on security investment should contact ServiceNow to see how its security operations platform aligns with security requirements, objectives, and strategies.

See ServiceNow in action

Source: ESG Research Report, The rise of cloud-based security analytics and operations technologies, Dec 2019.
Source: ESG Research Report, The rise of cloud-based security analytics and operations technologies, Dec 2019.
Source: ESG Research Report, The rise of cloud-based security analytics and operations technologies, Dec 2019.

This ESG White Paper was commissioned by ServiceNow and is distributed under license from ESG.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.