BUILD CYBER ANALYTICS

The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. CAR defines a data model that is used in its pseudocode representations, but its analytics also include implementations targeted directly at specific tools (e.g., Splunk, EQL). With respect to coverage, CAR focuses on providing a set of validated and well-explained analytics, in particular with regard to their operating theory and rationale.

Visit the CAR site.

For this Ransomware Resource Center, we have created a specific view within the ATT&CK Navigator that highlights the known ransomware actors, software, and their tactics and techniques that are presently documented in ATT&CK. The analytics listed below are intended to detect those techniques.

Below are the cyber analytics relevant to ransomware techniques that are presently documented in ATT&CK. This information continues to evolve. Feedback on relevant information from the user community is welcome at HealthCyber@mitre.org.

The analytics are shown in three groups based on the data sources used in collecting the required events:

Detections with data available in Windows

These events can be detected by collecting Windows security log events.

Detections Using Events from a Domain Controller

Detections Using Events from an Endpoint Data Source

Detections with data available in Windows with additional configuration

To use these detections, it is necessary to turn on EventID 4688 (event name: "A new process has been created") in the Windows security log. Once this event has been enabled on endpoints, their logs need to be forwarded to the system that will be used to implement the following detections.

To use the following detections, it is also necessary to activate file auditing on the folders to be monitored.
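The configuration steps above, carried out on a single endpoint, as an added example that is not part of the original page or of CAR: it enables EventID 4688 with command-line capture, turns on object-access auditing for the file system, and places an audit SACL on one folder. The folder path is a placeholder assumption, and the script must be run from an elevated PowerShell session.

```powershell
# Added example (not from the page): enable the Windows telemetry the
# detections above depend on. Run elevated on each endpoint, or push the
# equivalent settings through Group Policy.

$MonitoredFolder = 'C:\Shares\Finance'   # placeholder: folder to audit (assumption)

# 1. Turn on EventID 4688 ("A new process has been created") by enabling
#    the Process Creation audit subcategory for success and failure.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Make 4688 include the full command line. Without this the event only
#    records the image path, which hides the arguments most analytics key on.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Enable object-access auditing for the file system so that SACLs placed
#    on folders actually generate events (EventID 4663 for access attempts).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Add an audit SACL to the monitored folder: record successful writes,
#    appends and deletes by any principal, inherited by subfolders and files.
$Acl  = Get-Acl -Path $MonitoredFolder -Audit
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success')
$Acl.AddAuditRule($Rule)
Set-Acl -Path $MonitoredFolder -AclObject $Acl

# 5. Verify the policy took effect and that 4688 events are now being written.
auditpol /get /subcategory:"Process Creation"
auditpol /get /subcategory:"File System"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 3 |
    Select-Object TimeCreated, Id
```

The `auditpol` subcategory names are the English ones; on a localized Windows build use `auditpol /list /subcategory:*` to find the local names, then forward the Security log to the collection system as the text above describes.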

Detections that require additional telemetry

These detections need more data than Windows provides out of the box. They require additional tools such as Microsoft Sysmon or an EDR solution. Consult the individual detections below for details.
