Using the MITRE ATT&CK Framework as a Security Analyst, Threat Hunter, or Business Executive
The Now Platform connects information security professionals, like security analysts, threat intelligence analysts, and CISOs, with the insights they need to get work done better every day. Today we're going to look at how integrating with the MITRE ATT&CK framework does just that. We'll look at several examples of how it helps security incident handlers, threat hunters, and security leaders. This is the MITRE ATT&CK heat map and Navigator, a key feature and an important tool in threat intel.

But before we go too far, let's quickly review what MITRE ATT&CK is. The MITRE ATT&CK framework is a knowledge base of cyber attack tactics and techniques, used as a foundation for the development of specific threat models and methodologies. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It consists of the five following components:

- The ATT&CK Model: this is the basis of ATT&CK, and it is the set of individual techniques that represent actions that adversaries can perform to accomplish objectives.
- The ATT&CK Matrix: the relationship between tactics and techniques.
- Tactics represent the "why" of an attack technique. This is the adversary's tactical objective, the reason for performing the action.
- Techniques represent "how" an adversary achieves a tactical objective by performing an action.
- Procedures are the specific implementation the adversary uses for techniques or sub-techniques.

Let's go ahead and see how a security analyst could use MITRE ATT&CK in responding to a security incident. Right away we see that this is a phishing email intended for one of the employees at the company. In addition to the typical triage information, the security analyst now has immediate access to MITRE ATT&CK data and the ability to provide additional mappings. The MITRE ATT&CK tactics and techniques data was automatically mapped and associated when our security incident was created, based on the category of phishing. We can select any of the links provided in the card to perform further investigation, and we can adjust how the data is presented in our security incident.

We are provided with a list of associated observables, but they could use more context. Now we can see what the observable is, its type, and whether or not it is malicious. MITRE ATT&CK adds the additional context by associating tactics and techniques data. For example, we can see that this URL is, let's say, potentially a spearphishing URL, so we'll go ahead and add that technique so it will appear on the security incident. These tactics and techniques can be extracted automatically once applied by a third-party tool such as a SIEM, or by sensors and threat sources, and we can also associate tactics and techniques manually if needed, for example to the individual observables in our security incident or to the security incident itself.

While the security analyst works on a few incidents at a time, a threat intelligence analyst often works from the very top down. The data from our security incident, and every incident, is mapped against attack patterns here in this heat map. It makes it easier for the threat intelligence analyst to see the overall presence of a threat and our organization's readiness to address it. The MITRE ATT&CK heat map and Navigator allows threat intelligence analysts to see how the organization is handling threats and helps them perform threat hunting activities. Using filters, the threat intelligence analyst has the ability to quickly and easily see the data pertinent to their investigation. Even if very little data is available, they can begin their search and have the ability to see correlations and associations that may not be so easily apparent. There are a variety of different filters that come out of the box to help threat intelligence analysts isolate the data that they are looking for. They can use these filters to quickly see what attackers may be concentrating on within their environment by simply selecting one of the links on the form. They can easily expand their investigations by opening any of the records that are provided to them. This attack pattern record provides a variety of different data about this particular technique, including the different adversary groups that use it. In addition to this powerful new MITRE ATT&CK heat map and Navigator, the threat intelligence analyst can also view data through a STIX visualizer. This feature gives them quick and easy ways to see relationships between the intrusion set and malware, attack patterns, and the tools that they use.

With both our analysts hard at work, let's go ahead and take a look at how security leaders like a CISO can also use MITRE ATT&CK to assist in the management of their security programs. The MITRE ATT&CK heat map and Navigator is an excellent place to understand how various defensive systems are performing and identify where there may be gaps. We can gain immediate visibility into patterns where the department is seeing any concentration of incidents or is dealing with any relevant vulnerabilities. It also provides a quick visual of their current security posture for detecting and defending against each of these attack techniques. All of this helps the CISO understand where investments of time and resources are most needed in order to thwart the attack patterns that impact their organization the most, such as those from an adversary group like UNC2452 during the SolarWinds breach.

This demonstration showed you how using the MITRE ATT&CK framework with ServiceNow Security Incident Response can help security analysts, threat hunters, and security leaders do their jobs more effectively. If you'd like to learn more, please visit us at www.servicenow.com. Thank you.
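The workflow the demo walks through (techniques auto-associated from the incident category, more techniques attached manually to malicious observables or to the incident itself, every incident rolled up into a heat map, and the heat map read against detection coverage to find gaps) can be shown end to end in a few dozen lines. The following is an added example and not ServiceNow's code or the product's data model: the technique IDs and names are real ATT&CK identifiers, but the incidents, the category-to-technique mapping, the one-tactic-per-technique table and the detection-coverage table are constructed sample data, and the `versions` values in the Navigator layer are assumptions that may need adjusting for a given Navigator release.

```python
"""Roll incident-to-ATT&CK mappings up into a heat map and a Navigator-style layer.

Added example; not ServiceNow's code. Technique IDs/names are real ATT&CK
identifiers; everything else below is constructed sample data.
"""
import json
from collections import Counter, defaultdict

# Constructed, simplified: technique ID -> (name, single tactic).
TECHNIQUES = {
    "T1566":     ("Phishing", "initial-access"),
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1566.002": ("Spearphishing Link", "initial-access"),
    "T1204.001": ("User Execution: Malicious Link", "execution"),
    "T1078":     ("Valid Accounts", "initial-access"),
}

# Constructed: incident category -> techniques associated automatically on creation.
CATEGORY_MAP = {"phishing": ["T1566"], "unauthorized-access": ["T1078"]}

# Constructed sample incidents. "techniques" on an observable or on the incident
# stands for the manual or sensor-provided mappings the demo adds by hand.
INCIDENTS = [
    {"id": "SIR0001", "category": "phishing", "techniques": [],
     "observables": [{"value": "hxxp://lure.example/login", "type": "url",
                      "malicious": True, "techniques": ["T1566.002"]}]},
    {"id": "SIR0002", "category": "phishing", "techniques": [],
     "observables": [{"value": "invoice.docm", "type": "file",
                      "malicious": True, "techniques": ["T1566.001"]}]},
    {"id": "SIR0003", "category": "phishing", "techniques": ["T1204.001"],
     "observables": [{"value": "hxxp://lure.example/reset", "type": "url",
                      "malicious": True, "techniques": ["T1566.002"]},
                     {"value": "10.0.0.5", "type": "ip",
                      "malicious": False, "techniques": []}]},
    {"id": "SIR0004", "category": "unauthorized-access", "techniques": [],
     "observables": []},
]

# Constructed: the organization's current detection coverage per technique.
DETECTION_COVERAGE = {"T1566": "detected", "T1566.002": "detected",
                      "T1566.001": "partial"}


def incident_techniques(incident, category_map=CATEGORY_MAP):
    """All technique IDs tied to one incident: category defaults, incident-level
    mappings, and mappings on malicious observables (benign ones are ignored)."""
    ids = set(category_map.get(incident["category"], []))
    ids.update(incident.get("techniques", []))
    for obs in incident.get("observables", []):
        if obs.get("malicious"):
            ids.update(obs.get("techniques", []))
    return ids


def build_heatmap(incidents):
    """Incidents per technique; an incident counts once per technique even when
    several of its observables map to the same one."""
    counts = Counter()
    for inc in incidents:
        counts.update(incident_techniques(inc))
    return counts


def tactic_rollup(incidents, techniques=TECHNIQUES):
    """Number of distinct incidents touching each tactic (the 'why' column)."""
    seen = defaultdict(set)
    for inc in incidents:
        for tid in incident_techniques(inc):
            if tid in techniques:
                seen[techniques[tid][1]].add(inc["id"])
    return {tactic: len(ids) for tactic, ids in seen.items()}


def navigator_layer(counts, name="Incident heat map", coverage=DETECTION_COVERAGE):
    """Render counts as an ATT&CK Navigator layer dict. Field names follow the
    layer format as I understand it; the 'versions' values are assumptions."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": n,
             "comment": f"{n} incident(s); coverage: {coverage.get(tid, 'none')}"}
            for tid, n in sorted(counts.items())
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


def coverage_gaps(counts, coverage=DETECTION_COVERAGE):
    """Techniques seen in incidents that are not fully detected: the places
    where investment of time and resources is most needed."""
    return sorted(tid for tid in counts if coverage.get(tid) != "detected")


if __name__ == "__main__":
    heat = build_heatmap(INCIDENTS)
    print(json.dumps(navigator_layer(heat), indent=2))
    print("by tactic:", tactic_rollup(INCIDENTS))
    print("gaps:", coverage_gaps(heat))
```

Counting incidents rather than observables keeps a single noisy incident with many indicators from dominating the heat map, and the `comment` on each layer entry carries the coverage status so the CISO-level view (how many incidents hit a technique versus whether anything would detect it) is visible on one matrix.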
https://www.youtube.com/watch?v=XwnhgVU7vKQ