Fortinet Champions MITRE CTID Ambiguous Techniques

Fortinet's Leadership in Global Cybersecurity

Fortinet is steadfast in its mission to empower organizations to outpace sophisticated cyberthreats. We are pleased to continue our long-standing collaboration with the MITRE Center for Threat-Informed Defense (CTID) as a research partner and on the Ambiguous Techniques initiative, a groundbreaking approach that redefines detection engineering. The project was recently delivered to the MITRE CTID community as an advanced approach to the Summiting the Pyramid framework, with the goal of addressing the complex challenge of detecting behaviors where malicious and benign actions converge. Fortinet is proud to drive this innovation forward in collaboration with MITRE CTID, and the effort further Fortinet's commitment to deliver actionable, intelligence-driven security to its customers.

Summiting the Pyramid v3.0.0: Introducing Ambiguous Techniques

Summiting the Pyramid develops cyber analytics that target high-level tactics, techniques, and procedures (TTPs) from MITRE ATT&CK, leveraging David Bianco's Pyramid of Pain to prioritize behaviors that adversaries find costly to modify, such as TTPs, over ephemeral indicators like IP addresses, making it more costly and painful for cyber attackers to continue their campaigns. The project's core methodology provides a robust framework for crafting resilient detections. The most recent version of Summiting the Pyramid introduces Ambiguous Techniques, enabling defenders to discern malicious intent in techniques that mimic legitimate activities, such as PowerShell, AdFind, or system utilities. For additional color, this effort is significant because it solves for real-world challenges with a solution that offers a tangible impact. For example:

Problem: Sometimes defenders lack contextual knowledge to understand if a given detection is malicious or not.

Solution: The Ambiguous Techniques methodology helps defenders understand if a detection is more likely to be malicious or not.

Impact: If vendors and blue teams implement the methodologies in their products, the methodology offers improved and faster detection.

An ambiguous technique is characterized by observables that lack sufficient clarity to definitively determine intent. Such techniques exhibit key behaviors that may stem from either benign or malicious sources, requiring more precise and robust detection methods to minimize the risk of substantial false positives while maintaining effective identification of threats.

The research on ambiguous techniques identified three distinct types of context that are essential for defenders to discern an actor's intent: peripheral-level, chain-level, and technique-level. These contextual layers deliver critical information about a technique's usage, enabling precise differentiation of intent and enhancing detection accuracy.

Peripheral-level context adopts an "outside-looking-in" perspective, leveraging external intelligence to defend against network threats. Focused on pre-compromise activities, such as reconnaissance, this context drives proactive detections using cyberthreat intelligence tailored to your network, industry, or sector. It supports behavior-based and signature-based defenses, enabling organizations to anticipate and mitigate risks before they materialize, rather than relying solely on traditional SIEM queries.

Chain-level context centers on analyzing co-occurring techniques, those preceding, following, or concurrent with a target technique, to infer intent. We explored this context using data from our MITRE Attack Flows repository and Adversary Emulation Library. For instance, examining the Archiving Collected Data technique in notable breaches, we mapped adjacent activities to identify patterns, employing a tactic-based color-coding system for clarity. A key trend was the frequent pairing of exfiltration immediately after archiving, signaling malicious intent.

Determining intent relied on historical attack chain analysis and recurring patterns. We typically chained two techniques, as longer chains risk missing relevant activities, impacting accuracy. Balancing chain length, the number of linked techniques, and the desired precision is crucial to ensure effective and accurate detection analytics.

Technique-level context centers on artifacts specific to detecting a single technique, categorized into four key areas: who, what, when, and where.

Who focuses on authentication and privilege details, analyzing the user's identity, their access privileges, and resource access methods to uncover unusual behavior or unauthorized access patterns.

What encompasses traditional event artifacts, including flags, commands, registry keys, API calls, or other tangible indicators derived from event codes or IDs, providing concrete evidence of activity.

When evaluates access patterns, such as activity frequency and timing, to detect anomalies like operations occurring outside normal hours, which may signal malicious intent.

Where monitors critical network terrain, including key files, systems, and network connections, using baselines to identify deviations like new or unexpected connections to anomalous destinations.

These categories enable precise detection by anchoring analysis to specific, actionable artifacts.

The Ambiguous Techniques framework analyzes co-occurring techniques and contextual signals to minimize false positives, while chained analytics enhance detection precision.

Supported by Fortinet and collaborators like AttackIQ and Microsoft, this freely available Ambiguous Techniques project equips security teams with tools to build defenses that withstand adversary adaptation.

Fostering Collaboration and Future-Ready Defense

Summiting the Pyramid v3.0.0 empowers security operations centers (SOCs) because by targeting invariant behaviors and contextual intelligence we enable cyber defenders to truly understand and apply knowledge to fully grasp an attacker's intent. This synergy enhances SOC efficiency, enabling faster, more confident responses.

We invite the cybersecurity community to engage and contribute to the Analytics Repository, or sharing feedback via ctid@mitre.org or GitHub.

As cyber defenders, we must adopt and operationalize these tools, contribute to these ecosystems, and champion threat-informed defense efforts within our organizations. Fortinet remains committed to fostering collaboration and innovation, ensuring defenders are equipped to protect against sophisticated threats through initiatives such as this Ambiguous Techniques initiative and our industry-leading cybersecurity solutions.