Mitre Att&CK Framework

Defense Evasion

Adversary is trying to avoid being detected Tactics: uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Privelage escalation

Adversary is trying to gain higher level permissions.

Execution

Adversary running malicious code Usually paired with other techniques from other tactics.

Initial Access

Adversary trying to get into the network Example Techniques: Spearphishing

Keylogging

A method of capturing and recording user keystrokes, providing a means to obtain passwords or encryption keys.

Best Practice API

API should return info following Mitre ATT&CK Framework. identify the tactic

Pre-Boom and Post Boom

ATT&CK has pre-Att&CK now ATT&CK for enterprise ATT&CK for Mobile

Persistence

Adversary trying to maintain their foothold Keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Sample techniques: access, action or config changes that let adversaries maintain footholds in systems, such as replacing or hijacking legitimate code or adding startup code.

Use case 1: Detection & Analytics

Analytics to look at patterns of behaviors actors would use. You need to be thoughtful that youre not tripping a single analytic, must be a chain of events to eliminate false positives. Theory: Actors dont morph much often. TTP's are supposed to be static in todays world.

Tactics are arranged

Column

How does Mitre get its data for ATT&CK

Community Driven (updated quarterly)

credential dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software

Use Case 3: Evaluating Tools

Evaluate 3rd party tools: Crowdstrike EndGame

LMCK

Lockhead Martin Cyber Kill Chain defines PREBOOm and POST BOOM Preboom - recon and weaponize PostBoom- deliver/exploit/control/execute/maintain Post Boom is all part of MITRE ATT&CK

Mitre v KillChain

Mitre is NOT hypothetical; it is based on real world events.

Use Case 2: Measuring Defense

Most popular use case See how you stack up against the different TTP's* Create a plan to deploy precious resources.

Mitre att&CK- what is it

Provides insights into the tactics and techniques Real life examples of things observed in the wild.

Red / Blue team

Red team mkae use of ATT&CK to label their post event activities in a debrief report B Blue team maps the gaps back to find where they make changes in products or analytics.

Tecnhiques are arranged by

Rows

CHOPSTICK

Software (Github) CHOPSTICK is a malware family of modular backdoors used by APT28. Usually a 2nd stage malware, but sometimes used as 1st stage malware. Techniques: Data Obfuscation; connection proxy, standard application layer protocol, remote file copy, rundll32, timestomp, credential dumping, screen capture

New Service

Technique When OS's boot up, they can start programs or applications called services that perform background system functions. Adversaries will install a new service which will be executed at startup by modidfying the registery or by tools. Examples: Carbanak, Lazarus Group, TinyZBot, CozyCar etc.

command and control

The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection

Discovery

The adversary is trying to figure out your environment. Network share discovery

Collection

The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals.

Lateral Movement

The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

Credential Access

The adversary is trying to steal account names and passwords.

Exfiltration

The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

How is Mitre funded

by local government

Blue Team;

defenders

Adversaries and malware tools

descirbed by Att&CK in GITHUB

Is LHM CKC competing with ATT&CK.

no they do not compete, nor does IRIS compete. LMCK is TOP Bottom is IRIS CYBER ATTACK FRAMEWORK They are complementary to each other.

red team

pretend adversaries

spearphishing

sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.