MITRE ATT&CK Framework
Defense Evasion
Adversary is trying to avoid being detected. Example techniques: uninstalling/disabling security software or obfuscating/encrypting data and scripts.
Privilege Escalation
Adversary is trying to gain higher level permissions.
Execution
Adversary is running malicious code. Usually paired with techniques from other tactics.
Initial Access
Adversary is trying to get into the network. Example techniques: Spearphishing.
Keylogging
A method of capturing and recording user keystrokes, providing a means to obtain passwords or encryption keys.
Best Practice API
API should return info following the MITRE ATT&CK Framework and identify the tactic.
Pre-Boom and Post-Boom
ATT&CK now has PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK for Mobile.
Persistence
Adversary is trying to maintain their foothold: keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Sample techniques: access, action, or configuration changes that let adversaries maintain footholds in systems, such as replacing or hijacking legitimate code or adding startup code.
Use case 1: Detection & Analytics
Analytics to look at patterns of behavior actors would use. You need to be thoughtful that you're not tripping a single analytic; it must be a chain of events to eliminate false positives. Theory: actors don't morph very often. TTPs are supposed to be static in today's world.
Tactics are arranged by
Columns
How does MITRE get its data for ATT&CK?
Community Driven (updated quarterly)
Credential Dumping
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear-text password, from the operating system and software.
Use Case 3: Evaluating Tools
Evaluate 3rd-party tools: CrowdStrike, Endgame.
LMCK
Lockheed Martin Cyber Kill Chain defines Pre-Boom and Post-Boom. Pre-Boom: recon and weaponize. Post-Boom: deliver/exploit/control/execute/maintain. Post-Boom is all part of MITRE ATT&CK.
MITRE vs. Kill Chain
MITRE is NOT hypothetical; it is based on real-world events.
Use Case 2: Measuring Defense
Most popular use case. See how you stack up against the different TTPs. Create a plan to deploy precious resources.
MITRE ATT&CK: what is it?
Provides insights into the tactics and techniques; real-life examples of things observed in the wild.
Red / Blue team
Red team makes use of ATT&CK to label their post-event activities in a debrief report. Blue team maps the gaps back to find where to make changes in products or analytics.
Techniques are arranged by
Rows
CHOPSTICK
Software (GitHub). CHOPSTICK is a malware family of modular backdoors used by APT28. Usually a 2nd-stage malware, but sometimes used as 1st-stage malware. Techniques: Data Obfuscation, Connection Proxy, Standard Application Layer Protocol, Remote File Copy, Rundll32, Timestomp, Credential Dumping, Screen Capture.
New Service
Technique. When operating systems boot up, they can start programs or applications called services that perform background system functions. Adversaries will install a new service, which will be executed at startup, by modifying the registry or by using tools. Examples: Carbanak, Lazarus Group, TinyZBot, CozyCar, etc.
Command and Control
The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.
Discovery
The adversary is trying to figure out your environment. Example technique: Network Share Discovery.
Collection
The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
Impact
The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals.
Lateral Movement
The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.
Credential Access
The adversary is trying to steal account names and passwords.
Exfiltration
The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
How is MITRE funded?
by local government
Blue Team
defenders
Adversaries and malware tools
Described by ATT&CK on GitHub
Is the LM CKC competing with ATT&CK?
No, they do not compete, nor does IRIS compete. LMCK is at the top; at the bottom is the IRIS Cyber Attack Framework. They are complementary to each other.
Red Team
Pretend adversaries
Spearphishing
Sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.