MITRE ATT&CK and the 2017 FSB Indictment

MITRE ATT&CK stage and the 2017 FSB tactics, techniques and procedures (TTPs)

0. PRE-ATT&CK: People Information Gathering, Technical Information Gathering, Technical Weakness Identification
1. Initial Access: Exploit Public-Facing Application; Spearphishing Attachment, Spearphishing Link
3. Persistence: Web Shell
4. Privilege Escalation: Exploitation for Privilege Escalation
5. Defense Evasion: Clear Command History
6. Credential Access: Exploitation for Credential Access, Hooking, Credentials in Files, Private Keys
7. Discovery: Network Service Scanning, Remote System Discovery
9. Collection: Data from Local System, Data from Network Shared Drive, Data Staged, Data from Information Repositories

Mitigation Advice

•	Awareness of an organization's security posture at the perimeter and beyond is critical for understanding where attackers might begin targeting an organization.
•	Employees need to be informed that their personal assets, such as email accounts or Internet-connected devices, may well be targets for attackers looking to pivot from there into corporate or other environments.
•	Prioritize patches for vulnerabilities with publicly available exploits.
•	Where patching is not feasible, apply compensating controls, such as access control lists or firewalling, to mitigate the risk.
•	Employees' personal systems should not hold any corporate credentials.
•	With kernel privilege escalation exploits (which affect every operating system), the affected machine must be rebooted after patching, unless live patching is in use, for the fix to take effect.
•	A patch management solution can help to keep an environment patched to an appropriate level.
•	Require a "four-eyes" process in which multiple code reviewers are mandated.
•	Code reviewers need to look for security issues as well as for concerns relating to performance, stability, correctness, etc.
•	Do not store directly reusable credentials in wikis and other information repositories.
•	Use a password manager for secure password storage and sharing.
•	Log user logins to accounts on customer-facing services so that anomalous behavior can be detected.
•	Corporate VPNs should use a strong 2FA solution, such as TOTP or U2F, for the second factor.
•	Cryptographic material must be kept separate between production and staging environments, so that a key taken from the (usually less protected) staging environment is useless against production.
•	Network segmentation can limit which systems an attacker can interrogate after a successful compromise. This can be achieved with host and network firewalls and/or VLANs.
•	Internal IDS systems can detect nmap and other scans, but attackers routinely use standard evasion techniques (slow scan timing, packet fragmentation, decoy source addresses), so scan detection should not be relied on alone.
•	Monitoring account activity, including that of admin accounts, is important for uncovering anomalous and/or malicious behavior.
•	Attempts to modify or clear system logs, such as Windows Security Event ID 1102 ("The audit log was cleared"), should be logged and alerted on wherever possible.
•	Centralized logging, where logs such as syslog are automatically forwarded to a central location, mitigates an attacker altering the logs on a local system, because the forwarded copy survives.
•	Email filtering systems or services can help to identify some spearphishing threats.
•	Office 365 users should consider Microsoft's Advanced Threat Protection (ATP).
•	Blocklists for web traffic can be used to detect and block known malicious URLs if they happen to be opened.
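The bullets on logging logins to customer-facing services and on monitoring account activity, including admin accounts, leave open what "anomalous" means in practice. Below is an added example, not code from the page, of three concrete heuristics run over login records: a success that follows a run of failures for the same account and source, one source trying many distinct accounts (password spraying), and a privileged account succeeding from a source never seen for it before. The log line format, the IP addresses, the account names, the `admin` privileged set and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Iterable, List

# Constructed sample of auth log lines from a customer-facing service (not real data).
SAMPLE_LOG = """\
2017-03-01T09:00:01Z login user=alice ip=203.0.113.5 result=success
2017-03-01T09:00:05Z login user=admin ip=203.0.113.10 result=success
2017-03-01T09:01:00Z login user=bob ip=198.51.100.7 result=fail
2017-03-01T09:01:02Z login user=bob ip=198.51.100.7 result=fail
2017-03-01T09:01:04Z login user=bob ip=198.51.100.7 result=fail
2017-03-01T09:01:06Z login user=bob ip=198.51.100.7 result=success
2017-03-01T09:01:08Z login user=carol ip=198.51.100.7 result=fail
2017-03-01T09:01:10Z login user=dave ip=198.51.100.7 result=fail
2017-03-01T09:01:12Z login user=erin ip=198.51.100.7 result=fail
2017-03-01T09:01:14Z login user=frank ip=198.51.100.7 result=fail
2017-03-01T09:05:00Z login user=admin ip=198.51.100.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text: str) -> Iterable[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect_login_anomalies(events: Iterable[dict], privileged=frozenset({"admin"}),
                           fail_threshold: int = 3, spray_threshold: int = 5) -> List[dict]:
    alerts = []
    failures = defaultdict(int)         # (user, ip) -> consecutive failures so far
    accounts_per_ip = defaultdict(set)  # ip -> distinct accounts it has tried
    sprayed = set()                     # ips already reported for spraying
    known_sources = defaultdict(set)    # privileged user -> ips it has succeeded from
    for ev in events:
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        accounts_per_ip[ip].add(user)
        if len(accounts_per_ip[ip]) >= spray_threshold and ip not in sprayed:
            sprayed.add(ip)
            alerts.append({"type": "password_spray", "ip": ip, "ts": ts,
                           "accounts": sorted(accounts_per_ip[ip])})
        if ev["result"] != "success":
            failures[(user, ip)] += 1
            continue
        if failures[(user, ip)] >= fail_threshold:
            alerts.append({"type": "success_after_failures", "user": user, "ip": ip,
                           "ts": ts, "failures": failures[(user, ip)]})
        failures[(user, ip)] = 0
        if user in privileged:
            # First success sets the baseline; any later success from elsewhere is reported.
            if known_sources[user] and ip not in known_sources[user]:
                alerts.append({"type": "privileged_new_source", "user": user, "ip": ip,
                               "ts": ts, "known": sorted(known_sources[user])})
            known_sources[user].add(ip)
    return alerts


def run_sample_logins() -> List[dict]:
    return detect_login_anomalies(parse_log(SAMPLE_LOG))
```

The spray check deliberately counts distinct accounts per source rather than failures, since a sprayer tries one or two passwords against many accounts and never trips a per-account lockout; the per-account baseline for privileged users is the piece that needs persistent storage in a real deployment.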
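The Defense Evasion bullets recommend logging attempts to clear system logs (Windows Event ID 1102) and forwarding logs centrally so the local copy is not the only one. The following is an added example, not code from the page, of the check a central collector can run over forwarded Windows events: it reports the clear-log events themselves (Security 1102, and System 104 from the Microsoft-Windows-Eventlog provider) and, independently, a record ID that goes backwards for a host and channel, which is what clearing a log looks like even if the 1102 record never arrived. The JSON field names, host names and account names are constructed for illustration and are not a real forwarder's schema.

```python
import json
from typing import Dict, Iterable, List, Tuple

# (channel, event id) pairs that mean "someone cleared this log".
LOG_CLEARED_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log cleared (Microsoft-Windows-Eventlog)",
}

# Constructed sample of forwarded events as JSON lines; not real telemetry.
SAMPLE_EVENTS = """\
{"host": "ws01", "channel": "Security", "event_id": 4624, "record_id": 5001, "time": "2017-03-01T09:00:00Z", "user": "jdoe"}
{"host": "ws01", "channel": "Security", "event_id": 4672, "record_id": 5002, "time": "2017-03-01T09:00:01Z", "user": "jdoe"}
{"host": "srv02", "channel": "Security", "event_id": 4624, "record_id": 910, "time": "2017-03-01T09:00:02Z", "user": "svc_backup"}
{"host": "ws01", "channel": "Security", "event_id": 1102, "record_id": 1, "time": "2017-03-01T09:03:00Z", "user": "jdoe"}
{"host": "ws01", "channel": "Security", "event_id": 4624, "record_id": 2, "time": "2017-03-01T09:03:05Z", "user": "jdoe"}
{"host": "srv02", "channel": "System", "event_id": 104, "record_id": 12, "time": "2017-03-01T09:10:00Z", "user": "svc_backup"}
"""


def parse_events(text: str) -> Iterable[dict]:
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_log_tampering(events: Iterable[dict]) -> List[dict]:
    alerts = []
    last_record: Dict[Tuple[str, str], int] = {}
    for ev in events:
        key = (ev["host"], ev["channel"])
        rid = ev["record_id"]
        prev = last_record.get(key)
        # A record ID that goes backwards on the same host/channel means the local log
        # was cleared (record numbering restarts) or the forwarded stream was tampered with.
        if prev is not None and rid < prev:
            alerts.append({"type": "record_id_regression", "host": ev["host"],
                           "channel": ev["channel"], "previous": prev, "current": rid,
                           "time": ev["time"]})
        last_record[key] = rid
        reason = LOG_CLEARED_EVENTS.get((ev["channel"], ev["event_id"]))
        if reason:
            # The clear-log event carries the account that did it; keep it for triage.
            alerts.append({"type": "log_cleared", "host": ev["host"], "channel": ev["channel"],
                           "event_id": ev["event_id"], "user": ev["user"], "reason": reason,
                           "time": ev["time"]})
    return alerts


def run_sample_events() -> List[dict]:
    return detect_log_tampering(parse_events(SAMPLE_EVENTS))
```

Both checks only work because the events were forwarded before the local log was cleared; on the host itself, the 1102 record is the first entry of the fresh log and the 4624/4672 history that preceded it is gone.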
