MITRE ATT&CK™ FRAMEWORK

Threat Intelligence
Detection, Analytics & Hunting
Assessment & Engineering
Threat Emulation

ARPAN RAVAL
null Bangalore & OWASP Bangalore Meet
28th March 2020
WHOAMI
❖Arpan Raval
❖Senior Threat Analyst @Optiv Inc
❖DFIR and Threat Hunting
❖Twitter @arpanrvl
❖https://www.linkedin.com/in/arpanraval
[Figure: the MITRE ATT&CK ecosystem. Components shown: ATT&CK Matrices; PRE-ATT&CK; CAR (knowledgebase of developed analytics); Software (observed in adversary behavior); Threat Actors (adversaries observed in cyber); Observed TTPs.]
MITRE ATT&CK™
▪MITRE
•R&D-focused, federally funded non-profit org
▪ATT&CK
•Knowledge base of adversary behaviors, collected from real-world observations and attacks
•Describes and categorizes adversarial behavior in the different phases of the attack cycle
•Common language
PYRAMID OF PAIN
Courtesy David J Bianco
[Figure: indicator levels by how much pain their loss causes an adversary, from Trivial, Easy and Simple through Annoying and Challenging (Tools) to Tough! (TTPs).]
Tactical
▪ Reactive Indicators of Compromise
▪ Doesn’t work for malware-free intrusions
▪ Point-in-time artifacts

Behavioral
▪ Proactive Indicators of Attack
▪ Defined by adversary's behavior
▪ Real time

https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
MITRE Explained: Tactic
▪Answers Why? for an adversary’s actions.
▪The adversary’s objective behind an action
▪Represented by columns in the MITRE ATT&CK Matrix

Tactics per matrix: Enterprise 12, Mobile 13, ICS 11
▪ Enterprise: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
▪ Mobile: Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Impact, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects
▪ ICS: Collection, Command and Control, Discovery, Evasion, Execution, Impact, Impair Process Control, Inhibit Response Function, Initial Access, Lateral Movement, Persistence

Example
An adversary wants to achieve credential access.
MITRE Explained: Technique
▪Answers How? for the achievement of an adversary’s objective.
▪The adversary uses a technique to achieve an objective
▪Represented by an individual cell in the MITRE ATT&CK Matrix

Techniques per matrix: PRE-ATT&CK 174, Enterprise 266, Mobile 79, ICS 81

Example
An adversary may dump credentials to achieve credential access.
MITRE Explained: Technique Meta-info
❖Tactic:
Related MITRE tactic
❖Platform:
Platform required for the technique to work on.
❖Permissions Required:
Lowest permission level an adversary needs to implement the technique
❖Effective Permissions:
Permissions an adversary obtains after successful implementation of the technique
❖Data Sources:
Recommended data to collect for detection of the technique
MITRE Explained: Procedure
▪Answers What? for an adversary’s use of a technique.
▪The actual implementation of a technique.
▪Each technique has a page with a description, examples, sources and references.

Example
A procedure could be an adversary using PowerShell to inject into lsass.exe and dump credentials by scraping LSASS memory on a victim.
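The procedure above is exactly the level at which a detection analytic is written: not "PowerShell" and not "credential dumping" in the abstract, but a process opening lsass.exe with memory-read rights. The following is an added example (not from the deck) of such an analytic over Sysmon Event ID 10 (ProcessAccess) records. Assumptions: the records are flattened to key=value text, the sample lines are constructed, and the allow-list of processes that legitimately open lsass is a placeholder to be tuned per environment.

```python
"""Detect a process opening lsass.exe with memory-read rights (the LSASS scraping
procedure), from Sysmon Event ID 10 (ProcessAccess) records rendered as key=value.

Sample events are CONSTRUCTED for this example; the allow-list is a placeholder.
"""
import re

# Access-right bits of the Windows PROCESS_* access mask.
PROCESS_VM_READ = 0x0010               # required to read another process's memory
PROCESS_QUERY_LIMITED_INFO = 0x1000    # benign and very common (task managers etc.)

# Sources that open lsass with broad rights during normal operation.
# Placeholder allow-list (assumption): keep it path-qualified and tune it.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample telemetry: Sysmon ProcessAccess as key=value lines.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4",
    r"EventID=10 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(000001C2A3B40000)",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4",
    r"EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(00007FF6A1230000)",
]

# key=value pairs; values may contain spaces (e.g. "C:\Program Files\...").
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one flattened Sysmon line into a dict of field -> value."""
    return dict(_KV.findall(line))


def is_suspicious_lsass_access(event):
    """True when a non-allow-listed process opens lsass.exe with VM_READ."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # rights like 0x1000 cannot read memory: benign noise
    source = event.get("SourceImage", "").lower()
    return source not in ALLOWED_SOURCES


def detect_lsass_access(lines):
    """Run the analytic over log lines and return ATT&CK-tagged alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            alerts.append({
                "source": ev["SourceImage"],
                "granted_access": ev["GrantedAccess"],
                # a call stack frame not backed by a module on disk is a
                # strong secondary signal for injected or reflective code
                "unbacked_caller": "UNKNOWN(" in ev.get("CallTrace", ""),
                "attack": {"tactic": "credential-access",
                           "technique": "OS Credential Dumping: LSASS Memory"},
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the svchost line is dropped because 0x1000 carries no read right, Defender is allow-listed, and the PowerShell and Temp-folder processes are raised as credential-access alerts; the `unbacked_caller` flag is what a triage analyst would look at first.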
MITRE Explained: Sub-Technique
▪Sub-techniques are a way to describe a specific implementation of a technique in more detail.

OS Credential Dumping
▪ LSASS Memory
▪ Security Account Manager
▪ NTDS
▪ DCSync
▪ Proc File System
▪ /etc/passwd
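The meta-info fields and the technique/sub-technique relationship above are exactly what the public ATT&CK STIX bundle carries per attack-pattern object. The following is an added example (not from the deck) of reading them: it indexes a bundle by ATT&CK ID, lists the sub-techniques of a parent, answers which techniques sit in a given tactic column, and computes the union of data sources to onboard for a chosen set of techniques. The bundle is a constructed, abbreviated sample using the real property names (`kill_chain_phases`, `x_mitre_platforms`, `x_mitre_permissions_required`, `x_mitre_effective_permissions`, `x_mitre_data_sources`, `x_mitre_is_subtechnique`, `external_references`); for real output, `json.load()` the official bundle into `bundle` instead.

```python
"""Read technique meta-info and sub-techniques from ATT&CK-style STIX 2 objects.

SAMPLE_BUNDLE is a CONSTRUCTED, abbreviated stand-in for the real ATT&CK bundle;
field names are those of the real bundle, values are illustrative.
"""


def _phase(name):
    return {"kill_chain_name": "mitre-attack", "phase_name": name}


def _ref(ext_id):
    return {"source_name": "mitre-attack", "external_id": ext_id}


SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {   # parent technique
            "type": "attack-pattern", "name": "OS Credential Dumping",
            "x_mitre_is_subtechnique": False,
            "kill_chain_phases": [_phase("credential-access")],
            "x_mitre_platforms": ["Windows", "Linux", "macOS"],
            "x_mitre_permissions_required": ["Administrator", "SYSTEM", "root"],
            "x_mitre_data_sources": ["Process: OS API Execution", "Command: Command Execution"],
            "external_references": [_ref("T1003")],
        },
        {   # sub-technique: narrower platform, permissions and data sources
            "type": "attack-pattern", "name": "LSASS Memory",
            "x_mitre_is_subtechnique": True,
            "kill_chain_phases": [_phase("credential-access")],
            "x_mitre_platforms": ["Windows"],
            "x_mitre_permissions_required": ["Administrator", "SYSTEM"],
            "x_mitre_data_sources": ["Process: Process Access", "Process: OS API Execution"],
            "external_references": [_ref("T1003.001")],
        },
        {
            "type": "attack-pattern", "name": "/etc/passwd and /etc/shadow",
            "x_mitre_is_subtechnique": True,
            "kill_chain_phases": [_phase("credential-access")],
            "x_mitre_platforms": ["Linux"],
            "x_mitre_permissions_required": ["root"],
            "x_mitre_data_sources": ["File: File Access", "Command: Command Execution"],
            "external_references": [_ref("T1003.008")],
        },
        {   # a technique that appears in several tactic columns
            "type": "attack-pattern", "name": "Valid Accounts",
            "x_mitre_is_subtechnique": False,
            "kill_chain_phases": [_phase("defense-evasion"), _phase("persistence"),
                                  _phase("privilege-escalation"), _phase("initial-access")],
            "x_mitre_platforms": ["Windows", "Linux", "macOS"],
            "x_mitre_permissions_required": ["User", "Administrator"],
            "x_mitre_effective_permissions": ["User", "Administrator"],
            "x_mitre_data_sources": ["Logon Session: Logon Session Creation"],
            "external_references": [_ref("T1078")],
        },
        {"type": "relationship", "relationship_type": "uses"},  # ignored: not a technique
    ],
}


def attack_id(obj):
    """ATT&CK ID (Txxxx or Txxxx.yyy) from the object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def technique_metainfo(obj):
    """Flatten the meta-info fields listed on the slide for one attack-pattern."""
    tid = attack_id(obj)
    return {
        "id": tid,
        "name": obj["name"],
        "parent": tid.split(".")[0] if "." in tid else None,   # sub-technique -> parent
        "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                    if p["kill_chain_name"] == "mitre-attack"],
        "platforms": obj.get("x_mitre_platforms", []),
        "permissions_required": obj.get("x_mitre_permissions_required", []),
        "effective_permissions": obj.get("x_mitre_effective_permissions", []),
        "data_sources": obj.get("x_mitre_data_sources", []),
    }


def index_bundle(bundle):
    """Map ATT&CK ID -> meta-info for every technique/sub-technique in a bundle."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "attack-pattern" and attack_id(obj):
            meta = technique_metainfo(obj)
            index[meta["id"]] = meta
    return index


def subtechniques_of(index, parent_id):
    return sorted(tid for tid, m in index.items() if m["parent"] == parent_id)


def techniques_for_tactic(index, tactic):
    """Techniques that appear in a given matrix column (tactic)."""
    return sorted(tid for tid, m in index.items() if tactic in m["tactics"])


def data_sources_to_collect(index, technique_ids):
    """Union of recommended data sources for a set of techniques."""
    sources = set()
    for tid in technique_ids:
        sources.update(index[tid]["data_sources"])
    return sorted(sources)
```

`data_sources_to_collect` is the function that turns a prioritized technique list into an onboarding list for the SIEM: the deck's "Data Sources" meta-info field is only useful once it is aggregated this way.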
MITRE Explained: Enumeration
Tactic: Example Technique
▪ Persistence via Windows Service Creation
▪ Privilege Escalation via Legitimate Credentials Reuse
▪ Defense Evasion via Office-Based Malware
▪ Credential Access via Memory Credential Dumping
▪ Discovery via Built-In Windows Tools
▪ Lateral Movement via Share Service Accounts
▪ Execution via PowerShell Execution
▪ Collection via Network Share Identification
▪ Exfiltration via Plaintext Exfiltration
▪ Impact via Data Encryption
MITRE ATT&CK Use Cases
▪ Detection and Analytics
▪ Adversary Emulation and Red Teaming
▪ Threat Intelligence
▪ Assessment and Engineering

Improve Detection & Visibility Capability with MITRE ATT&CK
PRIORITIZED MITRE ATT&CK SUBSETS
Let’s create our own prioritized MITRE ATT&CK subset, based on adversarial TTPs derived from any of these:
❖ Threat Intelligence
❖ Whitepapers
❖ Data Sources
❖ Ad-Hoc Requests
Note: the matrices in the upcoming slides are example matrices with dummy data; they are not necessarily true and do not promote any tool or technology.
MITRE DETECTION MAPPING
MITRE Enumeration. Columns (tactics): Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control.
Key: No detection | Detected, no validation | Detected

Technique: detection source (dummy data)
▪ External Remote Services
▪ DLL Search Order Hijacking: WDATP
▪ Brute Force: Elastic
▪ Account Discovery: Elastic
▪ Windows Remote Management: TBD
▪ Automated Collection: UEBA
▪ Automated Exfiltration: ZScaler
▪ Commonly Used Port: ZScaler
▪ Valid Accounts: UEBA
▪ Credential Dumping: WDATP
▪ Application Window Discovery: ZScaler
▪ COM and DCOM: Elastic
▪ Clipboard Data: WDATP
▪ Data Compressed: ZScaler
▪ Communication Through Removable Media: Symantec DLP
▪ Spearphishing Attachment: TBD
▪ Accessibility Features: TBD
▪ Indicator Removal on Host: WDATP
▪ Application Deployment Software: Elastic
▪ Command Line: WDATP
▪ Data Staged: UEBA
▪ Data Encrypted: Symantec DLP
▪ Spearphishing Link: TBD
▪ AppInit DLLs: WDATP
▪ Masquerading: WDATP
▪ Credential Manipulation: UEBA
▪ File and Directory Discovery: UEBA
▪ Execution through API: TBD
▪ Data from Local System: UEBA
▪ Data Transfer Size Limits: TBD
▪ Custom Command and Control Protocol: Symantec DLP
▪ AppCert DLLs: WDATP
▪ Decode File or Info: TBD
▪ Pass the Ticket: WDATP
▪ Graphic User Interface: TBD
▪ Data from Network Shared Drive: ZScaler
▪ Exfiltration Over Alternative Protocol: ZScaler
▪ Application Shimming: TBD
▪ DLL Side-Loading: WDATP
▪ Credentials in Files: UEBA, WDATP
▪ Process Discovery: Elastic
▪ InstallUtil: WDATP
▪ Custom Cryptographic Protocol: ZScaler
▪ New Service: TBD
▪ Disabling Security Tools: Elastic
▪ Input Capture: WDATP
▪ Remote Desktop Protocol: Elastic
▪ PowerShell: WDATP
DATA SOURCE MAPPING
MITRE Enumeration. Columns (tactics): Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control.
Key: Data does not exist | Data exists, not monitored | Data exists, analyzed and monitored

Techniques in the grid (dummy data): External Remote Services, DLL Search Order Hijacking, Brute Force, Account Discovery, Windows Remote Management, Automated Collection, Automated Exfiltration, Commonly Used Port, Valid Accounts, Credential Dumping, Application Window Discovery, COM and DCOM, Clipboard Data, Data Compressed, Communication Through Removable Media, Spearphishing, Accessibility Features, Indicator Removal on Host, Application Deployment Software, Command Line, Data Staged, Data Encrypted, Spearphishing Link, AppInit DLLs, Masquerading, Credential Manipulation, File and Directory Discovery, Execution through API, Data from Local System, Data Transfer Size Limits, Custom Command and Control Protocol, AppCert DLLs, Decode File or Info, Pass the Ticket, Graphic User Interface, Data from Network Shared Drive, Exfiltration Over Alternative Protocol, Application Shimming, DLL Side-Loading, Credentials in Files, Process Discovery, InstallUtil, Custom Cryptographic Protocol, New Service, Disabling Security Tools, Input Capture, Remote Desktop Protocol, PowerShell.
DETECTION MATURITY HEATMAP
MITRE Enumeration. Columns (tactics): Initial Access, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control.
Maturity key: Limited | Initial | Stable | Current | Innovative

Techniques in the grid (dummy data): External Remote Services, DLL Search Order Hijacking, Brute Force, Account Discovery, Windows Remote Management, Automated Collection, Automated Exfiltration, Commonly Used Port, Valid Accounts, Credential Dumping, Application Window Discovery, COM and DCOM, Clipboard Data, Data Compressed, Communication Through Removable Media, Spearphishing Attachment, Accessibility Features, Indicator Removal on Host, Application Deployment Software, Command Line, Data Staged, Data Encrypted, Spearphishing Link, AppInit DLLs, Masquerading, Credential Manipulation, File and Directory Discovery, Execution through API, Data from Local System, Data Transfer Size Limits, Custom Command and Control Protocol, AppCert DLLs, Decode File or Info, Pass the Ticket, Graphic User Interface, Data from Network Shared Drive, Exfiltration Over Alternative Protocol, Application Shimming, DLL Side-Loading, Credentials in Files, Process Discovery, InstallUtil, Custom Cryptographic Protocol, New Service, Disabling Security Tools, Input Capture, Remote Desktop Protocol, PowerShell.
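The three matrices (detection mapping, data source mapping, maturity heatmap) are the outputs of one procedure: take a prioritized subset, join it with what each sensor detects and with the state of each required data source, then visualise the result. The following is an added example (not from the deck) of that join in code. It scores a technique by the fraction of its known procedures that are detected, so a single detected command does not turn the cell green, lists the gaps in intel-priority order, and emits an ATT&CK Navigator layer for the heatmap. All technique, procedure, sensor and data-source values are constructed dummy data in the spirit of the deck's example matrices; sensor names are labels only, and the layer fields follow the public Navigator layer file format (check the `versions` values against your Navigator release).

```python
"""Prioritized detection coverage from three mappings, plus a Navigator layer.

All data below is CONSTRUCTED dummy data; sensor names are labels, not endorsements.
"""
import json

# Data-source states, matching the data source mapping key on the slides.
NO_DATA, NOT_MONITORED, MONITORED = 0, 1, 2

# (1) Prioritized subset: technique ID -> (name, tactic, intel priority 1..3)
PRIORITIZED = {
    "T1003.001": ("LSASS Memory", "credential-access", 3),
    "T1059.001": ("PowerShell", "execution", 3),
    "T1110":     ("Brute Force", "credential-access", 2),
    "T1566.001": ("Spearphishing Attachment", "initial-access", 2),
    "T1087":     ("Account Discovery", "discovery", 1),
}

# (2) Detection mapping: known procedures per technique -> detecting sensor or None
DETECTIONS = {
    "T1003.001": {"direct memory read": "WDATP", "dump via debugging tool": "WDATP",
                  "dump via system DLL": None},
    "T1059.001": {"encoded command": "WDATP", "download cradle": "Elastic"},
    "T1110":     {"password spray": "Elastic", "online guessing": "Elastic"},
    "T1566.001": {"macro document": None, "archive attachment": None},
    "T1087":     {"domain account listing": "Elastic"},
}

# (3) Data source mapping: required data sources per technique and their state
DATA_SOURCES = {
    "T1003.001": {"Process: Process Access": MONITORED, "Command: Command Execution": MONITORED},
    "T1059.001": {"Command: Command Execution": MONITORED, "Script: Script Execution": NOT_MONITORED},
    "T1110":     {"User Account: User Account Authentication": MONITORED},
    "T1566.001": {"Network Traffic: Network Traffic Content": NO_DATA, "File: File Creation": MONITORED},
    "T1087":     {"Command: Command Execution": MONITORED, "Process: Process Creation": NOT_MONITORED},
}


def technique_coverage(tid):
    """Fraction of known procedures with a detection (0.0 .. 1.0), not a yes/no."""
    procs = DETECTIONS.get(tid, {})
    detected = sum(1 for sensor in procs.values() if sensor)
    return detected / len(procs) if procs else 0.0


def data_ready(tid):
    """True only if every required data source is collected AND monitored."""
    states = DATA_SOURCES.get(tid, {})
    return bool(states) and all(s == MONITORED for s in states.values())


def status(coverage, ready):
    if coverage == 0.0:
        return "no detection"
    if not ready:
        return "detected, data gap"   # an analytic exists but its telemetry is incomplete
    return "full" if coverage == 1.0 else "partial"


def coverage_report():
    report = {}
    for tid, (name, tactic, prio) in PRIORITIZED.items():
        cov, ready = technique_coverage(tid), data_ready(tid)
        report[tid] = {
            "name": name, "tactic": tactic, "priority": prio,
            "coverage": cov, "data_ready": ready, "status": status(cov, ready),
            "missing": [p for p, s in DETECTIONS.get(tid, {}).items() if not s],
        }
    return report


def prioritized_gaps(report):
    """Techniques that are not fully covered, highest intel priority first."""
    ordered = sorted(report.items(), key=lambda kv: (-kv[1]["priority"], kv[1]["coverage"]))
    return [tid for tid, r in ordered if r["status"] != "full"]


def to_navigator_layer(report, name="Prioritized detection coverage"):
    """ATT&CK Navigator layer: score = % of known procedures detected."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},  # adjust to your release
        "description": "score = percentage of known procedures detected; gaps in comments",
        "techniques": [
            {"techniqueID": tid, "tactic": r["tactic"], "score": round(r["coverage"] * 100),
             "comment": f"{r['status']}; priority {r['priority']}; "
                        f"missing: {', '.join(r['missing']) or 'none'}"}
            for tid, r in report.items()
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": "No detection", "color": "#ff6666"},
                        {"label": "Partial", "color": "#ffe766"},
                        {"label": "Full", "color": "#8ec843"}],
    }


if __name__ == "__main__":
    rep = coverage_report()
    print("gaps in priority order:", prioritized_gaps(rep))
    with open("coverage_layer.json", "w") as fh:
        json.dump(to_navigator_layer(rep), fh, indent=2)
```

With the dummy data, LSASS Memory comes out "partial" (two of three procedures), PowerShell and Account Discovery are "detected, data gap" because a required data source is not monitored, and Spearphishing Attachment has no detection at all; the gap list puts the two priority-3 techniques first. Loading `coverage_layer.json` into Navigator gives the heatmap view the slides show, with the procedure-level reasoning preserved in each cell's comment.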
“If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu -
Don’t Do This
❖ Use the matrix as a checklist to create alerts for everything
▪ Specific technique – high-fidelity alert
▪ Less specific technique – data enrichment
❖ Believe the matrix is every possible attack behavior
▪ Adversaries probably don’t report their own TTPs to MITRE
❖ Replace fundamentals with MITRE ATT&CK
▪ Term not found (404): “MITRE compliant”
❖ Mark a technique green because you detect one command used for it
▪ There can be any number of procedures that implement a technique.
https://www.slideshare.net/attackcon2018/mitre-attckcon-20-threat-informed-defense-where-do-we-go-from-here-richard-struse-mitre
Together
ATT&CK is not just a framework,
ATT&CK is a community!
References and Awesome Resources
▪ Indicators of Attack vs Indicators of Compromise
▪ https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise
▪ Using ATT&CK for Cyber Threat Intelligence
▪ https://attack.mitre.org/resources/training/cti/
▪ MITRE ATT&CK Getting Started
▪ https://attack.mitre.org/resources/getting-started/
▪ ATT&CK Con Talks
▪ https://attack.mitre.org/resources/attackcon/
▪ ATT&CK 101
▪ https://medium.com/mitre-attack/att-ck-101-17074d3bc62
▪ ATT&CK Sub Technique Preview
▪ https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
▪ 2020 ATT&CK Roadmap
▪ https://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba

THANK YOU

Introduction to MITRE ATT&CK