
Use ATT&CK for Cyber Threat Intelligence

Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.

Use ATT&CK to Build Your Defensive Platform

ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.

Use ATT&CK for Adversary Emulation and Red Teaming

The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools and processes—and then fix them.

No matter how strong your patching, compliance and security software, a determined cyber adversary can typically find a way into your network.

But how did the attacker get in? How are they moving around? And how can you use that knowledge to detect, mitigate and prevent future attacks? The MITRE ATT&CK™ framework answers those questions by providing a globally accessible knowledge base of adversary tactics and techniques that are based on real-world observations of adversaries’ operations against computer networks. Armed with this knowledge, organizations and security vendors can work toward improving detection and prevention methods.

Pioneering with the Cyber Community for Collaborative Defense

ATT&CK was first created by a MITRE internal research program using our own data and operations. Now based on published, open source threat information, MITRE provides the framework as a resource to the cyber community. Anyone is free to leverage it, and everyone is free to use and contribute to ATT&CK.

By making the ATT&CK knowledge base globally accessible, MITRE supports a growing community that is fostering innovation in open source tools, products and services based on the framework. ATT&CK is experiencing significant growth across the cybersecurity community, with wide adoption from industry, government and security vendors including organizations like Microsoft, IBM, USAA, JPMorgan Chase, and Palo Alto.

With the creation of ATT&CK, MITRE is partnering with the cyber community to fulfill its mission to solve problems for a safer world.

Using Adversary Behavior to Strengthen Cyber Defense

Get Started with ATT&CK

Join the ATT&CK Community

MITRE encourages other researchers, analysts and cyber defenders to join our community and contribute new techniques and information.

Finding Gaps in Defense

Comparing APT 28 to Deep Panda

MITRE ATT&CK Resources

attack.mitre.org
• Access ATT&CK technical information
• Contribute to ATT&CK
• Follow our blog
• Watch ATT&CK presentations

@MITREattack
Follow us on Twitter for the latest news.

attack.mitre.org


The MITRE ATT&CK™ Enterprise Framework

attack.mitre.org

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288.

Enterprise matrix: the tactic columns and the technique names recovered from the extracted text (the column layout itself did not survive extraction).

Tactics:
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Command and Control

Techniques (alphabetical):
• .bash_profile and .bashrc
• Accessibility Features
• Access Token Manipulation
• Account Discovery
• Account Manipulation
• AppCert DLLs
• AppInit DLLs
• AppleScript
• Application Deployment Software
• Application Shimming
• Application Window Discovery
• Audio Capture
• Authentication Package
• Automated Collection
• Automated Exfiltration
• Bash History
• BITS Jobs
• Bootkit
• Browser Bookmark Discovery
• Browser Extensions
• Brute Force
• Bypass User Account Control
• Change Default File Association
• Clear Command History
• Clipboard Data
• CMSTP
• Code Signing
• Command-Line Interface
• Commonly Used Port
• Communication Through Removable Media
• Compiled HTML File
• Component Firmware
• Component Object Model Hijacking
• Connection Proxy
• Control Panel Items
• Create Account
• Credential Dumping
• Credentials in Files
• Credentials in Registry
• Custom Command and Control Protocol
• Custom Cryptographic Protocol
• Data Compressed
• Data Encoding
• Data Encrypted
• Data from Information Repositories
• Data from Local System
• Data from Network Shared Drive
• Data from Removable Media
• Data Obfuscation
• Data Staged
• Data Transfer Size Limits
• DCShadow
• Deobfuscate/Decode Files or Information
• Disabling Security Tools
• Distributed Component Object Model
• DLL Search Order Hijacking
• DLL Side-Loading
• Domain Fronting
• Drive-by Compromise
• Dylib Hijacking
• Dynamic Data Exchange
• Email Collection
• Execution through API
• Execution through Module Load
• Exfiltration Over Alternative Protocol
• Exfiltration Over Command and Control Channel
• Exfiltration Over Other Network Medium
• Exfiltration Over Physical Medium
• Exploit Public-Facing Application
• Exploitation for Client Execution
• Exploitation for Credential Access
• Exploitation for Defense Evasion
• Exploitation for Privilege Escalation
• Exploitation of Remote Services
• External Remote Services
• Extra Window Memory Injection
• Fallback Channels
• File and Directory Discovery
• File Deletion
• File Permissions Modification
• File System Logical Offsets
• File System Permissions Weakness
• Forced Authentication
• Gatekeeper Bypass
• Graphical User Interface
• Hardware Additions
• Hidden Files and Directories
• Hidden Users
• Hidden Window
• HISTCONTROL
• Hooking
• Hypervisor
• Image File Execution Options Injection
• Indicator Blocking
• Indicator Removal from Tools
• Indicator Removal on Host
• Indirect Command Execution
• Input Capture
• Input Prompt
• Install Root Certificate
• InstallUtil
• Kerberoasting
• Kernel Modules and Extensions
• Keychain
• Launch Agent
• Launch Daemon
• Launchctl
• LC_LOAD_DYLIB Addition
• LC_MAIN Hijacking
• LLMNR/NBT-NS Poisoning
• Local Job Scheduling
• Login Item
• Logon Scripts
• LSASS Driver
• Man in the Browser
• Masquerading
• Modify Existing Service
• Modify Registry
• Mshta
• Multi-hop Proxy
• Multi-Stage Channels
• Multiband Communication
• Multilayer Encryption
• Netsh Helper DLL
• Network Service Scanning
• Network Share Connection Removal
• Network Share Discovery
• Network Sniffing
• New Service
• NTFS File Attributes
• Obfuscated Files or Information
• Office Application Startup
• Pass the Hash
• Pass the Ticket
• Password Filter DLL
• Password Policy Discovery
• Path Interception
• Peripheral Device Discovery
• Permission Groups Discovery
• Plist Modification
• Port Knocking
• Port Monitors
• PowerShell
• Private Keys
• Process Discovery
• Process Doppelgänging
• Process Hollowing
• Process Injection
• Query Registry
• Rc.common
• Re-opened Applications
• Redundant Access
• Registry Run Keys / Startup Folder
• Regsvcs/Regasm
• Regsvr32
• Remote Access Tools
• Remote Desktop Protocol
• Remote File Copy
• Remote Services
• Remote System Discovery
• Replication Through Removable Media
• Rootkit
• Rundll32
• Scheduled Task
• Scheduled Transfer
• Screen Capture
• Screensaver
• Scripting
• Security Software Discovery
• Security Support Provider
• Securityd Memory
• Service Execution
• Service Registry Permissions Weakness
• Setuid and Setgid
• Shared Webroot
• Shortcut Modification
• SID-History Injection
• Signed Binary Proxy Execution
• Signed Script Proxy Execution
• SIP and Trust Provider Hijacking
• Software Packing
• Source
• Space after Filename
• Spearphishing Attachment
• Spearphishing Link
• Spearphishing via Service
• SSH Hijacking
• Standard Application Layer Protocol
• Standard Cryptographic Protocol
• Standard Non-Application Layer Protocol
• Startup Items
• Sudo
• Sudo Caching
• Supply Chain Compromise
• System Firmware
• System Information Discovery
• System Network Configuration Discovery
• System Network Connections Discovery
• System Owner/User Discovery
• System Service Discovery
• System Time Discovery
• Taint Shared Content
• Template Injection
• Third-party Software
• Time Providers
• Timestomp
• Trap
• Trusted Developer Utilities
• Trusted Relationship
• Two-Factor Authentication Interception
• Uncommonly Used Port
• User Execution
• Valid Accounts
• Video Capture
• Web Service
• Web Shell
• Windows Admin Shares
• Windows Management Instrumentation
• Windows Management Instrumentation Event Subscription
• Windows Remote Management
• Winlogon Helper DLL
• XSL Script Processing

