Foundations Of MITRE ATT and CK v13

An essential part of the larger ATT&CK project, ATT&CK evaluations evaluate how well different cybersecurity systems identify and counteract actual threats.
Through the simulation of known adversary tactics, methods, and procedures (TTPs), these assessments offer security vendors and practitioners a rare chance to gain a deeper understanding of the advantages and disadvantages of their products and services.

1.1  Threat-Informed Defense

Three components make up a Threat Informed Defense, a proactive approach to cyber security that gives your security team an evolving feedback loop:

• Cyber threat intelligence analysis
• Defensive engagement of the threat
• Focused sharing and collaboration

Cyber Threat Intelligence Analysis

A threat-informed defense first begins with being threat-informed and being informed requires threat intelligence. With intelligence, you are able to understand who is likely to attack you and how they are likely to do it. This information gives you the basis for your defenses.
Threat Intelligence Analysis is taking existing intelligence data like TTPs, malware hashes, or domain names, and applying human intelligence to harden cyber defenses. This improves ways to anticipate, prevent, detect, and respond to cyber-attacks.

MITRE CRITS

CRITs is a free, open-source tool for analysts and security professionals on threat defense. Developed in 2010, its main goal is to offer the security community an adaptable and open platform for analyzing and collaborating on threat data.

Defensive Engagement of the Threat

Using the knowledge you’ve gained from intelligence analysis, defensive engagement of the threat enables you to search for signs of an impending, ongoing, or successful cyberattack. The behavioral models found during intelligence analysis are used by Breach and Attack Simulation (BAS) tools, which enable you to automate testing and reporting on how certain behavior patterns appear in your organization.

The ATT&CK framework is more than the single matrix you are used to seeing. There are, 3 matrices available to represent the ATT&CK Framework in different contexts. Those matrices are:

• The Enterprise Matrix
• The Mobile Matrix
• The ICS Matrix

TTPs is known as Tactics, techniques, and procedures are key concepts in the ATT&CK framework.

Techniques & sub -techniques

The framework in its current iteration comprises 196 techniques that are distributed among the 14 tactics.

This technique has to do with gathering information about a victim’s network in order to plan and execute an attack.

There are six sub-techniques in this technique; let’s examine one to see how much more detailed it may be. We’ll use the Network Security Appliances sub-technique T1590.006 for this. By employing this method, adversaries are taking steps to determine which security appliances are present in your network. Adversaries can obtain this data by more passive methods like looking through online job advertisements for information on the technologies and abilities needed, or by using more direct collection techniques like Phishing for Information (T1598) or Active Scanning (T1595).

A new classification was added to the ATT&CK Framework in version 8.0. We refer to that classification as a “sub-technique.” Sub-techniques are a means of dissecting and characterizing the particular strategies employed by opponents to accomplish their objectives. The fact that each technique in the framework is composed of one or more sub-techniques allows for a more detailed knowledge of the techniques and their applications. The framework has 411 sub-techniques in version 13.

“Data sources represent the various subjects/topics of information that can be collected by sensors/logs,” reads the ATT&CK website. Data components, which identify particular attributes or values of a data source pertinent to identifying a particular ATT&CK technique or sub-technique, are also included in data sources. This implies that we should anticipate a list of methods that the sensors or logs on a data source can identify for each data source. Additionally, we should anticipate learning which matrix is being referred to as well as how to identify the data source technique. To have a better grasp of various data sources, let’s take a closer look at a few of them.

Active Directory (DS0026): We can obtain several data components related to detection information and ATT&CK procedures from the Active Directory data source. For instance, Steal or Forge Authentication Certificates affect the data component Active Directory Credential Request (T1649). This kind of activity would be found by keeping an eye on issued certificates for anomalous activity and AD CS certificate requests. Unexpected certificate enrollments and indications of certificate attribute abuse may be examples of this.

Command (DS0017): “A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task” is the definition of the Command data source. Access Token Manipulation and Command Execution are related techniques (T1134). You might keep an eye on the commands and parameters being executed for token modification in order to spot this activity on this data source. For more in-depth detection details, visit the MITRE ATT&CK website’s Data Sources section.

Mitigations:

Mitigations are proactive steps you can take to ensure that a technique or sub-technique is not executed successfully. There are specific mitigations specified for each of the three matrices (Enterprise, Mobile, and ICS). We will concentrate on mitigations that relate to the Enterprise ATT&CK Matrix for the purposes of this training.
With every verified mitigation, you will receive the following details:

• A description of the mitigation
• Meta details about the mitigation such as ID, Version, Created Date, and Last Modified date.
• A listing of techniques that are addressed by the mitigation. Each listing consists of:o the matrix it is applied to under the Domain column,o the technique or sub-technique ID,o the technique or sub-technique name, ando a description of the use of the mitigation against the technique or sub-technique.

Two essential components of threat intelligence are provided by the MITRE ATT&CK framework: the methods and instruments your adversaries employ to carry out their operations. When we refer to a software listing in ATT&CK, the ID provided will start with an S (rather than a T or TA), so you can know.
Groups are also identified by an ID that starts with a G.
Furthermore, there are Campaigns that combine elements of the software your opponents employ with their behavior.

Threat Groups: According to the ATT&CK structure, groups are collections of connected activities that make use of the same tools or software. The word “Group” is used by the MITRE ATT&CK team to refer to several designations for the activity cluster of an adversary. Techniques published in open sources are connected to groups, and the original references are given. Groups are also connected to campaigns and software that have been reported.

Campaigns: The MITRE ATT&CK team utilizes the term “campaign” to refer to any grouping of intrusion activity carried out over a predetermined length of time with shared targets and objectives for the purposes of the Campaigns page. The team will use the activity name as reported in public reporting unless the intrusion activity is unnamed and is cited using a special ATT&CK identification. The team tries its hardest to monitor overlapping names for specified campaigns; these are labeled as “Associated Campaigns” on each page since we think analysts will find these overlaps helpful. According to public reporting, campaign entries will also be linked to the ATT&CK Group and Software pages wherever feasible; unattributed activity will only mention “threat actors” in the method example.

We should talk about the tools available to assist you in managing and utilizing the ATT&CK Framework so that you can use the intelligence inside your business, now that we have a better understanding of how the framework’s components interact to give you with intelligence.

MITRE ATT&CK Navigator

A tool for exploring, annotating, and visualizing the ATT&CK matrix is the MITRE ATT&CK Navigator. It makes using and comprehending the matrix for cybersecurity reasons easier.

Key Features:

• Technique Highlighting: Apply filters to highlight techniques used by specific threat groups, helping organizations prioritize high-risk techniques.
• Customization: Add annotations or color-code techniques based on relevance or other criteria to create a tailored view.
• Layer Management: Create, import, and export custom “layers” of the matrix for collaborative threat analysis.
• Integration: Seamlessly share and analyze data across various cybersecurity systems.

Top ATT&CK Techniques Calculator
MITRE ATT&CK implementation can be difficult and expensive. The Top ATT&CK tactics tool offers a foundation for defense strategy by assisting defenders in ranking tactics according to critical criteria. Use the GitHub repository to access this tool.

Threat emulation methods, security tools, intelligence reports, and detection analytics are all over the cybersecurity scene nowadays. Even though MITRE ATT&CK mappings are incorporated into many security providers’ products, the sheer amount of data can be debilitating. The broad scope of the MITRE ATT&CK methodology can make it seem overwhelming to operationalize.

According to the MITRE D3FEND website, “D3FEND is a knowledge base, but more specifically a knowledge graph, of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques.” D3FEND links the offensive model (ATT&CK) with the defensive model (D3FEND).

D3FEND Acronym:

• Detection
• Denial
• Disruption Framework Empowering Network Defense

D3FEND Matrix: The matrix allows cross-correlation of the ATT&CK Framework with defensive actions for detecting or disrupting attacker techniques. Tactics at the top vertical axis include:

• Model: Applies security engineering, vulnerability, threat, and risk analyses to digital systems.
• Harden: Increases the opportunity cost of computer network exploitation; generally conducted before a system is operational.
• Detect: Identifies adversary access to unauthorized activities on networks.
• Isolate: Creates barriers reducing adversaries’ opportunities for further access.
• Deceive: Entices potential attackers to a controlled environment.
• Evict: Removes adversaries from a network.

Tactics break down into techniques and sub-techniques for specific knowledge graphs. The matrix can be searched by ATT&CK Technique ID, D3FEND Technique ID, or Artifact

D3FEND artifacts: These comprehensive descriptions of defensive strategies and tactics include information on how they operate, how successful they are, and how they might be used to counter particular cyber threats. Examples and scenarios are provided by the categories of artifacts, which include network defense, endpoint defense, and data protection.

Example: Valid Accounts (T1078):

• Search T1078: Results in the Valid Accounts page with the “D3FEND Inferred Relationships” chart.
• Authentication Event Thresholding:
• Detects Valid Accounts (T1078)
• Analyzes Authentication
• Valid Accounts (T1078) uses User Account
• Produces Authentication and Authorization

Authentication Event Thresholding Page:

• Definition: Description of the control.
• How it works: Detailed explanation of the control’s functionality.
• Actions: Possible actions post-analysis.
• Example data sources: Useful data collection points.
• Considerations: Implementation factors.
• Digital Artifact Relationships: Impact on digital artifacts.
• Related ATT&CK Techniques: Related techniques via the ATT&CK Matrix.
• References: Sources and additional information.

Example Data:

Authentication Event Thresholding involves collecting authentication events to create a user profile and determining if new events deviate from this profile using thresholds. Actions after analysis include:

• locking (Evict)
• Raising an alert

D3FEND provides comprehensive, actionable knowledge to enhance cybersecurity defenses through a structured and collaborative approach.

If you have a mature organization with threat analysts, start mapping tactics from previous incident reports to the MITRE ATT&CK matrix. Here’s how:

Understand ATT&CK—Familiarize yourself with the overall structure of ATT&CK:

• adversary’s technical goals
  Techniques – How those goals are achieved
  Procedures – Specific implementations of techniques

• Identify the behavior: Consider the enemy’s actions more broadly than merely the atomic indicator—such as an IP address—that is employed. For instance, you might observe that enemy spyware creates a SOCKS5 connection. The enemy engages in this conduct when they want to connect.
• Investigate the behavior: You might need to learn more about it if you are unfamiliar with it. A little investigation would reveal that SOCKS5 is a Layer 5 (session layer) protocol in our scenario.
• Convert the behavior into a tactic by selecting a strategy that makes sense in light of the adversary’s technical objective. In the context of the SOCKS5 connection example, creating a connection in order to communicate later would be considered a Command and Control strategy.
• Determine which strategy best fits the behavior. This can be a little challenging, but with your analytical abilities and the examples from the ATT&CK website, it’s manageable. The method Standard Non-Application Layer Protocol (T1095) appears when you search ATT&CK for SOCKS. You can see that here is where our behavior might fit in by looking at the technique description.
• Examine your findings in relation to those of other analysts. Naturally, you may interpret a behavior differently than someone else. This is typical and anticipated to occur.It is advised to discuss any discrepancies between your and another analyst’s ATT&CK mapping of the data.

Expand Intelligence Data

More sophisticated teams with the means to do so can map more external data to ATT&CK. By enlarging the data in this manner, your security teams can receive your extensive threat intelligence and use it to engage the threat defensively, resulting in a defense that is better informed about potential threats.

Collect the Data
To build a threat-informed defense, start by collecting data from key sources:

• Process and Command Line Monitoring: Use Sysmon, Windows Event Logs, and EDR platforms.
• File and Registry Monitoring: Collected similarly via Sysmon, Windows Event Logs, and EDR platforms.
• Authentication Logs: Gather from the domain controller.
• Packet Capture: Focus on east/west traffic between hosts and network enclaves.

MITRE provides scripts on GitHub to help discover and collect this data.

Analyze the Data

After collecting the necessary data, analyze it using a search platform, typically a SIEM. MITRE’s Cyber Analytics Repository (CAR) offers guidance and contains analytics information such as:

• Hypotheses explaining each analytic
• Operational domains (host, network, process, etc.)
• References to ATT&CK Techniques and Tactics
• Pseudo code for implementation
• Unit tests to trigger the analytic

Reviewing CAR data helps analyze enterprise behaviors and expand threat intelligence by mapping behaviors to MITRE ATT&CK.

Expand and Customize Your Analysis
If you’ve started with data collection and existing analytics, expand coverage by creating custom analytics. This process familiarizes you with creating detections and analytics.

1. Start with ATT&CK Techniques: Use threat intel reports linked to the techniques. For example, to detect the “Squiblydoo” variant of Regsvr32:
• Review command lines associated with Squiblydoo.
• Design a test for your analytics using these techniques.
2. Test Your Analytics: Use commercial or open-source BAS solutions to test. For instance, look for regsvr32.exe creating processes and using “/i:http” in command lines, as this is indicative of Squiblydoo.