MITRE

Various resources MITRE has made available for the cybersecurity community.


Last updated 2 years ago

ATT&CK Framework

"MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."

The ATT&CK® framework covers platforms such as Windows, Linux, and macOS. It is built from contributions by security researchers and from threat intelligence reports, and it is a tool for both blue and red teamers.

The ATT&CK matrix can be used to map a threat group to their tactics and techniques.

Besides blue teamers, who else will use the ATT&CK Matrix?

Red Teamers

What is the ID for this technique?

T1566

Based on this technique, what mitigation covers identifying social engineering techniques?

User Training

What are the data sources for Detection?

Application log, file, network traffic

What groups have used spear-phishing in their campaigns? (format: group1,group2)

Axiom, Gold Southfield

Based on the information for the first group, what are their associated groups?

Group 72

What software is associated with this group that lists phishing as a technique?

Hikit

What is the description for this software?

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise

This group overlaps (slightly) with which other group?

Winnti Group

How many techniques are attributed to this group?

15

CAR Knowledge Base

The MITRE Cyber Analytics Repository (CAR) provides a set of validated and well-explained analytics, including the operating theory and rationale behind each one. CAR defines a data model that its pseudocode representations are written against, and its analytics also include implementations targeted at specific tools (Splunk, EQL).

Each CAR analytic provides a description, references to the relevant ATT&CK techniques, pseudocode, and a query to search for the analytic within Splunk.

Pseudocode is a human-readable way to describe the set of instructions or algorithm a program or system will perform.

The Full Analytic List also provides an EQL version of the pseudocode. Event Query Language (EQL) can be used to query, parse, and organize Sysmon event data.

For the above analytic, what is the pseudocode a representation of?

Splunk Search

What tactic has an ID of TA0003?

Persistence

What is the name of the library that is a collection of Zeek (BRO) scripts?

BZAR

What is the name of the technique for running executables with the same hash and different names?

Masquerading

Examine CAR-2013-05-004. Besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Unit Tests
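As an added illustration of the analytic behind the Masquerading question above (this is example code, not CAR's own pseudocode or implementation), the following Python implements that logic over constructed Sysmon Event ID 1 (process creation) records: group events by SHA256 and report any hash that ran under more than one file name. The event records and hash values are constructed for the example.

```python
"""CAR-style analytic: executables with the same hash but different names
(ATT&CK Masquerading). Added example, not CAR's code."""
from collections import defaultdict
import ntpath

# Constructed Sysmon Event ID 1 records. Real Sysmon process-creation events
# carry the same Image and Hashes fields alongside many others.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA256=AAAA11", "Computer": "WS01"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "Hashes": "SHA256=AAAA11", "Computer": "WS01"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=BBBB22", "Computer": "WS01"},
    {"Image": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA256=AAAA11", "Computer": "WS02"},
    {"Image": r"C:\Tools\utility.exe", "Hashes": "MD5=CCCC33,SHA256=DDDD44", "Computer": "WS02"},
    {"Image": r"C:\Tools\utility.exe", "Hashes": "MD5=CCCC33,SHA256=DDDD44", "Computer": "WS02"},
]


def sha256_of(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'ALG=VALUE,ALG=VALUE' Hashes field."""
    for part in hashes_field.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip().lower()
    return None  # Sysmon was not configured to record SHA256 for this event


def find_masquerading(events):
    """Return {sha256: sorted distinct file names} for every hash observed
    under more than one file name. Grouping by hash and counting distinct
    names is the core of the analytic's pseudocode."""
    names_by_hash = defaultdict(set)
    for ev in events:
        digest = sha256_of(ev.get("Hashes", ""))
        if digest is None:
            continue  # without a SHA256 the event cannot be correlated
        names_by_hash[digest].add(ntpath.basename(ev["Image"]).lower())
    return {h: sorted(n) for h, n in names_by_hash.items() if len(n) > 1}


if __name__ == "__main__":
    for digest, names in find_masquerading(SAMPLE_EVENTS).items():
        print(f"{digest}: {', '.join(names)}")
```

The hit for `aaaa11` (cmd.exe also running as svchost.exe from a Temp directory) is what an analyst would triage; the legitimate svchost.exe and the repeated utility.exe produce no alert.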

MITRE Engage

"MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals."

MITRE Engage is an Adversary Engagement approach, carried out through the implementation of Cyber Denial and Cyber Deception:

Cyber Denial - Prevent the adversary's ability to conduct operations

Cyber Deception - Intentionally plant artifacts to mislead the adversary

The Engage matrix categories explained:

  • Prepare the set of operational actions that will lead to your desired outcome (input)

  • Expose adversaries when they trigger your deployed deception activities

  • Affect adversaries by performing actions that will have a negative impact on their operations

  • Elicit information by observing the adversary to learn more about their modus operandi (TTPs)

  • Understand the outcomes of the operational actions (output)

Under Prepare, what is ID SAC0002?

PERSONA CREATION

What is the name of the resource to aid you with the engagement activity from the previous question?

PERSONA PROFILE WORKSHEET

Which engagement activity baits a specific response from the adversary?

LURES

What is the definition of Threat Model?

A risk assessment that models organizational strengths and weaknesses

MITRE D3FEND

"A knowledge graph of cybersecurity countermeasures."

Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND) is still in beta and is funded by the Cybersecurity Directorate of the NSA.

For each technique, the site provides a definition, how it works, considerations when implementing it, and how to use it.

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Outbound Internet Network Traffic

ATT&CK Emulation Plans

The Center for Threat-Informed Defense (CTID) consists of companies and vendors from around the globe whose objective is to conduct research on cyber threats and their TTPs and to share that research to improve cyber defense. Some participants include:

  • AttackIQ (founder)

  • Verizon

  • Microsoft (founder)

  • Red Canary (founder)

  • Splunk

As a contribution from CTID, the Adversary Emulation Library provides blue and red teamers with free adversary emulation plans (EPs). Each EP is a guide to mimicking a specific threat group. Some current AEPs are APT3, APT29, and FIN6.

In Phase 1 for the APT3 Emulation Plan, what is listed first?

C2 Setup

Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Pupy,Metasploit Framework

What C2 framework is listed in Scenario 2 Infrastructure?

PoshC2

Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

P.A.S.,S0598

ATT&CK and Threat Intelligence

Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is the information, or TTPs, attributed to the adversary. The goal of threat intelligence is to make the information actionable.

Defenders use TI to make better decisions for defensive strategy. Some TI can be open source or through vendors, such as CrowdStrike.

Scenario: You are a security analyst who works in the aviation sector. Your organization is moving their infrastructure to the cloud. Your goal is to use the ATT&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group's information and their tactics, techniques, etc.

What is a group that targets your sector who has been in operation since at least 2013?

APT33

As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Cloud Accounts

What tool is associated with the technique from the previous question?

Ruler

Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)

Abnormal or malicious behavior

What platforms does the technique from question #2 affect?

Azure AD, Google Workspace, IaaS, Office 365, SaaS