MITRE

Various resources MITRE has made available for the cybersecurity community.

FireEye's current list of APT groups
ATT&CK® Matrix for Enterprise

ATT&CK Framework

"MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."

The ATT&CK® framework covers platforms such as Windows, Linux, and macOS; it is built from contributions by security researchers and from threat intelligence reports, and serves both blue and red teamers.

The ATT&CK matrix can be used to map a threat group to their tactics and techniques.

Besides blue teamers, who else will use the ATT&CK Matrix?

Red Teamers

What is the ID for this technique? T1566

Based on this technique, what mitigation covers identifying social engineering techniques? User Training

What are the data sources for Detection? Application log, file, network traffic

What groups have used spear-phishing in their campaigns? (format: group1,group2) Axiom, Gold Southfield

Based on the information for the first group, what are their associated groups? Group 72

What software is associated with this group that lists phishing as a technique? Hikit

What is the description for this software? Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise

This group overlaps (slightly) with which other group? Winnti Group

How many techniques are attributed to this group? 15

CAR Knowledge Base

The MITRE Cyber Analytics Repository (CAR) provides a set of validated, well-explained analytics, including the operating theory and rationale behind each. CAR defines a data model that its pseudocode representations are written against, and its analytics include implementations targeted at specific tools (Splunk, EQL).

Each CAR analytic comes with a description, references to the ATT&CK techniques it covers, pseudocode, and a query to search for the analytic within Splunk.

Pseudocode is a human-readable way to describe a set of instructions/algorithms a program or system will perform.

Full Analytic List
CAR ATT&CK® Navigator layer

The Full Analytic List also provides an EQL version of the pseudocode. Event Query Language (EQL) can be used to query, parse, and organize Sysmon event data.

For the above analytic, what is the pseudocode a representation of?

Splunk Search

What tactic has an ID of TA0003?

Persistence

What is the name of the library that is a collection of Zeek (BRO) scripts?

BZAR

What is the name of the technique for running executables with the same hash and different names?

Masquerading

Examine CAR-2013-05-004. Besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Unit Tests
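The CAR analytic behind the Masquerading question above, written out as an added example (this is not CAR's own pseudocode, Splunk query or EQL): it groups Sysmon process-creation events by file hash and reports any hash that was executed under more than one file name. The event records, paths and hash values are constructed for the example.

```python
"""Added example (not from CAR or the room): a CAR-style analytic over
constructed Sysmon process-creation events, flagging executables that run
under different names with the same hash (the Masquerading technique)."""
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) records. In the CAR data
# model these map to the "process" object with a "create" action; only the
# fields this analytic needs are kept. Hash values are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "Hashes": "SHA256=AAAA"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\svchost.exe",     "Hashes": "SHA256=BBBB"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\update.exe",      "Hashes": "SHA256=BBBB"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",      "Hashes": "SHA256=CCCC"},
    # Event ID 3 is a network connection, not a process creation; it is ignored.
    {"EventID": 3, "Image": "C:\\Users\\Public\\update.exe",      "Hashes": "SHA256=BBBB"},
]

def parse_hashes(field):
    """Turn Sysmon's 'ALG=hex,ALG=hex' Hashes string into a dict keyed by algorithm."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def same_hash_different_names(events, algorithm="SHA256"):
    """Return {hash: sorted distinct image names} for every hash that was
    executed under more than one file name. Names are compared on the
    lower-cased basename: the same binary launched from two directories
    under one name is not masquerading, a different name is."""
    names_by_hash = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 1:          # only process creation events
            continue
        digest = parse_hashes(ev.get("Hashes", "")).get(algorithm)
        if not digest:                      # no hash of the wanted algorithm
            continue
        basename = ev["Image"].rsplit("\\", 1)[-1].lower()
        names_by_hash[digest].add(basename)
    return {h: sorted(n) for h, n in names_by_hash.items() if len(n) > 1}

if __name__ == "__main__":
    for digest, names in same_hash_different_names(SAMPLE_EVENTS).items():
        print(f"{digest}: executed as {', '.join(names)}")
```

On the constructed events only the BBBB hash is reported, because it ran as both svchost.exe and update.exe; the two different svchost.exe binaries have different hashes and are a matter for a separate analytic.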

MITRE Engage

"MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals."

MITRE Engage frames an Adversary Engagement Approach that is carried out through the implementation of Cyber Denial and Cyber Deception:

Cyber Denial - Prevent the adversary's ability to conduct operations

Cyber Deception - Intentionally plant artifacts to mislead the adversary

MITRE Engage Starter Kit

The Engage matrix categories explained:

  • Prepare the set of operational actions that will lead to your desired outcome (input)

  • Expose adversaries when they trigger your deployed deception activities

  • Affect adversaries by performing actions that will have a negative impact on their operations

  • Elicit information by observing the adversary and learning more about their modus operandi (TTPs)

  • Understand the outcomes of the operational actions (output)

MITRE Engage Matrix

Under Prepare, what is ID SAC0002?

PERSONA CREATION

What is the name of the resource to aid you with the engagement activity from the previous question?

PERSONA PROFILE WORKSHEET

Which engagement activity baits a specific response from the adversary?

LURES

What is the definition of Threat Model?

A risk assessment that models organizational strengths and weaknesses

MITRE D3FEND

"A knowledge graph of cybersecurity countermeasures."

D3FEND beta site

Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND) is still in beta and is funded by the NSA's Cybersecurity Directorate.

For each countermeasure the site provides the technique definition, how it works, considerations when implementing it, and how it is utilized.

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Outbound Internet Network Traffic

ATT&CK Emulation Plans

CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans

The Center for Threat-Informed Defense (CTID) is a global consortium of companies and vendors whose objective is to conduct research on cyber threats and their TTPs. Sharing this research improves cyber defense. Some participants include:

  • AttackIQ (founder)

  • Verizon

  • Microsoft (founder)

  • Red Canary (founder)

  • Splunk

The Adversary Emulation Library, a contribution from CTID, supplies free adversary emulation plans (EPs) to blue and red teamers. Each plan is a guide to mimicking a specific threat group.

Some current AEPs are APT3, APT29, and FIN6.

In Phase 1 for the APT3 Emulation Plan, what is listed first?

C2 Setup

Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Pupy,Metasploit Framework

What C2 framework is listed in Scenario 2 Infrastructure?

PoshC2

Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

P.A.S.,S0598

ATT&CK and Threat Intelligence

Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is the information, or TTPs, attributed to the adversary. The goal of threat intelligence is to make the information actionable.

Defenders use TI to make better decisions about defensive strategy. TI may be open source or obtained through vendors, such as CrowdStrike.

Scenario: You are a security analyst who works in the aviation sector. Your organization is moving its infrastructure to the cloud. Your goal is to use the ATT&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group's information and their tactics, techniques, etc.

What is a group that targets your sector who has been in operation since at least 2013?

APT33

As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Cloud Accounts

What tool is associated with the technique from the previous question?

Ruler

Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)

Abnormal or malicious behavior

What platforms does the technique from question #2 affect?

Azure AD, Google Workspace, IaaS, Office 365, SaaS
