Task 1: Introduction to MITRE
From Mitre.org: “At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation.”
In this room, we will focus on other projects/research that the US-based non-profit MITRE Corporation has created for the cybersecurity community, specifically:
- ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework
- CAR (Cyber Analytics Repository) Knowledge Base
- ENGAGE (sorry, not a fancy acronym)
- D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense)
- AEP (ATT&CK Emulation Plans)
Task 2: Basic Terminology
APT is an acronym for Advanced Persistent Threat. This can be considered a team/group (threat group), or even country (nation-state group), that engages in long-term attacks against organizations and/or countries.
The term 'advanced' can be misleading, as it tends to make us believe that every APT group has some super-weapon, i.e. a zero-day exploit, that they rely on. That is not the case. As we will see a bit later, the techniques these APT groups use are quite common and can be detected with the right implementations in place. FireEye maintains a public list of APT groups if you want to browse them.
TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?
- The Tactic is the adversary’s goal or objective.
- The Technique is how the adversary achieves the goal or objective.
- The Procedure is how the technique is executed.
Task 3: ATT&CK® Framework
”MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks.
This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked with emulating adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK framework.
If you haven’t done so, navigate to the ATT&CK® website.
MITRE ATT&CK® Navigator: “The ATT&CK® Navigator is designed to provide basic navigation and annotation of ATT&CK® matrices, something that people are already doing today in tools like Excel. We’ve designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do.”
A word from me
Note that I didn’t copy the whole instruction on how to navigate the ATT&CK website and its categories here. If I did, it would take too much space and I don’t like that. I think you (the reader) should participate in the room yourself and only use this note as a side reference whenever you want to confirm your answer, or if you just want a quick recap of the things you learned :v
The questions below will help you become more familiar with ATT&CK®. It is recommended to start answering the questions from the Phishing page. Note that this link is for version 8 of the ATT&CK Matrix.
Question
Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purple Teamers, SOC Managers?)
Answer
Red teamer
What is the ID for this technique?
Answer
T1566
Based on this technique, what mitigation covers identifying social engineering techniques?
Answer
user training
What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
Answer
application log,file,network traffic
What groups have used spear-phishing in their campaigns? (format: group1,group2)
Answer
axiom,GOLD SOUTHFIELD
Based on the information for the first group, what are their associated groups?
Answer
group 72
What software is associated with this group that lists phishing as a technique?
Answer
hikit
What is the description for this software?
Answer
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.
This group overlaps (slightly) with which other group?
Answer
Winnti Group
How many techniques are attributed to this group?
Answer
15
Task 4: CAR (Cyber Analytics Repository) Knowledge Base
”The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK® adversary model. CAR defines a data model that is leveraged in its pseudocode representations but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale.”
Questions
What tactic has an ID of TA0003?
Answer
persistence
What is the name of the library that is a collection of Zeek (BRO) scripts?
Answer
BZAR (source: https://car.mitre.org/)
What is the name of the technique for running executables with the same hash and different names?
Answer
masquerading (source: https://car.mitre.org/analytics/by_technique)
Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
Answer
unit tests
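To make the CAR idea concrete, here is an added example (my own code, not CAR's pseudocode or any of its Splunk/EQL implementations) of the logic behind the "same hash, different names" masquerading analytic from the question above, run over constructed process-creation events. The event shape and field names (host, image, sha256) are assumptions modelled loosely on Sysmon process-creation data; the file hashes are placeholders.

```python
"""Added example: 'same hash, different file names' masquerading analytic over
constructed process-creation events. Not CAR's code; the data model is assumed."""
import json
import ntpath
from collections import defaultdict

# Constructed sample events (Sysmon-like shape; field names are assumptions).
# svch0st.exe on ws02 is a renamed copy of svchost.exe (same sha256) -> should fire.
# update.exe appears in two directories with one hash -> same *name*, no hit.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",     "sha256": "aaa111"},
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "sha256": "bbb222"},
    {"host": "ws02", "image": r"C:\Users\Public\svch0st.exe",     "sha256": "bbb222"},
    {"host": "ws02", "image": r"C:\Users\Public\update.exe",      "sha256": "ccc333"},
    {"host": "ws03", "image": r"C:\ProgramData\update.exe",       "sha256": "ccc333"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe",     "sha256": "aaa111"},
]


def file_name(image_path: str) -> str:
    """Case-insensitive file name from a Windows path (ntpath works on any OS)."""
    return ntpath.basename(image_path).lower()


def same_hash_different_names(events, allowlist=frozenset()):
    """Return {sha256: {"names": [...], "hosts": [...]}} for every hash that was
    executed under more than one file name.

    Keyed on the file name, not the full path, so the same binary in two
    directories is deliberately not a hit. `allowlist` holds hashes known to
    ship under several names legitimately (tuned per environment)."""
    by_hash = defaultdict(lambda: {"names": set(), "hosts": set()})
    for ev in events:
        digest = ev["sha256"].lower()
        if digest in allowlist:
            continue
        by_hash[digest]["names"].add(file_name(ev["image"]))
        by_hash[digest]["hosts"].add(ev["host"])
    return {
        digest: {"names": sorted(v["names"]), "hosts": sorted(v["hosts"])}
        for digest, v in by_hash.items()
        if len(v["names"]) > 1
    }


if __name__ == "__main__":
    print(json.dumps(same_hash_different_names(SAMPLE_EVENTS), indent=2))
```

The two constructed cases play the role CAR's unit tests play for a real analytic: one positive (a renamed system binary) and one negative (an identical binary in two paths) that documents the "name, not path" decision. In a real deployment you would run this grouping over a time window and maintain the allowlist for software that legitimately reuses one binary under several names.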
Task 5: MITRE Engage
”MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.”
MITRE Engage is considered an Adversary Engagement Approach. This is accomplished by the implementation of Cyber Denial and Cyber Deception.
With Cyber Denial we prevent the adversary’s ability to conduct their operations and with Cyber Deception we intentionally plant artifacts to mislead the adversary.
The Engage website provides a starter kit to get you ‘started’ with the Adversary Engagement Approach. The starter kit is a collection of whitepapers and PDFs explaining various checklists, methodologies, and processes to get you started.
As with MITRE ATT&CK, Engage has its own matrix. The room shows the Engage Matrix as an image; its categories are summarised below.

Let’s quickly explain each of these categories based on the information on the Engage website.
- Prepare the set of operational actions that will lead to your desired outcome (input)
- Expose adversaries when they trigger your deployed deception activities
- Affect adversaries by performing actions that will have a negative impact on their operations
- Elicit information by observing the adversary and learn more about their modus operandi (TTPs)
- Understand the outcomes of the operational actions (output)
Refer to the Engage Handbook to learn more.
You can interact with the Engage Matrix Explorer. We can filter by information from MITRE ATT&CK.
Questions
Under Prepare, what is ID SAC0002?
Answer
Persona Creation
What is the name of the resource to aid you with the engagement activity from the previous question?
Answer
Persona Profile Worksheet
Which engagement activity baits a specific response from the adversary?
Answer
lures
What is the definition of Threat Model?
Answer
A risk assessment that models organizational strengths and weaknesses
Task 6: MITRE D3FEND
What is this MITRE resource? Per the D3FEND website, this resource is “A knowledge graph of cybersecurity countermeasures.”
D3FEND is still in beta and is funded by the Cybersecurity Directorate of the NSA.
D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
At the time of this writing, there are 408 artifacts in the D3FEND matrix (the room shows the matrix as an image).

Since this resource is in beta and will change significantly in future releases, we won’t spend that much time on D3FEND.
Questions
What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
Answer
data obfuscation
In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?
Answer
Outbound Internet Network Traffic
Task 7: ATT&CK® Emulation Plans
MITRE formed an organization named the Center for Threat-Informed Defense (CTID). This organization consists of various companies and vendors from around the globe. Their objective is to conduct research on cyber threats and their TTPs and share this research to improve cyber defense for all.
**Adversary Emulation Library & ATT&CK® Emulation Plans:**
The Adversary Emulation Library is a public library that makes adversary emulation plans a free resource for blue/red teamers. The library and the emulation plans are a contribution from CTID. Several ATT&CK® Emulation Plans are available, including APT3, APT29 and FIN6 (and Sandworm, which one of the questions below uses). An emulation plan is a step-by-step guide on how to mimic the specific threat group. If any of the C-Suite were to ask, “How would we fare if APT29 hit us?”, the question can be answered by referring to the results of executing the emulation plan.
Questions
In Phase 1 for the APT3 Emulation Plan, what is listed first?
Answer
c2 setup
Under Persistence, what binary was replaced with cmd.exe?
Answer
sethc.exe
Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
Answer
Pupy,Metasploit Framework
What C2 framework is listed in Scenario 2 Infrastructure?
Answer
PoshC2
Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)
Answer
P.A.S.,S0598 (source: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/sandworm/Emulation_Plan/Scenario_1)
Task 8: ATT&CK® and Threat Intelligence
Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is information about an adversary, such as the TTPs attributed to them. By using threat intelligence, we as defenders can make better decisions about our defensive strategy.
Large corporations might have an in-house team whose primary objective is to gather threat intelligence for other teams within the organization, aside from using threat intel already readily available. Some of this threat intel can be open source or through a subscription with a vendor, such as CrowdStrike.
In contrast, in many organizations defenders wear multiple hats (roles) and must take time from their other tasks to focus on threat intelligence. To cater to the latter, we’ll work through a scenario of using ATT&CK® for threat intelligence.
The goal of threat intelligence is to make the information actionable.
Questions
Scenario: You are a security analyst who works in the aviation sector. Your organization is moving their infrastructure to the cloud. Your goal is to use the ATT&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group’s information and their tactics, techniques, etc.
What is a group that targets your sector who has been in operation since at least 2013?
Answer
apt33
As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
Answer
cloud accounts
What tool is associated with the technique from the previous question?
Answer
ruler
Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?
Answer
Multi-factor Authentication
What platforms does the technique from question #2 affect?
Answer
Azure AD, Google Workspace, IaaS, Office 365, SaaS
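The scenario above ends where it usually does in practice: you have a list of techniques attributed to a group and a list of what you can already detect or mitigate, and you want the gaps. The Navigator description quoted in Task 3 mentions visualizing defensive coverage, so here is an added example (my own code, not from the room, MITRE or the Navigator project) that computes the gaps and writes them out as an ATT&CK Navigator layer. The technique IDs are real ATT&CK IDs, but the group attribution and the coverage set are constructed; the `attack` and `navigator` version strings are assumptions you should match to the ATT&CK version you read the group page from and to your Navigator install.

```python
"""Added example: coverage-gap analysis emitted as an ATT&CK Navigator layer.
Not the room's or MITRE's code; sample input and version strings are assumptions."""
import json

# Constructed sample: techniques attributed to a group, as read from its ATT&CK
# page. The IDs are real ATT&CK IDs; the attribution here is illustrative only.
GROUP_TECHNIQUES = {
    "T1566": "Phishing",
    "T1078.004": "Valid Accounts: Cloud Accounts",
    "T1110": "Brute Force",
    "T1059": "Command and Scripting Interpreter",
}
# Constructed sample: techniques our detections or mitigations already cover.
COVERED = {"T1566", "T1059"}

COLOR_COVERED, COLOR_GAP = "#4caf50", "#f44336"


def coverage_gaps(group_techniques, covered):
    """Technique IDs attributed to the group that we have no coverage for."""
    return sorted(t for t in group_techniques if t not in covered)


def navigator_layer(name, group_techniques, covered,
                    attack_version="14", navigator_version="4.9.1"):
    """Build a Navigator layer (layer format 4.5) colouring covered techniques
    green and gaps red. Version strings are assumptions: 'attack' should be the
    ATT&CK version the group page was read from, 'navigator' your install."""
    techniques = []
    for tid, tname in sorted(group_techniques.items()):
        hit = tid in covered
        techniques.append({
            "techniqueID": tid,
            "score": 1 if hit else 0,
            "color": COLOR_COVERED if hit else COLOR_GAP,
            "comment": f"{tname}: {'covered' if hit else 'GAP'}",
            "enabled": True,
        })
    gaps = coverage_gaps(group_techniques, covered)
    return {
        "name": name,
        "versions": {"attack": attack_version,
                     "navigator": navigator_version,
                     "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(gaps)} gap(s) out of {len(group_techniques)} "
                       f"attributed techniques: {', '.join(gaps)}",
        "techniques": techniques,
        "legendItems": [{"label": "covered", "color": COLOR_COVERED},
                        {"label": "gap", "color": COLOR_GAP}],
    }


if __name__ == "__main__":
    layer = navigator_layer("Sample group vs. our coverage", GROUP_TECHNIQUES, COVERED)
    print("gaps:", coverage_gaps(GROUP_TECHNIQUES, COVERED))
    # Load the file in Navigator via Open Existing Layer -> Upload from local.
    with open("coverage_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)
```

Sub-technique entries such as T1078.004 only become visible in the Navigator once the parent technique is expanded, so expand sub-techniques after loading the layer. The same two inputs feed the conversation with management the Task 7 section alludes to: the gap list is the answer to "what would this group do that we would not see?"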
Conclusion
In this room, we explored tools/resources that MITRE has provided to the security community. The room’s goal was to expose you to these resources and give you a foundational knowledge of their uses. Many vendors of security products and security teams across the globe consider these contributions from MITRE invaluable in the day-to-day effort to thwart evil. The more information we have as defenders, the better equipped we are to fight back. If you are looking to transition into a role such as SOC analyst, detection engineer or cyber threat analyst, these tools/resources are a must to know.
MITRE good. Very good.
:D
