We demonstrated the MITRE ATT&CK and Shield frameworks for security strategies and active defense. We also covered the answers for the TryHackMe MITRE room.
Highlights
From Mitre.org: “At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation.”
“MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked to emulate adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.
The ATT&CK® framework has grown and expanded throughout the years. One notable expansion is platform coverage: the framework originally focused solely on Windows but now covers other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note this is not only a tool for blue teamers. The tool is also useful for red teamers.
If you haven’t done so, navigate to the ATT&CK® website.
TTP is an acronym for Tactics, Techniques, and Procedures:
- The Tactic is the adversary’s goal or objective.
- The Technique is how the adversary achieves the goal or objective.
- The Procedure is how the technique is executed.
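The room's lookups (a technique's ID, the mitigation listed for it, the groups that use it) are done by hand on the ATT&CK website, but the same data is published by MITRE as a STIX bundle and can be queried in a few lines. The following is an added example, not code from the room or from MITRE; it runs against a constructed, cut-down bundle whose object ids are placeholders, and the helper names (attack_id, is_live, lookup) are this example's own.

```python
"""Resolve an ATT&CK technique id to its mitigations and the groups that use it,
from a STIX bundle in the layout MITRE publishes for ATT&CK (attack-pattern,
course-of-action and intrusion-set objects joined by relationship objects)."""

# Constructed sample bundle in that shape, not the real data set (json.load a
# downloaded enterprise-attack.json for real lookups). Object ids are placeholders;
# the external ids mirror ATT&CK's for Phishing, User Training and Dragonfly.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Phishing (old)",
     "revoked": True,  # retired objects remain in the bundle; lookups must skip them
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "course-of-action", "id": "course-of-action--1", "name": "User Training",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Dragonfly",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0035"}]},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--1", "target_ref": "attack-pattern--1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--1"},
]}

def attack_id(obj):
    """Return the Txxxx/Mxxxx/Gxxxx id from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def is_live(obj):
    """ATT&CK keeps revoked and deprecated objects in the bundle; ignore them."""
    return not obj.get("revoked") and not obj.get("x_mitre_deprecated")

def lookup(bundle, ext_id):
    """Technique name plus sorted mitigation and group names for one technique id."""
    objs = [o for o in bundle["objects"] if is_live(o)]
    by_id = {o["id"]: o for o in objs if o["type"] != "relationship"}
    tech = next((o for o in objs if o["type"] == "attack-pattern"
                 and attack_id(o) == ext_id), None)
    if tech is None:
        raise KeyError(f"no live technique with id {ext_id}")
    def names_of(rel_type, src_type):  # objects of src_type pointing at the technique
        return sorted(by_id[r["source_ref"]]["name"] for r in objs
                      if r["type"] == "relationship" and r["relationship_type"] == rel_type
                      and r["target_ref"] == tech["id"]
                      and by_id.get(r["source_ref"], {}).get("type") == src_type)
    return {"name": tech["name"],
            "mitigations": names_of("mitigates", "course-of-action"),
            "groups": names_of("uses", "intrusion-set")}
```

Calling lookup(BUNDLE, "T1566") returns the technique name, ["User Training"] as its mitigation and ["Dragonfly"] as a group using it, which matches the answers the room expects for the ID, mitigation and group questions.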
Room Answers
Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purple Teamers, SOC Managers?)
Nay
What is the ID for this technique?
T1566
Based on this technique, what mitigation covers identifying social engineering techniques?
User Training
What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
User Execution
What groups have used spear-phishing in their campaigns? (format: group1,group2)
Dragonfly
Based on the information for the first group, what are their associated groups?
TTG-4192,Crouching Yeti,IRON LIBERTY,Energetic Bear
What software is associated with this group that lists phishing as a technique?
PsExec
What is the description for this software?
FIN5
This group overlaps (slightly) with which other group?
2008
How many techniques are attributed to this group?
Windows Credential Editor
What tactic has an ID of TA0003?
splunk search.
What is the name of the library that is a collection of Zeek (BRO) scripts?
Persistence
What is the name of the technique for running executables with the same hash and different names?
BZAR
Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
Masquerading
Under Prepare, what is ID SAC0002?
Detect
What is the name of the resource to aid you with the engagement activity from the previous question?
PERSONA PROFILE WORKSHEET
Which engagement activity baits a specific response from the adversary?
Lures
What is the definition of Threat Model?
A risk assessment that models organizational strengths and weaknesses
What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
Data Obfuscation
In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?
Outbound Internet Network Traffic
In Phase 1 for the APT3 Emulation Plan, what is listed first?
3
Under Persistence, what binary was replaced with cmd.exe?
sethc.exe
Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
Pupy and Meterpreter
What C2 framework is listed in Scenario 2 Infrastructure?
PoshC2
Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)
P.A.S.,S0598
Video Walkthrough