This post walks through MITRE's ATT&CK and Shield frameworks as they apply to security strategy and active defense, and then covers the answers for the TryHackMe MITRE room.
MITRE
MITRE is an organization dedicated to solving problems for a safer world, and one of its significant contributions is the development of crucial cybersecurity frameworks.
ATT&CK Framework: Understanding the Adversary
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is essentially a matrix that lays out attacker tactics and the corresponding techniques used to achieve them, all drawn from real-world observations.
- Use for Blue Teams (Defenders): ATT&CK helps cybersecurity defenders understand attacker methodologies, which is vital for building better defense strategies. They can learn about mitigations and detection methods for specific techniques.
- Use for Red Teams/Pentesters (Attackers): For offensive security professionals, ATT&CK provides a methodical way to conduct tests by understanding and mimicking real-world attacker behaviors.
The framework is organized into broad tactics (e.g., Reconnaissance, Execution), with more specific techniques under each tactic (e.g., Active Scanning under Reconnaissance) and, where needed, sub-techniques under a technique (e.g., Scanning IP Blocks under Active Scanning).
Shield Framework: Mastering Active Defense
The Shield Framework takes a different perspective and focuses on active defense. It catalogs techniques and tactics that blue teamers can apply, sometimes involving limited offensive actions, to protect their resources. Each tactic lists concrete defensive techniques: under the “Detect” tactic, for example, one technique is “Decoy Accounts.” Shield also describes the opportunities and use cases for each active defense technique, such as studying adversaries or influencing their actions.
The Relationship Between ATT&CK and Shield
These two frameworks are closely related and can be mapped to each other. Shield provides active defense techniques that directly correspond to the attacker techniques outlined in ATT&CK. This mapping helps defenders understand precisely how to protect against specific adversarial actions. For instance, if ATT&CK describes an attacker technique like “Windows Management Instrumentation,” Shield might suggest an active defense like removing admin access to mitigate it.
Practical Application Example
The video below illustrates how to use ATT&CK for a risk assessment when migrating on-premises resources (a web server, an email server, and a file server) to Google Cloud.
- Identifying Cloud Risks: Search ATT&CK for cloud-related attack techniques (e.g., “Cloud Infrastructure Discovery”) to understand the risks specific to a cloud environment.
- Mitigation Strategies: Each ATT&CK technique page describes how attackers carry out the technique and lists mitigations (e.g., limiting permissions, robust user account management).
- Real-World Examples: The technique page also lists threat groups observed using it (e.g., UNC2552, involved in the SolarWinds attack) and related techniques they used, such as “Account Manipulation.”
- Mapping to Active Defense: Mapping these ATT&CK techniques to Shield yields active defense strategies, such as monitoring for unusual account activity, deploying decoy accounts, or enforcing strong authentication.
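The lookups in the steps above (technique, its mitigations, its detection data sources, and the groups that use it) can be automated against ATT&CK's published STIX 2 data. The following is an added example, not code from the room or the video: it resolves those relationships from a constructed STIX bundle whose object ids are made up, with only the technique ID T1566 and the names "User Training" and "Dragonfly" taken from the room.

```python
"""Resolve a defender's view of one ATT&CK technique from STIX 2 bundle objects
(the format MITRE publishes for ATT&CK).  SAMPLE_BUNDLE is a constructed sample:
the STIX ids are invented; only T1566 and the names come from the room."""


SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow",
                                  "Application Log: Application Log Content"]},
        {"type": "course-of-action", "id": "course-of-action--m1", "name": "User Training"},
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Dragonfly"},
        # Revoked objects stay in real bundles; a correct lookup must skip them.
        {"type": "intrusion-set", "id": "intrusion-set--g9", "name": "OldName", "revoked": True},
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1", "target_ref": "attack-pattern--t1"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
        {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
         "source_ref": "intrusion-set--g9", "target_ref": "attack-pattern--t1"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK external ID (T####, M####, G####) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def technique_profile(bundle, technique_id):
    """Collect mitigations, detection data sources and groups for one technique ID."""
    live = [o for o in bundle["objects"] if not (o.get("revoked") or o.get("x_mitre_deprecated"))]
    by_id = {o["id"]: o for o in live}
    technique = next((o for o in live if o["type"] == "attack-pattern"
                      and attack_id(o) == technique_id), None)
    if technique is None:
        raise KeyError(f"{technique_id} not found in bundle")
    profile = {"name": technique["name"], "mitigations": [], "groups": [],
               "data_sources": sorted(technique.get("x_mitre_data_sources", []))}
    for rel in live:
        if rel["type"] != "relationship" or rel["target_ref"] != technique["id"]:
            continue
        src = by_id.get(rel["source_ref"])  # None when the source object was revoked
        if src is None:
            continue
        if rel["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            profile["mitigations"].append(src["name"])
        elif rel["relationship_type"] == "uses" and src["type"] == "intrusion-set":
            profile["groups"].append(src["name"])
    return profile
```

Running `technique_profile(SAMPLE_BUNDLE, "T1566")` on the real enterprise-attack bundle in place of the sample gives the same mitigation, data-source and group lists the room asks for.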
Room Answers
Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purple Teamers, SOC Managers?)
Nay
What is the ID for this technique?
T1566
Based on this technique, what mitigation covers identifying social engineering techniques?
User Training
What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
User Execution
What groups have used spear-phishing in their campaigns? (format: group1,group2)
Dragonfly
Based on the information for the first group, what are their associated groups?
TTG-4192,Crouching Yeti,IRON LIBERTY,Energetic Bear
What software is associated with this group that lists phishing as a technique?
PsExec
What is the description for this software?
FIN5
This group overlaps (slightly) with which other group?
2008
How many techniques are attributed to this group?
Windows Credential Editor
What tactic has an ID of TA0003?
splunk search.
What is the name of the library that is a collection of Zeek (BRO) scripts?
Persistence
What is the name of the technique for running executables with the same hash and different names?
BZAR
Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
Masquerading
Under Prepare, what is ID SAC0002?
Detect
What is the name of the resource to aid you with the engagement activity from the previous question?
PERSONA PROFILE WORKSHEET
Which engagement activity baits a specific response from the adversary?
Lures
What is the definition of Threat Model?
A risk assessment that models organizational strengths and weaknesses
What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
Data Obfuscation
In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?
Outbound Internet Network Traffic
In Phase 1 for the APT3 Emulation Plan, what is listed first?
3
Under Persistence, what binary was replaced with cmd.exe?
sethc.exe
Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
Pupy and Meterpreter
What C2 framework is listed in Scenario 2 Infrastructure?
PoshC2
Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)
P.A.S.,S0598
Video Walkthrough