We demonstrated the cybersecurity framework ATT&CK and shield for security strategies and active defense. We also covered the answers for TryHackMe MITRE room.

OSCP Study Notes

The Complete Practical Web Application Penetration Testing Course

MITRE

MITRE is an organization dedicated to solving problems for a safer world, and one of its significant contributions is the development of crucial cybersecurity frameworks.

ATT&CK Framework: Understanding the Adversary

The ATT&CK Framework stands for Adversary Tactics, Techniques, and Common Knowledge. It’s essentially a matrix that outlines attacker tactics and the corresponding techniques they use, all based on real-world scenarios.

  • Use for Blue Teams (Defenders): ATT&CK helps cybersecurity defenders understand attacker methodologies, which is vital for building better defense strategies. They can learn about mitigations and detection methods for specific techniques.
  • Use for Red Teams/Pentesters (Attackers): For offensive security professionals, ATT&CK provides a methodical way to conduct tests by understanding and mimicking real-world attacker behaviors.

The framework is structured with broad tactics (e.g., Reconnaissance, Execution) and then more specific techniques under each tactic (e.g., Active Scanning, Scanning IP Blocks).

Shield Framework: Mastering Active Defense

The Shield Framework offers a different perspective, focusing on active defense. It teaches techniques and tactics that blue teamers can apply, sometimes involving limited offensive actions, to protect their resources. It provides defensive actions, for example, under the “Detect” tactic, a technique could be “Decoy Accounts.” Shield also explains the opportunities and use cases for these active defense techniques, such as studying adversaries or influencing their actions.

The Relationship Between ATT&CK and Shield

These two frameworks are closely related and can be mapped to each other. Shield provides active defense techniques that directly correspond to the attacker techniques outlined in ATT&CK. This mapping helps defenders understand precisely how to protect against specific adversarial actions. For instance, if ATT&CK describes an attacker technique like “Windows Management Instrumentation,” Shield might suggest an active defense like removing admin access to mitigate it.

Practical Application Example

The video below illustrated how to use ATT&CK for risk assessment when migrating on-premises resources (like a web server, email server, and file server) to Google Cloud.

  1. Identifying Cloud Risks: I could search ATT&CK for cloud-related attack techniques (e.g., “Cloud Infrastructure Discovery”) to understand potential risks specific to a cloud environment.
  2. Mitigation Strategies: ATT&CK provides detailed information on how attackers conduct these discoveries and offers mitigation strategies (e.g., limiting permissions, robust user account management).
  3. Real-World Examples: It also lists real-world examples of threat groups (e.g., UNC2552, involved in the SolarWinds attack) and the techniques they used, such as “Account Manipulation.”
  4. Mapping to Active Defense: By mapping these ATT&CK techniques to Shield, I could find active defense strategies, such as implementing monitoring for unusual account activity, using decoy accounts, or enforcing strong authentication.

Room Answers

Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purpe Teamers, SOC Managers?)

Nay

What is the ID for this technique?

T1566

Based on this technique, what mitigation covers identifying social engineering techniques?

User Training

What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

User Execution

What groups have used spear-phishing in their campaigns? (format: group1,group2)

Dragonfly

Based on the information for the first group, what are their associated groups?

TTG-4192,Crouching Yeti,IRON LIBERTY,Energetic Bear

What software is associated with this group that lists phishing as a technique?

PsExec

What is the description for this software?

FIN5

This group overlaps (slightly) with which other group?

2008

How many techniques are attributed to this group?

Windows Credential Editor

What tactic has an ID of TA0003?

splunk search.

What is the name of the library that is a collection of Zeek (BRO) scripts?

Persistence

What is the name of the technique for running executables with the same hash and different names?

BZAR

Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Masquerading

Under Prepare, what is ID SAC0002?

Detect

What is the name of the resource to aid you with the engagement activity from the previous question?

PERSONA PROFILE WORKSHEET

Which engagement activity baits a specific response from the adversary?

Lures

What is the definition of Threat Model?

A risk assessment that models organizational strengths and weaknesses

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Outbound Internet Network Traffic

In Phase 1 for the APT3 Emulation Plan, what is listed first?

3

Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Examining APT29, what  C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Pupy and Meterpreter

What C2 framework is listed in Scenario 2 Infrastructure?

PoshC2

Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

P.A.S.,S0598

Video Walkthrough

, , , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles