
Figure 1: The Mitre Enterprise ATT&CK Matrix shows the tactics in an attack across the top, and individual techniques down each column.

What are Techniques in the ATT&CK Framework?

The second “T” in ATT&CK stands for techniques. Each tactic includes a set of techniques that have been seen used by malware and threat actors. Techniques represent the “how”: how attackers carry out a tactic in practice. For example, if the tactic is privilege escalation, the techniques will be the various ways attackers carry out privilege escalation in real-world attacks.

There are currently 185 techniques and 367 sub-techniques in the Enterprise ATT&CK matrix, and Mitre continuously adds more. Each technique contains specific information about how threat actors operate, such as the privileges required, the platforms on which the technique is commonly used, and how to detect commands or activities associated with the technique. Each technique has a four-digit code; for example, Abuse Elevation Control Mechanism is T1548.

There are three matrices in the ATT&CK framework:

Enterprise ATT&CK – an adversary model that explains actions an attacker can take to operate inside a corporate network. It mainly focuses on post-compromise behavior. This matrix can help prioritize network defense by explaining the tactics, techniques, and procedures (TTPs) attackers use once inside the network.

PRE-ATT&CK – this matrix focuses on activities performed before an attack, largely outside the organization’s view. It helps security teams understand how attackers perform reconnaissance and select their point of entry, and makes it possible to more effectively monitor and identify attacker activities outside the boundaries of the corporate network.

Mobile ATT&CK – based on the NIST Mobile Threat Catalogue, this is a threat model describing tactics and techniques attackers can use to infiltrate mobile devices. These include “network-based effects”, attack methods which can be performed without direct access to the device.

The MITRE ATT&CK Matrix visually arranges all known tactics and techniques into an easy-to-understand format. Attack tactics are shown across the top, and individual techniques are listed down each column. In the Enterprise ATT&CK matrix, an attack sequence would involve at least one technique per tactic, and a completed attack sequence would be built by moving from left (Initial Access) to right (Command and Control). It is possible for multiple techniques to be used for one tactic. For example, an attacker might try both an attachment and a link in a spear phishing exploit.

It’s not necessary for an attacker to use all eleven tactics across the top of the matrix. Rather, the attacker will use the minimum number of tactics to achieve their objective, as it’s more efficient and provides less chance of discovery.

Figure 3 shows an example attack with techniques from each tactical stage of the attack. In this attack (shown in Figure 3), the adversary performs Initial Access to the credentials of the CEO’s administrative assistant using a spear phishing link delivered in an email. Once they have the admin’s credentials, the attacker will look for a remote system in the Discovery stage. Let’s assume that they’re after sensitive data in a Dropbox folder to which the admin also has access, so there is no need to escalate privileges. Collection, which is the last stage, is performed by downloading files from Dropbox to the attacker’s machine.

Figure 3: A simple attack to steal sensitive files from the CEO can be accomplished in three steps using three tactics and techniques.

Note that if using behavior analytics, a security analyst might detect the attack in process by identifying anomalous user behavior. For example, let’s say the admin clicked a link that no one in the company has ever clicked before, then accessed a particular Dropbox folder at an unusual time. During the final stage of the attack, the attacker’s computer accessed the Dropbox folder for the first time. With behavioral analytics, these activities would be flagged as suspicious user behavior.

There are a number of ways an organization can use MITRE ATT&CK.

Adversary Emulation – ATT&CK can be used to create adversary emulation scenarios to test and verify defenses against common adversary techniques.
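The behavior-analytics detection described for the Figure 3 attack (a never-before-clicked link, a first-time host touching the Dropbox folder, access at an unusual hour), as an added example that is not from the original article or any vendor product: a baseline is built from constructed history events, and each attack-day event that deviates from it is flagged and labelled with its tactic. The event fields, host names, URLs and the action-to-tactic mapping are all assumptions made for this illustration.

```python
from collections import defaultdict
# Events are constructed tuples: (user, host, action, resource, hour_of_day).
# Assumed mapping from this example's event kinds to the three Figure 3 tactics.
TACTIC_BY_ACTION = {
    "link_click": "Initial Access",
    "remote_system_lookup": "Discovery",
    "dropbox_access": "Collection",
}

def build_baseline(history):
    """Normal behaviour: (action, resource) pairs seen org-wide, hosts and hours per user."""
    seen, hosts, hours = set(), defaultdict(set), defaultdict(set)
    for user, host, action, resource, hour in history:
        seen.add((action, resource))
        hosts[user].add(host)
        hours[user].add(hour)
    return seen, hosts, hours

def detect(history, events, slack=1):
    """Return [(event, tactic, reasons)] for events deviating from baseline; `slack` widens usual hours."""
    seen, hosts, hours = build_baseline(history)
    findings = []
    for event in events:
        user, host, action, resource, hour = event
        reasons = []
        if (action, resource) not in seen:
            reasons.append("resource never seen org-wide")  # the never-clicked link
        if host not in hosts[user]:
            reasons.append("new host for user")             # the attacker's machine
        usual = hours[user]
        if usual and not (min(usual) - slack <= hour <= max(usual) + slack):
            reasons.append("outside usual hours")           # the off-hours access
        if reasons:
            findings.append((event, TACTIC_BY_ACTION.get(action, "Unknown"), reasons))
    return findings

# Constructed baseline rows standing in for weeks of ordinary activity.
HISTORY = [
    ("assistant", "assistant-laptop", "link_click", "https://intranet.example/news", 9),
    ("assistant", "assistant-laptop", "dropbox_access", "/CEO/board-minutes", 10),
    ("assistant", "assistant-laptop", "dropbox_access", "/CEO/board-minutes", 16),
    ("ceo", "ceo-laptop", "dropbox_access", "/CEO/board-minutes", 11),
]
# Constructed attack-day events following the three stages of Figure 3.
ATTACK_DAY = [
    ("assistant", "assistant-laptop", "link_click", "https://lure.example/login", 9),
    ("assistant", "attacker-box", "remote_system_lookup", "dropbox", 2),
    ("assistant", "attacker-box", "dropbox_access", "/CEO/board-minutes", 3),
]
for event, tactic, reasons in detect(HISTORY, ATTACK_DAY):
    print(f"{tactic}: {event} -> {', '.join(reasons)}")
```

A real deployment would build the baseline from weeks of telemetry per user and peer group rather than a handful of rows, but the three signals are the ones the walk-through relies on.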