Sean Lee

TryHackMe: MITRE

1. Basic Terminology

APT is an acronym for Advanced Persistent Threat. This can be a team/group (threat group), or even a country (nation-state group), that engages in long-term attacks against organizations and/or countries. The term 'advanced' can be misleading, as it tends to make us believe that every APT group has some super-weapon, i.e. a zero-day exploit, that they use. That is not the case. As we will see a bit later, the techniques these APT groups use are quite common and can be detected with the right implementations in place. You can view FireEye's current list of APT groups here.

TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?

  • The Tactic is the adversary's goal or objective.
  • The Technique is how the adversary achieves the goal or objective.
  • The Procedure is how the technique is executed.

2. ATT&CK® Framework

According to the website, "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks.



3. CAR Knowledge Base

Cyber Analytics Repository

The official definition of CAR is "The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK® adversary model."

To summarize, CAR is a great place for finding analytics that take us further than the Mitigation and Detection summaries in the ATT&CK® framework. This tool is not a replacement for ATT&CK® but an added resource.



4. MITRE Engage

Per the website, "MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals."

MITRE Engage is considered an Adversary Engagement Approach. This is accomplished by the implementation of Cyber Denial and Cyber Deception.

With Cyber Denial we prevent the adversary's ability to conduct their operations and with Cyber Deception we intentionally plant artifacts to mislead the adversary.

The Engage website provides a starter kit to get you 'started' with the Adversary Engagement Approach. The starter kit is a collection of whitepapers and PDFs explaining various checklists, methodologies, and processes to get you started.

As with MITRE ATT&CK, Engage has its own matrix. Below is a visual of the Engage Matrix.

Let's quickly explain each of these categories based on the information on the Engage website.

  • Prepare the set of operational actions that will lead to your desired outcome (input)
  • Expose adversaries when they trigger your deployed deception activities 
  • Affect adversaries by performing actions that will have a negative impact on their operations
  • Elicit information by observing the adversary and learn more about their modus operandi (TTPs)
  • Understand the outcomes of the operational actions (output)



5. MITRE D3FEND

What is this MITRE resource? Per the D3FEND website, this resource is "A knowledge graph of cybersecurity countermeasures."

D3FEND is still in beta and is funded by the Cybersecurity Directorate of the NSA. 

D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense. 

At the time of this writing, there are 408 artifacts in the D3FEND matrix. See the below image.

Let's take a quick look at one of D3FEND's artifacts, such as Decoy File.

As you can see, you're provided with information on what the technique is (definition), how the technique works (how it works), things to think about when implementing the technique (considerations), and how to utilize the technique (example).

Note, as with other MITRE resources, you can filter based on the ATT&CK matrix. 

Since this resource is in beta and will change significantly in future releases, we won't spend that much time on D3FEND. 

The objective of this task is to make you aware of this MITRE resource and hopefully you'll keep an eye on it as it matures in the future.


6. ATT&CK® Emulation Plans

If these tools provided to us by MITRE are not enough, under MITRE ENGENUITY, we have CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans.

CTID

MITRE formed an organization named The Center of Threat-Informed Defense (CTID). This organization consists of various companies and vendors from around the globe. Their objective is to conduct research on cyber threats and their TTPs and share this research to improve cyber defense for all. 

Some of the companies and vendors who are participants of CTID:

  • AttackIQ (founder)
  • Verizon
  • Microsoft (founder)
  • Red Canary (founder)
  • Splunk

Per the website, "Together with Participant organizations, we cultivate solutions for a safer world and advance threat-informed defense with open-source software, methodologies, and frameworks. By expanding upon the MITRE ATT&CK knowledge base, our work expands the global understanding of cyber adversaries and their tradecraft with the public release of data sets critical to better understanding adversarial behavior and their movements."

Adversary Emulation Library & ATT&CK® Emulation Plans

The Adversary Emulation Library is a public library that makes adversary emulation plans a free resource for blue/red teamers. The library and the emulations are a contribution from CTID. There are several ATT&CK® Emulation Plans currently available: APT3, APT29, and FIN6. The emulation plans are a step-by-step guide on how to mimic the specific threat group. If anyone in the C-suite were to ask, "How would we fare if APT29 hit us?", this can easily be answered by referring to the results of executing the emulation plan.



7. ATT&CK® and Threat Intelligence

Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is the information, or TTPs, attributed to the adversary. By using threat intelligence, as defenders, we can make better decisions regarding the defensive strategy. Large corporations might have an in-house team whose primary objective is to gather threat intelligence for other teams within the organization, aside from using threat intel already readily available. Some of this threat intel can be open source or through a subscription with a vendor, such as CrowdStrike. In contrast, many defenders wear multiple hats (roles) within some organizations, and they need to take time from their other tasks to focus on threat intelligence. To cater to the latter, we'll work on a scenario of using ATT&CK® for threat intelligence. The goal of threat intelligence is to make the information actionable.
