
Module 1: Introducing the Training and Understanding ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Using MITRE ATT&CK™ for Cyber Threat Intelligence Training
Katie Nickels and Adam Pennington

Training Overview
▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti
▪ Module 1: Introducing training and understanding ATT&CK
A. Topic introduction (Video)
▪ Module 2: Mapping to ATT&CK from finished reporting
A. Topic introduction (Video)
B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 2 (Video)
▪ Module 3: Mapping to ATT&CK from raw data
A. Topic introduction (Video)
B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 3 (Video)

Training Overview
▪ Module 4: Storing and analyzing ATT&CK-mapped intel
A. Topic introduction (Video)
B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 4 (Video)
▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations
A. Topic introduction (Video)
B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 5 and wrap-up (Video)

Process of Applying ATT&CK to CTI
▪ Understand ATT&CK (Module 1)
▪ Map data to ATT&CK (Modules 2 and 3)
▪ Store & analyze ATT&CK-mapped data (Module 4)
▪ Make defensive recommendations from ATT&CK-mapped data (Module 5)
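The map, store and analyze steps of this process carried through in code, as an added example that is not code from the training materials or from MITRE: two constructed reports that analysts have already mapped to ATT&CK are stored as technique-ID sets, compared, and emitted as an ATT&CK Navigator layer whose score marks whether a technique appeared in report A only, report B only, or both, which is what the Module 4 layer comparison shows visually. The technique IDs are real pre-sub-technique ATT&CK IDs; their assignment to the two reports is invented for illustration, and the layer version string, domain value and legend colours are assumptions to adjust for the Navigator release you run.

```python
"""Added example, not from the MITRE training materials: map -> store -> analyze,
ending in an ATT&CK Navigator comparison layer. Report contents are constructed;
the layer version/domain fields and colours are assumptions."""
import json
from typing import Dict, List, Set

# Step "map data to ATT&CK": analysts have already mapped each report to technique IDs
# (pre-sub-technique IDs as ATT&CK used them in 2019). Which techniques each report
# contains is constructed sample input, not intelligence about any real group.
REPORT_A: Set[str] = {"T1193", "T1059", "T1086", "T1003", "T1060"}
# Spearphishing Attachment, Command-Line Interface, PowerShell, Credential Dumping,
# Registry Run Keys / Startup Folder
REPORT_B: Set[str] = {"T1193", "T1086", "T1053", "T1055", "T1027"}
# Spearphishing Attachment, PowerShell, Scheduled Task, Process Injection,
# Obfuscated Files or Information

# Scores for the comparison layer; the Navigator gradient maps them to colours.
ONLY_A, ONLY_B, BOTH = 1, 2, 3
LEGEND = {ONLY_A: ("only in report A", "#66b1ff"),   # colours are an assumption
          ONLY_B: ("only in report B", "#ff6666"),
          BOTH: ("in both reports", "#ff66f4")}


def compare(a: Set[str], b: Set[str]) -> Dict[str, int]:
    """Step "store & analyze": one score per technique seen in either report."""
    return {t: BOTH if (t in a and t in b) else (ONLY_A if t in a else ONLY_B)
            for t in a | b}


def shared_techniques(a: Set[str], b: Set[str]) -> List[str]:
    """Techniques both reports use: first candidates for defensive recommendations."""
    return sorted(t for t, score in compare(a, b).items() if score == BOTH)


def navigator_layer(name: str, scores: Dict[str, int]) -> dict:
    """Build a Navigator layer dict. Field names follow the Navigator layer JSON
    (techniques list with techniqueID/score/comment, gradient, legendItems); the
    version string and domain value are assumptions for a 3.x layer file."""
    return {
        "name": name,
        "version": "3.0",
        "domain": "mitre-enterprise",
        "description": "1 = report A only, 2 = report B only, 3 = both reports",
        "techniques": [
            {"techniqueID": t, "score": s, "comment": LEGEND[s][0], "enabled": True}
            for t, s in sorted(scores.items())
        ],
        "gradient": {"colors": [LEGEND[ONLY_A][1], LEGEND[ONLY_B][1], LEGEND[BOTH][1]],
                     "minValue": ONLY_A, "maxValue": BOTH},
        "legendItems": [{"label": label, "color": color} for label, color in LEGEND.values()],
    }


def layer_json(name: str, scores: Dict[str, int]) -> str:
    """Serialised layer, ready to open in the ATT&CK Navigator."""
    return json.dumps(navigator_layer(name, scores), indent=2)


if __name__ == "__main__":
    result = compare(REPORT_A, REPORT_B)
    print("shared techniques:", shared_techniques(REPORT_A, REPORT_B))
    print(layer_json("Report A vs Report B", result))
```

Save the printed JSON to a file and open it in the Navigator to get the same three-colour view the APT28 vs APT29 comparison uses; the techniques scored 3 are where a single defensive recommendation covers both reports.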

Introduction to ATT&CK and Applying it to CTI

Tough Questions for Defenders
▪ How effective are my defenses?
▪ Do I have a chance at detecting APT29?
▪ Is the data I’m collecting useful?
▪ Do I have overlapping tool coverage?
▪ Will this new product help my organization’s defenses?

What is ATT&CK?
A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven

The Difficult Task of Detecting TTPs
David Bianco’s Pyramid of Pain (indicator types from the top of the pyramid down, with how much pain denying each one causes the adversary):
▪ TTPs: Tough!
▪ Tools: Challenging
▪ Network/Host Artifacts: Annoying
▪ Domain Names: Simple
▪ IP Addresses: Easy
▪ Hash Values: Trivial
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Techniques: how the goals are achieved
Procedures: specific technique implementation
[Slide image: the ATT&CK Enterprise matrix, with each tactic’s techniques listed in the column beneath it; the technique names spilled from the image are not reproduced here.]

Technique: Spearphishing Attachment
[Four consecutive slides with this title; their content is image-only and was not captured in this extraction.]

Group: APT29
[Three consecutive slides with this title; their content is image-only and was not captured in this extraction.]

ATT&CK Use Cases
[Slide image: the “ATT&CK Use Cases” poster. Its text was extracted on top of the ATT&CK Enterprise matrices that illustrate each use case, and the technique names spilled from those matrices are not reproduced here. The parts of the poster that can be recovered follow.]

Use cases named on the poster: Use ATT&CK for Cyber Threat Intelligence; Use ATT&CK to Build Your Defensive Platform; Use ATT&CK for Adversary Emulation and Red Teaming; Detection; Assessment and Engineering.
Example matrices on the poster: Comparing APT28 to APT29 (legend: APT28, APT29, Both); Finding Gaps in Defense (legend: Low Priority, High Priority).

Poster text that survived the extraction (fragments are left uncompleted and marked with ...):
▪ “...commercial threat feeds, information-sharing groups, government threat-sharing programs, ...”
▪ “...analysts a common language to communicate across reports and ...”
▪ “...way to structure, compare, and analyze threat intelligence.”
▪ “...behavior framework based on threat intelligence that red teams can use to emulate ...”
▪ “ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.”
▪ “...we’ve chosen 12 of those data sources to show the techniques each of them might be able to detect with the right collection ...”
▪ “...analytics. Check out our website at attack.mitre.org for more information on how each technique can be detected, and ...”
▪ “...learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content ...”

Sample detection analytic shown on the poster (pseudocode; it flags process-creation events where reg.exe was launched by a cmd.exe that was not itself started from explorer.exe, joined on the same host):
processes = search Process:Create
reg = filter processes where (exe == “reg.exe” and parent_exe == “cmd.exe”)
cmd = filter processes where (exe == “cmd.exe” and parent_exe != “explorer.exe”)
reg_and_cmd = join(reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd
Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms
Scheduled Transfer
Network Denial of Service Resource Hijacking Runtime Data Manipulation ServiceStop
XSL Script Processing
Netsh He
st
InstallU
ew
Ser
vice
Syst
Rundll
g
Signed Binary Proxy Execution
ipulatio
Signed SIncitriiapl tAccess Proxy Execution
Bootkit
Sudo Caching
Modification
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry ExploitationforCredential Access Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and Relay
Network Snif fing
Password Filter DLL
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object Model
Exploitation of Remote Services Logon Scripts
Pass the Hash
PasstheTicket
Remote Desktop Protocol Remote File Copy
Remote Services
RMepdliacation Through Removable Shared W ebroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories Data from Local System
Data from Network Shared Drive DatafromRemovableMedia
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port Communication Through Removable Media
Connection Proxy
Custom Command and Control Protocol
Custom Cryptographic Protocol Data Encoding DataObfuscation
Domain Fronting
Domain Generation Algorithms Fallback Channels
Multi-hop Proxy
Multi-Stage Channels Multiband Communication Multilayer Encryption
Port Knocking Remote Access Tools
Web Service
Impact
Data Destruction
Data Encrypted for Impact Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service FirmwareCorruption
Inhibit System Recovery Network Denial of Service Resource Hijacking
Runtime Data Manipulation Service Stop
Stored Data Manipulation Transmitted Data Manipulation
adversary examples you can use to start detecting adversary behavior with ATT&CK.
Graphical User Interface InstallUtil
Launchctl
Local Job Scheduling LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution Kernel Modules and Extensions
n
Get
St
a
rted
and m
organ
tions, providing a
Finding Gaps in Defense
processes—and then fix t
m.
ExMecoudtiuolne tL
Exploitation for
Client Execution
horaodugh
y
til
N
LL
Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ ATT
Cre
ning
and
Dyl
ib Hija
ate Ac
cking
Path
Interce
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Plist Modification
Port Monitors
Process Injection
Scheduled Task
SDyisctoevmerNyetwork Configuration SDyisctoevmerNyetwork Connections System Owner/User Discovery System Service Discovery
with ATT&CK
Gatekeeper Bypass
Group Policy Modification Hidden Files and Directories
Hooking
Image File Execution Options Injection
Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion SID-History Injection File System Logical Of fsets
Launch A
S
lper D
In
Ins
InstallUti
Redundant Access
Startup Items SystemFirmwarePowerShell
Launch Daemon
Regsvcs/Regasm
New Service
PathInteRrcegptsiovnr32
Systemd Service Time Providers Trap
Valid Accounts
Rootkit
TT&CK or p
ided by an
, cyber defend
n create a comprehensive
t of
Web Shell Service Execution .bash_profile and .bashrc
analyti
cs to d
ct thre
SID-History Injection Persistence Sudo
Drive-by Compromise SourcEexploit Public-Facing Application
.bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs
on Trusted DeveloRMpepdeliacratiUtilities
Component Firmware
Hidden Files and Directories
Ha
T
rd
w
a
re
Ad
d
h Spearphishing Attachment
h
itions
Com
r
o
u
g
Removable
C
Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil
Launchctl
Local Job Scheduling LSASS Driver
Mshta
PowerShell
Mshta
Injection
La
unch Da
LC_LOAD_DYLIB Addition Valid Accounts Hidden Users
Local J
ob Schedu
ling
We
b Shell
Hidden W
emon
Rem
ption
DLL
Se
Login Item
Logon Scripts Image File Execution Options
exploitation for client execution
Cyberthreatintelligencece
o
LSASS Deriver r Inidincator Bflockoing rm
User Execution
Windows Management
Instrumentation
Windows Remote Management Modify Existing Service Indicator Removal from
High Priority
. ATT&CK gives Thrawnal
LL
New Service Indirect Command Execution
Office A
ioz ar e
e
pplicat
Path Interception
od
Port Knocking
Port Monitors
on
ctl LC_MAIN Hijacking Masquerading
Plist M
ificati
Launch
ion S
tartup
n Authentication Package
EBxIeTcuStioJnobs
AppleScript
BrowCsMeSTrP Extensions
ChCaomnmganed-LDineeIntfearfaucelt File Association
n
A
ccou
nt M
pi
led
H
an
TM
el
Dynamic Data Exchange ExecutionthroughAPI
on
d History
tro
lP
an
Ite
Shi
om
L
Fil
m
s
AppInit DLLs
Application Shimming AuthenticationPackage
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association Component Firmware
Component Object Model Hijacking Create Account
DLL Search Order Hijacking
Dylib Hijacking
m
e
y
Accessibility Features AppCert DLLs
BITS Jobs
Clear Command History
Sta
oto
rtu
p Ite
ete
ats.
Screensaver
Security Support Provider
ms
LL
Execution Guardrails
P
Exploitation for
Exploitation for
Defense Evasion
File Deletion
Privilege EscalatFioinle PermissionDesfense Evasion
Access Token Manipulation Access Token Manipulation AccessibilityFeialteuresSystem LogicalBOinarfyfPsaeddtinsg
AppCert DLLs Gatekeeper BypBaITSsJsobs
rivi
lege
Es
cala
tio
AppInit DLLs
r Account Control
Application
m
D
eobfus
Injectio
di
cator R
Port Knocking
Service Registry Permissions Process Doppelgänging
n
cate/D
em
tall Ro
m
ing Bypass User Account Con DLLSearchOrderHijacking
Dylib Hijacking
Exploitation for Privilege Escalation Extra Window Memory Injection
File System Permissions W eakness Hooking
Image File Execution Options Injection
Launch Daemon
New Service
Path Interception
C
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking Control Panel Items
DCShadow Deobfuscate/Decode Files or Information
Disabling Security Tools DLL Search Order Hijacking
ecode Fi
les or
LLMN
Information Relay
tion
arch O
rder Hi
jac
DLL Side-Loading
Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection
Private Keys Securityd Memory
Two-Factor Authentication Interception
Windows Remote Management
Remote File Copy
Standard Application Layer Protocol Standard Cryptographic Protocol
Standard Non-Application Layer Protocol
Uncommonly Used Port
Web Service
Low Priority
HISTCONTROL
Legend
indow
oval on
ot Ce
Ho
rtificat
l
Privilege Escalation
Modify Registry Access MToksehntaManipulation
Accessibility Features AppCertNDeLLtwsorkShareConnection
Removal
AppInit DLLs
NTFS File Attributes
Application Shimming BypassUOsberfuAscaoutendtCFonilteroslorInformation
DLLSeaPrclhisOtMrdeordHiifjiaccakitniogn DylibHijPacokirntgKnocking ExploitatPiornofcoer PsrsivDileogeppEesclagläatniogning Extra Window Memory Injection
C
ls
ontr
D
S
H
trol
ol Pa
king
Pas
Tools
R/NB
swor
The best defense is a well-tested defense. ATT&CK provides a common adversary
Setuid and Setgid Process Hollowing
Shortcut Modification
SIP and Trust Provider Hijacking
Process Injection Redundant Access Regsvcs/Regasm
Startup Items
System F
irmware Systemd Service
Regs
Valid Accounts Signed Binary Proxy Execution Web Shell Signed Script Proxy Execution Windows Management SIP and Trust Provider Hijacking
Instrume
Winlo
DLL Search Order Hijacking Image File Execution Options Injection Plist Modification
Valid Accounts
ntation Event Subscriptio
gon Helper
DLL
Software Packing
Space after Filename TemplateInjection Timestomp
Trusted Developer Utilities
B i n a r y P a d d i n V ga l i d A c c o u n t s
n
Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection
vr32 Rootkit
T -NS
Poiso
count
DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking
d Filte
r DLL
S
AdhveersaryEmulation
specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and
Password Policy Discovery
AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy
Use ATT&CK to Build Your Defensive Platform
A
Dylib Hijacking
File System Permissions Weakness Hooking
rvices
pplica
tion Sh
imming
Code S
Compiled HTML File
Component Firmware Component Object Model
igning
Perm
Process Discovery Query Discovery Remote System Discovery
Inpu
Kerberoasting Keychain LLMNR/NBT-NS Poisoning
t Prom
Graphical User Interface Launch Daemon Hijacking and Relay Security Software Discovery SSH Hijacking Multilayer Encryption ATT&CK includes resources designed to help cyber defenders develop analytics that
nel
Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking
ide-
idden Users
Loa
Item
din
le
pa
s
Tain
ss
U
ar CMSTP CodeSigning
C
an
se
Pass
nt
wo
rd Filt
er D
PowerShell Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools detect the techniques used by an adversary. Based on threat intelligence included in
y
Regsvcs/Regasm Service Registry Permissions Weakness or Information Two-Factor Authentication Windows Remote Remote File Copy
RegsvrA32
Setuird aond Svetgid DisablinlgySecsurity Tsools Interception eSysrtemsNetcworak Management Standard Apspliecation Layer
pt
R
Replication Through Removable Media Shared Webroot
ystem
Info
ote S
ystem Dis
is
onf
rmatio
sion
Groups
Disco
igu
em
Infor
cov
n Discove
ery
Tain
ry
Wind
tSh
ared
Conte
ows A
dmin
Shares
Re
mes from many sources, including knowledge of past incidents,
nt
Multil
Comparing APT28 to APT29
ratio
nnec
System Owner/User
Discovery System Service Discovery System Time Discovery VirDtuisacolivzearytion/Sandbox
Evasion
Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery
File and Directory Discovery Network Service Scanning NetworkShareDiscovery Network Snif fing
Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery
Query Registry
Remote System Discovery Security Software Discovery System Information Discovery
Co
tio
ns D
mati
n Disc
isco
on
over
very
col Standard Cryptographic
Protocol Standard Non-Application Layer Protocol UncommExofilntralytioUn sed Port
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol ECxofniltroaltiConhaOnvnerl Command and EMxefdiltiruamtionOverOtherNetwork Exfiltration Over Physical Medium Scheduled Transfer
ver
emote
Se
M
C
t Sh
are
dC
onte
ayer E
mote
Acces
ncrypt
ul
ti-St
ion
Tran
s Tools
age C
Pr
ha
nne
smitted D
ata Ma
nipula
hypervisor
w
i
n
d
bypass user account control
o
w
s
e
v
browser extensions
en
tl
application shimming
og
s
applescript
s
s
t
e
m
c
a
l
l
s
web service
spearphishing via service
s
spearphishing link
s
l
/
t
l
s
i
n
s
p
e
c
t
i
o
n
obfuscated files or information
ob
install root certificate
n
e
s
y
o
cti
e
t
e
ds
n
o
i
endpoint denial of service
u
s
t
r
t
i
m
k
r
standard cryptographic protocol
sta
o
w
t
e
n
drive-by compromise
s
g
domain fronting
n
o
l
e
c
i
v
e
d
k
r
e
o
s
w
r
t
template injection
e
e
n
v
e
r
e
r
a
w
l
standard non-application layer protocol
a
spearphishing attachment
m
remote access tools
obfuscated files or information
network denial of service
endpoint denial of service
-by compromise
protocol

ATT&CK and CTI

Threat Intelligence – How ATT&CK Can Help
▪ Use knowledge of adversary behaviors to inform defenders
▪ Structuring threat intelligence with ATT&CK allows us to…
– Compare behaviors
▪ Groups to each other
▪ Groups over time
▪ Groups to defenses
– Communicate in a common language

Communicate to Defenders
CTI Analyst: "THIS is what the adversary is doing! The Run key is AdobeUpdater."
Registry Run Keys / Startup Folder (T1060)
Defender: "Oh, we have Registry data, we can detect that!"

Communicate Across the Community
Company A: "APT1337 is using autorun"
Company B: "FUZZYDUCK used a Run key"
Registry Run Keys / Startup Folder (T1060)
CTI Consumer: "Oh, you mean T1060!"
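The two slides above make one point from both sides: an analyst's wording ("autorun", "a Run key", "the Run key is AdobeUpdater") and a defender's registry telemetry both resolve to the same ATT&CK technique, T1060. The following script is an added example, not code from the MITRE training materials. It normalizes report phrasing to the technique ID and runs a Run-key detection over registry value-set events. The event records are constructed samples shaped like Sysmon Event ID 13 (RegistryEvent: value set); the field names, the keyword list and the sample paths are assumptions for illustration.

```python
"""Map Run-key persistence observations to ATT&CK technique T1060.

Added example, not part of the MITRE training deck. Event records are
constructed samples in the shape of Sysmon Event ID 13 (value set); field
names (event_id, target_object, details, image) are assumptions, not a
vendor schema.
"""
import re
from typing import Dict, List, Optional

# Technique the slides cite for Run-key persistence (ID as printed there).
T1060 = "T1060"
T1060_NAME = "Registry Run Keys / Startup Folder"

# Phrases different teams use for the same behaviour; all map to T1060.
# The list itself is an assumption chosen for this example.
PHRASES_T1060 = ("run key", "autorun", "startup folder", "currentversion\\run")

# Registry paths that constitute Run-key persistence (case-insensitive).
# RunOnce is included because the technique covers it as well.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)


def map_report_text(text: str) -> Optional[str]:
    """Return the technique ID for a free-text CTI statement, or None."""
    lowered = text.lower()
    return T1060 if any(p in lowered for p in PHRASES_T1060) else None


def detect_run_key_sets(events: List[Dict]) -> List[Dict]:
    """Return ATT&CK-tagged findings for registry value-set events.

    Only value sets (event_id 13) whose target is a value under a Run or
    RunOnce key are reported; key creations and unrelated paths are ignored.
    """
    findings = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        target = ev.get("target_object", "")
        if not RUN_KEY_RE.search(target):
            continue
        findings.append({
            "technique": T1060,
            "technique_name": T1060_NAME,
            "value_name": target.rsplit("\\", 1)[-1],  # e.g. AdobeUpdater
            "command": ev.get("details", ""),
            "writer": ev.get("image", ""),
        })
    return findings


# Constructed sample telemetry (not real events; SID and paths are made up).
SAMPLE_EVENTS = [
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater",
     "details": r"C:\Users\Public\update.exe",
     "image": r"C:\Windows\System32\reg.exe"},
    {"event_id": 13,  # unrelated value set, must not be flagged
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)",
     "image": r"C:\Windows\explorer.exe"},
    {"event_id": 12,  # key created, not a value set, must not be flagged
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "details": "", "image": r"C:\Windows\System32\reg.exe"},
]


def run_demo():
    """Map the slide's report wording and scan the sample telemetry."""
    reports = ["APT1337 is using autorun", "FUZZYDUCK used a Run key",
               "Operator created a scheduled task"]
    mapped = {r: map_report_text(r) for r in reports}
    return mapped, detect_run_key_sets(SAMPLE_EVENTS)


if __name__ == "__main__":
    mapped, findings = run_demo()
    for report, technique in mapped.items():
        print(f"{technique or '-':6} {report}")
    for f in findings:
        print(f"{f['technique']} {f['technique_name']}: "
              f"{f['value_name']} -> {f['command']} (written by {f['writer']})")
```

The value of the shared ID shows in the output: both companies' statements and the defender's registry finding carry the same `T1060` tag, so they can be compared, counted and fed into the layer comparisons of Module 4 without anyone agreeing on vocabulary first.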

Process of Applying ATT&CK to CTI
Understand ATT&CK
Module 1
Map data to ATT&CK
Module 2 Module 3
Store & analyze ATT&CK-mapped data
Module 4
Make defensive recommendations from ATT&CK-mapped data
Module 5

End of Module 1