MITRE ATT&CK

Framework

Ali
Digitally signed
by Ali Ali
DN: c=LB,
st=Beirut, l=AA,

Ali
o=MISC, ou=ISC,
cn=Ali Ali
Date: 2024.08.31
08:21:44 +03'00'

A Ali Ali Ali Ali

MITRE ATT&CK Framework
Intro

• The MITRE ATT&CK framework is a comprehensive knowledge base

of adversary tactics and techniques based on real-world observations
• It helps SOC teams understand and anticipate cyber threats,
enhancing their ability to detect, respond to, and mitigate attacks

1. Introduction 6. Operationalizing ATT&CK

2. What is a “MITRE ATT&CK“ 7. Adversary Emulation

3. Benefits of Using ATT&CK

4. Mapping to ATT&CK

5. Analyzing ATT&CK Data

Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

• MITRE ATT&CK (Adversarial Tactics, Techniques, and Common

Knowledge) is a comprehensive framework that provides detailed
information about the tactics and techniques adversaries use to
infiltrate and operate within networks
• It serves as a knowledge base for understanding and categorizing
cyber threats

• Key Components:
1. Tactics: These are the high-level objectives or goals that adversaries
aim to achieve during an attack. Think of them as the “why” behind
an attack

2. Techniques: These are the specific methods adversaries use to achieve

their objectives. They represent the “how” of an attack Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

• Detailed Explanation with Examples

1. Tactics
Tactics are the stages of an attack lifecycle. Each tactic represents a
distinct goal that adversaries aim to accomplish
There are 14 tactics in the MITRE ATT&CK framework, including:
 Initial Access: How adversaries gain entry into a network
 Execution: How adversaries run malicious code
 Persistence: How adversaries maintain their foothold
 Privilege Escalation: How adversaries gain higher-level permissions
 Defense Evasion: How adversaries avoid detection
 Credential Access: How adversaries steal account credentials
Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

 Discovery: How adversaries gather information about the network

 Lateral Movement: How adversaries move through the network
 Collection: How adversaries gather data of interest
 Exfiltration: How adversaries steal data
 Command and Control: How adversaries communicate with
compromised systems

2. Techniques
Techniques are the specific actions adversaries take to achieve their goals
Each tactic can have multiple techniques associated with it
Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

Here are some examples:

 Phishing (T1566): Under the Initial Access tactic, phishing involves
sending deceptive emails to trick users into revealing sensitive
information or downloading malware
o Example: An attacker sends an email with a malicious
attachment that, when opened, installs malware on the victim’s
computer

 PowerShell (T1059.001): Under the Execution tactic, PowerShell is a

scripting language used to execute commands and scripts
o Example: An attacker uses a PowerShell script to download and
execute a payload from a remote server

Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

 Registry Run Keys / Startup Folder (T1547.001): Under the

Persistence tactic, this technique involves adding entries to the
Windows Registry or Startup folder to ensure malware runs on
system startup
o Example: Malware modifies the registry to include a new run
key that executes the malicious program every time the system
boots

 Credential Dumping (T1003): Under the Credential Access tactic,

credential dumping involves extracting account credentials from
operating systems and software
o Example: An attacker uses tools like Mimikatz to dump
password hashes from the memory of a compromised system

Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

 Remote Desktop Protocol (RDP) (T1021.001): Under the Lateral

Movement tactic, RDP is used to remotely control another
computer over a network
o Example: An attacker uses stolen credentials to access another
machine within the network via RDP

• Tools for Implementing MITRE ATT&CK

To effectively use the MITRE ATT&CK framework, various tools can be
employed:
 ATT&CK Navigator: A web-based tool for visualizing and mapping
techniques
 SIEMs (Security Information and Event Management): Tools like
Splunk, IBM QRadar, Wazuh, and ArcSight for log analysis and
correlation Ali Ali
MITRE ATT&CK Framework
What is MITRE ATT&CK?

 EDR (Endpoint Detection and Response): Tools like CrowdStrike

Falcon and Carbon Black for endpoint monitoring and response

 Threat Intelligence Platforms (TIPs): Such as MISP (Malware

Information Sharing Platform) for sharing and analyzing threat
data

 Adversary Emulation Tools: Such as CALDERA and Atomic Red

Team for simulating adversary behavior

Ali Ali
MITRE ATT&CK Framework
Benefits of Using The MITRE ATT&CK

1. Enhanced Threat Detection

 By mapping observed behaviors to ATT&CK techniques, SOC teams
can more accurately identify and respond to threats
 This mapping helps in recognizing patterns and understanding the
methods adversaries use, leading to more effective threat detection
 Example: Imagine a SOC team detects unusual PowerShell activity
on a network. By mapping this behavior to the ATT&CK technique
T1059.001 (PowerShell), they can identify it as a potential
execution technique used by adversaries. This insight allows the
team to investigate further, uncovering a script that downloads and
executes malware from a remote server

Ali Ali
MITRE ATT&CK Framework
Benefits of Using The MITRE ATT&CK

 Tools:
o SIEMs (e.g., Splunk, Wazuh): For correlating logs and detecting
suspicious activities
o EDR (e.g., CrowdStrike Falcon, Carbon Black): For monitoring
and responding to endpoint activities

2. Improved Incident Response

 ATT&CK provides a common language for describing adversary
behavior, which enhances communication and coordination during
incident response
 This standardized approach ensures that all team members and
stakeholders understand the nature of the threat and the necessary
steps to mitigate it
Ali Ali
MITRE ATT&CK Framework
Benefits of Using The MITRE ATT&CK

 Example: During an incident, the SOC team identifies that the

adversary is using credential dumping (T1003) to extract
passwords. By referencing the ATT&CK framework, they can
quickly communicate this technique to other teams, such as IT and
management, ensuring everyone understands the threat and can
take appropriate actions, like resetting passwords and
strengthening access controls
 Tools:
o Incident Response Platforms (e.g., TheHive, IBM Resilient): For
managing and coordinating incident response activities
o Threat Intelligence Platforms (e.g., MISP): For sharing and
analyzing threat data

Ali Ali
MITRE ATT&CK Framework
Benefits of Using The MITRE ATT&CK

3. Proactive Defense
 Understanding adversary tactics allows SOC teams to develop
proactive defense measures and threat hunting strategies
 By anticipating the methods adversaries might use, teams can
implement controls and monitoring to detect and prevent attacks
before they cause significant damage

 Example: A SOC team uses the ATT&CK framework to study

common tactics and techniques used by ransomware groups. They
identify that these groups often use lateral movement techniques
like Remote Desktop Protocol (RDP) (T1021.001). To proactively
defend against this, the team implements stricter RDP access
controls, monitors RDP traffic for anomalies, and conducts regular
threat hunts to identify any unauthorized RDP usage
Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

• Mapping to ATT&CK involves aligning observed adversary behaviors

with specific ATT&CK techniques
• This process helps SOC teams understand the methods used by
adversaries and plan appropriate defenses
1. Aligning Observed Behaviors
 When a SOC team detects suspicious activity, they can map these
behaviors to specific techniques in the ATT&CK framework
 This mapping helps in identifying the tactics and techniques used
by adversaries, providing a clearer picture of the attack
 Example: Suppose a SOC team observes unusual PowerShell
activity on a network. By mapping this behavior to the ATT&CK
technique T1059.001 (PowerShell), they can identify it as a
potential execution technique used by adversaries. This insight
allows the team to investigate further and understand the context
of the activity Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

2. Understanding Adversary Methods

 Mapping behaviors to ATT&CK techniques helps in understanding
the adversary’s methods. This understanding is crucial for
developing effective defenses and response strategies

 Example: If an adversary uses credential dumping to extract

passwords, this can be mapped to the ATT&CK technique T1003
(Credential Dumping). By recognizing this technique, the SOC
team can implement specific defenses, such as monitoring for
unusual access to credential stores and deploying tools to detect
and prevent credential dumping

Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

• Tools for Mapping to ATT&CK

1. ATT&CK Navigator
 ATT&CK Navigator is a web-based tool that allows SOC teams to
visualize and map techniques. It provides an interactive interface
for exploring the ATT&CK framework and creating custom views of
techniques relevant to specific threats or environments

 Example: A SOC team can use ATT&CK Navigator to create a

heatmap of techniques observed in recent incidents. This
visualization helps in identifying the most frequently used
techniques and prioritizing defenses accordingly

Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

2. Threat Intelligence Platforms (TIPs)

 Threat Intelligence Platforms (TIPs), such as MISP (Malware
Information Sharing Platform), are used to collect, analyze, and
share threat intelligence. These platforms can integrate with the
ATT&CK framework to map observed behaviors to specific
techniques

 Example: A SOC team uses MISP to collect threat intelligence from

various sources. When they receive information about a new
malware campaign, they can map the observed behaviors to
ATT&CK techniques using MISP’s integration with the ATT&CK
framework. This mapping helps in understanding the campaign’s
methods and planning appropriate defenses

Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

• Examples of Mapping to ATT&CK

1. Example 1: Phishing Campaign
 Observed Behavior: An email with a malicious attachment is
detected

 Mapped Technique: T1566 (Phishing)

 Response: The SOC team can implement email filtering rules,

educate users about phishing, and monitor for similar emails

Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

2. Example 2: Lateral Movement

 Observed Behavior: Unauthorized use of Remote Desktop Protocol
(RDP)

 Mapped Technique: T1021.001 (Remote Desktop Protocol)

 Response: The SOC team can restrict RDP access, monitor RDP
traffic, and use multi-factor authentication

Ali Ali
MITRE ATT&CK Framework
Mapping to ATT&CK

3. Example 3: Data Exfiltration

 Observed Behavior: Large volumes of data being transferred to an
external server

 Mapped Technique: T1041 (Exfiltration Over C2 Channel)

 Response: The SOC team can monitor network traffic for unusual
data transfers, implement data loss prevention (DLP) tools, and
block suspicious outbound connections

Ali Ali
MITRE ATT&CK Framework
Analyzing ATT&CK Data

• Analyzing ATT&CK data involves examining the techniques used by

adversaries to identify patterns and trends
• This process helps SOC teams understand the methods and behaviors
of attackers, enabling them to enhance their defenses and response
strategies
1. Identifying Patterns and Trends
 By analyzing ATT&CK data, SOC teams can identify common
techniques used by different adversaries. This analysis helps in
recognizing patterns and trends, which can be crucial for
predicting and preventing future attacks
 Example: Suppose a SOC team analyzes past incidents and finds
that multiple adversaries have used the technique Credential
Dumping (T1003) to extract passwords. This pattern indicates that
credential dumping is a popular method among attackers,
prompting the team to strengthen their defenses against this
technique Ali Ali
MITRE ATT&CK Framework
Analyzing ATT&CK Data

2. Examining Techniques
 Analyzing specific techniques involves looking at how adversaries
execute their attacks. This examination helps in understanding the
intricacies of each technique and the potential impact on the
organization

 Example: If an adversary uses PowerShell (T1059.001) for

execution, the SOC team can analyze the specific commands and
scripts used. This analysis helps in identifying the intent behind the
attack and the potential damage it could cause

Ali Ali
MITRE ATT&CK Framework
Analyzing ATT&CK Data

• Tools for Analyzing ATT&CK Data

1. Wazuh is a comprehensive security platform that provides capabilities
for threat detection, log analysis, and compliance management
 It allows SOC teams to collect, analyze, and correlate log data
from various sources, helping them identify suspicious activities
and map them to ATT&CK techniques

 Example: A SOC team uses Wazuh to monitor logs from different

endpoints and servers. They configure Wazuh to detect
unauthorized file changes. By correlating these logs with other
data, they can determine if the file changes are part of a larger
attack and map it to the ATT&CK technique T1070.004 (Indicator
Removal on Host)

Ali Ali
MITRE ATT&CK Framework
Analyzing ATT&CK Data

 Steps:
o Collect Logs: Gather logs from endpoints, servers, and network
devices using Wazuh agents

o Create Detection Rules: Develop rules in Wazuh to identify

specific activities, such as unauthorized file changes

o Correlate Data: Correlate the identified activities with other

logs to understand the context

o Map to ATT&CK: Map the correlated data to ATT&CK

techniques to identify patterns and trends
Ali Ali
MITRE ATT&CK Framework
Analyzing ATT&CK Data

2. Elastic Stack (ELK), which includes Elasticsearch, Logstash, and Kibana,

is another powerful tool for searching, analyzing, and visualizing log
data
 It helps SOC teams to process large volumes of data and gain
insights into adversary behaviors

 Example: A SOC team uses ELK to analyze network traffic logs.

They set up Logstash to ingest logs, Elasticsearch to index and
search the data, and Kibana to visualize the results. By creating
visualizations and dashboards, they can identify unusual network
activities and map them to ATT&CK techniques

Ali Ali
MITRE ATT&CK Framework
Analyzing ATT&CK Data

 Steps:
o Ingest Logs: Use Logstash to collect and process logs from
various sources
o Index Data: Store the processed logs in Elasticsearch for fast
searching
o Create Visualizations: Use Kibana to create visualizations and
dashboards to identify patterns.
o Map to ATT&CK: Map the identified patterns to ATT&CK
techniques to understand adversary behaviors

Ali Ali
MITRE ATT&CK Framework
Operationalizing ATT&CK

• Operationalizing ATT&CK involves integrating the ATT&CK

framework into daily SOC operations to enhance alerting, detection,
and response processes
• This integration helps SOC teams to systematically identify and
respond to threats using a structured approach based on known
adversary tactics and techniques

1. Integrating ATT&CK into Daily Operations

 Operationalizing ATT&CK means embedding the framework into
the core functions of a SOC, such as monitoring, alerting, and
incident response
 This integration ensures that the SOC team can leverage the
comprehensive knowledge provided by ATT&CK to improve their
security posture
Ali Ali
MITRE ATT&CK Framework
Operationalizing ATT&CK

 Example: A SOC team integrates ATT&CK into their SIEM system to

create detection rules based on specific techniques
 For example, they might create a rule to detect the use of
PowerShell for malicious purposes, mapped to ATT&CK technique
T1059.001 (PowerShell)

2. Creating Detection Rules

 Creating detection rules involves defining specific conditions that,
when met, trigger alerts
 These rules are based on ATT&CK techniques and help in
identifying suspicious activities that align with known adversary
behaviors

Ali Ali
MITRE ATT&CK Framework
Operationalizing ATT&CK

 Example: The SOC team uses Splunk to create a detection rule for
identifying instances of credential dumping (T1003). They
configure the rule to trigger an alert whenever there is an attempt
to access the LSASS process memory, which is a common method
for extracting credentials
 Steps:
o Identify Techniques: Determine which ATT&CK techniques are
relevant to your environment
o Define Conditions: Specify the conditions that indicate the use
of these techniques
o Create Rules: Implement these conditions as detection rules in
your SIEM or EDR tools
o Test and Refine: Test the rules to ensure they accurately detect
the intended activities and refine them as needed
Ali Ali
MITRE ATT&CK Framework
Operationalizing ATT&CK

3. Enhancing Alerting and Response

 By mapping alerts to ATT&CK techniques, SOC teams can
prioritize and respond to incidents more effectively

 This mapping provides context to alerts, helping analysts

understand the potential impact and required response actions

 Example: An alert is generated in IBM QRadar for unusual network

traffic patterns that match the ATT&CK technique T1071
(Application Layer Protocol). The SOC team investigates and finds
that the traffic is part of a command and control (C2)
communication. They respond by blocking the malicious IP
addresses and isolating the affected systems
Ali Ali
MITRE ATT&CK Framework
Operationalizing ATT&CK

 Steps:
o Map Alerts to Techniques: Ensure that alerts generated by
detection rules are mapped to specific ATT&CK techniques
o Prioritize Alerts: Use the context provided by ATT&CK to
prioritize alerts based on the severity and potential impact
o Investigate and Respond: Follow a structured response process
to investigate and mitigate the threat

• Tools for Operationalizing ATT&CK

1. SIEMs (Security Information and Event Management)
2. EDR (Endpoint Detection and Response)
Ali Ali
MITRE ATT&CK Framework
Adversary emulation

• Adversary emulation involves simulating the tactics, techniques, and

procedures (TTPs) of real-world adversaries to test and improve an
organization’s defenses
• This practice helps SOC teams understand how well their security
measures can detect, prevent, and respond to actual attacks

1. Simulating Adversary Tactics and Techniques

 Adversary emulation involves using known adversary behaviors to
simulate attacks
 This simulation helps in identifying gaps in defenses and improving
detection and response capabilities

Ali Ali
MITRE ATT&CK Framework
Adversary emulation

 Example: A red team simulates an attack that mimics the behavior

of a known threat actor. They use Remote Desktop Protocol (RDP)
(T1021.001) for lateral movement within the network. This
simulation tests the organization’s ability to detect and respond to
such activities

2. Testing and Improving Defenses

 By emulating adversary tactics, SOC teams can test their defenses
in a controlled environment. This testing helps in identifying
weaknesses and improving security measures
 Example: During an adversary emulation exercise, the red team
uses PowerShell (T1059.001) to execute malicious scripts. The SOC
team monitors the activity and assesses their ability to detect and
respond to the PowerShell execution. Based on the results, they
refine their detection rules and response procedures
Ali Ali
MITRE ATT&CK Framework
Adversary emulation

• Tools for Adversary Emulation

1. CALDERA
 CALDERA is an automated adversary emulation system developed
by MITRE
 It uses the ATT&CK framework to simulate adversary behaviors
and test defenses

 Example: A SOC team uses CALDERA to simulate a phishing attack

(T1566). CALDERA automates the delivery of phishing emails and
tracks the responses. The SOC team analyzes the results to
understand how well their email filtering and user training
programs are working

Ali Ali
MITRE ATT&CK Framework
Adversary emulation

 Steps:
o Set Up Scenarios: Define the adversary behaviors to be
simulated, such as phishing or lateral movement

o Run Simulations: Use CALDERA to automate the execution of

these behaviors

o Analyze Results: Review the outcomes to identify detection and

response gaps

o Improve Defenses: Implement changes based on the findings to

enhance security measures
Ali Ali
MITRE ATT&CK Framework
Adversary emulation

2. Atomic Red Team

 Atomic Red Team is a library of simple tests mapped to ATT&CK
techniques

 It allows SOC teams to execute specific adversary behaviors to test

their defenses

 Example: A SOC team uses Atomic Red Team to test their detection
capabilities for Credential Dumping (T1003). They run a test that
simulates the extraction of credentials from the LSASS process. The
team monitors their SIEM and EDR tools to ensure that the activity
is detected and generates appropriate alerts

Ali Ali
MITRE ATT&CK Framework
Adversary emulation

 Steps:
o Select Tests: Choose relevant tests from the Atomic Red Team
library that match the techniques you want to simulate

o Execute Tests: Run the tests on your network or endpoints

o Monitor and Analyze: Observe the detection and response

mechanisms in place

o Refine Defenses: Make necessary adjustments to improve

detection and response based on the test results
Ali Ali
It’s NOT BUSINESS, It’s Very PERSONAL
Questions

Ali Ali

Ali Ali