What is the ATT&CK® framework? According to the website, MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked to emulated adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.
The ATT&CK® framework has grown and expanded throughout the years. One notable expansion was that the framework focused solely on the Windows platform but has expanded to cover other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note this is not only a tool for blue teamers. The tool is also useful for a penetration tester and/or red teamer.
If you havent done so, navigate to the ATT&CK® website.
Direct your attention to the bottom of the page to view the ATT&CK® Matrix for Enterprise. Across the top of the matrix, there are 14 categories. Each category contains the techniques an adversary could use to perform the tactic. The categories cover the seven-stage Cyber Attack Lifecycle (credit Lockheed Martin for the Cyber Kill Chain).
Under Initial Access, there are 9 techniques. Some of the techniques have sub-techniques, such as Phishing.
If we click on the gray bar to the right, a new layer appears listing the sub-techniques.
To get a better understanding of this technique and its associated sub-techniques, click on Phishing.
We have been directed to a page dedicated to the technique known as Phishing and all related information regarding the technique, such as a brief description, Procedure Examples, and Mitigations.
You can alternatively resort to using the Search feature to retrieve all associated information regarding a given technique, sub-technique, and/or group.
Lastly, the same data can be viewed via the MITRE ATT&CK® Navigator: The ATT&CK® Navigator is designed to provide basic navigation and annotation of ATT&CK® matrices, something that people are already doing today in tools like Excel. Weve designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do.
You can access the Navigator view when visiting a group or tool page. The ATT&CK® Navigator Layers button will be available.
In the sub-menu select view.
Lets get acquainted with this tool. Click here to view the ATT&CK® Navigator for Carbanak.
At the top left, there are 3 sets of controls: selection controls, layer controls, and technique controls. I encourage you to inspect each of the options under each control to get familiar with them. The question mark at the far right will provide additional information regarding the navigator.
To summarize, we can use the ATT&CK Matrix to map a threat group to their tactics and techniques. There are various methods the search can be initiated.
The questions below will help you become more familiar with the ATT&CK®. It is recommended to start answering the questions from the Phishing page. Note, that this link is for version 8 of the ATT&CK Matrix.
Answer the questions below
Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)?
How to: You can find this answer in the second paragraph above.
Answer: Nay
What is the ID for this technique?
How to: The last paragraph recommands you to start at the Phishing page, this is the technique it is talking about. Once you are on the page, on the right hand side you will see a box with information in it, inside of the box is the ID and the answer to this question.
Answer: T1566
Hint: https://attack.mitre.org/versions/v8/techniques/T1566/
Based on this technique, what mitigation covers identifying social engineering techniques?
How to: Staying on the Phishing page, scroll down till you see the table labeled Mitigation. Then read through till you find which mitigation covers social engineering techniques. This is the answers.
Answer: User Training
There are other possible areas for detection for this technique, which occurs after what other technique?
How to: It took me a while to figure this out and find it, the question is worded very odd. But the hint is a URL so if you go to that site then the answer can be found in the final paragraph of Detection.
Answer: User Execution
Hint: https://attack.mitre.org/versions/v8/techniques/T1566/
What group has used spear phishing in their campaigns?
How to: Stay on the page that TryHackMe gave you in the previous question as a hint (https://attack.mitre.org/versions/v8/techniques/T1566/). Scroll to Procedure Example, the answer is one of the names in Procedure Example.
Answer: Dragonfly
Based on the information for this group, what are their associated groups?
How to: This question is based off of the answer of the previous question. Click on the group to go to it's MITRE page, once there on the right side of the screen will be a box. Inside the box is the Associated Groups, copy them and paste in the answer.
Answer: TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear
What tool is attributed to this group to transfer tools or files from one host to another within a compromised environment?
How to: Scroll down till you see the Software catergory, look through and read the descriptions till you find which one can transfer tools and files. This will be your answer.
Answer: PsExec
Based on the information about this tool, what group used a customized version of it?
How to: Click on the tool that was the answer for the previous question. This will take you to that tool's page, scroll down till you see Groups That Use This Software. Look through the groups and their descriptions to see who uses the customized version of the tool.
Answer: FIN5
This group has been active since what year?
How to: Click on the Group that was the answer for the previous question. You will be brought to the Groups page, in the desription paragraph at the top of the page will have the answer to this question.
Answer: 2008
Instead of Mimikatz, what OS Credential Dumping tool does this group use?
How to: Staying on this page scroll down till you see the Software category, look through the different software this group uses till you find the one that does OS Credential Dumping tool that is not Mimikatz. This is your answer.
Answer: Windows Credential Editor