MITRE ATT&CK
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that helps model the tactics and techniques used by cyber adversaries, as well as understand how to detect and stop them.
CTI: SEARCHING FOR POTENTIAL ATTACKER GROUPS
Go to the MITRE ATT&CK groups page
UNDERSTANDING THE INFORMATION
ID: The identifier MITRE assigns to the group. Other vendors use their own naming schemes (names derived from the associated country, an animal, etc.), which is why the same group appears under several names.
Name: The group's name.
Associated Groups: A list of additional names or designations associated with the group.
Description: A brief description of the group, including the sectors and countries they target.
IDENTIFYING POTENTIAL ATTACKER GROUPS
To do this, simply use your browser's "search" (find in page) function to list all groups associated with your sector (here: telecommunications).
Then, create a table with the important information seen earlier.
Example:
MATRIX: IDENTIFYING TECHNIQUES USED
Now that the attacker groups are identified and prioritized, simply go to their dedicated page. In this article, we will use G1007, even though it is not classified as P1 according to our scale.
UNDERSTANDING THE INFORMATION
Domain:
Enterprise includes techniques used for Windows, macOS, Linux, PRE, Office Suite, Identity Provider, SaaS, IaaS, Network, and Containers platforms.
Mobile includes techniques used against Android and iOS.
ICS is dedicated to industrial systems.
ID: A technique describes how an adversary achieves a tactical goal by performing an action. In the ID, the number before the dot identifies the parent technique and the number after the dot identifies the sub-technique used.
Example: Active Scanning has three sub-techniques: Scanning IP Blocks, Vulnerability Scanning, and Wordlist Scanning.
Name: The name of the technique.
Use: How the group has been observed using the technique.
IDENTIFYING PROTECTIONS BY TECHNIQUE
Now that you’ve identified which techniques concern your company, it’s necessary to review the available protection measures.
For this, select each identified technique and visit its dedicated page. You will find sections titled:
Mitigations: Contains mitigation measures that can be used to prevent the execution of a technique or sub-technique.
Detection: Contains detection measures that can be used to spot the execution of a technique or sub-technique.
Example of result:
MATRIX: IDENTIFYING SOFTWARE
On the same page as before, there is also a table dedicated to the software used by attackers.
As with techniques, create a dedicated table:
NAVIGATOR: MAPPING
Now that we have some nice tables, it’s time to create a more visual mapping to determine what should be managed as a priority.
For this, we will use the ATT&CK Navigator.
CASE 1: ONE GROUP ONLY
Let’s assume you're in an ideal case where only one group is targeting you (or you’re creating a map dedicated to this attacker in your infrastructure following a compromise).
Go to the group's dedicated page.
Click on the "ATT&CK Navigator Layers" button.
Click on "view".
CASE 2: MULTIPLE GROUPS
Select "Create New Layer".
Choose the desired domain (Enterprise, Mobile, ICS).
In the "Threat Group" section, select the groups you previously identified.
Click on "Layer Controls".
Fill in the details.
EXPORTING THE MAP
To export the map you created:
Choose your unit of measurement (1).
Select the paper size and orientation (2).
Choose the information to display (3).
Start the download (4).
Example result: