Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:00
Hello and welcome to lesson one dot to dot to
00:04
and this lesson, we're gonna talk about the miter attack framework.
00:08
The miter is a federally funded nonprofit company, and their stated mission is to solve problems for a safer world.
00:16
Now the miter organization is involved in a lot of different things. But one of the things that they do is if created this attack framework, which is essentially just a matrix of different attacker tactics and techniques.
00:29
So if you think about a grid that shows all of the different Attackers that the different threat actors, they're actually identified and all of the techniques that those Attackers use,
00:40
the idea behind this matrix is that you can use it to identify who or what is going on in your environment. So, for example, if you have the signature of a certain threat actor in your environment that you find that someone's been tampering with your environment, you think you know who it is.
00:56
Then you can go look this threat actor up, and you can see all of the techniques that they use
01:00
so you can maybe get in front of the net. They're next steps. You can get in front of the attack and maybe stop it or vice versa. If you see a specific signature, Ah, certain tactic was used. You can go look that tactic up, and you can reverse engineer into who that threat actor might be,
01:18
and then go look at what their other tactics are. So again, you can get in front of it.
01:23
And before we show you the miter attack framework, let's first talk about the cyber kill chain.
01:30
Now the idea of a kill chain has been around in warfare for a while, but the idea of a cyber killed chain was introduced by Lockheed Martin not too long ago.
01:40
The cyber kill chain is just a series of steps that an attacker has to take
01:45
to get to their objective. So if the Attackers trying to take down your environment, there's a series of steps that they need to do to be able to take down that environment, it's broken up into very general steps for any type of attack.
01:57
The first thing that any attacker needs to do is reconnaissance that could be in the form of port scanning, looking for vulnerabilities on your perimeter. It could be calling different phone numbers in your organization, trying to get intelligence.
02:10
It could be doing linked in searches to find out who the major players are in the organization to try to exploit those people.
02:17
It's just information gathering.
02:21
Once the information is gathered, it's turned into a weapon, and the best way to think about this is in terms of malware. It's not always the case, but it's the most common. So well, that's what we'll talk about the rest of this kill chain.
02:34
We've taken all of the information that we learned during the reconnaissance face, and we created a piece of malware with it.
02:39
Now we need to deliver it.
02:42
That delivery mechanism can be, you know, the most common one again is fishing. I'm going to send you an email. It's gonna have a link in it or an attachment. And if you click the link or open the attachment, that's how I'm going to deliver my malware to you.
02:55
Once I've delivered it, that malware, when you click it, it's gonna exploit some vulnerability. It has to be able to exploit some vulnerability on the system to be able to be around in your environment.
03:07
Once it exploits a vulnerability, it's gonna install itself on your system.
03:13
And then it's going to start calling back to the mother ship. Not all the time, but a lot of times. Malware
03:19
calls back for further instructions. Some our is hard coded so that it it just executes a certain thing, and that's all it does. Other malware is coated to call back for instructions so it can maintain persistence in your environment. This is especially the case when you're talking about advanced, persistent threats or A Pts
03:38
getting into the environment is the first part. But then there's some lateral movement that needs to happen in the environment, so the attacker can understand what steps they want to take next. So they need to maintain that persistence, and that's what commanding control is all about.
03:52
And then finally, there's the act on objectives, and that's just exactly what it sounds like. That's executing whatever it is. That was the objective to begin with. If the objective was to take down the website, this is when the website goes down. If it was to still data, this is when the data stolen.
04:06
So now that we understand this killed chain. Let's take a look at how that looks in the minor attack framework.
04:14
What you're looking at here is the enterprise matrix for minor attack framework. And essentially, what we're dealing with is across the top, we've got a series of categories initial access, execution, persistence and so forth
04:27
and in top to bottom or list of tactics or techniques within each of those categories.
04:32
So if we wanted to take a look at, for example, let's see all of the initial actor access techniques that involved exploiting a public facing application,
04:43
we could click into this category and we get more details.
04:46
We have a little blurb about it in the beginning, talks a little bit about what that exploit is and what it means. We have some examples. So in this case, Axiom has been observed using sequel injection to gain access to systems.
05:00
And then we have some mitigation steps we can take to mitigate that particular. That particular technique,
05:08
any of these we click into is going to drill down and give us even more information. Same kind of a set up where we have a little bit at the top and then all of the different
05:16
categories.
05:18
We can also look at groups. Now. We go into groups, these air specific threat actors. So these air entities out there that are known Attackers
05:30
human Attackers are just human beings right there, made up of a bunch of human beings. Human beings have tendencies. They tend to do the same thing over and over, especially if an attacker has developed a certain technique that's worked successfully.
05:44
They're gonna be very likely to continue to use that same technique because that's a lot more efficient than inventing some completely new technique
05:50
every time you do a different attack.
05:54
That's how a matrix like this is even created. It's because those human being threat actors do the same things over and over again
06:02
so we can click into any of these threat groups. Let's take a look at, say, a P T one, and we can get more details, so this particular one is ah, threat Group That's attributed Teoh China
06:13
and a PT remembers advanced, persistent threats. So we know that's associated with a nation state.
06:20
We can see all of the different text techniques that this particular attacker uses. We can see that you know this particular does domain registration. Hijacking used dynamic DNS is part of their pre attack. You know, they use account, directory and command line interface techniques once they get into the environment,
06:39
would click on any of these particular techniques. And again, it brings us to the same sort of format where we can see a blurb about it. We can see some examples, and then there's some mitigation steps at the end.
06:53
So this wraps up our talk on the miter attack framework. Next, we're gonna talk about malware in less than 1.3.

Up Next

Infrastructure Security

This course will cover the concepts needed to identify and prevent threats across an enterprise environment. The course content will cover the practical application of security principles, models, and technology covered in previous courses.

Instructed By

Instructor Profile Image
Scott Russ
Security Architect at Nerdery
Instructor