MITRE


Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
>> Hello and welcome to Lesson 1.2.2. In this lesson we're going to talk about the MITRE ATT&CK framework. Now MITRE is a federally funded non-profit company and their stated mission is to solve problems for a safer world. Now the MITRE organization is involved in a lot of different things, but one of the things that they do is they've created this ATT&CK framework, which is essentially just a matrix of different attacker tactics and techniques. If you think about a grid that shows all of the different attackers, the different threat actors they've actually identified, and all of the techniques that those attackers use.

The idea behind this matrix is that you can use it to identify who or what is going on in your environment. For example, if you find the signature of a certain threat actor in your environment, and someone has been tampering with your environment and you think you know who it is, then you can go look this threat actor up and you can see all of the techniques that they use, so you can maybe get in front of their next steps. You can get in front of the attack and maybe stop it, or vice versa. If you see a specific signature that a certain tactic was used, you can go look that tactic up and you can reverse engineer into who that threat actor might be, and then go look at what their other tactics are, so again, you can get in front of it.

Before we show you the MITRE ATT&CK framework, let's first talk about the cyber kill chain. Now the idea of a kill chain has been around in warfare for a while, but the idea of a cyber kill chain was introduced by Lockheed Martin not too long ago. The cyber kill chain is just a series of steps that an attacker has to take to get to their objective. If the attacker is trying to take down your environment, there's a series of steps that they need to do to be able to take down that environment. It's broken up into very general steps for any type of attack.

The first thing that any attacker needs to do is reconnaissance. That can be in the form of port scanning, looking for vulnerabilities on your perimeter. It could be calling different phone numbers in your organization trying to get intelligence. It could be doing LinkedIn searches to find out who the major players are in the organization to try to exploit those people. It's just information gathering.

Once the information is gathered, it's turned into a weapon. The best way to think about this is in terms of malware. It's not always the case, but it's the most common. That's what we'll talk about for the rest of this kill chain. We've taken all of the information that we learned during the reconnaissance phase and we've created a piece of malware with it. Now we need to deliver it. That delivery mechanism can vary, but the most common one, again, is phishing. I'm going to send you an email, it's going to have a link in it or an attachment, and if you click the link or open the attachment, that's how I'm going to deliver my malware to you.

Once I've delivered it, that malware, when you click it, is going to exploit some vulnerability. It has to be able to exploit some vulnerability on the system to be able to be around in your environment. Once it exploits a vulnerability, it's going to install itself on your system. Then it's going to start calling back to the mothership. Not all the time, but a lot of times malware calls back for further instructions. Some malware is hard-coded so that it just executes a certain thing and that's all it does. Other malware is coded to call back for instructions so it can maintain persistence in your environment. This is especially the case when you're talking about advanced persistent threats, or APTs.

Getting into the environment is the first part. But then there's some lateral movement that needs to happen in the environment so the attacker can understand what steps they want to take next, so they need to maintain that persistence, and that's what command and control is all about.

Then finally, there's the act on objectives. That's just exactly what it sounds like. That's executing whatever it is that was the objective to begin with. If the objective was to take down the website, this is when the website goes down. If it was to steal data, this is when the data's stolen.

Now that we understand this kill chain, let's take a look at how that looks in the MITRE ATT&CK framework. What you're looking at here is the enterprise matrix from the MITRE ATT&CK framework. Essentially, what we're dealing with is, across the top, a series of categories: initial access, execution, persistence, and so forth. From top to bottom, a list of tactics or techniques within each of those categories.

If we wanted to take a look at, for example, all of the initial access techniques that involve exploiting a public-facing application, we can click into this category and we get more details. We have a little blurb about it in the beginning. It talks a little bit about what that exploit is and what it means. We have some examples. In this case, Axiom has been observed using SQL injection to gain access to systems. Then we have some mitigation steps we can take to mitigate that particular technique. Any of these we click into is going to drill down and give us even more information. Same setup, where we have a little bit at the top and then all of the different categories.

We can also look at groups. Now when we go into groups, these are specific threat actors. These are entities out there that are known attackers. Attackers are just human beings. They're made up of a bunch of human beings. Human beings have tendencies. They tend to do the same thing over and over, especially if an attacker has developed a certain technique that's worked successfully; they're going to be very likely to continue to use that same technique because that's a lot more efficient than inventing some completely new technique every time you do a different attack. That's how a matrix like this is even created; it's because those human-being threat actors do the same things over and over again.

We can click into any of these threat groups. Let's take a look at, say, APT1, and we can get more details. This particular one is a threat group that's attributed to China. APT, remember, is advanced persistent threat. We know that's associated with a nation-state. We can see all of the different techniques that this particular attacker uses. We can see that this particular group does domain registration hijacking. They use Dynamic DNS as part of their pre-attack. They use account directory and command line interface techniques once they get into the environment. We click on any of these particular techniques, and again, it brings us to the same format where we can see a blurb about it. We can see some examples, and then there's some mitigation steps at the end.

This wraps up our talk on the MITRE ATT&CK framework. Next, we're going to talk about malware in lesson 1.3.