8 hours 28 minutes

Video Transcription

hello and welcome to another application of the minor attack framework discussion today we're going to briefly look at where is the minor attack from work being used to? This is just a very short discussion, So let's dive right in.
So first and foremost minor is being used with red teams, and the way that they're using this is that it can be used or that they can use the framework as a common ground for communication and research. And so it's a standard that's been put together by a very smart group of people.
And instead of reinventing the will and trying to figure out
how to explain different attack vectors or how to lay out, you know, the different threat groups or how to discuss deterrents or detection or mitigation factors,
the framework does that. Now the great thing about this for Red teams is that it gives us a methodology of essentially step one to step 100 so we can start off in the initial access and go all the way through to impact at the end of the frame. Working within that,
we've got potential vectors within each of those
where we contest a system or set of controls. And so the great thing about that is
again, we don't have to think up all of the different areas. Now. There is some element of creativity that comes into things like penetration, testing and what have you. But it definitely has been official for a Red team member to be able to sit down,
look at a particular software that's maybe been implemented for either detection or prevention measures
and then going Okay,
what areas this is really protected against. What can I do? What mitigating factors do we have in place, and are they working? And can I circumvent this?
Now? That kind of falls into using the framework is a common grounds for training. So if I have a new penetration tester that's a part of my team I can use. That framework is kind of a a boot camp to show them OK here the different ways that we could potentially gain initial access in here, the tools associated with
these vectors and the things that we can do,
and I can build ah framework for training around the attack framework that makes sense,
and then they can use the framework is a guide for system testing, so we already talked about that briefly. But essentially, if I have unturned all system, if I have an external system like a firewall that we want to test or if we've got email protections that we want to test,
I can line up different areas of the framework
with those particular systems and then say OK, I'm going to start at initial access here with the email server and we're gonna try spear phishing links, and we're going to see if the email server mitigates that we're going to see if the users catch. Then if we get on the system,
then you know that success and we're good together. We weren't able Teoh detect that. Maybe we need to make some modifications. But
if it is detected, how did we respond? What did we do? Etcetera. So the framework definitely lends itself to help in red teams.
Now we can't make a mention of red teams without talking about blue teams as well. And so, with Blue team's again, the framework is used to identify common attack vectors, not reinventing the wheel. Blue teams can use this framework to start to understand where their organizations have gaps in their controls
or in the security systems that they're using again,
solutions are not. The answer is faras like software solutions or intrusion prevention or detection systems. It's not a one stop shop with respect to protecting infrastructure, protecting a business, protecting data, whatever it is that you're trying to accomplish,
there's always going to be some kind of gap or some type of risk that you will ultimately have to accept. And so
being able to use this framework to identify the areas that would be most likely on entry point into your network and an attack vector
versus the things that are least likely, And then you know you can do minimal Oh, are you know, barely any controls around that This definitely would eight itself in doing that, and then you could use the framework to potentially backtrack and find a point of entry. So again
things happen. Maybe we get an alert, are some solution, provides us with some kind of feedback. Or maybe we get a hit off the firewall that something has happened. We can then look at the signs or symptoms and say, Oh, this is indicative of this particular tool or this particular threat group for this particular person,
it looks like they just got access to the system.
What would be some ways that they would laterally move through? Where do we need to start focusing and what do we need to do next?
Framework definitely can provide some insights and capability there. So if you get to unfortunately the point where system becomes encrypted,
that's kind of being that's impact.
So how can we work back to find, if if, anyway,
the initial point of entry and what the threat actor did up to that point? Unfortunately, you know their own actors are pretty good about clearing logs and making sure that they try to cover their tracks if they're being sneaky.
So it may be difficult or impossible to find those things unless you had solutions in place that stored log information. And then from that point, you could do some review of that information and then potentially tracking all the way back to the initial email or whatever the case may be,
And then they could use the framework to assist in the implementation of compensating or mitigating controls. And so that's kind of been. The mantra that we've discussed between both red teams
and blue teams is that
you can use this framework these air common attack vectors, common attack areas and ways that each of these phases that threat actors air, getting into systems, damaging systems and laterally moving through systems.
So again you could start mapping controls and mitigating factors into your overall security posture. By using the framework again,
you could implement every control
across the board in every one of these categories and every one of these attack vectors. It doesn't mean that you eliminate all risk. Red actors are constantly changing their tune and capability and their always evolving. So
you know, it's about finding the most high risk assets and the most high impact areas for the organization. And then looking at the potential ways that a threat ack trick again access to that system and then applying those mitigating compensating controls as well as the detection pieces so that you could,
if those things fail,
see one of threat actors on a system.
Now we have to mention vendors in all of this, and it's definitely something that we've started to see. Vendors using to kind of square up their solutions or software's against here, the areas within the minor attack framework that we provide these protections. And here's what we defend against.
And so it allows a vendor to clearly define where their solution provides prevention or detection measures. Which is great
because I've seen vendors that have provided a solution that say we protect against network intrusion.
Okay, of what type of what kind, in what ways, from what vectors, what measures? So it allows consumers
to know if a product is overlapping with another. I've seen in point detection Softwares that also provide an of IRS capability and on organization will run a standalone antivirus
and this in point detection product that does some type of monitoring above and beyond what normal animals would do
well, that's an overlapping capability. If the particular and advised protectionist signature based on its dollars for dollars,
it may not make sense to have both of those solutions. And if the in point detection solution provides both additional containment and eradication capability on top of the antivirus components that maybe a cost savings and it may provide better protection. So
it's a great way to see where things are overlapping. It can again be beneficial and improving overall control coverage throughout the environment, as well as eliminating unnecessary costs and then red team's conduce proof of concept attacks against the solutions, knowing what it should defend against.
Right? So I've seen instances where I've gone into an environment working with
a particular intrusion detection and prevention system.
And the entity says, you know will alert in 15 minutes when there's this level of activity we alert, you know, if you're doing these types of things and these types of attacks.
So we got permission from the client and we ran a proof of concept against the environment with the solution in place, and we threw the kitchen sink at it. What did we find? That the reporting Tom Frame was not met. The solution provided little to no contextual information on the actual activities that were performed against the environment,
and we were able to use that to go back to the vendor and then, you know, asked for either modification improvement, cost savings, whatever the case may be.
But we were able to test against those specific vectors in specific areas. And so
if you're vendor can't break down for you. What it is that they're actually protecting against If they say everything,
If you've got an everything solution, police let me know reach out to me through cyber and I'll be happy to look at that with you and, you know, validate that that is the case and will work together. But I'm saying that because I've never heard of a solution that takes care of everything within the security spectrum.
It's just not out there. So those are the three main areas that we're looking at with respect to the minor attack friend work being applied. It can be applied in other areas and other facets, whether it be through research institutions, for folks that do attack type research or threat research. Whatever the case may be, these are just the core areas
that were mentioning in this particular discussion today.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica