Presented on effective approaches to detection of CyberSecurity threats at Infosec Intelligence Conclave. Discussed effective utilisation of MITRE's ATT&CK frameworkTactics represent the highest level of abstraction within the ATT&CK model. They are the tactical goals an adversary has during an operation. The ATT&CK tactic categories are listed here
- Persistence – Any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures.
- Privilege Escalation – The result of techniques that cause an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout a remote operation.
- Defense Evasion – Techniques an adversary may use for the purpose of evading detection or avoiding other defenses.
- Credential Access – Techniques resulting in the access of, or control over, system, domain, or service credentials that are used within an enterprise environment.
- Discovery – Techniques that allow an adversary to gain knowledge about a system and its internal network.
- Lateral Movement – Techniques that enable an adversary to access and control remote systems on a network. Often the next step for lateral movement is remote execution of tools introduced by an adversary.
- Execution – Techniques that result in execution of adversary-controlled code on a local or remote system.
- Collection – Techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.
- Exfiltration – Techniques and attributes that result or aid in an adversary removing files and information from a target network. This category also covers locations on a system or network where an adversary may look for information to exfiltrate.
- Command and Control – Techniques and attributes of how adversaries communicate with systems under their control within a target network. Examples include using legitimate protocols such as HTTP to carry C2 information.
Techniques The techniques in the ATT&CK model describe the actions adversaries take to achieve their tactical objectives. Within each tactic category there are a finite number of actions that will accomplish that tactic’s goal. Throughout the course of their post-compromise operations, an adversary constantly makes decisions about which technique to use based on knowledge, information obtained about the target environment, information needed for future actions, and capabilities currently available.Opinions expressed are personal and not that of any organization, individual, community, affliate or participant in the event
ATT&CK is copyright of The MITRE Corporation (MITRE)