MITRE TryHackMe Room Walkthrough
Task 3 ATT&CK® Framework
What is the ATT&CK® framework? According to the website, “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” In 2013, MITRE began to address the need to record and document the common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked with emulating adversarial TTPs against a network, and telemetry was collected from those attacks. The gathered data formed the first pieces of what we know today as the ATT&CK® framework.
The ATT&CK® framework has grown and expanded over the years. One notable expansion is platform coverage: the framework originally focused solely on Windows but now also covers other platforms, such as macOS and Linux. Many sources contribute to it, including security researchers and published threat intelligence reports. Note that this is not only a tool for blue teamers; red teamers use it just as much, for example to plan adversary emulation.
If you haven’t done so, navigate to the ATT&CK® website.
Direct your attention to the bottom of the page to view the ATT&CK® Matrix for Enterprise. Across the top of the matrix there are 14 categories, one per tactic (the adversary's goal, such as Initial Access). Each category lists the techniques an adversary could use to achieve that tactic. Taken together, the categories cover the seven-stage Cyber Attack Lifecycle (credit Lockheed Martin for the Cyber Kill Chain).
(ATT&CK Matrix v11.2)
Under Initial Access, there are 9 techniques. Some of the techniques have sub-techniques, such as Phishing.
If we click on the gray bar to the right, a new layer appears listing the sub-techniques.
To get a better understanding of this technique and its associated sub-techniques, click on Phishing.
We have been directed to a page dedicated to the technique known as Phishing and all related information regarding the technique, such as a brief description, Procedure Examples, and Mitigations.
Alternatively, you can use the Search feature to retrieve all associated information regarding a given technique, sub-technique, and/or group.
Lastly, the same data can be viewed via the MITRE ATT&CK® Navigator: “The ATT&CK® Navigator is designed to provide basic navigation and annotation of ATT&CK® matrices, something that people are already doing today in tools like Excel. We’ve designed it to be simple and generic — you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do.”
You can access the Navigator view when visiting a group or tool page. The ATT&CK® Navigator Layers button will be available.
In the sub-menu select view.
Let’s get acquainted with this tool. Click here to view the ATT&CK® Navigator for Carbanak.
At the top left, there are 3 sets of controls: selection controls, layer controls, and technique controls. I encourage you to inspect each of the options under each control to get familiar with them. The question mark at the far right will provide additional information regarding the navigator.
To summarize, we can use the ATT&CK Matrix to map a threat group to its tactics and techniques, and there are several ways to start that search: the matrix itself, the Search feature, or a Navigator layer.
The questions below will help you become more familiar with ATT&CK®. It is recommended to start answering the questions from the Phishing page. Note that this link is for version 8 of the ATT&CK Matrix, so technique counts and group attributions may differ from the current site.
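The same lookups the task walks through by clicking (technique ID, sub-techniques, mitigations, data sources, groups, and a Navigator layer for a group) can be done against the ATT&CK STIX 2.1 data that MITRE publishes at github.com/mitre/cti. The block below is an added example, not code from TryHackMe or MITRE. It embeds a tiny constructed bundle that mirrors the shape of `enterprise-attack.json` (`attack-pattern`, `course-of-action`, `intrusion-set`, and `relationship` objects with `uses`, `mitigates` and `subtechnique-of` types). T1566, T1566.001 and M1017 are real ATT&CK IDs for Phishing, Spearphishing Attachment and User Training; the group "SAMPLE GROUP" with ID G9999 is a placeholder, not a real ATT&CK group, and the Navigator layer format version string is an assumption.

```python
"""Query a constructed ATT&CK-style STIX 2.1 bundle and emit a Navigator layer.
Example code; the bundle below is constructed, not MITRE's published data."""
import json
from collections import defaultdict


def _ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]


def _attack_pattern(stix_id, name, ext_id, subtechnique=False, sources=()):
    return {"type": "attack-pattern", "id": stix_id, "name": name,
            "external_references": _ref(ext_id),
            "x_mitre_is_subtechnique": subtechnique,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                   "phase_name": "initial-access"}],
            "x_mitre_data_sources": list(sources)}


def _rel(src, rel_type, dst):
    return {"type": "relationship", "id": f"relationship--{src}-{rel_type}-{dst}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}


# Constructed sample bundle. G9999 / "SAMPLE GROUP" is a placeholder group.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed-sample", "objects": [
    _attack_pattern("attack-pattern--phishing", "Phishing", "T1566", sources=[
        "Application Log: Application Log Content", "File: File Creation",
        "Network Traffic: Network Traffic Content",
        "Network Traffic: Network Traffic Flow"]),
    _attack_pattern("attack-pattern--spearphishing-attachment", "Spearphishing Attachment",
                    "T1566.001", subtechnique=True, sources=["File: File Creation"]),
    {"type": "course-of-action", "id": "course-of-action--user-training",
     "name": "User Training", "external_references": _ref("M1017")},
    {"type": "intrusion-set", "id": "intrusion-set--sample-group",
     "name": "SAMPLE GROUP", "external_references": _ref("G9999")},
    _rel("attack-pattern--spearphishing-attachment", "subtechnique-of", "attack-pattern--phishing"),
    _rel("course-of-action--user-training", "mitigates", "attack-pattern--phishing"),
    _rel("intrusion-set--sample-group", "uses", "attack-pattern--spearphishing-attachment"),
]}


class AttackIndex:
    """Index a bundle by STIX id and by (ref, relationship_type) in both directions."""

    def __init__(self, bundle):
        objs = bundle["objects"]
        self.objects = {o["id"]: o for o in objs if o["type"] != "relationship"}
        self.out = defaultdict(list)  # (source_ref, rel_type) -> [target_ref]
        self.inc = defaultdict(list)  # (target_ref, rel_type) -> [source_ref]
        for r in (o for o in objs if o["type"] == "relationship"):
            self.out[(r["source_ref"], r["relationship_type"])].append(r["target_ref"])
            self.inc[(r["target_ref"], r["relationship_type"])].append(r["source_ref"])

    @staticmethod
    def attack_id(obj):
        # The ATT&CK ID (T1566, M1017, G....) lives in the mitre-attack external reference
        return next(r["external_id"] for r in obj["external_references"]
                    if r["source_name"] == "mitre-attack")

    def technique(self, name):
        return next(o for o in self.objects.values()
                    if o["type"] == "attack-pattern" and o["name"] == name)

    def subtechniques(self, technique):
        return [self.objects[s] for s in self.inc[(technique["id"], "subtechnique-of")]]

    def mitigations(self, technique):
        return sorted(self.objects[c]["name"] for c in self.inc[(technique["id"], "mitigates")])

    def data_sources(self, technique):
        # "Application Log: Application Log Content" -> "Application Log"; dedupe, keep order
        return list(dict.fromkeys(s.split(":")[0] for s in technique["x_mitre_data_sources"]))

    def groups_using(self, technique):
        # A parent technique's Procedure Examples include groups using its sub-techniques
        targets = [technique] + self.subtechniques(technique)
        return sorted({self.objects[g]["name"] for t in targets
                       for g in self.inc[(t["id"], "uses")]})

    def navigator_layer(self, group_name, attack_version="11"):
        """Build a Navigator layer highlighting every technique the group uses."""
        group = next(o for o in self.objects.values()
                     if o["type"] == "intrusion-set" and o["name"] == group_name)
        techniques = [{"techniqueID": self.attack_id(t), "tactic": phase["phase_name"],
                       "score": 1, "comment": f"used by {group_name}", "enabled": True}
                      for t in (self.objects[i] for i in self.out[(group["id"], "uses")])
                      for phase in t["kill_chain_phases"]]
        return {"name": f"{group_name} ({self.attack_id(group)})",
                # layer format version is an assumption; check your Navigator build
                "versions": {"attack": attack_version, "navigator": "4.6", "layer": "4.3"},
                "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    idx = AttackIndex(SAMPLE_BUNDLE)
    phishing = idx.technique("Phishing")
    print(AttackIndex.attack_id(phishing))
    print([AttackIndex.attack_id(s) for s in idx.subtechniques(phishing)])
    print(idx.mitigations(phishing))
    print(",".join(idx.data_sources(phishing)))  # same format the task's question asks for
    print(idx.groups_using(phishing))
    print(json.dumps(idx.navigator_layer("SAMPLE GROUP"), indent=2))
```

To run this against the real data, load `enterprise-attack/enterprise-attack.json` from the mitre/cti repository with `json.load` in place of `SAMPLE_BUNDLE`; the object and relationship types are the same, the bundle is just far larger (and many objects carry `revoked` or `x_mitre_deprecated` flags you will want to filter out). The layer dictionary can be saved to a `.json` file and opened in the Navigator with the "Open Existing Layer" option.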
Answer the questions below
Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purple Teamers, SOC Managers?)
What is the ID for this technique?
Based on this technique, what mitigation covers identifying social engineering techniques?
What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
Answer: Application Log,File,Network Traffic
What groups have used spear-phishing in their campaigns? (format: group1,group2)
Based on the information for the first group, what are their associated groups?
What software is associated with this group that lists phishing as a technique?
What is the description for this software?
This group overlaps (slightly) with which other group?
How many techniques are attributed to this group?