MITRE ATT&CK framework

Well, I found an assignment I did for class last semester on the MITRE ATT&CK framework. I remember putting in so much time and effort mulling over this assignment, right down to the scenario I staged, just to prove I knew exactly how this framework could be used.

So here's the discussion prompt:

Using the MITRE ATT&CK website, explore three threats from three different categories. For example, Command and Control and Credential Access would be two categories (columns) of the threats. Report on your findings and discuss them. Please include a reference in APA format.

Here's my response to the prompt:

According to Thomas Hazel, the founder of ChaosSearch, the MITRE ATT&CK framework “stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is publicly accessible and serves as a knowledge base of techniques used by cyber adversaries to target enterprise IT systems. Techniques are the building blocks of the MITRE ATT&CK framework. All techniques described in the framework have been used by cyber attackers and criminal organizations in the real world to infiltrate the networks of targeted organizations and steal their data.”

Each technique provides its description, a list of its sub-techniques, mitigation and detection methods, metadata, and references/resources related to that one technique. You can go down a rabbit-hole of information just researching one technique. I know I sure did. Oof.

It is “an invaluable resource for IT security teams, who can leverage the framework to enhance their cyber threat intelligence, improve threat detection capabilities, plan penetration testing scenarios, and assess cyber threat defenses for gaps in coverage.”
Given this, I’ll be explaining my threats (or “techniques”) through this scenario:

As a cybersecurity analyst, you receive a DLP alert from Microsoft Purview indicating that several highly-sensitive (financial) items have been uploaded to an unknown cloud account, and realize that an attacker has successfully exfiltrated data from the network. After doing some digging, you find that the attacker used PowerShell to execute its payload from Sam’s email account (Sam works in Accounting/Finance). You manage to track down an email which contains a Word document, and find that the sender is emailing as “bankofamerica-finance-transactions@yahoo.com”. After speaking with Sam on the phone, you find that the sender of this email called and introduced himself as “Jane Morrison’s assistant”, and they wanted to run through the “final paperwork” before correcting the mistaken transaction. Sam says it was legitimate because just a couple of hours earlier, they had made a purchase by mistake that could only be reversed by the bank. He had spoken to Jane a couple of hours prior to the call with the assistant, and Jane said she’d be able to handle it all on her end. He thanked her through LinkedIn for going above and beyond in helping them out, and that was the end of that.

So here you are, finally able to piece together and create a story/timeline of how it most likely happened, which of course doesn’t end here, but these are the 3 threats/techniques I’d like to bring in:

According to the MITRE website, under Reconnaissance > Search Open Websites/Domains > Social Media, “adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.” With this in mind, the entire attack could’ve easily been avoided if Sam had received proper cybersecurity awareness training, especially about posting anything related to the company he works for. The attacker could also have easily found more information through search engines to fill in the blanks. Just from reconnaissance in this scenario, an attacker can easily collect names, job titles, the bank a company uses, how recently the transaction happened, email addresses, co-workers, etc.

Under Initial Access > Phishing > Spearphishing Attachment, “Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems… Phishing may also involve social engineering techniques, such as posing as a trusted source.” So from this point, the attacker had used social engineering to build rapport with Sam by introducing himself as Jane’s assistant, making it easy for Sam to trust the email and the attachment he was about to send. Under the Execution > Command and Scripting Interpreter > PowerShell technique on the MITRE website, “Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.” After opening the attachment in a sandbox environment, it’s confirmed that the system was breached and that several highly-sensitive files were uploaded to an unknown destination.
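As an added example (not part of the original assignment), here is a small detection sketch for the chain the scenario describes: a Word document spawning PowerShell, tagged with the two ATT&CK technique IDs cited in the references. The process-creation events are constructed, and the pipe-separated key=value log format and field names are assumptions, not a real export format.

```python
"""Flag Office-spawned PowerShell (T1566.001 leading into T1059.001).

Added example for this post, not from the original assignment. The log
lines below are constructed (Sysmon-style process-creation fields,
simplified); the 'key=value|key=value' format is an assumption.
"""
from dataclasses import dataclass

# ATT&CK technique IDs from the post's reference list.
SPEARPHISH_ATTACHMENT = "T1566.001"
POWERSHELL_EXEC = "T1059.001"

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    user: str
    parent: str
    child: str
    techniques: tuple


def parse_event(line: str) -> dict:
    """Parse 'key=value' pairs separated by '|' into a dict (constructed format)."""
    return dict(part.split("=", 1) for part in line.split("|"))


def detect_office_to_powershell(lines):
    """Return a Finding for every event where an Office app launched a script host."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append(Finding(ev.get("User", "?"), parent, child,
                                    (SPEARPHISH_ATTACHMENT, POWERSHELL_EXEC)))
    return findings


# Constructed sample: three events; only the second is the Word -> PowerShell chain.
SAMPLE_EVENTS = [
    r"EventID=1|User=CORP\sam|ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"EventID=1|User=CORP\sam|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=1|User=CORP\admin|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]

if __name__ == "__main__":
    for f in detect_office_to_powershell(SAMPLE_EVENTS):
        print(f"{f.user}: {f.parent} -> {f.child} maps to {', '.join(f.techniques)}")
```

The admin's interactive PowerShell launched from Explorer is deliberately not flagged; the signal is the Office parent, which is what distinguishes the phishing-attachment chain from everyday administrative use.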

Mind you, TryHackMe also introduced me to a NEWER MITRE framework (still in beta), called MITRE D3FEND (https://d3fend.mitre.org/). Might be worth looking over as well.
I just totally geeked out. This was a great discussion/exercise... great food for thought.

Hazel, T. (2021, March 18). How To Use the MITRE ATT&CK Framework. https://www.chaossearch.io/blog/how-to-use-mitre-attck-framework

Learn about data loss prevention. (2023, February 6). Microsoft. https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide

Search Open Websites/Domains: Social Media. (2021, April 15). MITRE ATT&CK. https://attack.mitre.org/techniques/T1593/001/

Command and Scripting Interpreter: PowerShell. (2022, April 19). MITRE ATT&CK. https://attack.mitre.org/techniques/T1059/001/

Phishing: Spearphishing Attachment. (2021, October 18). MITRE ATT&CK. https://attack.mitre.org/techniques/T1566/001/