Using ATT&CK for Cyber Threat Intelligence

Using the ATT&CK framework for CTI

The ATT&CK framework is built from adversary behaviours observed in the real world, which is what makes it so useful, and it is community driven and community focused. ATT&CK addresses the ‘tough’ (TTP) layer of the Pyramid of Pain produced by David Bianco, as shown below.

We can use the ATT&CK framework to quickly extract TTPs from open source intelligence reports or from raw data pulled from systems in our own environment (I will go over this later).

It’s commonly used for detection, for identifying gaps, for emulating specific APTs with red team tactics, and for cyber threat intelligence, where you can track adversary behaviour, map it to already known APTs and much more. The goal when using this method is to make the intelligence actionable.

How it’s split up: the tactics run across the top, and the techniques are listed underneath each tactic.

What is useful is that if you need to know more about a technique you can simply click it and you are taken to a wealth of information, as shown below.

Mapping data from an intelligence report needs a shift in thinking: instead of thinking about indicators for threat intelligence, we need to be thinking about behaviours. We can do this in easy to follow steps:

  1. Find the behaviour
  2. Research the behaviour
  3. Translate behaviour into a tactic
  4. Figure out what technique applies to the behaviour

Once we have answered all these questions, we can move on to actually mapping this out in the ATT&CK Navigator.

We extracted the following piece of information from an intelligence report:

Example: CVE-2020-xxxx is a local kernel vulnerability; successful exploitation would give any user SYSTEM access on the local machine.

Sample.exe uses the PowerShell command `cmd.exe /c whoami` to check its permissions, and establishes persistence by creating a new scheduled task.

When executed it establishes a SOCKS5 connection to 197.244.123.xxx using TCP port 3434.

  1. Find the behaviours

Example: CVE-2020-xxxx is a local kernel vulnerability; successful exploitation would give any user SYSTEM access on the local machine.

Sample.exe uses the PowerShell command `cmd.exe /c whoami` to check its permissions, and establishes persistence by creating a new scheduled task.

When executed it establishes a SOCKS5 connection to 197.244.123.xxx using TCP port 3434.

  2. Research the behaviours if you’re not sure what they mean, for example the TCP port number!
  3. and 4. Translate the behaviours into tactics, and then into techniques:

Behavior: Establishes a SOCKS5 Connection

Tactic: Command & Control

Technique: Standard non-application layer protocol (T1095)

Behavior: TCP Port 3434

Tactic: Command & Control

Technique: Uncommonly used port (T1065)

Behavior: successful exploitation would give SYSTEM level access

Tactic: Privilege Escalation

Technique: Exploitation for privilege escalation (T1068)

Behavior: cmd.exe

Tactic: Execution

Technique: Command-Line Interface (T1059)

Behavior: /C whoami

Tactic: Discovery

Technique: System Owner/User Discovery (T1033)

Behavior: creates a scheduled task for persistence

Tactic: Persistence

Technique: Scheduled Task (T1053)

We can then map this to the ATT&CK Navigator as shown below:
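The Navigator accepts layer files as JSON, so the behaviour → tactic → technique table above can be turned into an importable layer rather than clicked in by hand. The script below is an added example, not part of the original post or of the Navigator project; the mappings are the ones worked out above (T1033 supplied for System Owner/User Discovery), the tactic short names are the lowercase hyphenated form the Navigator uses, and the `versions`/`domain` values are assumptions that should be set to match the Navigator build you import into.

```python
import json
import re

# Behaviour -> tactic -> technique, taken from the mapping above.
MAPPINGS = [
    ("Establishes a SOCKS5 connection", "command-and-control", "T1095"),
    ("TCP port 3434", "command-and-control", "T1065"),
    ("Exploitation gives SYSTEM level access", "privilege-escalation", "T1068"),
    ("cmd.exe", "execution", "T1059"),
    ("/c whoami", "discovery", "T1033"),
    ("Creates a scheduled task", "persistence", "T1053"),
]

# Technique IDs look like T1059 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def build_layer(mappings, name="Sample.exe intelligence report"):
    """Turn (behaviour, tactic, technique) tuples into a Navigator layer dict.

    Each technique's score is the number of behaviours that mapped to it, and
    every behaviour is kept in the comment so the analyst can trace the evidence
    back to the report text.
    """
    by_key = {}
    for behaviour, tactic, tech_id in mappings:
        if not TECHNIQUE_ID.match(tech_id):
            raise ValueError(f"malformed technique ID: {tech_id!r}")
        entry = by_key.setdefault(
            (tech_id, tactic),
            {"techniqueID": tech_id, "tactic": tactic, "score": 0,
             "color": "#fd8d3c", "comment": "", "enabled": True},
        )
        entry["score"] += 1
        entry["comment"] = "; ".join(filter(None, [entry["comment"], behaviour]))
    return {
        "name": name,
        # Assumed values: set these to the ATT&CK / Navigator versions you use.
        "versions": {"attack": "6", "navigator": "3.0", "layer": "3.0"},
        "domain": "mitre-enterprise",
        "description": "Techniques extracted from the report, one behaviour per comment entry",
        "techniques": sorted(by_key.values(), key=lambda t: t["techniqueID"]),
    }


def to_json(layer):
    """Serialise the layer for 'Open Existing Layer' in the Navigator."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(to_json(build_layer(MAPPINGS)))
```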

Some quick links to get you started

https://threathunterplaybook.com/introduction.html

https://mitre-attack.github.io/caret/#/

https://github.com/atc-project/atomic-threat-coverage

https://www.malwarearchaeology.com/cheat-sheets
