WEBVTT

1
00:00:00.090 --> 00:00:01.140
In this lesson,

2
00:00:01.140 --> 00:00:04.620
we will learn about the MITRE Adversarial Tactics,

3
00:00:04.620 --> 00:00:09.300
Techniques, and Common Knowledge, or the ATT&amp;CK Framework.

4
00:00:09.300 --> 00:00:11.910
The MITRE ATT&amp;CK Framework categorizes

5
00:00:11.910 --> 00:00:15.210
and documents the tactics, techniques and procedures

6
00:00:15.210 --> 00:00:19.290
(TTPs) used by adversaries to compromise

7
00:00:19.290 --> 00:00:21.270
and exploit systems.

8
00:00:21.270 --> 00:00:24.060
The framework is organized into matrices

9
00:00:24.060 --> 00:00:27.390
that outline the various stages of an attack

10
00:00:27.390 --> 00:00:29.280
with each matrix entry

11
00:00:29.280 --> 00:00:33.690
detailing specific attributes like the required permissions,

12
00:00:33.690 --> 00:00:37.560
platforms, and potential mitigation strategies.

13
00:00:37.560 --> 00:00:42.240
MITRE ATT&amp;CK matrices include the Enterprise ATT&amp;CK matrix,

14
00:00:42.240 --> 00:00:46.950
ATT&amp;CK for Mobile, PRE-ATT&amp;CK, and ATT&amp;CK for ICS

15
00:00:46.950 --> 00:00:49.650
or Industrial Control Systems.

16
00:00:49.650 --> 00:00:52.500
Also, part of the MITRE ATT&amp;CK framework

17
00:00:52.500 --> 00:00:54.900
is the ATT&amp;CK Navigator.

18
00:00:54.900 --> 00:00:56.940
The ATT&amp;CK Navigator is a tool

19
00:00:56.940 --> 00:01:00.270
that allows security professionals to visually map

20
00:01:00.270 --> 00:01:04.440
and analyze how specific techniques might be used

21
00:01:04.440 --> 00:01:08.280
by specific threat actors against their systems.

22
00:01:08.280 --> 00:01:11.700
Let's learn more about the MITRE ATT&amp;CK framework.

23
00:01:11.700 --> 00:01:14.700
The MITRE Adversarial Tactics, Techniques

24
00:01:14.700 --> 00:01:17.610
and Common Knowledge, or ATT&amp;CK framework,

25
00:01:17.610 --> 00:01:20.010
is a comprehensive model developed

26
00:01:20.010 --> 00:01:22.710
to document the tactics, techniques,

27
00:01:22.710 --> 00:01:27.330
and procedures used by adversaries in cyber attacks.

28
00:01:27.330 --> 00:01:31.110
It organizes this information into matrices

29
00:01:31.110 --> 00:01:33.780
which break down each stage of an attack

30
00:01:33.780 --> 00:01:37.530
with specific entries detailing the techniques used,

31
00:01:37.530 --> 00:01:41.040
the permissions required, the platforms affected,

32
00:01:41.040 --> 00:01:44.550
and the potential strategies for mitigation.

33
00:01:44.550 --> 00:01:47.790
This structure makes the MITRE ATT&amp;CK framework

34
00:01:47.790 --> 00:01:51.390
a valuable tool for defenders to understand

35
00:01:51.390 --> 00:01:55.050
and anticipate threats, allowing them to assess

36
00:01:55.050 --> 00:01:57.360
and reinforce their defenses

37
00:01:57.360 --> 00:02:01.320
based on categorized real world attack methods.

38
00:02:01.320 --> 00:02:05.880
The MITRE ATT&amp;CK framework is divided into several matrices,

39
00:02:05.880 --> 00:02:10.170
each targeting different environments and types of systems.

40
00:02:10.170 --> 00:02:14.910
The Enterprise ATT&amp;CK Matrix is the most widely recognized

41
00:02:14.910 --> 00:02:18.900
and used, covering techniques applicable to desktops,

42
00:02:18.900 --> 00:02:21.600
servers, and cloud environments.

43
00:02:21.600 --> 00:02:25.980
Next, the ATT&amp;CK for Mobile Matrix focuses on tactics

44
00:02:25.980 --> 00:02:30.540
and techniques used in attacks against mobile devices,

45
00:02:30.540 --> 00:02:34.230
offering insights into security risks specific

46
00:02:34.230 --> 00:02:38.010
to mobile applications and operating systems.

47
00:02:38.010 --> 00:02:41.160
Then the PRE-ATT&amp;CK Matrix focuses

48
00:02:41.160 --> 00:02:43.800
on adversary behavior that occurs

49
00:02:43.800 --> 00:02:46.620
before an actual attack begins,

50
00:02:46.620 --> 00:02:50.850
such as reconnaissance and planning, allowing defenders

51
00:02:50.850 --> 00:02:54.480
to anticipate threats at their earliest stages.

52
00:02:54.480 --> 00:02:56.730
Finally, the ATT&amp;CK Matrix

53
00:02:56.730 --> 00:02:58.890
for Industrial Control Systems

54
00:02:58.890 --> 00:03:01.920
addresses techniques attackers might use

55
00:03:01.920 --> 00:03:04.500
to target industrial environments,

56
00:03:04.500 --> 00:03:08.250
such as energy or manufacturing sectors.

57
00:03:08.250 --> 00:03:12.210
Together, these matrices provide a robust view

58
00:03:12.210 --> 00:03:16.200
of the different tactics used across various platforms

59
00:03:16.200 --> 00:03:17.850
and industries.

60
00:03:17.850 --> 00:03:21.900
Part of the ATT&amp;CK framework is the ATT&amp;CK Navigator.

61
00:03:21.900 --> 00:03:24.990
The ATT&amp;CK Navigator is a visual tool

62
00:03:24.990 --> 00:03:27.210
that allows security teams to map

63
00:03:27.210 --> 00:03:30.720
and analyze how specific techniques align

64
00:03:30.720 --> 00:03:33.060
with real world threat actors.

65
00:03:33.060 --> 00:03:36.390
For example, if a security team wants

66
00:03:36.390 --> 00:03:40.763
to assess the threat posed by a known actor like APT29,

67
00:03:42.270 --> 00:03:44.610
they can use the ATT&amp;CK Navigator

68
00:03:44.610 --> 00:03:49.080
to map out APT29's commonly used techniques.

69
00:03:49.080 --> 00:03:52.080
By highlighting these techniques on a matrix,

70
00:03:52.080 --> 00:03:57.080
the team can visualize which tactics APT29 employs

71
00:03:57.090 --> 00:04:00.540
and compare them to their own defenses.

72
00:04:00.540 --> 00:04:02.610
This process makes it easy

73
00:04:02.610 --> 00:04:04.920
to spot any potential gaps

74
00:04:04.920 --> 00:04:08.400
in the organization's current security protocols,

75
00:04:08.400 --> 00:04:11.280
helping the team prioritize improvements

76
00:04:11.280 --> 00:04:16.280
to counter the specific methods that APT29 is known to use.

77
00:04:17.220 --> 00:04:19.440
From a defensive perspective,

78
00:04:19.440 --> 00:04:22.500
the MITRE ATT&amp;CK framework is incredibly useful

79
00:04:22.500 --> 00:04:25.440
for identifying and addressing weaknesses

80
00:04:25.440 --> 00:04:28.830
within an organization's security posture.

81
00:04:28.830 --> 00:04:32.970
For instance, a cybersecurity team can use ATT&amp;CK

82
00:04:32.970 --> 00:04:36.840
to understand how a specific attacker might progress

83
00:04:36.840 --> 00:04:39.180
through each stage of an attack

84
00:04:39.180 --> 00:04:42.810
and determine where the organization's security measures

85
00:04:42.810 --> 00:04:44.580
might be vulnerable.

86
00:04:44.580 --> 00:04:45.840
With this knowledge,

87
00:04:45.840 --> 00:04:48.870
the team can set up defenses specifically

88
00:04:48.870 --> 00:04:50.460
for high risk techniques

89
00:04:50.460 --> 00:04:54.630
or tactics that are likely to target their environment.

90
00:04:54.630 --> 00:04:57.900
For example, let's say an organization wants

91
00:04:57.900 --> 00:05:01.860
to ensure it's prepared for a credential dumping attack.

92
00:05:01.860 --> 00:05:05.730
Credential dumping is a common technique used by attackers

93
00:05:05.730 --> 00:05:09.750
to gain unauthorized access to account credentials.

94
00:05:09.750 --> 00:05:12.060
By referencing the ATT&amp;CK Matrix,

95
00:05:12.060 --> 00:05:15.870
the security team can find information on specific

96
00:05:15.870 --> 00:05:17.970
credential dumping techniques,

97
00:05:17.970 --> 00:05:21.540
the permissions attackers need to perform these techniques

98
00:05:21.540 --> 00:05:25.050
and how best to detect or prevent them.

99
00:05:25.050 --> 00:05:28.620
Then, given a high probability threat actor

100
00:05:28.620 --> 00:05:30.900
and using the ATT&amp;CK Navigator,

101
00:05:30.900 --> 00:05:34.530
they can then map these anticipated attacker techniques

102
00:05:34.530 --> 00:05:38.160
against their current defenses to identify areas

103
00:05:38.160 --> 00:05:41.970
where they may lack coverage, like missing audit logs

104
00:05:41.970 --> 00:05:44.280
for credential related events.

105
00:05:44.280 --> 00:05:45.840
Based on these insights,

106
00:05:45.840 --> 00:05:48.480
the team can implement targeted measures

107
00:05:48.480 --> 00:05:52.740
such as setting up alerts for suspicious access attempts,

108
00:05:52.740 --> 00:05:55.530
or restricting administrative permissions

109
00:05:55.530 --> 00:05:57.510
to sensitive accounts.

110
00:05:57.510 --> 00:06:00.420
Let's take a walk through the process.

111
00:06:00.420 --> 00:06:02.490
For our demonstration

112
00:06:02.490 --> 00:06:04.890
in the MITRE ATT&amp;CK framework,

113
00:06:04.890 --> 00:06:07.500
we will research APT29

114
00:06:07.500 --> 00:06:10.590
as the threat actor we are concerned with.

115
00:06:10.590 --> 00:06:14.100
So let's learn about APT29

116
00:06:14.100 --> 00:06:18.150
under the Cyber Threat Intelligence and group selections.

117
00:06:18.150 --> 00:06:22.650
Then we'll select APT29.

118
00:06:22.650 --> 00:06:26.940
We can see that APT29 is a threat group associated with

119
00:06:26.940 --> 00:06:30.600
and attributed to Russia's Foreign Intelligence Service

120
00:06:30.600 --> 00:06:32.700
or SVR.

121
00:06:32.700 --> 00:06:35.370
We can also see that there are a lot

122
00:06:35.370 --> 00:06:37.590
of associated group descriptions

123
00:06:37.590 --> 00:06:41.580
or names associated with APT29.

124
00:06:41.580 --> 00:06:44.970
Additionally, as a nation state sponsored actor,

125
00:06:44.970 --> 00:06:48.000
they're likely to target critical infrastructure

126
00:06:48.000 --> 00:06:52.440
or military related organizations for strategic advantage.

127
00:06:52.440 --> 00:06:54.060
Next, we can learn about

128
00:06:54.060 --> 00:06:59.060
what attack campaigns have been attributed to APT29.

129
00:06:59.070 --> 00:07:02.790
As we continue to scroll down, we can see a large list

130
00:07:02.790 --> 00:07:07.790
of techniques that APT29 has been known to use.

131
00:07:08.010 --> 00:07:09.870
This is all great information,

132
00:07:09.870 --> 00:07:14.280
but without a picture to help orient me to where in the path

133
00:07:14.280 --> 00:07:17.880
of an attack all of these techniques would be used,

134
00:07:17.880 --> 00:07:21.420
it's hard to operationalize this information.

135
00:07:21.420 --> 00:07:23.530
So, there is a handy link

136
00:07:24.480 --> 00:07:26.700
to overlay the techniques

137
00:07:26.700 --> 00:07:30.630
onto the Enterprise ATT&amp;CK Matrix.

138
00:07:30.630 --> 00:07:33.810
Now I can see what specific tactics

139
00:07:33.810 --> 00:07:35.970
have been used in the wild

140
00:07:35.970 --> 00:07:40.290
to support APT29 attack scenarios.

141
00:07:40.290 --> 00:07:44.460
These identified TTPs can be further associated

142
00:07:44.460 --> 00:07:48.270
with campaigns that have been attributed to APT29.

143
00:07:48.270 --> 00:07:51.000
For example, in the legend,

144
00:07:51.000 --> 00:07:54.750
we can see that the blue TTPs are associated

145
00:07:54.750 --> 00:07:57.450
with APT29 directly.

146
00:07:57.450 --> 00:08:00.210
The red TTPs are associated

147
00:08:00.210 --> 00:08:04.530
with campaigns attributed to APT29,

148
00:08:04.530 --> 00:08:07.650
and the pink TTPs are identified

149
00:08:07.650 --> 00:08:10.860
as both being used by APT29

150
00:08:10.860 --> 00:08:14.970
and in a campaign attributed to APT29.

151
00:08:14.970 --> 00:08:16.590
With this information,

152
00:08:16.590 --> 00:08:19.770
we can now review our network infrastructure

153
00:08:19.770 --> 00:08:22.620
and identify systems, permissions,

154
00:08:22.620 --> 00:08:27.323
and platforms that are high probability targets for APT29.

155
00:08:28.530 --> 00:08:30.900
Then we can harden the network

156
00:08:30.900 --> 00:08:35.100
or look for indicators of compromise and attack.

157
00:08:35.100 --> 00:08:37.860
So by following this process,

158
00:08:37.860 --> 00:08:39.960
we have used the ATT&amp;CK Navigator

159
00:08:39.960 --> 00:08:44.550
to map out APT29's likely attack pathways.

160
00:08:44.550 --> 00:08:47.310
We could then analyze our defenses,

161
00:08:47.310 --> 00:08:49.380
determine where they are weak,

162
00:08:49.380 --> 00:08:51.270
and take proactive measures

163
00:08:51.270 --> 00:08:54.060
to strengthen our security posture.

164
00:08:54.060 --> 00:08:58.740
This proactive approach ensures our network infrastructure

165
00:08:58.740 --> 00:09:00.090
will be better prepared

166
00:09:00.090 --> 00:09:04.830
to defend against APT29's tactics.

167
00:09:04.830 --> 00:09:08.370
So remember, the MITRE ATT&amp;CK framework

168
00:09:08.370 --> 00:09:12.240
is a comprehensive tool that categorizes the tactics,

169
00:09:12.240 --> 00:09:17.240
techniques, and procedures or TTPs used by attackers.

170
00:09:17.580 --> 00:09:21.900
Organized into various matrices, the MITRE ATT&amp;CK framework

171
00:09:21.900 --> 00:09:24.390
outlines the stages of an attack

172
00:09:24.390 --> 00:09:27.120
detailing each technique's requirements,

173
00:09:27.120 --> 00:09:31.530
platforms affected, and potential defensive strategies.

174
00:09:31.530 --> 00:09:35.970
Key matrices include Enterprise ATT&amp;CK for general systems,

175
00:09:35.970 --> 00:09:39.870
ATT&amp;CK for Mobile, PRE-ATT&amp;CK for early planning,

176
00:09:39.870 --> 00:09:44.250
and ATT&amp;CK for Industrial Control Systems or ICS,

177
00:09:44.250 --> 00:09:47.880
each of these tailored to different environments.

178
00:09:47.880 --> 00:09:51.870
Additionally, the ATT&amp;CK Navigator is a visual tool

179
00:09:51.870 --> 00:09:55.050
that helps security teams map out these techniques

180
00:09:55.050 --> 00:09:56.940
to specific threat actors,

181
00:09:56.940 --> 00:10:00.330
allowing them to analyze potential attack paths

182
00:10:00.330 --> 00:10:02.040
and defenses.

183
00:10:02.040 --> 00:10:06.180
Overall, the MITRE ATT&amp;CK framework supports defenders

184
00:10:06.180 --> 00:10:08.460
in identifying vulnerabilities

185
00:10:08.460 --> 00:10:12.000
and strengthening security by aligning their defenses

186
00:10:12.000 --> 00:10:15.333
with real world observed attack patterns.

