# Introduction to MITRE
Founded in 1958 as an independent advisor that produces innovative solutions to advance national security. Its work areas include:
- Cybersec
- Aerospace
- AI + Machine Learning
- Aviation and Transportation
- Defense and Intelligence
- Government Innovation
- Health
- Homeland Security
- Telecom
#### What is MITRE ATT&CK Framework?
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
It is a knowledge base introduced in 2013 and developed alongside changing technology. Its intent is to analyze cyber attacks systematically.
Attacks are divided into stages, and the methods used at each stage can be analyzed in depth and used for cyber security studies.
#### Why is this relevant to a SOC Analyst?
An analyst can clearly see which actions should be taken at each stage of a cyber attack and use the framework as a reference. This way, detection and mitigation techniques can be developed and applied more effectively, attacks can be mapped to the framework, and a report can be written and archived for later use. Research can also be conducted on attacks that have not occurred yet, to develop ways to detect and avoid them.
# Matrix
A visualization method used to classify and view the attack methods of cyber attackers. It can be customized for any subject and turned into useful visuals; ATT&CK matrices are useful for visualizing the details of attacker behavior.
Three types of ATT&CK Matrices:
- Enterprise Matrix
- Mobile Matrix
- ICS (Industrial Control Systems) Matrix
#### Enterprise Matrix
- The first MITRE matrix
- Used to understand cyber attacks on large organizations
- Seven Sub-Matrices
- PRE
- Windows
- macOS
- Linux
- Cloud
- Network
- Containers
- https://attack.mitre.org/matrices/enterprise/
#### Mobile Matrix
- https://attack.mitre.org/matrices/mobile/
- Two Sub-Matrices
- Android
- iOS
#### ICS Matrix
- Contains information collected for the cyber security of devices in industrial control systems
- https://attack.mitre.org/matrices/ics/
# Tactics
A tactic expresses the purpose of the cyber attacker and the reason for their actions. Tactics are most important for grouping behaviors and seeing the attack steps.
#### Types of Tactics
- Tactics are general statements that express the purpose of and reason for a cyber attack; they are grouped by matrix:
#### Enterprise Tactics
- 14 tactics
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
- https://attack.mitre.org/tactics/enterprise/
#### Mobile Tactics
- 14 Tactics
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
- Network Effects
- Remote Service Effects
- https://attack.mitre.org/tactics/mobile/
#### ICS Tactics
- 12 tactics
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Evasion
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Inhibit Response Function
- Impair Process Control
- Impact
- https://attack.mitre.org/tactics/ics/
# Techniques and Sub-Techniques
Techniques show the methods used by the attacker to achieve a goal and how exactly the attack was conducted. Each technique depends on a particular tactic.
Techniques are divided into 3 groups according to the matrices:
- Enterprise Techniques
- Mobile Techniques
- ICS Techniques
#### Enterprise Techniques
- Techniques: 203
- Sub-Techniques: 453
- Current Numbers: https://attack.mitre.org/techniques/enterprise/
#### Mobile Techniques
- Techniques: 73
- Sub-Techniques: 46
- Current Numbers: https://attack.mitre.org/techniques/mobile/
#### ICS Techniques
- Techniques: 83
- Sub-Techniques: 0
- Current Numbers: https://attack.mitre.org/techniques/ics/
#### What is a Procedure?
- Usage examples of techniques and sub-techniques
- Which tool was utilized during the implementation of the technique
- Procedures can be accessed via the MITRE page where the technique is located
# Mitigations
Mitigations refer to measures and actions that can be taken in response to the techniques in a given matrix. Each mitigation has a unique ID, name, and description that provides a clear understanding of it.
#### Types of Mitigations
Grouped into 3, like the previous topics:
- Enterprise Mitigations
- Mobile Mitigations
- ICS Mitigations
##### Enterprise Mitigations
https://attack.mitre.org/mitigations/enterprise/
##### Mobile Mitigations
https://attack.mitre.org/mitigations/mobile/
##### ICS Mitigations
https://attack.mitre.org/mitigations/ics/
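To tie the tactic, technique, sub-technique, and mitigation layers above together, here is an added example (not from the original notes or from MITRE): a small in-memory model of that hierarchy and an `attack_map` function that turns technique IDs observed during an incident into the per-tactic "attack map" a SOC report would contain. The handful of entries is a constructed sample in ATT&CK's ID format; current names and mappings should be verified on attack.mitre.org.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Technique:
    tid: str                  # ATT&CK ID: "T1059" for a technique, "T1059.001" for a sub-technique
    name: str
    tactics: tuple[str, ...]  # a technique can belong to more than one tactic
    mitigations: tuple[str, ...] = ()

# Constructed sample of the Enterprise matrix; tactics are listed in kill-chain order.
# IDs follow ATT&CK's format; verify current names and mappings on attack.mitre.org.
TACTICS = {"TA0002": "Execution", "TA0003": "Persistence",
           "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion"}
MITIGATIONS = {"M1038": "Execution Prevention", "M1049": "Antivirus/Antimalware"}
TECHNIQUES = {t.tid: t for t in (
    Technique("T1059", "Command and Scripting Interpreter", ("TA0002",), ("M1038",)),
    Technique("T1059.001", "PowerShell", (), ("M1038", "M1049")),   # tactics come from parent
    Technique("T1027", "Obfuscated Files or Information", ("TA0005",), ("M1049",)),
    Technique("T1547", "Boot or Logon Autostart Execution", ("TA0003", "TA0004")),
)}

def parent_id(tid: str) -> str:
    """'T1059.001' -> 'T1059'; a plain technique ID is its own parent."""
    return tid.split(".", 1)[0]

def attack_map(observed: list[str]) -> dict:
    """Group observed technique IDs by tactic (kill-chain order) and collect the
    mitigations that apply. Unknown IDs are reported, not dropped: a SOC report
    should show what could not be mapped rather than hide it."""
    by_tactic: dict[str, list[str]] = {}
    mitigation_ids: set[str] = set()
    unknown: list[str] = []
    for tid in observed:
        tech = TECHNIQUES.get(tid)
        if tech is None:
            unknown.append(tid)
            continue
        # Sub-techniques share their parent's tactic(s); fall back to the parent if none recorded
        parent = TECHNIQUES.get(parent_id(tid))
        tactics = tech.tactics or (parent.tactics if parent else ())
        mitigation_ids.update(tech.mitigations)
        for ta in tactics:
            by_tactic.setdefault(ta, []).append(f"{tid} {tech.name}")
    return {
        "tactics": {name: by_tactic[ta] for ta, name in TACTICS.items() if ta in by_tactic},
        "mitigations": sorted(MITIGATIONS.get(m, m) for m in mitigation_ids),
        "unknown": unknown,
    }

if __name__ == "__main__":   # constructed incident: IDs taken from an analyst's triage notes
    print(attack_map(["T1059.001", "T1027", "T1547", "T9999"]))
```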
# Groups
APT groups may include individuals and groups that carry out cyber attacks in a targeted and systematic way. They typically have a specific directive, such as financial or political gain.
Within the ATT&CK Framework, information about APT groups is collected which helps identify which group is targeting which systems, and which techniques are being implemented.
Once data is gathered and evaluated within the matrix, the attack map of the APT group can be revealed.
**Groups**: https://attack.mitre.org/groups/
Using the above link, information about the listed APT groups can be accessed. Each group has a unique Group ID, Name, and Description. The techniques it uses are listed closer to the bottom of the page.
Under "Techniques," the tools, software, and techniques the APT leveraged during its attacks are available.
# Software
The programs used by APT groups. Within MITRE, each has a unique ID, name, and description.
**Software**: https://attack.mitre.org/software/