Threat Intelligence

8/6/2018
09:50 AM

Mastering MITRE's ATT&CK Matrix

This breakdown of Mitre's model for cyberattacks and defense can help organizations understand the stages of attack events and, ultimately, build better security.
2 of 12

Initial Access
Initial access is exactly what it sounds like, with an attacker first asking contact with your organization. If your security mechanisms recognize and properly respond to the attack at this stage, then the rest of the matrix is simply interesting reading. If not ...
The initial access stage can take many forms, from a spear-phishing link, to a malicious thumb drive found in a parking lot, to a trusted, authorized user who turns evil. In every form, though, a failure of human behavior, IT process, or security mechanism enables the attack to proceed.
While most attacks commonly at this stage, it is not necessarily the only way. As we walk across the horizontal axis of the ATT&CK matrix, we'll see classes of attack that begin further across the process in an attempt to slide beneath the radar of most security products.
(Image: Africa Studio VIA SHUTTERSTOCK)

Initial Access

Initial access is exactly what it sounds like, with an attacker first asking contact with your organization. If your security mechanisms recognize and properly respond to the attack at this stage, then the rest of the matrix is simply interesting reading. If not ...

The initial access stage can take many forms, from a spear-phishing link, to a malicious thumb drive found in a parking lot, to a trusted, authorized user who turns evil. In every form, though, a failure of human behavior, IT process, or security mechanism enables the attack to proceed.

While most attacks commonly at this stage, it is not necessarily the only way. As we walk across the horizontal axis of the ATT&CK matrix, we'll see classes of attack that begin further across the process in an attempt to slide beneath the radar of most security products.

(Image: Africa Studio VIA SHUTTERSTOCK)

2 of 12
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Kunchen
100%
0%
Kunchen,
User Rank: Apprentice
8/9/2018 | 2:20:02 PM
Good post
This is indeed a very good post.  I enjoyed reading and I see a sequel in the future? "What happens after C&C?" At least from a an IR, CIRT, or from a security team's perspective.  Lessons learned? Controls review? Mitigation of damages? Investigation? Handling with LEO? 
Sbdr204
100%
0%
Sbdr204,
User Rank: Apprentice
8/9/2018 | 10:46:11 AM
Red Team Integration
Great article! We've integrated the MITRE framework in our red team engagements to drive more value to our customers. Traditional red team penetration testing is dead, or it should be. Just going after privileged access like DA is a waste of time, as it's almost always easily accomplished through SE, MiTM, or trivial payload obfuscation. A much more valuable pentest involves evaluating the effectiveness of your controls against a number of probable attack vectors. That's where MITRE comes in. MITRE does a great job of identifying a wide range of attacks, and allows you to understand how effective your controls are in detecting and preventing it. Not to mention providing interpretable metrics that better establish what your organizations risk really is.
fredheen
50%
50%
fredheen,
User Rank: Apprentice
8/8/2018 | 5:57:47 AM
My opinion
In my opinion, it's quite interesting to read 
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7715
PUBLISHED: 2019-03-26
An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The main shell handler function uses the value of the environment variable ipcom.shell.greeting as the first argument to printf(). Setting this variable using the sysvar command results in a user-c...
CVE-2019-8981
PUBLISHED: 2019-03-26
tls1.c in Cameron Hamilton-Rich axTLS before 2.1.5 has a Buffer Overflow via a crafted sequence of TLS packets because the need_bytes value is mismanaged.
CVE-2019-10061
PUBLISHED: 2019-03-26
utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands.
CVE-2019-7711
PUBLISHED: 2019-03-26
An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The undocumented shell command "prompt" sets the (user controlled) shell's prompt value, which is used as a format string input to printf, resulting in an information leak of memory addre...
CVE-2019-7712
PUBLISHED: 2019-03-26
An issue was discovered in handler_ipcom_shell_pwd in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. When using the pwd command, the current working directory path is used as the first argument to printf() without a proper check. An attacker may thus forge a path contain...