Threat Intelligence

8/6/2018
09:50 AM

Mastering MITRE's ATT&CK Matrix

This breakdown of Mitre's model for cyberattacks and defense can help organizations understand the stages of attack events and, ultimately, build better security.
2 of 12

Initial Access
Initial access is exactly what it sounds like, with an attacker first asking contact with your organization. If your security mechanisms recognize and properly respond to the attack at this stage, then the rest of the matrix is simply interesting reading. If not ...
The initial access stage can take many forms, from a spear-phishing link, to a malicious thumb drive found in a parking lot, to a trusted, authorized user who turns evil. In every form, though, a failure of human behavior, IT process, or security mechanism enables the attack to proceed.
While most attacks commonly at this stage, it is not necessarily the only way. As we walk across the horizontal axis of the ATT&CK matrix, we'll see classes of attack that begin further across the process in an attempt to slide beneath the radar of most security products.
(Image: Africa Studio VIA SHUTTERSTOCK)

Initial Access

Initial access is exactly what it sounds like, with an attacker first asking contact with your organization. If your security mechanisms recognize and properly respond to the attack at this stage, then the rest of the matrix is simply interesting reading. If not ...

The initial access stage can take many forms, from a spear-phishing link, to a malicious thumb drive found in a parking lot, to a trusted, authorized user who turns evil. In every form, though, a failure of human behavior, IT process, or security mechanism enables the attack to proceed.

While most attacks commonly at this stage, it is not necessarily the only way. As we walk across the horizontal axis of the ATT&CK matrix, we'll see classes of attack that begin further across the process in an attempt to slide beneath the radar of most security products.

(Image: Africa Studio VIA SHUTTERSTOCK)

2 of 12
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Kunchen
100%
0%
Kunchen,
User Rank: Apprentice
8/9/2018 | 2:20:02 PM
Good post
This is indeed a very good post.  I enjoyed reading and I see a sequel in the future? "What happens after C&C?" At least from a an IR, CIRT, or from a security team's perspective.  Lessons learned? Controls review? Mitigation of damages? Investigation? Handling with LEO? 
Sbdr204
100%
0%
Sbdr204,
User Rank: Apprentice
8/9/2018 | 10:46:11 AM
Red Team Integration
Great article! We've integrated the MITRE framework in our red team engagements to drive more value to our customers. Traditional red team penetration testing is dead, or it should be. Just going after privileged access like DA is a waste of time, as it's almost always easily accomplished through SE, MiTM, or trivial payload obfuscation. A much more valuable pentest involves evaluating the effectiveness of your controls against a number of probable attack vectors. That's where MITRE comes in. MITRE does a great job of identifying a wide range of attacks, and allows you to understand how effective your controls are in detecting and preventing it. Not to mention providing interpretable metrics that better establish what your organizations risk really is.
fredheen
50%
50%
fredheen,
User Rank: Apprentice
8/8/2018 | 5:57:47 AM
My opinion
In my opinion, it's quite interesting to read 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.