Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

8/6/2018
09:50 AM

Mastering MITRE's ATT&CK Matrix

This breakdown of Mitre's model for cyberattacks and defense can help organizations understand the stages of attack events and, ultimately, build better security.
3 of 12

Execution
For one group of attacks, execution follows a successful initial access stage. If humans, processes, or technology don't recognize the attack, then execution begins through technologies such as script execution, control panel automation, API access, or module load. Within layered security, this stage in the matrix shows that execution monitoring is a critical piece of the total security infrastructure.
Other attacks actually begin at the execution stage. How does this happen? Attacks that launch through Windows Management Instrumentation (WMI), third-party software, some DLLs, PowerShell, and other lower-level mechanisms are considered to start here, rather than at the initial access stage since the software's initial access might well have occurred during legitimate, authorized activity.
And this still does not account for every attack. Because this stage looks at initial code execution, and some threats that begin life as a benign bit of technology only turn evil later in life. Those will be part of the stage we look at next.
(Image: EtiAmmos VIA SHUTTERSTOCK)

Execution

For one group of attacks, execution follows a successful initial access stage. If humans, processes, or technology don't recognize the attack, then execution begins through technologies such as script execution, control panel automation, API access, or module load. Within layered security, this stage in the matrix shows that execution monitoring is a critical piece of the total security infrastructure.

Other attacks actually begin at the execution stage. How does this happen? Attacks that launch through Windows Management Instrumentation (WMI), third-party software, some DLLs, PowerShell, and other lower-level mechanisms are considered to start here, rather than at the initial access stage since the software's initial access might well have occurred during legitimate, authorized activity.

And this still does not account for every attack. Because this stage looks at initial code execution, and some threats that begin life as a benign bit of technology only turn evil later in life. Those will be part of the stage we look at next.

(Image: EtiAmmos VIA SHUTTERSTOCK)

3 of 12
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Kunchen
100%
0%
Kunchen,
User Rank: Apprentice
8/9/2018 | 2:20:02 PM
Good post
This is indeed a very good post.  I enjoyed reading and I see a sequel in the future? "What happens after C&C?" At least from a an IR, CIRT, or from a security team's perspective.  Lessons learned? Controls review? Mitigation of damages? Investigation? Handling with LEO? 
Sbdr204
100%
0%
Sbdr204,
User Rank: Apprentice
8/9/2018 | 10:46:11 AM
Red Team Integration
Great article! We've integrated the MITRE framework in our red team engagements to drive more value to our customers. Traditional red team penetration testing is dead, or it should be. Just going after privileged access like DA is a waste of time, as it's almost always easily accomplished through SE, MiTM, or trivial payload obfuscation. A much more valuable pentest involves evaluating the effectiveness of your controls against a number of probable attack vectors. That's where MITRE comes in. MITRE does a great job of identifying a wide range of attacks, and allows you to understand how effective your controls are in detecting and preventing it. Not to mention providing interpretable metrics that better establish what your organizations risk really is.
fredheen
50%
50%
fredheen,
User Rank: Apprentice
8/8/2018 | 5:57:47 AM
My opinion
In my opinion, it's quite interesting to read 
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.