MITRE is a not-for-profit organization that operates federally-funded research and development centers. Their ATT&CK framework is a useful cybersecurity model illustrating how adversaries behave and explaining the tactics you should use to mitigate risk and improve security. ATT&CK stands for “adversarial tactics, techniques and common knowledge.”
This presentation explores a methodology for pairing proven industry frameworks like MITRE ATT&CK with threat modeling practices to quickly detect and respond to cyber threats. With this approach, industrial organizations can slice their infrastructure into smaller components, making it easier to secure their assets and minimize the attack surface.
Takeaways include how to:
- Make the most out of their threat intelligence feeds
- Report on progress and compliance
- Negotiate trust relationships in the intelligence sharing cycle
- Improve their organization’s overall security posture
32. [Figure: ATT&CK Enterprise matrix. Columns (tactics): Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command & Control; each column lists the techniques ATT&CK assigns to that tactic, e.g. Credential Dumping, Pass the Hash, Scheduled Task, PowerShell, Registry Run Keys/Start Folder, Process Discovery, Remote File Copy, Data Compressed.]
33. [Figure: the same ATT&CK Enterprise matrix as slide 32, repeated.]
[Figure: three-step cycle]
- Assess Current Coverage
- Identify Critical Gaps
- Address Gaps
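The three-step cycle above (assess current coverage, identify critical gaps, address gaps) worked through in code, as an added example that is not part of the presentation. Technique and tactic names come from the matrix slide; the detection inventory and the intelligence feed are constructed placeholders, not real data.

```python
"""Added example: coverage assessment against an ATT&CK-style matrix.
The MATRIX subset uses names from the slide; DETECTIONS and INTEL_FEED are
constructed for illustration and are not real detections or intel."""
from collections import defaultdict

# Constructed subset of the matrix: technique -> tactic columns it appears in.
MATRIX = {
    "Credential Dumping": {"Credential Access"},
    "Pass the Hash": {"Lateral Movement"},
    "Scheduled Task": {"Persistence", "Privilege Escalation", "Execution"},
    "PowerShell": {"Execution"},
    "Registry Run Keys/Start Folder": {"Persistence"},
    "Process Discovery": {"Discovery"},
    "Remote File Copy": {"Lateral Movement", "Command & Control"},
    "Data Compressed": {"Exfiltration"},
}

# Constructed detection inventory: technique -> data sources that cover it.
DETECTIONS = {
    "PowerShell": ["script block logging"],
    "Scheduled Task": ["task creation events"],
    "Process Discovery": ["process command line"],
}

# Constructed intel feed: techniques reported for adversaries relevant to this org.
INTEL_FEED = ["Credential Dumping", "Pass the Hash", "PowerShell",
              "Data Compressed", "Remote File Copy"]


def assess_coverage(matrix, detections):
    """Step 1: per tactic, (covered techniques, total techniques) in that column."""
    covered, total = defaultdict(int), defaultdict(int)
    for technique, tactics in matrix.items():
        for tactic in tactics:
            total[tactic] += 1
            if detections.get(technique):
                covered[tactic] += 1
    return {tactic: (covered[tactic], total[tactic]) for tactic in total}


def critical_gaps(matrix, detections, intel_feed):
    """Step 2: intel-reported techniques with no detection, the ones spanning
    the most tactic columns first (closing one of them helps several columns)."""
    gaps = [t for t in intel_feed if t in matrix and not detections.get(t)]
    return sorted(gaps, key=lambda t: (-len(matrix[t]), t))


def address_gap(detections, technique, data_source):
    """Step 3: return a new inventory with a detection recorded for the gap."""
    updated = {t: list(sources) for t, sources in detections.items()}
    updated.setdefault(technique, []).append(data_source)
    return updated
```

Re-running `assess_coverage` and `critical_gaps` after each `address_gap` call closes the loop the slide describes: coverage per column rises and the gap list shrinks.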