
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

From MITRE ATT&CKcon Power Hour October 2020

By:
Aunshul Rege, Associate Professor, Temple University, @prof_rege

Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928

This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. The project lets students practise aligning threat intelligence to the PRE-ATT&CK framework and learn about its usefulness and limitations. The talk also discusses the mapping of ATT&CK tactics, techniques, software, and groups onto two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto ATT&CK software entries. For the SE dataset, 49% of the groups and 65% of the techniques mapped onto the MITRE framework. The mapping helps the researchers identify the framework's usefulness and limitations and connects the datasets to richer information that may not otherwise be available from the publicly disclosed incidents.


  1. Using MITRE PRE-ATT&CK and ATT&CK in Cybercrime Education and Research
     2020 ATT&CKcon Power Hour
     Aunshul Rege & Rachel Bleiman
     CAREER Award # 1453040; SaTC EDU Award # 2032292
  2. Agenda
     • MITRE PRE-ATT&CK and cybercrime/security education
     • MITRE ATT&CK and research datasets
     • Summary
  3. MITRE PRE-ATT&CK & cybercrime/security education
     Cybercrime course: human aspects of cyberattacks/security via social engineering (SE); multidisciplinary composition (8 groups)
     Objectives: apply PRE-ATT&CK to SE; conduct threat intelligence; understand the framework's limitations
     Project: 6 SE case studies with rich details
       • Overall mapping to the PRE-ATT&CK matrix
       • Specific expansion on tactics and techniques
       • Identify PRE-ATT&CK mitigation strategies
     First attempt at this project (Fall 2020)
  4. Overall mapping to the PRE-ATT&CK matrix
     What is the mapping %? What does this mean for the case study? For the PRE-ATT&CK matrix?
     https://attack.mitre.org/versions/v7/matrices/pre/ (the link is pinned to ATT&CK v7: the standalone PRE-ATT&CK matrix was retired in ATT&CK v8, October 2020, and folded into the Enterprise Reconnaissance and Resource Development tactics)
  5. Specific expansion on tactics and techniques
  6. Identify PRE-ATT&CK mitigation strategies
     If none exist, students recommend mitigations
  7. Agenda (as slide 2); next section: MITRE ATT&CK and research datasets
  8. Cybersecurity in Action, Research and Education (CARE)
     Offers FREE downloadable course projects and datasets: sites.temple.edu/care
     • Social Engineering (SE) incidents: version 5; N=623; 2011 - August 2020
     • Critical Infrastructure Ransomware (CIRW) incidents: version 10.4; N=747; November 2013 - September 2020
     Both datasets are based on publicly disclosed incidents
     Community feedback asked for the CIRW dataset to be mapped to ATT&CK; why not the SE dataset too?
  9. Mapping SE dataset to ATT&CK framework
     50% (461/925) of the tactics mapped onto an ATT&CK technique or software, e.g. T1566: Phishing, T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link)
     23% (23/100) of the attackers mapped onto an ATT&CK group, e.g. G0032, G0059, G0092, G0094
     Variables: General Start Date; General End Date; Target; Location; Social Engineering Tactic; MITRE ATT&CK Technique or Software; Monetary Cost; Attacker; MITRE ATT&CK Group - Attacker; Attacker posing as; Ploy; Source
  10. Mapping CIRW dataset to ATT&CK framework
     Variables: Year; General Date; Organization Name; Location; CIS Targeted; Strain; MITRE ATT&CK Software ID [if exists]; Duration; Duration Rank; Ransom Amount; Local Currency; Ransom Amount Rank; Paid Status; Pay Method; Amount Paid; Source
     V9 to V10: NotPetya cases removed, because ATT&CK classifies it as wiperware rather than ransomware
     56% of the strains mapped onto ATT&CK software, e.g. S0366, S0370, S0372, S0400, S0446, S0449, S0457, S0481
  11. Mapping limitations/challenges
     • Many of the SE techniques do not currently exist in ATT&CK (ex: whaling, vishing, etc.)
     • The bulk of our data is phishing/spear phishing, which skews the mapping results
     • Major strains missing from ATT&CK (could only map 56%): REvil, RansomEXX, DoppelPaymer
  12. Agenda (as slide 2); next section: Summary
  13. Summary: PRE-ATT&CK and ATT&CK uses
     Education (PRE-ATT&CK benefits):
       • Develop the ability to map and understand threat intelligence
       • Develop the ability to understand challenges/limitations
       • Map SE cases (not typically done)
       • All disciplines can engage
     Research datasets (ATT&CK links):
       • Educators: class projects, research, publications
       • Students: course projects, dissertation/thesis
       • Government: ICS training classes, raising awareness, assessing internal responses to CIRW attacks
       • Industry: trends & patterns in TTPs across RW strains, comparing the data to their own internal datasets, threat modeling, awareness & training, risk & statistical analysis
  14. Summary/future directions
     • Merging PRE-ATT&CK and ATT&CK
     • Data repository: indictments, SE case studies, focus groups/interviews
     • Weaving it into the Collegiate SE CTF
     • Seeking collaboration at the intersection of PRE-ATT&CK/ATT&CK, social science, and education & research
  15. Q&A / Feedback?
     Aunshul Rege & Rachel Bleiman; rege@temple.edu; rachel.bleiman@temple.edu; @prof_rege; @rab1928
     Visit sites.temple.edu/care to download the CIRW dataset and the SE dataset; we welcome feedback and would love to engage with the community!
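As an added example (not code from the talk, the CARE datasets, or MITRE), the following Python shows the alignment step that slides 9 to 11 describe: normalise the free-text tactic or strain label recorded in an incident row, look it up against a table of ATT&CK IDs, report the coverage percentage, list what failed to map, and measure how much of the headline coverage is carried by a single technique family. The incident rows are constructed; the SE lookup contains only the three technique IDs the slides cite; and the two strain-to-software pairs (WannaCry to S0366, Ryuk to S0446) are this editor's own lookups from the published ATT&CK Software list, not something the slides state, so verify them before reusing the table. The NotPetya exclusion mirrors the V9 to V10 change on slide 10.

```python
"""Map free-text incident fields onto ATT&CK IDs and report coverage.

Added example, not code from the talk or the CARE datasets. All rows below
are constructed; the lookup tables hold only IDs the slides cite plus two
assumed strain-to-software pairs that must be checked against attack.mitre.org.
"""
import re
from collections import Counter

# Constructed SE rows: the "Social Engineering Tactic" field as recorded.
SE_INCIDENTS = [
    "Phishing",
    "Spear-phishing (attachment)",
    "spear phishing (link)",
    "Phishing",
    "Vishing",
    "Whaling",
    "Smishing",
    "Phishing",
]

# Normalised tactic label -> ATT&CK technique ID (only IDs named on slide 9).
SE_TECHNIQUE_LOOKUP = {
    "phishing": "T1566",
    "spearphishingattachment": "T1566.001",
    "spearphishinglink": "T1566.002",
}

# Constructed CIRW rows: the "Strain" field as recorded in the incident report.
CIRW_INCIDENTS = ["WannaCry", "Ryuk", "NotPetya", "REvil", "Ryuk", "DoppelPaymer", "RansomEXX"]

# Normalised strain -> ATT&CK software ID. ASSUMED pairs (editor's lookup of the
# ATT&CK Software list); the slides list IDs only. Verify before reuse.
CIRW_SOFTWARE_LOOKUP = {
    "wannacry": "S0366",
    "ryuk": "S0446",
}


def normalise(label: str) -> str:
    """Collapse spelling/punctuation variants: 'Spear-phishing (Link)' -> 'spearphishinglink'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def map_to_attack(values, lookup, exclude=()):
    """Map each recorded value to an ATT&CK ID through `lookup`.

    Rows whose normalised value is in `exclude` are dropped first (e.g. NotPetya,
    which ATT&CK treats as a wiper). Returns the kept/dropped/mapped counts, the
    coverage ratio, per-ID counts (to expose skew) and the distinct unmapped values.
    """
    excluded = {normalise(v) for v in exclude}
    kept = [v for v in values if normalise(v) not in excluded]
    mapped, unmapped = Counter(), Counter()
    for value in kept:
        attack_id = lookup.get(normalise(value))
        if attack_id:
            mapped[attack_id] += 1
        else:
            unmapped[value] += 1
    n_mapped = sum(mapped.values())
    return {
        "rows": len(kept),
        "dropped": len(values) - len(kept),
        "mapped": n_mapped,
        "coverage": n_mapped / len(kept) if kept else 0.0,
        "by_id": dict(mapped),
        "unmapped": dict(unmapped),
    }


def dominant_family_share(by_id):
    """Share of mapped rows under the single most common parent technique.

    Sub-techniques (T1566.001) roll up to their parent (T1566). A share near 1.0
    means the headline coverage number is carried by one technique family.
    """
    families = Counter()
    for attack_id, count in by_id.items():
        families[attack_id.split(".")[0]] += count
    total = sum(families.values())
    return families.most_common(1)[0][1] / total if total else 0.0


if __name__ == "__main__":
    se = map_to_attack(SE_INCIDENTS, SE_TECHNIQUE_LOOKUP)
    print(f"SE: {se['coverage']:.1%} mapped; unmapped labels: {sorted(se['unmapped'])}")
    print(f"SE: {dominant_family_share(se['by_id']):.0%} of mapped rows fall under one technique family")
    cirw = map_to_attack(CIRW_INCIDENTS, CIRW_SOFTWARE_LOOKUP, exclude=("NotPetya",))
    print(f"CIRW: {cirw['coverage']:.0%} mapped after dropping {cirw['dropped']} row(s); "
          f"unmapped strains: {sorted(cirw['unmapped'])}")
```

On the constructed rows the SE set reaches 62.5% coverage while every mapped row rolls up to T1566, which is exactly the skew slide 11 warns about: the coverage figure says nothing about how well ATT&CK represents vishing, whaling or smishing, and the unmapped list is the more useful output for anyone proposing new techniques. Because the lookup tables are the only inputs tied to a particular ATT&CK release, re-running the same function after each release shows directly whether coverage of a dataset improves as techniques and software entries are added.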
