Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Similar to Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research (20)
More from MITRE - ATT&CKcon
More from MITRE - ATT&CKcon (19)
Recently uploaded
Recently uploaded (20)
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
- 1. Using MITRE PRE-ATT&CK and ATT&CK in Cybercrime Education and Research 2020 ATT&CKcon Power Hour Aunshul Rege & Rachel Bleiman CAREER Award # 1453040 SaTC EDU Award # 2032292
- 2. Agenda MITRE PRE-ATT&CK and cybercrime/security education MITRE ATT&CK and research datasets Summary
- 3. MITRE PRE-ATT&CK & cybercrime/security education Cybercrime course Human aspects of cyberattacks/security via social engineering (SE) Multidisciplinary composition (8 groups) Objectives Applications of PRE-ATT&CK to SE Conduct threat intelligence Understand limitations 6 SE case studies with rich details Overall mapping to the PRE-ATT&CK matrix Specific expansion on tactics and techniques Identify PRE-ATT&CK mitigation strategies First attempt at this project (Fall 2020)
- 4. Overall mapping to the PRE-ATT&CK matrix What is the mapping %? What does this mean for: Case study? PRE-ATT&CK matrix? https://attack.mitre.org/versions/v7/matrices/pre/
- 5. Specific expansion on tactics and techniques
- 6. Identify PRE-ATT&CK mitigation strategies If none exist, students recommend mitigations
- 7. Agenda MITRE PRE-ATT&CK and cybercrime/security education MITRE ATT&CK and research datasets Summary
- 8. Cybersecurity in Action, Research and Education Offer FREE downloadable course projects and datasets Sites.temple.edu/care Social Engineering (SE) incidents Version 5; N=623; 2011 - August 2020 Critical Infrastructure Ransomware (CIRW) incidents Version 10.4; N=747; November 2013 - September 2020 Both datasets based on publicly disclosed incidents Feedback to map CIRW dataset to ATT&CK Why not for SE dataset too?
- 9. Mapping SE dataset to ATT&CK framework 50% (461/925) of the tactics mapped onto the ATT&CK technique or software T1566: Phishing T1566.001 T1566.002 23% (23/100) of the attackers mapped onto the ATT&CK group- attacker G0032 G0059 G0092 G0094 Variables General Start Date General End Date Target Location Social Engineering Tactic MITRE ATT&CK Technique or Software Monetary Cost Attacker MITRE ATT&CK Group - Attacker Attacker posing as Ploy Source
- 10. Mapping CIRW dataset to ATT&CK framework Variables Year General Date Organization Name Location CIS Targeted Strain MITRE ATT&CK Software ID [if exists] Duration Duration Rank Ransom Amount Local Currency Ransom Amount Rank Paid Status Pay Method Amount Paid Source V9 V10 NotPetya cases removed ATT&CK defined it as wiperware 56% of the strains mapped onto the ATT&CK software S0366 S0370 S0372 S0400 S0446 S0449 S0457 S0481
- 11. Mapping limitations/challenges Many of the SE techniques do not currently exist (ex: whaling, vishing, etc). Bulk of our data is phishing/spear phishing, skews mapping results Major strains missing (could only map 56%) Revil RansomEXX DoppelPaymer
- 12. Agenda MITRE PRE-ATT&CK and cybercrime/security education MITRE ATT&CK and research datasets Summary
- 13. Summary: PRE-ATT&CK and ATT&CK uses Education: PRE-ATT&CK benefits Develop ability to map and understand threat intelligence Develop ability to understand challenges/limitations Map SE cases (not typically done) All disciplines can engage Research datasets: ATT&CK links Educators: Class projects, research, publications Students: Course projects, dissertation/thesis Government: ICS training classes, raising awareness, assessing internal responses to CIRW attacks Industry: Trends & patterns in TTPs across RW strains, comparing the data to their own internal datasets, threat modeling, awareness & training, risk & statistical analysis
- 15. Summary/future directions Merging PRE-ATT&CK and ATT&CK Data repository Indictments SE case studies Focus groups/interviews Weaving it into Collegiate SE CTF Seeking collaboration! PRE- ATT&CK/ ATT&CK Social Science Education & Research
- 16. Using MITRE PRE-ATT&CK and ATT&CK in Cybercrime Education and Research 2020 ATT&CKcon Power Hour Aunshul Rege & Rachel Bleiman rege@temple.edu; rachel.bleiman@temple.edu @prof_rege; @rab1928 Q&A Feedback? Visit sites.temple.edu/care for downloading CIRW dataset; SE dataset - we welcome feedback and would love to engage with the community!