MITREExplained

The MITRE ATT&CK framework documents cyber attacker tactics and techniques based on real-world observations. It provides a common language for security professionals to discuss adversary methods. The framework helps organizations understand attacker models, mitigate risks, and build defensive strategies. It is widely used by blue and red teams to simulate attacks and strengthen cyber defenses.


MITRE ATT&CK Framework

• By Kimberly Bailey, Reena Madan,

• Cybersecurity Students for Life


Not Quite
WannaCry: Under the Hood

Flow diagram; the labels that survive extraction, in execution order:

• mssecsvc.exe sets up the service mssecsvc2.0
• tasksche.exe runs and creates files: t.wnry, b.wnry, u.wnry, taskse.exe, taskdl.exe, @[email protected]
• REGEDIT persistence: cmd.exe /c reg add /v "<Random>" /t REG_SZ /d "\"<Full_Path>\tasksche.exe\"" /f
• Execute Scheduled Tasks
• File Encryption, per file: 1 Copy, 2 Encrypt, 3 Delete
• Ransom Note / Background
Sources: Cisco webinar (Anatomy of the attacks: WannaCry ransomware and Google OAuth phishing);
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
Cyber Kill Chain® Background

• Lockheed Martin’s process to explain and defensively mitigate future threats
• Deconstructs a hack into individual components

MITRE ATT&CK FOCUSES ON
What is the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework was created by MITRE in 2013 to document attacker tactics and
techniques based on real-world observations. This index continues to evolve with the threat
landscape and has become a renowned knowledge base for the industry to understand attacker
models, methodologies, and mitigation.
Not to be confused with CVE (Common Vulnerabilities and Exposures), the separate MITRE-run index of individual vulnerabilities: ATT&CK catalogues adversary behaviours (tactics and techniques), not specific vulnerabilities.
How does the MITRE ATT&CK Framework help an organization?
The ATT&CK Framework is widely recognized as an authority on understanding the behaviors and
techniques that hackers use against organizations today. It not only removes ambiguity and
provides a common vocabulary for industry professionals to discuss and collaborate on combating
these adversary methods, but it also has practical applications for security teams.
Used by Blue and Red Teams to create Attack Emulations
Use ATT&CK for Cyber Threat Intelligence
Use ATT&CK to Build Your Defensive Platform
Use ATT&CK for Adversary Emulation and Red Teaming
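One concrete way to "build your defensive platform" on ATT&CK is to write detections for the WannaCry host behaviours shown on the Under the Hood slide (the reg add persistence command, the mssecsvc2.0 service, the tasksche/taskdl/taskse binaries) and tag each one with the technique ID it evidences, so coverage can be reviewed against the matrix. The following is an added example, not code from the presentation. The log records are constructed to imitate Sysmon Event ID 1 and Windows System Event ID 7045; the Run key path and the "-m security" argument come from public WannaCry analyses rather than the slide, and the pipe-delimited layout and the Navigator layer version string are assumptions made here.

```python
"""ATT&CK-tagged detections for the WannaCry host behaviours on the slides.

Added example, not code from the original presentation. It scans a few
constructed log records that imitate Sysmon Event ID 1 (process creation)
and Windows System Event ID 7045 (service installed), tags each hit with
an ATT&CK for Enterprise technique ID, and emits an ATT&CK Navigator
layer so the resulting coverage can be visualised. The pipe-delimited
record layout and the layer version string are assumptions made here.
"""
import json
import re

# Constructed sample telemetry, not real captures. The reg add command
# mirrors the slide; the Run key path and the "-m security" argument come
# from public WannaCry analyses, not from the slide itself.
# Layout: EventID|Image|CommandLine|ParentImage   for ID 1,
#         EventID|ImagePath|ServiceName|StartedBy for ID 7045.
SAMPLE_LOG = [
    r'1|C:\Windows\System32\cmd.exe|cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zkyufmmrvl915" /t REG_SZ /d "\"C:\ProgramData\zkyufmmrvl915\tasksche.exe\"" /f|C:\ProgramData\zkyufmmrvl915\tasksche.exe',
    r'7045|C:\Windows\mssecsvc.exe -m security|mssecsvc2.0|services.exe',
    r'1|C:\ProgramData\zkyufmmrvl915\taskdl.exe|taskdl.exe|C:\ProgramData\zkyufmmrvl915\tasksche.exe',
    r'1|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt|C:\Windows\explorer.exe',
    r'1|C:\Windows\System32\cmd.exe|cmd.exe /c reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f|C:\Windows\System32\msiexec.exe',
]

# reg add against a ...\CurrentVersion\Run key: Boot or Logon Autostart
# Execution, Registry Run Keys (T1547.001).
RUN_KEY = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.IGNORECASE)
# Value data pointing at tasksche.exe, the pattern shown on the slide.
TASKSCHE_DATA = re.compile(r"/d\s+.*?tasksche\.exe", re.IGNORECASE)
# Executables named on the slide's flow diagram.
WANNACRY_BINARIES = {"mssecsvc.exe", "tasksche.exe", "taskdl.exe", "taskse.exe"}


def parse_record(line):
    event_id, a, b, c = line.split("|", 3)
    if event_id == "7045":
        return {"event": 7045, "image": a, "service": b, "parent": c}
    return {"event": 1, "image": a, "cmdline": b, "parent": c}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return one hit per matched rule: technique ID, rule name, evidence."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["event"] == 7045:
            # Create or Modify System Process: Windows Service (T1543.003);
            # mssecsvc2.0 is the service name on the slide.
            if rec["service"].lower() == "mssecsvc2.0":
                hits.append({"technique": "T1543.003",
                             "rule": "wannacry_service_install", "evidence": line})
            continue
        cmd = rec["cmdline"]
        if RUN_KEY.search(cmd):
            rule = "run_key_persistence"
            if TASKSCHE_DATA.search(cmd):
                rule += "_tasksche"
            hits.append({"technique": "T1547.001", "rule": rule, "evidence": line})
        if basename(rec["image"]) in WANNACRY_BINARIES:
            # These binaries implement the encryption flow on the slide, so
            # they are tagged to Data Encrypted for Impact (T1486).
            hits.append({"technique": "T1486",
                         "rule": "wannacry_binary_executed", "evidence": line})
    return hits


def navigator_layer(hits, name="WannaCry detections"):
    """Aggregate hits into an ATT&CK Navigator layer dict (schema assumed)."""
    techniques = {}
    for h in hits:
        entry = techniques.setdefault(
            h["technique"], {"techniqueID": h["technique"], "score": 0, "comment": ""})
        entry["score"] += 1
        entry["comment"] = h["rule"]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},  # assumed layer schema version
        "techniques": sorted(techniques.values(), key=lambda t: t["techniqueID"]),
    }


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["technique"], h["rule"])
    print(json.dumps(navigator_layer(found), indent=2))
```

The benign reg add to HKCU\Software\Contoso\App is there deliberately: a rule that fires on any `reg add` would drown the Run-key signal, so the key path, not the command name, is what the detection keys on.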
MITRE ATT&CK Focus
How does an Adversary Move within your Network
https://attack.mitre.org/docs/MITRE_ATTACK_Enterprise_11x17.pdf
MITRE ATT&CK Contains
Thank you!
Petya Attack
Breaking the Cyber Kill Chain®
Breaking the Cyber Kill Chain® for WannaCry

Stage                 Controls
Package & Delivery    User Education; Email filters; Sandboxing
Load & Run            User reporting; Continuous patching; Proactive, active threat hunting
Encryption            Advanced File Integrity monitoring tools; "Canary" files
Replication           IAM; Network isolation; "Least privilege"
Ransom / Extortion    DR Planning; Backups (tested regularly); Incident Response plans
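The "Canary" files control in the Encryption column is simple to implement and directly targets the copy, encrypt, delete sequence from the Under the Hood slide. The following added example (not code from the presentation) plants decoy documents, records their hashes, then replays that sequence with a one-byte XOR standing in for the real cipher and shows the monitor flagging both the vanished original and the encrypted twin beside it. The decoy names, the XOR stand-in and the .WNCRY suffix (the extension WannaCry gives encrypted files) are assumptions made here.

```python
"""Canary files as a control for the Encryption stage of the kill chain.

Added example, not code from the original presentation. A canary is a
decoy document nobody legitimately edits: its hash is recorded once and
any later change, disappearance, or encrypted twin beside it is treated
as a ransomware signal. The demo plants canaries in a temporary
directory, replays the slide's copy -> encrypt -> delete sequence with a
one-byte XOR standing in for the real cipher, and returns the alerts.
The decoy names, the XOR stand-in and the .WNCRY suffix (the extension
WannaCry gives encrypted files) are assumptions made here.
"""
import hashlib
import os
import tempfile

CANARY_NAMES = ["budget_FINAL.xlsx", "passwords.docx"]  # decoy names, assumed
ENCRYPTED_SUFFIX = ".WNCRY"


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(root, names=CANARY_NAMES):
    """Write the decoys and return the baseline {name: sha256}."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"canary " + name.encode() + b" - do not edit\n")
        baseline[name] = sha256_of(path)
    return baseline


def check_canaries(root, baseline, suffix=ENCRYPTED_SUFFIX):
    """Compare the directory with the baseline; return sorted (kind, name) alerts."""
    alerts = []
    for name, digest in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            alerts.append(("missing", name))          # step 3 of the slide
        elif sha256_of(path) != digest:
            alerts.append(("modified", name))         # in-place overwrite
    for entry in os.listdir(root):
        if entry not in baseline and entry.endswith(suffix):
            alerts.append(("encrypted_copy", entry))  # steps 1-2 of the slide
    return sorted(alerts)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def simulate_copy_encrypt_delete(root, name, key=0x5A, suffix=ENCRYPTED_SUFFIX):
    """Replay 1 copy, 2 encrypt, 3 delete on one file (toy cipher)."""
    src = os.path.join(root, name)
    with open(src, "rb") as fh:
        plaintext = fh.read()                  # 1. copy the original's bytes
    with open(src + suffix, "wb") as fh:
        fh.write(xor_bytes(plaintext, key))    # 2. write the encrypted copy
    os.remove(src)                             # 3. delete the original


def simulate_inplace_overwrite(root, name, key=0x5A):
    """A family that encrypts in place trips the hash check instead."""
    path = os.path.join(root, name)
    with open(path, "rb") as fh:
        plaintext = fh.read()
    with open(path, "wb") as fh:
        fh.write(xor_bytes(plaintext, key))


def run_demo():
    """Plant, confirm a quiet baseline, attack, and return both alert lists."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_canaries(root)
        quiet = check_canaries(root, baseline)
        simulate_copy_encrypt_delete(root, CANARY_NAMES[0])
        simulate_inplace_overwrite(root, CANARY_NAMES[1])
        return quiet, check_canaries(root, baseline)


if __name__ == "__main__":
    before, after = run_demo()
    print("before attack:", before)
    print("after attack: ", after)
```

In production the check runs on a schedule or from a file-system watcher, the decoys live among real documents on every share the Replication controls are meant to protect, and a hit should trigger the isolation step rather than just an alert, since by the time a canary changes the encryption loop is already running.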
Tools for proactively fighting attacks
WannaCry: Infection Vector

NSA tools (Equation Group) released by Shadowbrokers; the diagram's numbered steps:

1 ETERNALBLUE: exploits the SMB vulnerability over TCP 445
2 DOUBLEPULSAR: backdoor implant
3 Backdoor implant C&C channel, with kernel execution of: ping, kill, exec
4 Scan IP subnets on TCP 445

Source: https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/; Wikipedia
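The SANS diary cited above is about detecting the DOUBLEPULSAR implant over its own covert channel, and the public checks that followed it all key on one header field: a Trans2 SESSION_SETUP "ping" is sent with Multiplex ID 0x41, a clean host echoes 0x41 in its reply, and a host carrying the implant answers with 0x51. The following added example (not code from the presentation or the diary) parses the 32-byte SMB1 header of such a reply, with or without the NetBIOS session header that precedes it on TCP 445, and reports which case it sees; the two replies it examines are constructed byte strings, not captures, and the sample TID/PID/UID values in them are arbitrary.

```python
"""Classify SMB1 Trans2 replies the way the public DOUBLEPULSAR checks do.

Added example, not code from the original presentation. The published
detection (the SANS diary cited above and the open-source scanners that
followed it) sends an SMB1 Trans2 SESSION_SETUP "ping" carrying Multiplex
ID 0x41: a clean host echoes 0x41 in its reply, while a host running the
implant answers with 0x51. This parser reads the 32-byte SMB1 header of
a reply, with or without the 4-byte NetBIOS session header that precedes
it on TCP 445, and reports which case it sees. The two replies below are
constructed byte strings, not captures.
"""
import struct

SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41
IMPLANT_MID = 0x51

# SMB1 header (MS-CIFS), little-endian, 32 bytes:
# Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB1_MAGIC = b"\xffSMB"


def strip_netbios(data):
    """Drop a NetBIOS session header (type 0x00 + 3-byte length) if present."""
    if len(data) >= 8 and data[0] == 0 and data[4:8] == SMB1_MAGIC:
        length = int.from_bytes(data[1:4], "big")
        return data[4:4 + length]
    return data


def parse_smb1_header(data):
    data = strip_netbios(data)
    if len(data) < SMB1_HEADER.size:
        raise ValueError("short SMB1 header")
    (proto, command, status, flags, flags2, pid_high, sig,
     _reserved, tid, pid_low, uid, mid) = SMB1_HEADER.unpack_from(data)
    if proto != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": command, "status": status, "is_reply": bool(flags & 0x80),
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
            "signature": sig}


def classify_ping_reply(data):
    """Map a reply to the probe to: clean / doublepulsar_implant / not_trans2 / unknown."""
    hdr = parse_smb1_header(data)
    if hdr["command"] != SMB_COM_TRANSACTION2 or not hdr["is_reply"]:
        return "not_trans2"
    if hdr["mid"] == IMPLANT_MID:
        return "doublepulsar_implant"
    if hdr["mid"] == PROBE_MID:
        return "clean"
    return "unknown"


def constructed_reply(mid, command=SMB_COM_TRANSACTION2):
    """Build a minimal reply with the given MID (constructed sample data)."""
    body = SMB1_HEADER.pack(SMB1_MAGIC, command, 0, 0x98, 0xC807, 0, bytes(8),
                            0, 0x0800, 0xFEFF, 0x0800, mid)
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for mid in (PROBE_MID, IMPLANT_MID):
        print(hex(mid), classify_ping_reply(constructed_reply(mid)))
```

The same header parse works on the wire: feed it the reply bytes from a socket to TCP 445 after sending the probe, or run it over the SMB responses in a capture to find implanted hosts that the kill, exec and ping traffic in step 3 would otherwise hide among ordinary SMB.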
