MITRE ATT&CK

Framework description

  • MITRE ATT&CK Enterprise Matrix. Official database with several interesting resources.
  • ATT&CK Navigator. Web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more. It is linked to the official database (but search results for Threat Groups, Software, etc. are not perfectly aligned with those on the official site). Video tutorial. See also my lab notes.

Automated mappings to MITRE ATT&CK

I have been experimenting with Gemini for automatically extracting MITRE ATT&CK techniques from an incident report. I am not yet able to share this tool publicly, but I can share the spreadsheet where I place some outputs. It may be interesting.

Alerts examples

Most alerts of important threats reference the MITRE ATT&CK tactics and techniques.

  • Cuba Ransomware (see Table 6). The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors.
  • Understanding Ransomware Threat Actors: LockBit. In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs).

Tools based on MITRE ATT&CK

Many tools and projects build on the MITRE ATT&CK framework. Here are just a few examples.

  • DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours.
  • An Excel-centric approach for managing the MITRE ATT&CK tactics and techniques. A simple and portable way to get a sort of awareness about which attackers' tactics/techniques a customer is able to detect and, more importantly, what is missing.
  • Emulation libraries. Library of adversary emulation plans to allow organizations to evaluate their defensive capabilities against the real-world threats they face.

Statistics

ICS - Industrial Control Systems

Case studies