Mitre

Uploaded by

Sam Siu
MITRE ATT&CK

Syed Muneeb
Exploring MITRE ATT&CK for Cybersecurity Analysis

Instructions: Use the MITRE ATT&CK website (https://attack.mitre.org/) to find
information and answer the following questions. Provide detailed explanations for your
answers where necessary.

Part 1:

a) What does "MITRE ATT&CK" stand for, and what is its primary purpose
in the field of cyber security?

Answer: MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common
Knowledge. It is a globally accessible knowledge base of adversary tactics and techniques,
built from real-world observations of how threat actors operate. Each technique describes
one way an attacker may gain access to, move through, or act on a target environment, and
it is grouped under the tactic (the attacker's goal) that it serves. The knowledge base is
used as a foundation for building threat models and methodologies in the private sector,
in government, and in the security product community, and it gives defenders a common
vocabulary for threat detection and defense.

b) Explain how MITRE ATT&CK can be utilized in each phase of the information
security process studied in chapter 2.

Answer: MITRE ATT&CK can be utilized in each phase of the information security process
in the following way:

➢ Preparation: the knowledge base provides information such as the techniques used by
threat actors that target the organization's sector. This helps in forming a threat model
for the organization.

➢ Risk Assessment: the organization's potentially affected systems can be compared against
the techniques in the ATT&CK knowledge base, so the risk assessment reflects how attackers
actually operate rather than a generic list of threats.

➢ Security Controls: the security controls already in place can be mapped against the
ATT&CK mitigations listed for the relevant techniques, which shows which techniques are
covered and where gaps remain. This makes the control set more effective against real attacks.

➢ Monitoring: security analysts can map their logging and detection coverage to ATT&CK
techniques (each technique lists the data sources and detection guidance it needs), making
the monitoring process more complete and accurate.

➢ Incident Response: during this phase the analyst can map the observed attacker behaviour
to ATT&CK techniques, which helps identify the likely threat actor and what the attacker may
attempt next. This makes the incident response more accurate.

Part 2:

Instructions: Choose an APT (Advanced Persistent Threat) group from the "Groups"
section of MITRE ATT&CK. Provide the following information:

a) The name of the APT group.

Answer: APT1 (ATT&CK group ID G0006), also known as Comment Crew or Comment Panda,
the group described in Mandiant's report "APT1: Exposing One of China's Cyber Espionage
Units".

b) A brief overview of the group's activities and targets.

Answer: APT1 is a Chinese cyber espionage group that ATT&CK attributes to PLA Unit 61398.
Its targets were organizations in the USA and other English-speaking countries, with some
victims in European countries. The main targets of APT1 were the aerospace industry, the
defense sector and the telecommunications industry, including satellite and
telecommunications companies in Europe and Japan.

c) A list and a brief description of common techniques and software commonly
associated with this APT group.

Answer: The following techniques were used by this APT group:

➢ Account Discovery (T1087): the commands net localgroup, net user and net group were
used to find accounts on a system and in the domain.

➢ Acquire Infrastructure: Domains (T1583.001): the APT1 group registered hundreds of
domain names for use in its operations.

➢ Phishing: Spearphishing Attachment / Spearphishing Link (T1566.001 / T1566.002): emails
carrying a malicious attachment or link were sent to specific targets to gain an initial
foothold and steal login credentials.

➢ Obtain Capabilities (T1588): APT1 used publicly available malware and open-source tools
for privilege escalation and for bypassing security mechanisms on the target system.

➢ Email Collection (T1114): the utilities GETMAIL and MAPIGET were used to steal email
messages (not just addresses). GETMAIL extracts messages from archived Outlook .pst files
and MAPIGET pulls mail that is still on the Exchange server.

The following software was used by the APT group:

➢ BISCUIT: a backdoor that gives the operator a command shell (Command and Scripting
Interpreter: Windows Command Shell).

➢ Cachedump: a credential dumper that extracts cached password hashes from the registry
(OS Credential Dumping: Cached Domain Credentials).

➢ CALENDAR: malware whose command and control traffic mimics legitimate Gmail Calendar
traffic and that executes commands through the Windows command shell.

➢ Mimikatz: a credential access tool (OS Credential Dumping, including LSASS memory and
DCSync) that is also mapped to Access Token Manipulation and Account Manipulation.

➢ PoisonIvy: a remote access trojan that installs itself as a service (Create or Modify
System Process: Windows Service).

d) How this information can be used by the SOC team

Answer: The SOC team can use the above information in the following way:

➢ Threat detection: the SOC team can study the techniques and software used by the
APT group and write detection rules specific to that behaviour, for example alerts on
net user and net localgroup enumeration or on the GETMAIL and MAPIGET utilities. This
helps detect the group's activity early.

➢ Phishing email detection: since the group relies on spearphishing, the organization's
employees can be trained to recognize and report phishing emails, and the SOC can tune
mail filtering for malicious attachments and links.

➢ Behaviour analysis: the SOC team can study network traffic patterns to identify
suspicious behaviour that matches the group's known command and control traffic, such as
CALENDAR traffic that imitates a legitimate web service.

➢ Threat Hunting: the SOC team can proactively search hosts and the network for the
group's indicators of compromise (IOCs) and, more durably, for its behaviours (the ATT&CK
techniques above), since IOCs change far more often than techniques do.

➢ Vulnerability Management: the SOC team can identify which vulnerabilities and
weaknesses the group is known to exploit and prioritize patching and hardening to close
them.

Part 3:
Instructions: Using the MITRE ATT&CK framework, for each of the scenarios given below,
• Identify the technique ID and the tactic ID each scenario belongs to
• Explain two mitigation strategies and two detection strategies.

a) Spear phishing attachment


Technique ID: T1566.001 (Phishing: Spearphishing Attachment)
Tactic ID: TA0001 (Initial Access)
Mitigation Strategy:
➢ Antivirus/antimalware (M1049) on the mail gateway and on endpoints can quarantine
known malicious attachments before the user opens them.
➢ Network intrusion prevention (M1031) and mail filtering can scan incoming email and
strip attachments of dangerous types (executables, scripts, macro-enabled documents);
user training (M1017) teaches staff to report suspicious messages.
Detection Strategy:
➢ Monitor newly created files written by mail clients and the processes they spawn; an
Office application launching cmd.exe or PowerShell is a strong signal.
➢ Scan attachments sent through email for malicious content and for mismatches between
the file name and the actual file type.
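The second detection strategy above can be implemented as an attachment triage step. The following Python script is an added example, not part of the original assignment: it builds a constructed phishing e-mail with one benign and four suspicious attachments, parses it with the standard library, and holds any attachment whose extension, double extension, magic bytes or archive contents indicate executable or macro content. The sender, file names, byte contents and extension lists are assumptions made for the example.

```python
import io
import zipfile
from dataclasses import dataclass
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy

# Extension lists are assumptions for this example; tune them to the organization.
DANGEROUS_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".js", ".jse",
                 ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".jar", ".iso", ".img",
                 ".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office (.doc/.xls) container


@dataclass
class Finding:
    filename: str
    reason: str
    technique_id: str = "T1566.001"   # Phishing: Spearphishing Attachment


def _exts(filename):
    """All extensions of a name, e.g. 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def _zip_entries(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_attachment(filename, data):
    """Return the reasons an attachment should be held for review (empty if none)."""
    findings = []
    exts = _exts(filename)
    last = exts[-1] if exts else ""
    if last in DANGEROUS_EXT:
        findings.append(Finding(filename, f"executable or macro-enabled extension {last}"))
    if len(exts) > 1 and any(e in DOCUMENT_EXT for e in exts[:-1]):
        findings.append(Finding(filename, "double extension disguising the real file type"))
    if data.startswith(b"MZ") and last not in DANGEROUS_EXT:
        findings.append(Finding(filename, f"content is a PE executable but name ends in {last or 'no extension'}"))
    if data.startswith(OLE_MAGIC):
        findings.append(Finding(filename, "legacy OLE Office document; may carry VBA macros, inspect before release"))
    if data.startswith(b"PK\x03\x04"):                       # zip, including OOXML documents
        names = _zip_entries(data)
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append(Finding(filename, "Office OOXML package contains a VBA macro project"))
        nested = [n for n in names if "." + n.lower().rsplit(".", 1)[-1] in DANGEROUS_EXT]
        if nested:
            findings.append(Finding(filename, "archive contains executable content: " + ", ".join(nested)))
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Constructed phishing e-mail: one benign attachment and four suspicious ones."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached documents.")
    attachments = {
        "report.pdf": b"%PDF-1.7\n% benign placeholder\n",
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "quote.doc": OLE_MAGIC + b"\x00" * 56,
        "offer.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": OLE_MAGIC}),
        "archive.zip": _zip_bytes({"readme.txt": b"run setup", "setup.exe": b"MZ\x90\x00"}),
    }
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def triage(raw_message):
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = message_from_bytes(raw_message, policy=default_policy)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(inspect_attachment(name, part.get_content()))
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_message()):
        print(f"{f.technique_id} {f.filename}: {f.reason}")
```

The checks deliberately do not trust the declared Content-Type or the file name on its own: a PE file renamed to .pdf is caught by its MZ header, and an executable hidden inside a zip is caught by listing the archive. Legacy OLE documents are only flagged for review, since the script cannot tell from the header whether a macro is present; a dedicated tool such as olevba is needed for that.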

b) Exploit Public-Facing Application


Technique ID: T1190 (Exploit Public-Facing Application)
Tactic ID: TA0001 (Initial Access)
Mitigation Strategy:
➢ Isolate the application (application isolation and sandboxing, M1048) and segment the
network so that a successful exploit cannot reach internal systems; keep the application
and its dependencies patched (update software, M1051) and scan it regularly for
vulnerabilities.
➢ Firewalls and a web application firewall can block malicious traffic before it reaches
the application, and the application should run with least privilege so that an exploit
does not yield administrative access to the host.
Detection Strategy:
➢ A web application firewall can detect common exploitation attempts such as injection
payloads, path traversal and deserialization gadgets.
➢ Real-time monitoring of application and web server logs for errors, unusual request
patterns and unexpected child processes spawned by the web server process can reveal
exploit attempts.

c) Account Manipulation
Technique ID: T1098 (Account Manipulation)
Tactic ID: TA0003 (Persistence); the technique is also mapped to Privilege Escalation (TA0004)
Mitigation Strategy:
➢ Multi-factor authentication (M1032) prevents an attacker who holds only a password from
logging in and altering the account.
➢ Privileged account management (M1026): limit which accounts and applications can modify
user accounts and group memberships, and review membership of privileged groups regularly.
Detection Strategy:
➢ Monitor for accounts being linked to new devices and for new authentication methods or
credentials being added to an account.
➢ Monitor account modification events (on Windows, Security event ID 4738 for account
changes and 4728/4732/4756 for members added to privileged groups) and Active Directory
object changes.

d) Input Capture
Technique ID: T1056 (Input Capture)
Tactic ID: TA0006 (Credential Access); the technique is also mapped to Collection (TA0009)
Mitigation Strategy:
➢ Input capture is hard to prevent with technical controls alone, so restrict what can
run: do not install applications from unknown sources, and use application control so
that unapproved binaries and drivers cannot load.
➢ User training (M1017) against fake login prompts (GUI input capture), together with
multi-factor authentication so that a captured password alone is not enough. A firewall
does not prevent input capture, because the keylogger runs on the host itself and does
not need to cross the network to capture keystrokes.
Detection Strategy:
➢ Monitor the permissions granted to newly installed applications and any new keyboard
or input drivers.
➢ Monitor for processes calling keyboard-hooking APIs such as SetWindowsHookEx or
polling with GetAsyncKeyState, rather than relying on Task Manager alone.

e) Masquerading
Technique ID: T1036 (Masquerading; T0849 is the ICS matrix's version of the same technique)
Tactic ID: TA0005 (Defense Evasion)
Mitigation Strategy:
➢ Execution prevention (M1038) and code signing (M1045): allow only signed, approved
binaries to run, so a renamed or look-alike file cannot execute.
➢ Restrict file and directory permissions (M1022), including controlled folder access, so
that an unprivileged process cannot write into the system directories where a masquerading
file would be placed.
Detection Strategy:
➢ Collect file hashes and metadata and compare them with the known-good values for that
file name; a svchost.exe outside System32, or a PE whose OriginalFileName does not match
its name on disk, is suspicious.
➢ Monitor process creation events (not just Task Manager) for system binary names running
from unusual paths or with unexpected parent processes.
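The detection strategies for account manipulation and masquerading above, and the APT1 account discovery commands listed in Part 2 c), can be turned into concrete rules. The following Python example is added here and is not part of the original assignment: it runs three such rules over constructed events and labels every hit with its ATT&CK technique and tactic ID, which is what the SOC use in Part 2 d) describes. The event records, field names and group lists are assumptions modelled on Sysmon Event ID 1 (process creation) and Windows Security Event ID 4732 (member added to a local group), not real telemetry.

```python
import re
from dataclasses import dataclass

# Enterprise ATT&CK tactic IDs referenced by the rules.
TACTIC = {"discovery": "TA0007", "persistence": "TA0003", "defense_evasion": "TA0005"}

SYSTEM32 = r"c:\windows\system32"
# Binaries that only legitimately run from System32; the same name elsewhere is
# Masquerading: Match Legitimate Name or Location (T1036.005).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "remote desktop users"}

# Optional quoted path, then net/net1, then the verb. Discovery must not contain /add.
NET_PREFIX = r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?net1?(?:\.exe)?"?\s+'
NET_DISCOVERY = re.compile(NET_PREFIX + r"(?:users?|localgroup|group)\b(?!.*\s/add\b)", re.IGNORECASE)
NET_GROUP_ADD = re.compile(NET_PREFIX + r"(?:localgroup|group)\s+\S+\s+\S+\s+/add\b", re.IGNORECASE)


@dataclass
class Detection:
    technique_id: str
    tactic_id: str
    rule: str
    host: str
    evidence: str


def _split_image(image):
    directory, _, name = image.rpartition("\\")
    return directory.lower(), name.lower()


def check_process_create(ev):
    """Rules over a Sysmon Event ID 1 record (constructed field names)."""
    directory, name = _split_image(ev["image"])
    cmd = ev.get("command_line", "")
    original = ev.get("original_file_name", "").lower()
    found = []
    if name in ("net.exe", "net1.exe"):
        if NET_DISCOVERY.search(cmd):                         # APT1-style enumeration
            found.append(Detection("T1087.001", TACTIC["discovery"],
                                   "net.exe account/group enumeration", ev["host"], cmd))
        elif NET_GROUP_ADD.search(cmd):                       # member added via net
            found.append(Detection("T1098", TACTIC["persistence"],
                                   "net.exe group membership change", ev["host"], cmd))
    if name in SYSTEM_BINARIES and directory != SYSTEM32:
        found.append(Detection("T1036.005", TACTIC["defense_evasion"],
                               "system binary name outside System32", ev["host"], ev["image"]))
    if original and original != name:                         # renamed tool (PE version info)
        found.append(Detection("T1036.003", TACTIC["defense_evasion"],
                               "OriginalFileName differs from image name", ev["host"],
                               f"{ev['image']} (original {ev['original_file_name']})"))
    return found


def check_security(ev):
    """Rule over Windows Security group-membership events 4728/4732/4756."""
    if ev["event_id"] in (4728, 4732, 4756) and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
        return [Detection("T1098", TACTIC["persistence"],
                          f"member added to {ev['group']} (EID {ev['event_id']})",
                          ev["host"], ev["member"])]
    return []


def run_rules(events):
    detections = []
    for ev in events:
        if ev["source"] == "sysmon" and ev["event_id"] == 1:
            detections.extend(check_process_create(ev))
        elif ev["source"] == "security":
            detections.extend(check_security(ev))
    return detections


def summarize(detections):
    counts = {}
    for d in detections:
        counts[d.technique_id] = counts.get(d.technique_id, 0) + 1
    return counts


# Constructed sample events (not real telemetry). The last two are benign.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": "net localgroup administrators"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\net1.exe", "original_file_name": "net1.exe",
     "command_line": "net1 user"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": "net localgroup administrators backup /add"},
    {"source": "security", "event_id": 4732, "host": "WS01", "user": r"CORP\jdoe",
     "group": "Administrators", "member": r"WS01\backup"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Users\Public\svchost.exe", "original_file_name": "",
     "command_line": "svchost.exe -k netsvcs"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\ProgramData\updater.exe", "original_file_name": "psexesvc.exe",
     "command_line": "updater.exe"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"source": "sysmon", "event_id": 1, "host": "WS01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": r"net use Z: \\fs01\share"},
]

if __name__ == "__main__":
    for d in run_rules(SAMPLE_EVENTS):
        print(f"{d.technique_id} ({d.tactic_id}) {d.rule}: {d.evidence}")
    print(summarize(run_rules(SAMPLE_EVENTS)))
```

Two of the rules are deliberately behavioural rather than hash based: the masquerading checks compare the name on disk with its location and with the PE's OriginalFileName, so a repacked binary with a new hash is still caught. In production the OriginalFileName rule needs an allowlist, because some legitimate installers ship binaries whose version information does not match their file name.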

Part 4
Instructions: Using the MITRE ATT&CK Navigator at https://mitre-attack.github.io/attack-
navigator/v2/enterprise/, compare the techniques used by APT28 to those used by APT29.
Answer the following questions and provide a screenshot for each step. The following
tutorial can help you with this task (link).

a) Create an APT28 layer and assign the first two numbers of your student ID
as a score to techniques used by APT28 in one layer

Solution:

➢ Navigate to the URL https://mitre-attack.github.io/attack-navigator/

Figure 1

➢ Select “Create New Layer” and then select “Enterprise” option.

Figure 2

➢ After selection
Figure 3

➢ Under "Selection Controls" select the search option, then under "Threat Groups" select
"APT28".

Figure 4

➢ After selection.
Figure 5

➢ Under "Technique Controls" select the score option, then enter a score (the first two
numbers of the student ID in our case).

Figure 6

b) Create a second layer and assign the last two numbers of your student ID
as a score to techniques used by APT29
Solution:

➢ Create a new layer and select "APT29" under "Threat Groups".


Figure 7

➢ After selection.

Figure 8

➢ Assign a score (last two numbers of student ID in our case).

Figure 9
c) Combine the two using "Create Layer from other layers" using the expression "a +
b"
➢ Open a new tab in the ATT&CK Navigator and click "Create Layer from other layers".

Figure 10

➢ In the “domain” option select the “Enterprise ATT&CK v13”.

Figure 11

➢ In “score expression” type “a+b”.


Figure 12

➢ Scroll to the bottom of the page and click “Create” to see the final result.

Figure 13

d) Export the layer in the image format and add it to your report.
Solution:
➢ Under "Layer Controls" select the download option.
➢ Downloaded file
Figure 14

➢ The option to download the layer in image format was not provided, so it was downloaded
in HTML format.

e) Provide the list of the techniques that overlap between the two groups
Following is the list of techniques that overlap (Enterprise ATT&CK technique IDs added):
➢ Exploit Public-Facing Application (T1190)
➢ Trusted Relationship (T1199)
➢ Valid Accounts (T1078)
➢ Exploitation for Client Execution (T1203)
➢ External Remote Services (T1133)
➢ Exploitation for Privilege Escalation (T1068)
➢ Deobfuscate/Decode Files or Information (T1140)
➢ File and Directory Discovery (T1083)
➢ Data from Local System (T1005)
➢ Data from Information Repositories (T1213)
➢ Ingress Tool Transfer (T1105)

f) Explain how this information can be useful to the SOC team.


Answer: This information helps the SOC team write detection rules that target exactly these
techniques. Because the overlapping techniques are used by both APT28 and APT29, a single
set of rules covers the threats the organization faces from both groups, and the
techniques used by only one group can be prioritized according to which group is more
likely to target the organization. Threat hunting becomes more focused, and anomalies in the
organization's network that match these techniques will be detected more easily.
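The Navigator steps in Part 4 can be reproduced without the web interface. The following Python example is added here and is not part of the original assignment: it builds two Navigator layer files with scores taken from a hypothetical student ID (first two digits 12, last two digits 34), combines them with the same score expression a + b that the Navigator uses, and reads the overlap back from the combined scores. The technique lists are the overlap list from Part 4 e) plus one extra ID per group assigned only to show non-overlapping cells; they are illustrative, not the full ATT&CK mappings for APT28 and APT29.

```python
import json

# Scores from a hypothetical student ID (assumption for the example).
SCORE_A = 12
SCORE_B = 34

# Illustrative technique lists. The shared IDs are the overlap list from Part 4 e);
# the final entry of each list is assigned to one group purely for illustration.
APT28_TECHNIQUES = ["T1190", "T1199", "T1078", "T1203", "T1133", "T1068",
                    "T1140", "T1083", "T1005", "T1213", "T1105", "T1566.001"]
APT29_TECHNIQUES = ["T1190", "T1199", "T1078", "T1203", "T1133", "T1068",
                    "T1140", "T1083", "T1005", "T1213", "T1105", "T1566.002"]


def make_layer(name, technique_ids, score, comment=""):
    """Build a Navigator layer (layer format 4.4) scoring each technique with `score`."""
    return {
        "name": name,
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": comment,
        "techniques": [{"techniqueID": t, "score": score, "enabled": True}
                       for t in sorted(set(technique_ids))],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": score},
    }


def _scores(layer):
    return {t["techniqueID"]: t.get("score", 0) for t in layer["techniques"]}


def combine_layers(layer_a, layer_b, name):
    """Equivalent of 'Create Layer from other layers' with score expression a + b.
    A technique missing from one layer contributes 0, so each cell ends up as
    SCORE_A (only in a), SCORE_B (only in b) or SCORE_A + SCORE_B (in both)."""
    a, b = _scores(layer_a), _scores(layer_b)
    combined = make_layer(name, set(a) | set(b), 0, f"{layer_a['name']} + {layer_b['name']}")
    for t in combined["techniques"]:
        t["score"] = a.get(t["techniqueID"], 0) + b.get(t["techniqueID"], 0)
    combined["gradient"]["maxValue"] = max((t["score"] for t in combined["techniques"]), default=0)
    return combined


def overlapping_techniques(layer_a, layer_b):
    """Overlap computed directly from the two source layers."""
    return sorted(set(_scores(layer_a)) & set(_scores(layer_b)))


def overlap_from_combined(combined, score_a, score_b):
    """Overlap read back from the combined layer: the cells scored a + b."""
    return sorted(t for t, s in _scores(combined).items() if s == score_a + score_b)


def layer_json(layer):
    """Serialize a layer for the Navigator's 'Open Existing Layer' option."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    apt28 = make_layer("APT28", APT28_TECHNIQUES, SCORE_A)
    apt29 = make_layer("APT29", APT29_TECHNIQUES, SCORE_B)
    both = combine_layers(apt28, apt29, "APT28 + APT29")
    for fname, layer in (("apt28.json", apt28), ("apt29.json", apt29), ("combined.json", both)):
        with open(fname, "w") as fh:
            fh.write(layer_json(layer))
    print("overlap:", overlap_from_combined(both, SCORE_A, SCORE_B))
```

The combined layer identifies the overlap only because both scores are non-zero: a cell scored 12 belongs to APT28 alone, 34 to APT29 alone and 46 to both. If one score were 0 the "only in a" and "in both" cells would be indistinguishable, which is why the assignment asks for two different non-zero scores. The generated JSON files can be opened in the Navigator to produce the screenshots requested in a) to d).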
