ThreatNG Security

MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base and framework, maintained by MITRE and built from publicly reported real-world intrusions, that catalogs the tactics, techniques, and procedures (TTPs) adversaries use to plan and execute attacks. It serves both defenders and offensive teams:  

  • For defenders, it helps them understand the tactics and techniques that adversaries might employ, enabling them to develop proactive defenses, implement detection mechanisms, and respond effectively to incidents.  

  • For offensive teams (penetration testers and red teams), it provides a structured framework for emulating documented adversary behavior during penetration tests and adversary-emulation exercises, so that gaps in an organization's defenses are found against realistic TTPs rather than ad hoc ones.  

Core components of MITRE ATT&CK:

  • Tactics: The high-level objectives an adversary pursues at each stage of an intrusion (e.g., Initial Access TA0001, Execution TA0002, Persistence TA0003). A tactic answers why the adversary performs an action.  

  • Techniques: The methods adversaries use to achieve a tactical objective; many are further divided into sub-techniques (e.g., Spearphishing Attachment T1566.001 under Phishing, PowerShell T1059.001 under Command and Scripting Interpreter, Scheduled Task T1053.005 under Scheduled Task/Job). A technique can belong to more than one tactic: Valid Accounts (T1078) appears under Initial Access, Persistence, Privilege Escalation, and Defense Evasion.  

  • Procedures: The specific implementation of a technique by a particular adversary group or tool, as documented in ATT&CK's group and software entries; these are the concrete, observed instances a detection engineer works from.

Benefits of using MITRE ATT&CK:

  • Common language: Provides a standardized vocabulary for describing adversary behavior, facilitating communication and collaboration among security professionals.  

  • Threat-informed defense: Helps organizations prioritize their security efforts by focusing on the most relevant threats and vulnerabilities.  

  • Proactive defense: Enables organizations to anticipate and proactively defend against potential attacks by understanding adversary tactics and techniques.  

  • Improved incident response: Places observed activity in the context of the adversary's likely objectives and next steps, so responders can scope and contain an intrusion faster.  

Alignment with MITRE ATT&CK

ThreatNG's discovery and assessment capabilities can be mapped to tactics and techniques within the MITRE ATT&CK framework. Here is a breakdown of how they align, organized by tactic:

Reconnaissance:

  • Domain Intelligence modules like DNS, Subdomain, Certificate, and IP Intelligence gather the same infrastructure information an adversary collects under Gather Victim Network Information (T1590) and Search Open Technical Databases (T1596): DNS records, IP ranges, and TLS certificates that point to hosts and potential attack vectors.

  • Social Media monitoring can reveal sensitive information that employees, partners, or the organization itself share publicly (Search Open Websites/Domains: Social Media, T1593.001).

  • Search Engine Exploitation helps uncover exposed sensitive data or misconfigurations that adversaries could find the same way (Search Open Websites/Domains: Search Engines, T1593.002).

  • Cloud and SaaS Exposure assessment identifies potential entry points via misconfigured cloud resources or third-party services.

  • Online Sharing Exposure can surface sensitive information inadvertently shared on code-sharing platforms (Search Open Websites/Domains: Code Repositories, T1593.003).

  • Archived Web Pages analysis can reveal outdated or vulnerable components that were once part of the organization's web presence and may still be deployed.

  • Technology Stack identification gives insight into the technologies in use, which an adversary would collect under Gather Victim Host Information: Software (T1592.002) to look up known vulnerabilities.

Initial Access:

  • BEC & Phishing Susceptibility assessment directly evaluates the organization's exposure to Phishing (T1566) and related social engineering.

  • Subdomain Takeover Susceptibility identifies dangling DNS records that would let an adversary take control of a subdomain. ATT&CK files the takeover itself under Compromise Infrastructure: Domains (T1584.001); the taken-over host is then typically used to serve phishing content under a trusted name.

  • Exposed API Discovery and Exposed Development Environment Discovery reveal internet-facing services an adversary could attack directly (Exploit Public-Facing Application, T1190) or simply log into (External Remote Services, T1133).

  • Sensitive Code Exposure might provide credentials or access keys that could be used for unauthorized access (Valid Accounts, T1078).

  • Cloud and SaaS Exposure, particularly misconfigured services or impersonated tenants, can lead to unauthorized access.

  • Dark Web Presence, specifically compromised credentials, could provide direct access to the organization's systems (Valid Accounts, T1078); such a finding should trigger a password reset and a review of recent logins for the affected accounts, not just a ticket.

Execution:

Persistence:

  • Search Engine Exploitation that surfaces administrative or writable directories, or servers running vulnerable software, points to hosts where an adversary could establish persistence (for example, a web shell, T1505.003).

  • Cloud and SaaS Exposure, especially unsanctioned or impersonated services, might offer avenues for maintaining access outside the organization's monitored environment.

Privilege Escalation:

  • Sensitive Code Exposure, particularly exposed secrets, might allow privilege escalation when the leaked credential belongs to a more privileged account than the one the adversary already holds (Valid Accounts, T1078).

  • Search Engine Exploitation could lead to discovering publicly indexed passwords or sensitive files that enable privilege escalation.

Defense Evasion:

Credential Access:

Discovery:

Lateral Movement:

Collection:

Exfiltration:

Impact:
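The mapping above names modules and tactics but stops short of the artifact a SOC actually consumes: a set of technique IDs it can overlay on the ATT&CK matrix. The Python below is an added example by the editor, not ThreatNG's code. It loads a constructed excerpt shaped like the ATT&CK STIX bundle published in mitre/cti (real tactic and technique IDs, trimmed to the fields used), indexes live techniques by tactic while skipping revoked entries, maps finding kinds named after this page's modules onto technique IDs (that mapping is the editor's assumption, not a vendor mapping), and emits an ATT&CK Navigator layer. The Navigator and ATT&CK version strings in the layer are assumed.

```python
import json
from collections import defaultdict


def _tactic(tid, name, shortname):
    # Shape of an x-mitre-tactic object in the ATT&CK STIX bundle (fields trimmed).
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}


def _technique(tid, name, phases, **extra):
    # Shape of an attack-pattern object; kill_chain_phases carry the tactic shortnames.
    obj = {"type": "attack-pattern", "name": name,
           "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
           "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases]}
    obj.update(extra)
    return obj


# Constructed excerpt in the shape of mitre/cti enterprise-attack.json. IDs and names
# are real ATT&CK entries; the selection is the editor's, not the full bundle.
ATTACK_BUNDLE = {"type": "bundle", "objects": [
    _tactic("TA0043", "Reconnaissance", "reconnaissance"),
    _tactic("TA0001", "Initial Access", "initial-access"),
    _tactic("TA0003", "Persistence", "persistence"),
    _tactic("TA0004", "Privilege Escalation", "privilege-escalation"),
    _tactic("TA0005", "Defense Evasion", "defense-evasion"),
    _tactic("TA0006", "Credential Access", "credential-access"),
    _technique("T1590", "Gather Victim Network Information", ["reconnaissance"]),
    _technique("T1593", "Search Open Websites/Domains", ["reconnaissance"]),
    _technique("T1190", "Exploit Public-Facing Application", ["initial-access"]),
    _technique("T1566", "Phishing", ["initial-access"]),
    _technique("T1078", "Valid Accounts",
               ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    _technique("T1552", "Unsecured Credentials", ["credential-access"]),
    # Revoked entries stay in the real bundle (T1081 was folded into T1552.001); a loader
    # that ignores the flag silently maps findings onto dead IDs.
    _technique("T1081", "Credentials in Files", ["credential-access"], revoked=True),
]}


def attack_id(obj):
    """Return the ATT&CK external ID (T####/TA####) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_attack(bundle):
    """Index live techniques as ID -> {name, tactics} and tactics as shortname -> (ID, name)."""
    tactics, techniques = {}, {}
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # never map findings onto revoked or deprecated entries
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = (attack_id(obj), obj["name"])
        elif obj["type"] == "attack-pattern":
            phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                      if p["kill_chain_name"] == "mitre-attack"]
            techniques[attack_id(obj)] = {"name": obj["name"], "tactics": phases}
    return tactics, techniques


# Hypothetical mapping of finding kinds (named after this page's modules) to technique
# IDs. This is the editor's assumption, not a vendor-supplied mapping.
FINDING_TO_TECHNIQUE = {
    "subdomain_intelligence": "T1590",
    "search_engine_exploitation": "T1593",
    "exposed_dev_environment": "T1190",
    "phishing_susceptibility": "T1566",
    "dark_web_compromised_credentials": "T1078",
    "sensitive_code_exposure": "T1552",
}


def techniques_in_tactic(techniques, shortname):
    """All live technique IDs that list the given tactic shortname."""
    return sorted(tid for tid, t in techniques.items() if shortname in t["tactics"])


def build_layer(findings, techniques, name="External attack surface"):
    """Aggregate findings into an ATT&CK Navigator layer, one entry per technique."""
    hits = defaultdict(list)
    for f in findings:
        tid = FINDING_TO_TECHNIQUE.get(f["kind"])
        if tid is None:
            raise ValueError(f"no ATT&CK mapping for finding kind {f['kind']!r}")
        if tid not in techniques:
            raise ValueError(f"{tid} is not a live technique in the loaded bundle")
        hits[tid].append(f["detail"])
    entries = [{"techniqueID": tid, "score": len(details), "comment": "; ".join(details)}
               for tid, details in sorted(hits.items())]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max((e["score"] for e in entries), default=1)},
    }


# Constructed findings in the spirit of the breach walkthrough later on this page.
FINDINGS = [
    {"kind": "dark_web_compromised_credentials", "detail": "credentials for 2 example.com accounts listed"},
    {"kind": "dark_web_compromised_credentials", "detail": "VPN credential pair in a combo list"},
    {"kind": "subdomain_intelligence", "detail": "staging.example.com resolves to an unsanctioned cloud host"},
    {"kind": "exposed_dev_environment", "detail": "CI login page reachable on staging.example.com"},
]

if __name__ == "__main__":
    tactics, techniques = load_attack(ATTACK_BUNDLE)
    print(json.dumps(build_layer(FINDINGS, techniques), indent=2))
```

Running the script prints a layer JSON that can be opened in ATT&CK Navigator; the score on each technique is the number of findings behind it, so repeated credential leaks weigh T1078 more heavily than a single exposed host. Against the real bundle the same loader works unchanged, but the revoked and deprecated checks matter: technique IDs are retired across ATT&CK versions, and a layer that references a dead ID simply shows nothing for that finding.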

Complementary Solutions and Collaboration

ThreatNG's capabilities can be further enhanced when integrated with other security solutions:

  • Vulnerability Scanners: Integrate with vulnerability scanners to prioritize remediation efforts based on the severity and exploitability of identified vulnerabilities.

  • Security Information and Event Management (SIEM) Systems: Feed ThreatNG's intelligence into SIEM systems to correlate external threats with internal security events, providing a more comprehensive view of the organization's security posture.

  • Threat Intelligence Platforms: Share and enrich ThreatNG's intelligence with external threat intelligence platforms to gain broader insights into the threat landscape and emerging attack vectors.

  • Incident Response Platforms: Leverage ThreatNG's findings to proactively identify and respond to potential security incidents, minimizing their impact.

Example: Investigating a Potential Breach

ThreatNG's continuous monitoring detects a spike in mentions of the organization on the dark web, including a set of compromised credentials. The Domain Intelligence module reveals a recently registered subdomain pointing to an unsanctioned cloud service that the Cloud and SaaS Exposure assessment had flagged.

Further investigation using Search Engine Exploitation uncovers sensitive information exposed on that cloud service. Archived Web Pages analysis reveals an outdated version of a web application running on the unsanctioned service, potentially vulnerable to exploitation.

This comprehensive intelligence enables the security team to quickly:

  • Contain the breach: Reset or disable the compromised accounts, revoke their active sessions, and block access to the unsanctioned cloud service.

  • Investigate the incident: Analyze the exposed sensitive information, check authentication logs for use of the compromised credentials, and examine the potentially vulnerable web application to establish the extent of the breach.

  • Remediate the vulnerabilities: Update or remove the outdated web application, and enforce stricter access controls and an approval process for cloud services.
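Feeding external findings into a SIEM, as the Complementary Solutions section describes, only pays off if a correlation rule actually joins the intel to internal events. The Python below is an added example by the editor, not ThreatNG's or any SIEM vendor's code. It takes a constructed external-intel record (leaked usernames with the time the leak was seen, plus the unsanctioned cloud host from the walkthrough above) and constructed key=value authentication and proxy log lines, and raises an alert when a leaked account authenticates from a source address it never used before the leak, or when any host connects to the unsanctioned service. The log format, field names and rule names are assumptions; addresses and hostnames use documentation ranges.

```python
from datetime import datetime


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-02T08:12:40Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line):
    """Parse one key=value log line (assumed format) into a dict with a datetime 'ts'."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = parse_ts(fields["ts"])
    return fields


def correlate(log_lines, intel):
    """Join external intel with internal logs and return a list of alert dicts.

    Rule 1: a leaked account logs in successfully after the leak was seen, from a
            source address it never used before the leak (ATT&CK T1078, Valid Accounts).
    Rule 2: any proxy connection to a host flagged as an unsanctioned cloud service.
    """
    events = sorted((parse_line(line) for line in log_lines), key=lambda e: e["ts"])
    leaked_at = {c["user"]: parse_ts(c["seen"]) for c in intel["compromised_credentials"]}
    unsanctioned = set(intel["unsanctioned_hosts"])

    # Baseline per leaked user: sources seen in successful logins before the leak.
    baseline = {user: set() for user in leaked_at}
    for e in events:
        user = e.get("user")
        if e["event"] == "auth.success" and user in leaked_at and e["ts"] < leaked_at[user]:
            baseline[user].add(e["src"])

    alerts = []
    for i, e in enumerate(events):
        user = e.get("user")
        if (e["event"] == "auth.success" and user in leaked_at
                and e["ts"] >= leaked_at[user] and e["src"] not in baseline[user]):
            # Failed attempts from the same source in the preceding 10 minutes are
            # context for the analyst: credential stuffing usually misfires before it lands.
            prior_failures = sum(
                1 for p in events[:i]
                if p["event"] == "auth.failure" and p.get("user") == user
                and p["src"] == e["src"] and (e["ts"] - p["ts"]).total_seconds() <= 600)
            alerts.append({"rule": "leaked-credential-login-from-new-source", "attack": "T1078",
                           "user": user, "src": e["src"], "app": e.get("app"),
                           "ts": e["ts"].isoformat(), "prior_failures": prior_failures})
        if e["event"] == "proxy.connect" and e.get("dest") in unsanctioned:
            alerts.append({"rule": "connection-to-unsanctioned-cloud-service", "attack": None,
                           "user": user, "src": e["src"], "dest": e["dest"],
                           "ts": e["ts"].isoformat()})
    return alerts


# Constructed external-intel record: the dark web credential finding and the
# unsanctioned cloud host from the walkthrough above.
INTEL = {
    "compromised_credentials": [{"user": "jdoe", "seen": "2024-05-01T22:00:00Z"}],
    "unsanctioned_hosts": ["files-sync.example-cloud.test"],
}

# Constructed log lines in the assumed key=value format (VPN, mail and proxy events).
LOG_LINES = [
    "ts=2024-05-01T07:58:02Z event=auth.success user=jdoe src=198.51.100.7 app=vpn",
    "ts=2024-05-02T08:12:11Z event=auth.failure user=jdoe src=203.0.113.45 app=vpn",
    "ts=2024-05-02T08:12:40Z event=auth.success user=jdoe src=203.0.113.45 app=vpn",
    "ts=2024-05-02T08:15:03Z event=auth.success user=asmith src=198.51.100.9 app=mail",
    "ts=2024-05-02T08:20:19Z event=proxy.connect user=jdoe src=10.0.4.21 dest=files-sync.example-cloud.test",
    "ts=2024-05-02T09:01:00Z event=auth.success user=jdoe src=198.51.100.7 app=vpn",
]

if __name__ == "__main__":
    for alert in correlate(LOG_LINES, INTEL):
        print(alert)
```

On the sample data the rule fires twice: once for jdoe's VPN login from 203.0.113.45 (preceded by one failure from the same address), and once for the proxy connection to the unsanctioned host. The later login from 198.51.100.7 is suppressed because that address appears in jdoe's pre-leak baseline. That suppression is the caveat a practitioner should weigh: a baseline built only from the logs you retain can miss an attacker reusing a familiar egress point, so the alert is a prioritization aid, and the account reset in the containment step above should happen regardless of whether the rule fires.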

ThreatNG's extensive capabilities align seamlessly with the MITRE ATT&CK framework, enabling organizations to proactively identify and mitigate external threats across various attack stages. By working in conjunction with other security solutions, ThreatNG contributes to a comprehensive and robust cybersecurity strategy.