Tough Questions for Defenders:
- How effective are my defenses (we may not even know whether an adversary is already inside our network)?
- Do I have a chance at detecting APT29?
- Is the data I’m collecting useful?
- Do I have overlapping tool coverage (several tools detecting the same things while other behaviors go unwatched)?
- Will this new product help my organization’s defenses?
Process of applying ATT&CK to CTI (the modules of the training):
- Module 1: understand ATT&CK;
- Modules 2/3: map data (finished reports, then raw data) to ATT&CK;
- Module 4: store & analyze ATT&CK-mapped data;
- Module 5: make defensive recommendations from the mapped data.
1. What is ATT&CK and CTI
Cyber Threat Intelligence (CTI): actionable knowledge and insight (and the process of producing it) on adversaries and their malicious activities, enabling defenders and their organizations to reduce harm through better security decision-making.
ATT&CK: A knowledge base of adversary behavior:
- Based on real-world observations
- Free, open, and globally accessible
- A common language
- Community-driven
It can be thought of as an encyclopedia of adversary behavior. It focuses on behavior because behavior is the most valuable thing for defenders to prioritize (see the Pyramid of Pain below).
1.1 TTP
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
According to David Bianco’s Pyramid of Pain, from the adversary’s point of view the indicator types below are progressively easier to change when a defender starts detecting them (the pain inflicted on the adversary decreases from top to bottom):
- TTPs: Tough (this is the level ATT&CK lives at)
- Tools: Challenging
- Network/Host Artifacts: Annoying
- Domain Names: Simple
- IP Addresses: Easy
- Hash Values: Trivial
TTP:
- Tactics: the adversary’s technical goals; these are the columns of the ATT&CK matrix.
- Techniques: how the goals are achieved; one technique can belong to more than one tactic.
- Procedures (or behaviors): a specific implementation of a technique, e.g. how a particular group or piece of software carries it out.
The core of the ATT&CK framework is this set of TTPs presented in matrix form.
Technique metadata:
ID: T1193
Tactic: Initial Access
Platform: Windows, macOS, Linux
Data Sources: File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server
CAPEC ID: CAPEC-163
Version: 1.0
Created: 18 April 2018
Last Modified: 24 June 2019
Other sections of a technique page: procedure examples, mitigations, detection, references.
1.2 Group page
Groups are sets of related intrusion activity that are tracked by a common name in the security community.
Like a technique page, a group page has metadata, followed by Associated Group Descriptions, Techniques Used, Software, and References.
Different vendors and organizations use different names for groups whose activity is similar but does not fully overlap; check Associated Group Descriptions to see which aliases are associated with a group and why.
2. How to use ATT&CK for CTI
2.1 ATT&CK use cases
- Detection
- Threat Intelligence ( track techniques)
- Assessment and Engineering (defensive assessment)
- Adversary Emulation (red teaming)
2.2 Threat Intelligence – How ATT&CK Can Help
- Use knowledge of adversary behaviors to inform defenders
- Structuring threat intelligence with ATT&CK allows us to
- Compare behaviors
- Groups to each other
- Groups over time
- Groups to defenses
- Communicate in a common language (between CTI analyst and defender). To avoid vendor-specific group names and long free-text descriptions, just cite the technique ID.
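The three comparisons above (groups to each other, groups over time, groups to defenses) become simple set operations once intelligence is stored as technique IDs. The following is an added example, not code from the original page or from the ATT&CK project; the group-to-technique mappings and the defensive coverage set are constructed sample data, not real intelligence on any group (the technique IDs themselves are real ATT&CK IDs, T1193 being the page’s own example). The group names, report years and function names are assumptions made for the illustration.

```python
"""Store and compare ATT&CK-mapped CTI by technique ID (Modules 4 and 5).

Added example, not from the original page or the ATT&CK project.
GROUP_TECHNIQUES and DEFENSIVE_COVERAGE are CONSTRUCTED sample data:
the technique IDs are real ATT&CK IDs, but their attribution to
"GroupX"/"GroupY" is hypothetical and only serves the illustration.
"""
from collections import Counter

# Constructed sample: which technique IDs each report attributes to a group.
# Keys are "<group>/<report year>" so one group can be compared over time.
GROUP_TECHNIQUES = {
    "GroupX/2018": {"T1193", "T1204", "T1086", "T1003", "T1071"},
    "GroupX/2019": {"T1193", "T1204", "T1086", "T1003", "T1071", "T1047", "T1027"},
    "GroupY/2019": {"T1193", "T1204", "T1059", "T1105", "T1027", "T1053"},
}

# Constructed sample: technique IDs for which we already have a detection or
# data source (e.g. an email gateway for T1193, PowerShell logging for T1086).
DEFENSIVE_COVERAGE = {"T1193", "T1086", "T1071"}


def compare_groups(a, b, mapping=GROUP_TECHNIQUES):
    """Groups to each other: shared techniques, differences, Jaccard similarity."""
    ta, tb = mapping[a], mapping[b]
    shared = ta & tb
    union = ta | tb
    jaccard = len(shared) / len(union) if union else 0.0
    return {
        "shared": sorted(shared),
        "only_a": sorted(ta - tb),
        "only_b": sorted(tb - ta),
        "jaccard": round(jaccard, 2),
    }


def compare_over_time(old, new, mapping=GROUP_TECHNIQUES):
    """Groups over time: techniques added or dropped between two reports on one group."""
    return {
        "added": sorted(mapping[new] - mapping[old]),
        "dropped": sorted(mapping[old] - mapping[new]),
    }


def recommend(mapping=GROUP_TECHNIQUES, coverage=DEFENSIVE_COVERAGE):
    """Groups to defenses: rank uncovered techniques by how many reports use them.

    Returns (technique_id, report_count) pairs, biggest gap first; ties are
    broken by technique ID so the recommendation list is deterministic.
    """
    usage = Counter(t for techs in mapping.values() for t in techs)
    gaps = [(t, n) for t, n in usage.items() if t not in coverage]
    return sorted(gaps, key=lambda tn: (-tn[1], tn[0]))


if __name__ == "__main__":
    print(compare_groups("GroupX/2019", "GroupY/2019"))
    print(compare_over_time("GroupX/2018", "GroupX/2019"))
    for tid, n in recommend():
        print(f"{tid}: seen in {n} report(s), no coverage yet")
```

Because every comparison keys on the technique ID, the same code works regardless of which vendor’s group name a report used; the alias problem from the Group page section is resolved at mapping time, before the data is stored. With real data the uncovered techniques would be weighted further by the technique page’s Data Sources, so that the recommendation names which telemetry to add, not just which ID is missing.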