Module 1: Introducing training and understanding ATT&CK


Tough Questions for Defenders:

  • How effective are my defenses (when I may not even know whether an adversary is already in our network)?
  • Do I have a chance at detecting APT29?
  • Is the data I’m collecting useful?
  • Do I have overlapping tool coverage (several tools covering the same ground)?
  • Will this new product help my organization’s defenses?

The process of applying ATT&CK to CTI, by module:

  1. Module 1: understand ATT&CK;
  2. Modules 2/3: map data to ATT&CK;
  3. Module 4: store and analyze ATT&CK-mapped data;
  4. Module 5: make defensive recommendations from the mapped data.

1. What is ATT&CK and CTI

Cyber Threat Intelligence (CTI): actionable knowledge and insight about adversaries and their malicious activities (and the process of producing it), enabling defenders and their organizations to reduce harm through better security decision-making.

ATT&CK: A knowledge base of adversary behavior:

  • Based on real-world observations
  • Free, open, and globally accessible
  • A common language
  • Community-driven

It can be understood simply as an encyclopedia of adversary behavior. It focuses on adversary behavior because prioritizing those behaviors is more valuable.

1.1 TTP

https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

According to David Bianco's Pyramid of Pain, the following indicators are listed in decreasing order of how hard they are for the adversary to evade:

  1. TTPs: Tough (this is where ATT&CK lives)
  2. Tools: Challenging
  3. Network/Host Artifacts: Annoying
  4. Domain Names: Simple
  5. IP Addresses: Easy
  6. Hash Values: Trivial

TTP:

  • Tactics: the adversary's technical goals; these are the columns of the ATT&CK matrix.
  • Techniques: how the goals are achieved; one technique can belong to several tactics.
  • Procedures or behaviors: a specific implementation of a technique.

The core of the ATT&CK framework is the set of TTPs, presented as a matrix.

Technique metadata (example):

  ID: T1193
  Tactic: Initial Access
  Platform: Windows, macOS, Linux
  Data Sources: File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server
  CAPEC ID: CAPEC-163
  Version: 1.0
  Created: 18 April 2018
  Last Modified: 24 June 2019

Other sections of a technique page: procedure examples, mitigations, detection, references.

1.2 Group page

Groups are sets of related intrusion activity that are tracked by a common name in the security community.

Much like a technique page, a group page has metadata, plus Associated Group Descriptions, Techniques Used, Software, and References.

Different vendors and organizations use different names for groups that are similar but do not fully overlap; the Associated Group Descriptions section lists these aliases.

2. How to use ATT&CK for CTI

2.1 ATT&CK use cases

  • Detection
  • Threat Intelligence (tracking techniques)
  • Assessment and Engineering (defensive assessment)
  • Adversary Emulation (red teaming)

2.2 Threat Intelligence – How ATT&CK Can Help

  • Use knowledge of adversary behaviors to inform defenders
  • Structuring threat intelligence with ATT&CK allows us to
    1. Compare behaviors
      1. Groups to each other
      2. Groups over time
      3. Groups to defenses
    2. Communicate in a common language (between CTI analysts and defenders). Instead of juggling vendor-specific group names and lengthy descriptions, just reference the ATT&CK technique ID.
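The ID-based comparison just described, as an added example that is not part of the original notes: it reads the technique metadata fields listed above (ID, tactic, platforms, CAPEC ID) from ATT&CK-style STIX attack-pattern objects, rebuilds the tactic columns of the matrix, and compares two groups with each other and against detection coverage. The STIX objects, the group names Group-A/Group-B and the DETECTED list are constructed samples.

```python
# Constructed sample shaped like ATT&CK STIX "attack-pattern" objects, trimmed
# to the fields used here. T1193 matches the metadata quoted in these notes;
# T1059, T1003 and T1071 are real technique IDs added so the comparison has content.
TECHNIQUES = [
    {"name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1193"},
                             {"source_name": "capec", "external_id": "CAPEC-163"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "x_mitre_platforms": ["Windows", "macOS", "Linux"]},
    {"name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "x_mitre_platforms": ["Windows", "macOS", "Linux"]},
    {"name": "OS Credential Dumping",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "x_mitre_platforms": ["Windows", "Linux", "macOS"]},
]

# Constructed group-to-technique mappings (hypothetical group names) and a
# constructed list of technique IDs that our current detections cover.
GROUPS = {"Group-A": ["T1193", "T1059", "T1003"], "Group-B": ["T1059", "T1071"]}
DETECTED = ["T1193", "T1059"]

def technique_metadata(obj):
    """Pull out the ID, tactic, platform and CAPEC fields shown on a technique page."""
    refs = {r["source_name"]: r["external_id"] for r in obj["external_references"]}
    tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
               if p["kill_chain_name"] == "mitre-attack"]
    return {"id": refs["mitre-attack"], "name": obj["name"], "tactics": tactics,
            "platforms": obj.get("x_mitre_platforms", []), "capec": refs.get("capec")}

def techniques_by_tactic(objs):
    """Rebuild the matrix view: tactic (column) -> technique IDs under it."""
    columns = {}
    for obj in objs:
        meta = technique_metadata(obj)
        for tactic in meta["tactics"]:
            columns.setdefault(tactic, []).append(meta["id"])
    return columns

def compare_groups(group_map, a, b):
    """Groups to each other: technique IDs both use, and those unique to each."""
    ta, tb = set(group_map[a]), set(group_map[b])
    return {"shared": sorted(ta & tb), a: sorted(ta - tb), b: sorted(tb - ta)}

def coverage_gaps(group_map, group, detected):
    """Groups to defenses: technique IDs the group uses that no detection covers."""
    return sorted(set(group_map[group]) - set(detected))
```

Because every comparison is done on technique IDs, the same functions work on real ATT&CK STIX data and on group mappings from any vendor report, once that report has been mapped to IDs.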