Applying the MITRE ATT&CK Framework

Course Outline

In this course, you will gain a foundational understanding of the MITRE ATT&CK Framework. Topics covered include its definition, the goals it aims to achieve, and its essential components, such as matrices, tactics, techniques, data sources, mitigations, groups, software, campaigns, and model relationships.

Through a real-world case study, you'll see how these components are interconnected. You'll also work through the process of prioritizing techniques using cyber threat intelligence (CTI) and assessing the effectiveness of current defensive measures.

Applying the MITRE ATT&CK Framework Benefits

  • In this course, you will learn how to:

    • Develop a strong foundational knowledge of the MITRE ATT&CK Framework and its components.
    • Apply the framework to real-world cyber threats, such as the SolarWinds supply chain attack.
    • Map threat intelligence, alerts, and adversary behaviors to ATT&CK techniques.
    • Use ATT&CK-mapped data to make informed and prioritized defensive recommendations.
    • Understand the role of cyber threat intelligence and its practical applications in security.
  • Training Prerequisites

    Basic knowledge of cybersecurity concepts and terminology is recommended but not required.

MITRE ATT&CK Framework Training Outline

Chapter 1: Fundamentals of MITRE ATT&CK Framework

MITRE ATT&CK Framework Definition

Goal of MITRE ATT&CK Framework

Matrices

Tactics and Techniques

Data Sources

Mitigations

Groups

Software

Campaigns

MITRE ATT&CK Model Relationships

MITRE ATT&CK Model Relationships Example

Breakdown of Tactics, Techniques, Procedures, Mitigations, and Detection

TeamTNT

  • Mitigations
  • Detection

Chapter 2: Mapping SolarWinds Supply Chain Attack to MITRE ATT&CK Framework

SolarWinds Compromise Background Information

Software Components of SolarWinds Compromise

  • SUNBURST and SUNSPOT

Mapping the Indicators to MITRE ATT&CK Framework

Loosely Linking Everything Together for SolarWinds

ATT&CK Navigator

  • SolarWinds ATT&CK Navigator

SolarWinds Attack Timeline

Indicators of Compromise (IOC)

Mitigations That Might Reduce the Likelihood and/or Impact of Supply Chain Attacks

Review of SolarWinds Compromise and Ability to Link to ATT&CK

Chapter 3: Mapping Alerts, Adversaries, Behaviors, and TTPs to MITRE ATT&CK

Mapping Threat Intelligence to ATT&CK

  • Cyber Threat Intelligence (CTI) and IoBs
  • Analyzing Behavior
  • UEBA Data Sources
  • Data Drawn From Above Sources

Snake Malware and Turla CTI Advisories and Alerts

  • Research Advisory and Alert Information
  • Adversary Behavior
  • Volatility Plugin
  • Network Intrusion Detection Systems (NIDS)
  • Host-Based Detection
  • Non-Standard Icon Size and Yara Rule
  • Memory Analysis

Practical Research Exercise

  • Initial Analysis
  • Mapping Data to MITRE ATT&CK
  • Compare Results to Improve Mapping

Pyramid of Pain

Chapter 4: Make Defensive Recommendations From ATT&CK Mapped Data

Use Collected and Analyzed Data to Make Initial Recommendations

Process for Making Recommendations

Ways to Determine Priority of Techniques Using CTI

Assess Current Defensive Measures and Their Effectiveness

  • MITRE CAR and D3FEND
  • MITRE’s Cyber Analytics Repository (CAR)
  • MITRE D3FEND
  • MITRE ATT&CK and D3FEND

MITRE D3FEND Practical Exercise

MITRE D3FEND Practical Exercise Answer

Research Additional Defensive Options and Organizational Capabilities/Constraints

Consider Tradeoffs for Each Option

Sample Pros and Cons of Options

Make Recommendations

Make Recommendations—Supply Chain Compromise
