1
00:00:06,530 --> 00:00:08,010
- [Narrator] The MITRE ATT&CK Framework

2
00:00:08,010 --> 00:00:11,210
is one of the most successful projects from MITRE

3
00:00:11,210 --> 00:00:13,990
and actually very popular in the industry.

4
00:00:13,990 --> 00:00:16,580
I am a big fan of the MITRE ATT&CK Framework

5
00:00:16,580 --> 00:00:20,290
because it provides a set of matrices

6
00:00:20,290 --> 00:00:22,060
of the tactics and techniques

7
00:00:22,060 --> 00:00:25,740
that real life attackers use

8
00:00:25,740 --> 00:00:27,930
to perform many different attacks

9
00:00:27,930 --> 00:00:31,700
and of course impact many different organizations.

10
00:00:31,700 --> 00:00:34,350
Now, this is a collection of matrices, right?

11
00:00:34,350 --> 00:00:36,450
And there are several of them, as you see here,

12
00:00:36,450 --> 00:00:39,120
there's the matrix for enterprise

13
00:00:39,120 --> 00:00:41,320
which is actually the most popular.

14
00:00:41,320 --> 00:00:43,940
Within it there are different matrices.

15
00:00:43,940 --> 00:00:46,780
One for Windows; the PRE is PRE-ATT&CK

16
00:00:46,780 --> 00:00:48,470
but it's actually combined with reconnaissance

17
00:00:48,470 --> 00:00:50,520
and we'll get to that in a second

18
00:00:50,520 --> 00:00:53,020
but you have one for Windows, one for Mac,

19
00:00:53,020 --> 00:00:57,650
one for Linux, one for Cloud, and also one for network.

20
00:00:57,650 --> 00:00:58,550
And as a matter of fact,

21
00:00:58,550 --> 00:01:02,790
I contributed to the network matrix

22
00:01:02,790 --> 00:01:05,960
and specifically some real life attacks

23
00:01:05,960 --> 00:01:07,870
that we have actually observed

24
00:01:07,870 --> 00:01:09,940
against network infrastructure devices, right?

25
00:01:09,940 --> 00:01:11,200
There's one for mobile,

26
00:01:11,200 --> 00:01:15,060
one for ICS as well, for Industrial Control Systems.

27
00:01:15,060 --> 00:01:18,490
Now, if I go back to the main page, right?

28
00:01:18,490 --> 00:01:21,150
I think it shows a little bit better

29
00:01:21,150 --> 00:01:23,310
all the different tactics and techniques.

30
00:01:23,310 --> 00:01:27,830
So you see different areas of the life cycle of an attack

31
00:01:27,830 --> 00:01:31,360
from reconnaissance all the way to impact, right?

32
00:01:31,360 --> 00:01:36,140
And that includes basically the day in the life of an attack

33
00:01:36,140 --> 00:01:38,170
from the moment that an attacker

34
00:01:38,170 --> 00:01:42,140
is trying to gather information from its victim

35
00:01:42,140 --> 00:01:45,890
all the way to command and control, exfiltration,

36
00:01:45,890 --> 00:01:48,980
and of course, the overall impact to the organization.

37
00:01:48,980 --> 00:01:50,140
One of the cool things

38
00:01:50,140 --> 00:01:52,730
that I like about the MITRE ATT&CK Framework

39
00:01:52,730 --> 00:01:57,730
is that they provide an amazing set of resources

40
00:01:58,480 --> 00:01:59,930
for you to get familiar

41
00:01:59,930 --> 00:02:03,210
with these different tactics and techniques,

42
00:02:03,210 --> 00:02:05,150
whether you are on the defensive side,

43
00:02:05,150 --> 00:02:07,130
so you're an incident responder

44
00:02:07,130 --> 00:02:09,210
in a security operations center,

45
00:02:09,210 --> 00:02:12,660
or whether you are in ethical hacking

46
00:02:12,660 --> 00:02:14,430
or offensive security.

47
00:02:14,430 --> 00:02:19,170
This provides you with basically a real life description

48
00:02:19,170 --> 00:02:21,970
and examples of the techniques

49
00:02:21,970 --> 00:02:23,750
and tactics that attackers actually have used.

50
00:02:23,750 --> 00:02:26,490
For example, let's go over privilege escalation, right?

51
00:02:26,490 --> 00:02:27,900
So you have the description

52
00:02:28,961 --> 00:02:29,820
and you have different techniques.

53
00:02:29,820 --> 00:02:32,633
Within those techniques there are different sub-techniques

54
00:02:32,633 --> 00:02:34,813
related to that activity, right?

55
00:02:34,813 --> 00:02:37,890
So for example, for privilege escalation,

56
00:02:37,890 --> 00:02:40,360
you see the ID for the main technique,

57
00:02:40,360 --> 00:02:44,660
and then you have 0.001, that's a sub-technique.

58
00:02:44,660 --> 00:02:46,950
And in this case it's actually setting the UID

59
00:02:46,950 --> 00:02:51,950
and set UID, and set group ID for a Linux environment

60
00:02:52,520 --> 00:02:57,270
to abuse that configuration to perform privilege escalation.

61
00:02:57,270 --> 00:02:59,190
And the other cool thing that they actually have

62
00:02:59,190 --> 00:03:01,889
is that they give you even the commands

63
00:03:01,889 --> 00:03:03,685
that have been used.

64
00:03:03,685 --> 00:03:05,871
In this case it's really, really simple, right?

65
00:03:05,871 --> 00:03:07,480
But the commands that have been used

66
00:03:07,480 --> 00:03:09,470
by attackers and adversaries

67
00:03:09,470 --> 00:03:11,573
to perform these tactics and techniques, right.

68
00:03:11,573 --> 00:03:14,620
It also provides you with very detailed information

69
00:03:14,620 --> 00:03:17,100
about the different examples

70
00:03:17,100 --> 00:03:19,722
and basically real life attacks.

71
00:03:19,722 --> 00:03:23,780
If it is in the MITRE ATT&CK Framework, it is a given

72
00:03:23,780 --> 00:03:27,320
that it will be a real life confirmed attack, right?

73
00:03:27,320 --> 00:03:29,770
And at the bottom of each of their pages

74
00:03:29,770 --> 00:03:32,220
they actually have different references

75
00:03:32,220 --> 00:03:36,560
that go over whether it's an article about a breach

76
00:03:36,560 --> 00:03:39,100
or some blog post from a technical person

77
00:03:39,100 --> 00:03:40,790
describing the attack,

78
00:03:40,790 --> 00:03:44,930
or things that are already in the public domain, right.

79
00:03:44,930 --> 00:03:45,870
Let's click on another one,

80
00:03:45,870 --> 00:03:47,650
like defense evasion, for example.

81
00:03:47,650 --> 00:03:49,590
In this one you actually see a whole bunch

82
00:03:49,590 --> 00:03:51,890
of other sub-techniques, right?

83
00:03:51,890 --> 00:03:54,190
within the defense evasion category

84
00:03:54,190 --> 00:03:56,240
or defense evasion technique.

85
00:03:56,240 --> 00:03:58,720
And if you click on, like,

86
00:03:58,720 --> 00:04:00,720
token impersonation and theft, right?

87
00:04:00,720 --> 00:04:05,486
You also see different, true real life examples, right?

88
00:04:05,486 --> 00:04:08,440
And if you go over any of the other ones

89
00:04:08,440 --> 00:04:10,850
you see, again, different examples

90
00:04:10,850 --> 00:04:14,330
on how you can perform these adversarial techniques, right?

91
00:04:14,330 --> 00:04:16,360
In the case of adversary emulation,

92
00:04:16,360 --> 00:04:18,190
what a lot of people actually call some

93
00:04:18,190 --> 00:04:20,360
of the activities of the purple team, right?

94
00:04:20,360 --> 00:04:22,900
So you know that the blue team is the defensive side,

95
00:04:22,900 --> 00:04:25,320
the red team is on the offensive side.

96
00:04:25,320 --> 00:04:28,190
So it's kind of a hybrid between both

97
00:04:28,190 --> 00:04:31,570
in the way that you can absolutely take advantage

98
00:04:31,570 --> 00:04:36,570
of these resources to potentially perform

99
00:04:36,630 --> 00:04:38,600
automated adversarial emulation.

100
00:04:38,600 --> 00:04:40,110
I will get to that in a second.

101
00:04:40,110 --> 00:04:43,330
There are actually even different tools that also

102
00:04:43,330 --> 00:04:46,710
the community and MITRE have created to perform those types

103
00:04:46,710 --> 00:04:48,150
of emulations.

104
00:04:48,150 --> 00:04:48,983
As you're seeing here,

105
00:04:48,983 --> 00:04:50,818
I mean, all these procedural examples are basically

106
00:04:50,818 --> 00:04:52,852
real life attackers, right?

107
00:04:52,852 --> 00:04:57,547
Or types of malware or types of tools

108
00:04:57,547 --> 00:05:00,163
that actually use these types of techniques, right?

109
00:05:00,163 --> 00:05:04,910
Now, if you actually see any of these sub-techniques

110
00:05:04,910 --> 00:05:07,070
and descriptions and so on, yes,

111
00:05:07,070 --> 00:05:10,050
you can absolutely take advantage of it to learn.

112
00:05:10,050 --> 00:05:12,920
So absolutely that's, I have done it

113
00:05:12,920 --> 00:05:15,490
and I suggest for people to do it,

114
00:05:15,490 --> 00:05:18,120
however, this goes beyond learning.

115
00:05:18,120 --> 00:05:20,960
What a lot of companies have done

116
00:05:20,960 --> 00:05:23,870
is that they have integrated the MITRE ATT&CK Framework

117
00:05:23,870 --> 00:05:25,420
within their tools.

118
00:05:25,420 --> 00:05:27,870
So if there's a detection, for example,

119
00:05:27,870 --> 00:05:31,290
or some type of alert, it actually can be mapped

120
00:05:31,290 --> 00:05:34,810
to the specific tactics and techniques from the adversary.

121
00:05:34,810 --> 00:05:38,560
So then you can perform additional things.

122
00:05:38,560 --> 00:05:40,274
It can help you in threat hunting.

123
00:05:40,274 --> 00:05:43,200
It can help you in other areas

124
00:05:43,200 --> 00:05:46,328
within the security operations center itself, right.

125
00:05:46,328 --> 00:05:48,196
Now if you go under resources,

126
00:05:48,196 --> 00:05:50,670
there are a few things in here

127
00:05:50,670 --> 00:05:52,950
they have, from things on how to get started

128
00:05:52,950 --> 00:05:55,430
with the ATT&CK Framework, training,

129
00:05:55,430 --> 00:05:57,040
you know, they have provided for free,

130
00:05:57,040 --> 00:05:59,040
ATT&CKcon is a conference

131
00:05:59,040 --> 00:06:01,080
that they have on an annual basis.

132
00:06:01,080 --> 00:06:02,940
And they have tons and tons of presentations.

133
00:06:02,940 --> 00:06:03,773
As a matter of fact

134
00:06:03,773 --> 00:06:04,620
if you actually click in here,

135
00:06:04,620 --> 00:06:07,940
of course you see different presentations that are there

136
00:06:07,940 --> 00:06:11,370
but if you go all the way to the related projects

137
00:06:11,370 --> 00:06:15,690
there are a few things that are related to the

138
00:06:15,690 --> 00:06:17,637
MITRE ATT&CK ecosystem, if you will, right.

139
00:06:17,637 --> 00:06:22,637
There's a GitHub repository within the framework.

140
00:06:22,672 --> 00:06:26,810
There are different tools that allow you to illustrate

141
00:06:26,810 --> 00:06:28,820
and navigate the framework.

142
00:06:28,820 --> 00:06:31,210
And one of them is actually called ATT&CK Navigator.

143
00:06:31,210 --> 00:06:32,930
And we'll get into that in a second.

144
00:06:32,930 --> 00:06:37,640
I'll show you an example and then you have related formats.

145
00:06:37,640 --> 00:06:38,473
So in other words,

146
00:06:38,473 --> 00:06:41,410
if you actually have a specific observable

147
00:06:41,410 --> 00:06:42,773
or a specific technique,

148
00:06:43,850 --> 00:06:47,510
the community and specifically MITRE

149
00:06:47,510 --> 00:06:48,810
with the CTI community

150
00:06:48,810 --> 00:06:51,250
and CTI stands for Cyber Threat Intelligence,

151
00:06:51,250 --> 00:06:54,590
they have created an expression of ATT&CK

152
00:06:54,590 --> 00:06:56,860
in STIX format and STIX stands for

153
00:06:56,860 --> 00:07:00,470
the Structured Threat Information and Expression.

154
00:07:00,470 --> 00:07:01,580
As you see here,

155
00:07:01,580 --> 00:07:05,830
it's basically a language to share threat intelligence.

156
00:07:05,830 --> 00:07:08,510
And you will learn this throughout the course here.

157
00:07:08,510 --> 00:07:11,755
And basically, that is a machine readable format.

158
00:07:11,755 --> 00:07:15,233
And in that case, it's JSON format that you can use

159
00:07:15,233 --> 00:07:18,870
of course, to exchange threat intelligence information

160
00:07:18,870 --> 00:07:20,200
among participants.

161
00:07:20,200 --> 00:07:23,790
And specifically, if you want to share things related

162
00:07:23,790 --> 00:07:26,770
to the tactics and techniques of an attack,

163
00:07:26,770 --> 00:07:29,928
that's where the integration of the ATT&CK Framework

164
00:07:29,928 --> 00:07:33,040
expression in STIX comes into play.

165
00:07:33,040 --> 00:07:35,050
Now, another thing in this page

166
00:07:35,050 --> 00:07:38,950
that I want to draw your attention to is a tool called Caldera.

167
00:07:38,950 --> 00:07:41,510
And it's an automated adversarial emulation tool

168
00:07:41,510 --> 00:07:44,012
that basically you can use

169
00:07:44,012 --> 00:07:46,860
with a whole bunch of different plugins

170
00:07:46,860 --> 00:07:49,100
to basically simulate what an attacker can do

171
00:07:49,100 --> 00:07:52,910
and is completely mapped to the ATT&CK Framework.

172
00:07:52,910 --> 00:07:55,210
There's another ecosystem underneath

173
00:07:55,210 --> 00:07:57,050
called the Atomic Red Team.

174
00:07:57,050 --> 00:07:58,979
I'm not gonna go into a lot of that detail

175
00:07:58,979 --> 00:08:01,550
for the scope of this course.

176
00:08:01,550 --> 00:08:04,150
However, these are tools that are highly recommended

177
00:08:05,180 --> 00:08:08,150
for you to actually learn and explore.

178
00:08:08,150 --> 00:08:10,160
And specifically, if you are looking

179
00:08:10,160 --> 00:08:13,140
into a career as an analyst,

180
00:08:13,140 --> 00:08:15,530
whether it's a junior or a senior analyst

181
00:08:15,530 --> 00:08:17,740
in a security operations center.

182
00:08:17,740 --> 00:08:20,410
Now, if I go back to the framework

183
00:08:20,410 --> 00:08:22,400
and I click on software here

184
00:08:22,400 --> 00:08:24,510
this is like a list of different

185
00:08:24,510 --> 00:08:27,939
either pieces of malware or legitimate software

186
00:08:27,939 --> 00:08:30,918
that has been used by attackers to perform

187
00:08:30,918 --> 00:08:33,730
different types of activities, right?

188
00:08:33,730 --> 00:08:37,340
And this can be things, for example, let me actually go back

189
00:08:37,340 --> 00:08:42,280
to the letter C and look for Cobalt Strike.

190
00:08:42,280 --> 00:08:46,017
Cobalt Strike is a commercial adversarial emulation

191
00:08:46,017 --> 00:08:49,561
/ pen testing / red teaming tool, right?

192
00:08:49,561 --> 00:08:51,525
It actually has been used

193
00:08:51,525 --> 00:08:56,525
by many Fortune 500 companies and government institutions.

194
00:08:56,570 --> 00:09:00,450
However, attackers have also taken advantage

195
00:09:00,450 --> 00:09:04,860
of these tools to perform a plethora of different attacks.

196
00:09:04,860 --> 00:09:05,836
And if you see here,

197
00:09:05,836 --> 00:09:09,732
it's a very extensive list of all the different tactics

198
00:09:09,732 --> 00:09:12,689
and techniques that you can basically emulate

199
00:09:12,689 --> 00:09:14,509
with that tool, right?

200
00:09:14,509 --> 00:09:17,112
So I picked this one because it's a little bit controversial

201
00:09:17,112 --> 00:09:19,335
in the security world because of

202
00:09:19,335 --> 00:09:22,460
the dual use of that tool, right?

203
00:09:22,460 --> 00:09:26,200
Now I wanted to take advantage of this screen

204
00:09:26,200 --> 00:09:30,030
and basically show you the ATT&CK Navigator, right?

205
00:09:30,030 --> 00:09:32,430
And just like we are right now

206
00:09:32,430 --> 00:09:34,630
we're in their software on Cobalt Strike.

207
00:09:34,630 --> 00:09:36,230
I'm gonna click on the ATT&CK Navigator

208
00:09:36,230 --> 00:09:37,890
and you can do two things.

209
00:09:37,890 --> 00:09:40,820
You can download this information

210
00:09:40,820 --> 00:09:42,240
in a machine readable format

211
00:09:42,240 --> 00:09:44,840
that then you can actually, basically in JSON,

212
00:09:44,840 --> 00:09:48,064
that you can then import to a local

213
00:09:48,064 --> 00:09:52,560
instance of the ATT&CK Navigator, or you can click on view.

214
00:09:52,560 --> 00:09:55,140
And that actually will take you

215
00:09:56,450 --> 00:09:59,128
to MITRE's hosted ATT&CK Navigator.

216
00:09:59,128 --> 00:10:00,810
And as you can see,

217
00:10:00,810 --> 00:10:02,300
it says, Cobalt Strike,

218
00:10:02,300 --> 00:10:05,290
which is the name of the software that we selected.

219
00:10:05,290 --> 00:10:07,700
And again, this is just one example out of many,

220
00:10:07,700 --> 00:10:09,336
many different things that you can actually do

221
00:10:09,336 --> 00:10:12,960
with the framework or at least show in the Navigator

222
00:10:12,960 --> 00:10:15,680
and navigate, no pun intended,

223
00:10:15,680 --> 00:10:18,890
for all the different tactics and techniques.

224
00:10:18,890 --> 00:10:22,761
And every single one that is related to, in this case,

225
00:10:22,761 --> 00:10:25,930
Cobalt Strike is being highlighted.

226
00:10:25,930 --> 00:10:27,350
Now the cool thing about this one

227
00:10:27,350 --> 00:10:28,870
is that you see some comments,

228
00:10:28,870 --> 00:10:31,530
if I hover over these elements

229
00:10:31,530 --> 00:10:36,290
you can absolutely create your own comments and so on.

230
00:10:36,290 --> 00:10:37,123
For example,

231
00:10:37,123 --> 00:10:39,860
I can highlight this Parent PID Spoofing

232
00:10:39,860 --> 00:10:42,280
and I can add a comment in there, right.

233
00:10:42,280 --> 00:10:44,467
Either modify it or add,

234
00:10:44,467 --> 00:10:49,467
"This was observed in my investigation." Right?

235
00:10:53,020 --> 00:10:56,490
And this is of course a very lame example,

236
00:10:56,490 --> 00:10:57,720
but you get the point.

237
00:10:57,720 --> 00:11:00,132
Basically you can actually put any type of comments.

238
00:11:00,132 --> 00:11:02,670
And what is actually useful is that you can

239
00:11:02,670 --> 00:11:06,650
exchange this information in machine readable format.

240
00:11:06,650 --> 00:11:09,930
And again, a lot of commercial tools already integrate

241
00:11:09,930 --> 00:11:13,130
the ATT&CK Framework and the elements that you get

242
00:11:13,130 --> 00:11:15,120
from the Navigator within their tools

243
00:11:15,120 --> 00:11:17,210
and Cisco is actually one of them, right?

244
00:11:17,210 --> 00:11:19,377
So if you download that you can see that

245
00:11:19,377 --> 00:11:23,280
I'm able to download it in machine readable format

246
00:11:23,280 --> 00:11:24,113
in this case.

247
00:11:24,113 --> 00:11:28,079
And it's a JSON file that has all the different elements

248
00:11:28,079 --> 00:11:32,230
about the observed, all the techniques and tactics

249
00:11:32,230 --> 00:11:33,840
that Cobalt Strike is actually doing.

250
00:11:33,840 --> 00:11:36,770
So this is a view from a software perspective,

251
00:11:36,770 --> 00:11:38,860
you can also do the same thing as a view

252
00:11:38,860 --> 00:11:43,256
from specific tactics, or map whatever emulation

253
00:11:43,256 --> 00:11:44,460
you're trying to do,

254
00:11:44,460 --> 00:11:48,090
or whatever type of threat hunting activity

255
00:11:48,090 --> 00:11:49,000
that you would like to do.

256
00:11:49,000 --> 00:11:51,260
You can absolutely do the same.

257
00:11:51,260 --> 00:11:54,820
Now, as I mentioned, there are different commercial tools

258
00:11:54,820 --> 00:11:57,695
that take advantage of the ATT&CK Framework.

259
00:11:57,695 --> 00:11:59,330
A pretty good example of it.

260
00:11:59,330 --> 00:12:01,770
You know, of course, part of the SecureX ecosystem

261
00:12:01,770 --> 00:12:04,470
at Cisco within Threat Grid,

262
00:12:04,470 --> 00:12:07,630
and you learn that Threat Grid is basically sandboxing.

263
00:12:07,630 --> 00:12:09,240
And actually it goes beyond sandboxing

264
00:12:09,240 --> 00:12:11,734
but a behavioral analysis and sandboxing

265
00:12:11,734 --> 00:12:14,434
solution from Cisco that is integrated

266
00:12:14,434 --> 00:12:17,970
in many, many different other platforms, right?

267
00:12:17,970 --> 00:12:21,080
Like AMP for Endpoints, Firepower Threat Defense,

268
00:12:21,080 --> 00:12:21,995
and many others, right?

269
00:12:21,995 --> 00:12:26,540
But basically, as you see here, they have the mapping

270
00:12:26,540 --> 00:12:29,780
of the ATT&CK Framework in different behavioral indicators

271
00:12:29,780 --> 00:12:30,870
that I'm showing on the screen.

272
00:12:30,870 --> 00:12:32,179
So in this case actually

273
00:12:32,179 --> 00:12:33,883
the second one that you see says,

274
00:12:33,883 --> 00:12:37,820
"Excessive Remote Process Code Injection Detected."

275
00:12:37,820 --> 00:12:39,830
And there are two techniques

276
00:12:39,830 --> 00:12:41,080
from the MITRE ATT&CK Framework,

277
00:12:41,080 --> 00:12:43,440
defense evasion and privilege escalation.

278
00:12:43,440 --> 00:12:45,968
If you click on that you will actually see

279
00:12:45,968 --> 00:12:50,450
related activity to the same behavior,

280
00:12:50,450 --> 00:12:55,050
basically it's a tag that shows you other types

281
00:12:55,050 --> 00:12:56,860
of activities within the network.

282
00:12:56,860 --> 00:13:00,020
And as you can see this is a demo system

283
00:13:00,020 --> 00:13:02,880
but it has a lot of different types of attacks, right?

284
00:13:02,880 --> 00:13:05,520
That actually include defense evasion,

285
00:13:05,520 --> 00:13:06,840
the same thing if you want to go

286
00:13:06,840 --> 00:13:08,737
and see privilege escalation, right?

287
00:13:08,737 --> 00:13:10,902
There are a lot of different techniques

288
00:13:10,902 --> 00:13:13,450
that also have been detected

289
00:13:13,450 --> 00:13:15,830
that are related to privilege escalation, right?

290
00:13:15,830 --> 00:13:19,020
Scheduled task and registry entry

291
00:13:19,020 --> 00:13:22,610
is actually being detected that might be modified and so on.

292
00:13:22,610 --> 00:13:25,099
And as you can see, if I expand one of these

293
00:13:25,099 --> 00:13:29,060
it has a direct reference to the MITRE ATT&CK Framework.

294
00:13:29,060 --> 00:13:31,920
So again, for the purpose of this exam

295
00:13:31,920 --> 00:13:34,270
and for the purpose of this course,

296
00:13:34,270 --> 00:13:36,300
this is all you need to actually know.

297
00:13:36,300 --> 00:13:38,983
You don't need to actually configure and go deep.

298
00:13:38,983 --> 00:13:40,860
The concentration exams

299
00:13:40,860 --> 00:13:44,230
and the CCIE Lab absolutely will test you

300
00:13:44,230 --> 00:13:49,230
on the very details of the configuration

301
00:13:49,490 --> 00:13:53,363
and troubleshooting of each of these devices and solutions.