MITRE ATT&CK Usage - NETSEC


Thursday, October 31, 2024

MITRE ATT&CK Usage

The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE is an initiative, publicly released in 2015, with the goal of providing a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” Since its inception, ATT&CK has taken the information security industry by storm. Many vendors and information security teams the world over have adopted it with remarkable speed, and for good reason: it is one of the most useful and needed efforts within InfoSec in recent memory. ATT&CK provides a key capability that many organizations have struggled with in the past: a way to develop, organize and use a threat-informed defensive strategy that can be communicated in a standardized way across partner organizations, industries, vendors and products.

Comparing Layers in ATT&CK Navigator

URL:https://mitre-attack.github.io/attack-navigator/

This document provides a walkthrough of how to use the ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/enterprise/) to compare two different layers. (Navigator source code is available at https://github.com/mitre-attack/attack-navigator.) This comparison method is useful if you want to compare techniques used by two different groups, but it can be applied in many ways: to compare a group to your defensive coverage, your defensive coverage from one week to the next, or whatever else you need.

For this exercise, you will compare APT39 techniques to OceanLotus techniques to build upon the previous exercises in the ATT&CK for CTI training. (OceanLotus is the group identified as being behind the Cobalt Kitty campaign, according to Cybereason.) To do this, you will:
1. Create a layer and assign a score to techniques used by APT39 in one layer
2. Create a second layer and assign a different score to techniques used by OceanLotus
3. Combine the two using “Create Layer from other layers” with the expression “a + b”
4. Export the layer in the format of your choice

1. Create an APT39 layer and assign a score to techniques used by APT39

Go to the ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/enterprise/). By default, Navigator starts with a new layer called “layer,” so you will work with that. To keep yourself organized, rename the layer to “APT39” by clicking on the name at the top.

Next, select the techniques used by APT39 so they are highlighted. (Navigator’s “multi-select” control lists threat groups, so you can select every technique ATT&CK attributes to APT39 in one click rather than hunting for them individually.) Then assign a score to the highlighted techniques by clicking the “Scoring” button and choosing a score. Make the score 1 for this exercise.

You may choose to give your techniques a different color, such as blue in this example, by clicking the “color setup” button, selecting each value, and making each value blue. This changes all your scored techniques to the selected color.

2. Create an OceanLotus layer and assign a score to techniques used by OceanLotus

Now, create a new layer and repeat this process with OceanLotus techniques. Click the plus sign at the top of the Navigator to create a new layer.

Repeat what you did with APT39, but with OceanLotus this time. Toggle the multi-tactic technique selection (so that selecting a technique selects it in every tactic column it appears under), name your layer, and select the 21 OceanLotus techniques from the exercise (holding down “Ctrl” as you click each one). Give your techniques a different score than you did in the APT39 layer (use 2 for this exercise), and then color them as you choose.

If you did this as described, you will have a second layer in which only the OceanLotus techniques carry a score of 2, shown in the color you chose.

3. Combine the existing APT39 and OceanLotus layers

Click the plus sign again to add a layer, but this time select the “Create Layer from other layers” option to expand the dropdown. When you expand the dropdown, Navigator helpfully gives letter names for each of your existing layers in yellow, so you know that Navigator identifies your APT39 layer as “a” and your OceanLotus layer as “b.” You want to combine the scores you have in your two layers, so you choose addition and enter the expression “a + b” into the score expression field.


Now you have your combined layer. Initially, the techniques may appear in various colors depending on the color setup.

However, if you hover over techniques, you will see that some have a score of 1 (those used by APT39 only), some have a score of 2 (those used by OceanLotus only), and some have a score of 3 (those used by both APT39 and OceanLotus). A technique that is absent from one layer contributes 0 to the expression for that layer, which is why the sums come out to exactly 1, 2 and 3.

You can change the colors that appear for each score by clicking the “Color setup” button. You know the values are 1, 2, and 3, so make the low value 1 and the high value 3. Navigator knows 2 is halfway between 1 and 3 and will automatically use the middle color for the value of 2.


4. Export the layer


You have a couple of options for how to export the Navigator layer, and which one you choose will depend on how you want to work with it. You can export to Excel (arguably the best analyst tool of all time). This option will just export colors, not scores.

You can also download the layer as JSON, which is useful if you want to script a layer’s ingest into another tool or save it for later manipulation in the Navigator.

Maybe you want to download it as an image for a PowerPoint so you can show off what you know about adversary groups. You can export the layer as an SVG image file. As you export to SVG, you have many options for what to include as well as the format, text, size, etc. Click the download button to get a copy of your SVG to use however you see fit.
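The four steps above can also be driven from a script, which is the natural next move once you start using the JSON export to feed other tools. The Python below is an added example written for this post, not code from MITRE or the Navigator project. It builds the two group layers, merges them with the same “a + b” semantics Navigator applies (a technique missing from a layer counts as 0 for that layer), pins the gradient to the observed low and high scores as in the manual color setup, and writes Navigator-compatible JSON following the public layer-file format (version 4.5). The technique IDs given to each group are constructed placeholders for illustration, not the actual APT39 or OceanLotus technique lists; take those from the ATT&CK group pages before relying on the result.

```python
"""Build and merge ATT&CK Navigator layers the way the exercise does by hand.

Added example for this post; not code from MITRE or the Navigator project.
Layer fields follow the Navigator layer-file format (version 4.5). A technique
entry without a "tactic" key is annotated in every tactic it appears under.
The technique IDs assigned to each group below are CONSTRUCTED placeholders,
not the real APT39 / OceanLotus mappings.
"""
import json

# Constructed sample data standing in for the technique sets you would select
# in Navigator. Replace with each group's techniques from the ATT&CK site.
APT39_TECHNIQUES = {"T1566.001", "T1059.001", "T1003.001", "T1021.001"}
OCEANLOTUS_TECHNIQUES = {"T1566.001", "T1059.001", "T1547.001", "T1071.001", "T1105"}

LAYER_VERSIONS = {"attack": "15", "navigator": "4.9.1", "layer": "4.5"}
DEFAULT_GRADIENT = ["#ff6666ff", "#ffe766ff", "#8ec843ff"]  # Navigator default red/yellow/green


def make_layer(name, technique_ids, score, color=""):
    """Steps 1 and 2: one layer in which every listed technique gets the same score."""
    return {
        "name": name,
        "versions": dict(LAYER_VERSIONS),
        "domain": "enterprise-attack",
        "description": f"{name} techniques scored {score}",
        "techniques": [
            {"techniqueID": tid, "score": score, "color": color,
             "comment": "", "enabled": True, "showSubtechniques": False}
            for tid in sorted(technique_ids)
        ],
        "gradient": {"colors": list(DEFAULT_GRADIENT), "minValue": 0, "maxValue": 100},
        "legendItems": [],
        "metadata": [],
        "links": [],
        "selectTechniquesAcrossTactics": True,
        "selectSubtechniquesWithParent": False,
    }


def combine_layers(name, *layers):
    """Step 3: emulate "Create Layer from other layers" with the expression "a + b".

    A technique missing from a layer contributes 0 for that layer, so with
    per-layer scores 1 and 2 the sums are 1 (a only), 2 (b only), 3 (both)."""
    totals = {}
    for layer in layers:
        for entry in layer["techniques"]:
            totals[entry["techniqueID"]] = totals.get(entry["techniqueID"], 0) + entry["score"]
    combined = make_layer(name, totals, 0)
    for entry in combined["techniques"]:
        entry["score"] = totals[entry["techniqueID"]]
    # Mirror the manual "color setup" step: pin the gradient to the observed
    # low and high scores so the middle color lands on the middle score.
    combined["gradient"]["minValue"] = min(totals.values())
    combined["gradient"]["maxValue"] = max(totals.values())
    return combined


def techniques_by_score(layer):
    """Group a layer's technique IDs by score, e.g. {1: [...], 2: [...], 3: [...]}."""
    groups = {}
    for entry in layer["techniques"]:
        groups.setdefault(entry["score"], []).append(entry["techniqueID"])
    return {score: sorted(ids) for score, ids in sorted(groups.items())}


def to_json(layer):
    """Step 4: serialize in the form Navigator's "download layer as JSON" produces."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    a = make_layer("APT39", APT39_TECHNIQUES, 1, color="#66b2ffff")
    b = make_layer("OceanLotus", OCEANLOTUS_TECHNIQUES, 2, color="#ff9933ff")
    c = combine_layers("APT39 + OceanLotus", a, b)
    for layer in (a, b, c):
        with open(layer["name"].replace(" ", "_") + ".json", "w") as fh:
            fh.write(to_json(layer))
    for score, ids in techniques_by_score(c).items():
        print(score, ids)
```

Load the combined file through Navigator’s “Open Existing Layer” and the techniques render with the 1/2/3 scores already mapped onto the gradient, the same end state the GUI walkthrough reaches in step 3.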

