State of the ATT&CK
Tenth EU MITRE ATT&CK®
Community Workshop
Adam Pennington
ATT&CK Lead
@_whatshisface
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22-00744-11.
System Owner/User Discovery (T1033)
adamp$ whoami
• He/him/his
• Lead of MITRE ATT&CK
• 14 years with MITRE
• Focused on threat intel and deception
• Past defender and CTI analyst
• Involved with ATT&CK since it was a spreadsheet with no &
• First time at an ATT&CK EU WG
MITRE ATT&CK Remains Strong
• Backed by 40+ MITRE staff and a growing community
Enterprise: Jamie Williams
Mac/Linux: Cat Self
ICS: Jake Steele
Mobile: Jason Ajmo
Defenses: Lex Crumpton
Development: Jared Ondricek
Threat Intel: Matt Malone
Outreach: Amy Robertson
ATT&CK 2022
April 29, 2022: Release v11
You are here
October 25, 2022: Release v12
ATT&CK for Mobile & ICS
Mobile ATT&CK
Enterprise ATT&CK
ICS ATT&CK
It’s just
• Working towards feature equity with Enterprise
Tactics: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Techniques (in slide order):
Drive-By Compromise
Command and Scripting Interpreter
Boot or Logon Initialization Scripts
Abuse Elevation Control Mechanism
Download New Code at Runtime
Access Notifications
File and Directory Discovery
Exploitation of Remote Services
Access Notifications
Application Layer Protocol
Exfiltration Over Alternative Protocol
Account Access Removal
Lockscreen Bypass
Native API
Compromise Application Executable
Exploitation for Privilege Escalation
Execution Guardrails
Clipboard Data
Location Tracking
Replication Through Removable Media
Adversary-in-the-Middle
Call Control
Exfiltration Over C2 Channel
Call Control
Replication Through Removable Media
Scheduled Task/Job
Compromise Client Software Binary
Process Injection
Foreground Persistence
Credentials from Password Store
Network Service Scanning
Archive Collected Data
Dynamic Resolution
Data Encrypted for Impact
Supply Chain Compromise
Event Triggered Execution
Hide Artifacts
Input Capture
Process Discovery
Audio Capture
Encrypted Channel
Data Manipulation
Foreground Persistence
Hooking
Steal Application Access Token
Software Discovery
Call Control
Ingress Tool Transfer
Endpoint Denial of Service
Hijack Execution Flow
Impair Defenses
System Information Discovery
Clipboard Data
Non-Standard Port
Generate Traffic from Victim
Scheduled Task/Job
Indicator Removal on Host
System Network Configuration Discovery
Data from Local System
Out of Band Data
Input Injection
Input Injection
System Network Connections Discovery
Input Capture
Web Service
Network Denial of Service
Native API
Location Tracking
SMS Control
Obfuscated Files or Information
Protected User Data
Process Injection
Screen Capture
Proxy Through Victim
Stored Application Data
Subvert Trust Controls
Video Capture
Virtualization/Sandbox Evasion
ATT&CK for Mobile
Beta in April 2022
Released in July 2022
ATT&CK for ICS
ICS Detections coming in ATT&CK v12
Joined attack.mitre.org in April 2022
ATT&CK for Enterprise
• A continued period of stability
• No major restructuring of Techniques or new Tactics on roadmap
Windows | Mac | Linux | Cloud | Containers | Network Devices
Structured Detections Released in v11
Campaign: A grouping of intrusion activity conducted over a specific period of time with common targets and objectives; this activity may or may not be linked to a specific threat actor.
https://medium.com/mitre-attack/attack-2022-roadmap-cd5a1a3387c7
Campaigns
• Familiar CTI concept, but often not used in threat group tracking
• Break groups back out into clusters of activity that share:
  • A relatively short time period (generally days or months not years)
  • A common objective
• Individual intrusions in a campaign might not share:
  • Specific software or behaviors
  • Victim country/industry/role
A Threat Group into Campaigns
[Figure: G0016 / APT29 and its incidents grouped into campaigns C0154/Solorigate, C0194, C0199/GRIZZLY STEPPE and C0155/PowerDuke]
Campaigns in ATT&CK
• Being introduced in ATT&CK v12 (October 25, 2022)
• May or may not be connected to a Group
• May or may not have a name
• ATT&CK currently only tracks named threat groups
• Will be tied to a period of time
• Existing content will be converted as resources/contributions allow
The Campaign Object
• ATT&CK’s usual fields (e.g., x_mitre_version)
• name: Name used to identify the Campaign. If there is no name, it will contain CXXXX
• description: Description of the Campaign
• aliases: Same as in Groups
• first_seen: The timeframe when this Campaign was first seen
• last_seen: The timeframe when this Campaign was last seen
• x_mitre_first_seen_citation: "(Citation: <citation name>)" where <citation name> is a source_name of one of the external_references
• x_mitre_last_seen_citation: "(Citation: <citation name>)" where <citation name> is a source_name of one of the external_references
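A validator for the fields this slide lists, as an added example (not MITRE's code): it checks that both citation fields use the "(Citation: <citation name>)" form, that the cited name is a source_name in external_references, and that the time window is ordered. It assumes the object is a STIX 2.1 `campaign` dictionary with UTC timestamps; the sample objects, the `C9999` name and the reference names are constructed.

```python
"""Check an ATT&CK Campaign object against the fields listed on the slide."""
import re
from datetime import datetime

# Slide format: "(Citation: <citation name>)"
CITATION_RE = re.compile(r"^\(Citation: ([^()]+)\)$")
CITATION_FIELDS = ("x_mitre_first_seen_citation", "x_mitre_last_seen_citation")
REQUIRED = ("name", "description", "first_seen", "last_seen") + CITATION_FIELDS


def _parse_timestamp(value):
    """Parse a UTC timestamp (assumed form: 2022-01-10T00:00:00.000Z)."""
    if not isinstance(value, str):
        raise ValueError("timestamp must be a string")
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return parsed


def validate_campaign(obj):
    """Return a list of problems; an empty list means the object passed."""
    problems = []
    if obj.get("type") != "campaign":  # assumption: STIX 2.1 object type name
        problems.append("type is not 'campaign'")
    for field in REQUIRED:
        if not obj.get(field):
            problems.append(f"missing field: {field}")

    aliases = obj.get("aliases", [])
    if not isinstance(aliases, list) or not all(isinstance(a, str) for a in aliases):
        problems.append("aliases must be a list of strings")

    # source_name values that a citation is allowed to point at
    refs = obj.get("external_references", [])
    sources = {r.get("source_name") for r in refs if isinstance(r, dict)}

    for field in CITATION_FIELDS:
        value = obj.get(field)
        if not value:
            continue  # already reported as missing
        match = CITATION_RE.match(value) if isinstance(value, str) else None
        if match is None:
            problems.append(f"{field} is not of the form '(Citation: <name>)'")
        elif match.group(1) not in sources:
            problems.append(f"{field} cites unknown source_name: {match.group(1)}")

    seen = {}
    for field in ("first_seen", "last_seen"):
        if obj.get(field):
            try:
                seen[field] = _parse_timestamp(obj[field])
            except ValueError:
                problems.append(f"{field} is not a valid timestamp")
    if len(seen) == 2 and seen["first_seen"] > seen["last_seen"]:
        problems.append("first_seen is later than last_seen")
    return problems


# Constructed sample: an unnamed campaign, so name carries a CXXXX-style value.
GOOD = {
    "type": "campaign",
    "name": "C9999",
    "description": "Constructed sample campaign.",
    "aliases": ["Sample Alias"],
    "first_seen": "2022-01-10T00:00:00.000Z",
    "last_seen": "2022-03-02T00:00:00.000Z",
    "x_mitre_first_seen_citation": "(Citation: Example Vendor Report 2022)",
    "x_mitre_last_seen_citation": "(Citation: Example Vendor Report 2022)",
    "x_mitre_version": "1.0",
    "external_references": [
        {"source_name": "Example Vendor Report 2022",
         "description": "Constructed reference."},
    ],
}

# Constructed failure case: dangling citation and an inverted time window.
BAD = dict(GOOD,
           last_seen="2021-12-01T00:00:00.000Z",
           x_mitre_last_seen_citation="(Citation: Missing Report)")

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_campaign(sample) or "ok")
```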
Thank you to the community!
@ionstorm
Abel Morales, Exabeam
Achute Sharma, Keysight
Alain Homewood, Insomnia Security
Alan Neville, @abnev
Alex Hinchliffe, Palo Alto Networks
Alex Soler, AttackIQ
Alexandros Pappas
Alfredo Abarca
Alfredo Oliveira, Trend Micro
Allen DeRyke, ICE
Anastasios Pingios
Andrew Smith, @jakx_
Antonio Villani, @LDO_CyberSec, Leonardo's Cyber Security Division
Arie Olshtein, Check Point
Ariel Shuper, Cisco
Arnim Rupp, Deutsche Lufthansa AG
Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security
Atul Nair, Qualys
Aviran Hazum, Check Point
Avneet Singh
Ayan Saha, Keysight
Barry Shteiman, Exabeam
Bart Parys
Bartosz Jerzman
Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)
Bernaldo Penas Antelo
Blake Strom, Microsoft 365 Defender
Bobby, Filar, Elastic
Brad Geesaman, @bradgeesaman
Brent Murphy, Elastic
Brian Wiltse @evalstrings
Bryan Lee
Carlos Borges, @huntingneo, CIP
Carrie Roberts, @OrOneEqualsOne
Casey Smith
Center for Threat-Informed Defense (CTID)
Chen Erlich, @chen_erlich, enSilo
Chris Roffe
Chris Ross @xorrior
Christiaan Beek, @ChristiaanBeek
Christoffer Strömblad
Christopher Glyer, Mandiant, @cglyer
Cody Thomas, SpecterOps
Craig Aitchison
CrowdStrike Falcon OverWatch
Cybereason Nocturnus, @nocturnus
Dan Borges, @1njection
Dan Nutting, @KerberToast
Daniel Oakley
Daniel Prizmant, Palo Alto Networks
Daniel Stepanic, Elastic
Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
Daniyal Naeem, BT Security
Darren Spruell
Dave Westgard
David Ferguson, CyberSponse
David Fiser, @anu4is, Trend Micro
David French, Elastic
David Lu, Tripwire
David Routin
Deloitte Threat Library Team
Diogo Fernandes
Dor Edry, Microsoft
Doron Karmi, @DoronKarmi
Drew Church, Splunk
Ed Williams, Trustwave, SpiderLabs
Edward Millington
Elastic
Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
Eli Salem, @elisalem9
Elia Florio, Microsoft
Elly Searle, CrowdStrike — contributed to tactic definitions
Emile Kenning, Sophos
Emily Ratliff, IBM
Eric Kuehn, Secure Ideas
Erik Schamper, @Schamperr, Fox-IT
Erika Noerenberg, @gutterchurl, Carbon Black
Erye Hernandez, Palo Alto Networks
ESET
Expel
ExtraHop
Felipe Espósito, @Pr0teus
Filip Kafka, ESET
FIRST.ORG's Cyber Threat Intelligence SIG
FS-ISAC
Gaetan van Diemen, ThreatFabric
Gal Singer, @galsinger29, Team Nautilus Aqua Security
Gareth Phillips, Seek Ltd.
George Allen, VMware Carbon Black
Gordon Long, Box, Inc., @ethicalhax
Hans Christoffer Gaardløs
Harry Kim, CODEMIZE
Harry, CODEMIZE
Harshal Tupsamudre, Qualys
Heather Linn
Hiroki Nagahama, NEC Corporation
Ibrahim Ali Khan
Idan Frimark, Cisco
Idan Revivo, @idanr86, Team Nautilus Aqua Security
Isif Ibrahima
Itamar Mizrahi, Cymptom
Itzik Kotler, SafeBreach
Ivan Sinyakov
Jacob Wilkin, Trustwave, SpiderLabs
Jacques Pluviose, @Jacqueswildy_IT
James Dunn, @jamdunnDFW, EY
Jan Miller, CrowdStrike
Jan Petrov, Citi
Janantha Marasinghe
Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
Jared Atkinson, @jaredcatkinson
Jaron Bradley @jbradley89
Jay Chen, Palo Alto Networks
Jean-Ian Boutin, ESET
Jeff Felling, Red Canary
Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
Jen Burns, HubSpot
Jeremy Galloway
Jesse Brown, Red Canary
Jimmy Astle, @AstleJimmy, Carbon Black
Joas Antonio dos Santos, @C0d3Cr4zy
Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics
Johann Rehberger
John Lambert, Microsoft Threat Intelligence Center
John Strand
Jon Sheedy
Jon Sternstein, Stern Security
Jonathan Boucher, @crash_wave, Bank of Canada
Jonathan Shimonovich, Check Point
Jonhnathan Ribeiro, 3CORESec, @_w0rk3r
Jorell Magtibay, National Australia Bank Limited
Jorge Orchilles, SCYTHE
Jose Luis Sánchez Martinez
Josh Abraham
Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Josh Day, Gigamon
Josh Liburdi, @jshlbrd
João Paulo de A. Filho, @Hug1nN__
Justin Warner, ICEBRG
Jörg Abraham, EclecticIQ
Karim Hasanen, @_karimhasanen
Kaspersky
Katie Nickels, Red Canary
Kiyohito Yamamoto, RedLark, NTT Communications
Kobi Eisenkraft, Check Point
Kobi Haimovich, CardinalOps
Kyaw Pyiyt Htet, @KyawPyiytHtet
Kyoung-ju Kwak (S2W)
Lab52 by S2 Grupo
Lacework Labs
Lee Christensen, SpecterOps
Leo Loobeek, @leoloobeek
Leo Zhang, Trend Micro
Lior Ribak, SentinelOne
Loic Jaquemet
Lorin Wu, Trend Micro
Lucas da Silva Pereira, @vulcanunsec, CIP
Lukáš Štefanko, ESET
Maarten van Dantzig, @MaartenVDantzig, Fox-IT
Magno Logan, @magnologan, Trend Micro
Manikantan Srinivasan, NEC Corporation India
Marc-Etienne M.Léveillé, ESET
Maril Vernon @shewhohacks
Mark Wee
Martin Jirkal, ESET
Martin Smolár, ESET
Martin Sohn Christensen, Improsec
Mathieu Tartare, ESET
Matias Nicolas Porolli, ESET
Matt Brenton, Zurich Global Information Security
Matt Brenton, Zurich Insurance Group
Matt Burrough, @mattburrough, Microsoft
Matt Graeber, @mattifestation, SpecterOps
Matt Kelly, @breakersall
Matt Snyder, VMware
Matthew Demaske, Adaptforward
Matthew Molyett, @s1air, Cisco Talos
Matthieu Faou, ESET
Mayuresh Dani, Qualys
McAfee
Menachem Shafran, XM Cyber
Michael Cox
Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security
Michal Dida, ESET
Microsoft Detection and Response Team (DART)
Microsoft Security
Microsoft Threat Intelligence Center (MSTIC)
Mike Burns, Mandiant
Mike Kemmerer
Milos Stojadinovic
Mnemonic
Mnemonic AS
Mugdha Peter Bansode
Nathaniel Quist, Palo Alto Networks
Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
Netskope
Nick Carr, Mandiant
Nik Seetharaman, Palantir
Nino Verde, @LDO_CyberSec, Leonardo's Cyber Security Division
Nishan Maharjan, @loki248
Oddvar Moe, @oddvarmoe
Ofir Almkias, Cybereason
Ohad Mana, Check Point
Oleg Kolesnikov, Securonix
Oleg Skulkin, Group-IB
Oleksiy Gayda
Omkar Gudhate
Patrick Campbell, @pjcampbe11
Patrick Sungbahadoor
Paul Speulstra, AECOM Global Security Operations Center
Pawan Kinger, @kingerpawan, Trend Micro
Pedro Harrison
Phil Stokes, SentinelOne
Philip Winther
Pooja Natarajan, NEC Corporation India
Praetorian
Prasad Somasamudram, McAfee
Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
Prashant Verma, Paladion
Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
Red Canary
RedHuntLabs, @redhuntlabs
Regina Elwell
Rex Guo, @Xiaofei_REX, Confluera
Ricardo Dias
Richard Gold, Digital Shadows
Richie Cyrus, SpecterOps
Rick Cole, Mandiant
Rob Smith
Robby Winchester, @robwinchester3
Robert Falcone
Robert Simmons, @MalwareUtkonos
Robert Wilson
Rodrigo Garcia, Red Canary
Roi Kol, @roykol1, Team Nautilus Aqua Security
Romain Dumont, ESET
Rory McCune, Aqua Security
Ruben Dodge, @shotgunner101
Ryan Becwar
Ryan Benson, Exabeam
Ryo Tamura, SecureBrain Corporation
Sahar Shukrun
Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
SarathKumar Rajendran, Trimble Inc
Scott Knight, @sdotknight, VMware Carbon Black
Scott Lundgren, @5twenty9, Carbon Black
Sebastian Salla, McAfee
Sekhar Sarukkai, McAfee
Sergey Persikov, Check Point
Shailesh Tiwary (Indian Army)
Shane Tully, @securitygypsy
Shlomi Salem, SentinelOne
Shotaro Hamamoto, NEC Solution Innovators, Ltd
Shuhei Sasada, Cyber Defense Institute, Inc
Silvio La Porta, @LDO_CyberSec, Leonardo's Cyber Security Division
SOCCRATES
Stan Hegt, Outflank
Stefan Kanthak
Steven Du, Trend Micro
Sudhanshu Chauhan, @Sudhanshu_C
Sunny Neo
Suzy Schapperle - Microsoft Azure Red Team
Swapnil Kumbhar
Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
Syed Ummar Farooqh, McAfee
Sylvain Gil, Exabeam
Sébastien Ruel, CGI
Takuma Matsumoto, LAC Co., Ltd
Tatsuya Daitoku, Cyber Defense Institute, Inc.
Ted Samuels, Rapid7
Teodor Cimpoesu
The DFIR Report, @TheDFIRReport
Thijn Bukkems, Amazon
Tim (Wadhwa-)Brown
Tim MalcomVetter
Toby Kohlenberg
Tom Ueltschi @c_APT_ure
Tony Lambert, Red Canary
Travis Smith, Tripwire
Trend Micro Incorporated
Tristan Bennett, Seamless Intelligence
Vadim Khrykov
Valerii Marchuk, Cybersecurity Help s.r.o.
Varonis Threat Labs
Veeral Patel
Vikas Singh, Sophos
Vinayak Wadhwa, Lucideus
Vincent Le Toux
Viren Chaudhari, Qualys
Vishwas Manral, McAfee
Walker Johnson
Wayne Silva, F-Secure Countercept
Wes Hurd
Will Thomas, Cyjax
William Cain
Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security
Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Yonatan Gotlib, Deep Instinct
Yoshihiro Kori, NEC Corporation
Yossi Nisani, Cymptom
Yossi Weizman, Azure Defender Research Team
Yusuke Kubo, RedLark, NTT Communications
Yusuke Niwa, ITOCHU Corporation
Yuval Avrahami, Palo Alto Networks
Zaw Min Htun, @Z3TAE
Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security
Ziv Kaspersky, Cymptom
308 orgs and individuals
https://attack.mitre.org
attack@mitre.org
@mitreattack
Adam Pennington
@_whatshisface
URLs Related to Q&A
• https://www.youtube.com/watch?v=-d38C3992aQ
• https://www.youtube.com/watch?v=eZsMHSE2PDc&list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2&index=14
@kingerpawan, Trend Micro Pedro Harrison Phil Stokes, SentinelOne Philip Winther Pooja Natarajan, NEC Corporation India Praetorian Prasad Somasamudram, McAfee Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team Prashant Verma, Paladion Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International Red Canary RedHuntLabs, @redhuntlabs Regina Elwell Rex Guo, @Xiaofei_REX, Confluera Ricardo Dias Richard Gold, Digital Shadows Richie Cyrus, SpecterOps Rick Cole, Mandiant Rob Smith Robby Winchester, @robwinchester3 Robert Falcone Robert Simmons, @MalwareUtkonos Robert Wilson Rodrigo Garcia, Red Canary Roi Kol, @roykol1, Team Nautilus Aqua Security Romain Dumont, ESET Rory McCune, Aqua Security Ruben Dodge, @shotgunner101 Ryan Becwar Ryan Benson, Exabeam Ryo Tamura, SecureBrain Corporation Sahar Shukrun Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) SarathKumar Rajendran, Trimble Inc Scott Knight, @sdotknight, VMware Carbon Black Scott Lundgren, @5twenty9, Carbon Black Sebastian Salla, McAfee Sekhar Sarukkai, McAfee Sergey Persikov, Check Point Shailesh Tiwary (Indian Army) Shane Tully, @securitygypsy Shlomi Salem, SentinelOne Shotaro Hamamoto, NEC Solution Innovators, Ltd Shuhei Sasada, Cyber Defense Institute, Inc Silvio La Porta, @LDO_CyberSec, Leonardo's Cyber Security Division SOCCRATES Stan Hegt, Outflank Stefan Kanthak Steven Du, Trend Micro Sudhanshu Chauhan, @Sudhanshu_C Sunny Neo Suzy Schapperle - Microsoft Azure Red Team Swapnil Kumbhar Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) Syed Ummar Farooqh, McAfee Sylvain Gil, Exabeam Sébastien Ruel, CGI Takuma Matsumoto, LAC Co., Ltd Tatsuya Daitoku, Cyber Defense Institute, Inc. 
Ted Samuels, Rapid7 Teodor Cimpoesu The DFIR Report, @TheDFIRReport Thijn Bukkems, Amazon Tim (Wadhwa-)Brown Tim MalcomVetter Toby Kohlenberg Tom Ueltschi @c_APT_ure Tony Lambert, Red Canary Travis Smith, Tripwire Trend Micro Incorporated Tristan Bennett, Seamless Intelligence Vadim Khrykov Valerii Marchuk, Cybersecurity Help s.r.o. Varonis Threat Labs Veeral Patel Vikas Singh, Sophos Vinayak Wadhwa, Lucideus Vincent Le Toux Viren Chaudhari, Qualys Vishwas Manral, McAfee Walker Johnson Wayne Silva, F-Secure Countercept Wes Hurd Will Thomas, Cyjax William Cain Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank Yonatan Gotlib, Deep Instinct Yoshihiro Kori, NEC Corporation Yossi Nisani, Cymptom Yossi Weizman, Azure Defender Research Team Yusuke Kubo, RedLark, NTT Communications Yusuke Niwa, ITOCHU Corporation Yuval Avrahami, Palo Alto Networks Zaw Min Htun, @Z3TAE Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security Ziv Kaspersky, Cymptom 308 orgs and individuals
  • 20. https://attack.mitre.org [email protected] @mitreattack Adam Pennington @_whatshisface
  • 21. URLs Related to Q&A
      • https://www.youtube.com/watch?v=-d38C3992aQ
      • https://www.youtube.com/watch?v=eZsMHSE2PDc&list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2&index=14
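The Campaign object fields listed on slide 18 can be checked mechanically before a Campaign is consumed by tooling. The following is an added example, not code from the presentation or from MITRE: `check_campaign`, the sample objects and the rule that first_seen must not follow last_seen are assumptions made for illustration.

```python
import re
from datetime import datetime

CITATION_RE = re.compile(r"^\(Citation: (?P<name>[^)]+)\)$")
CITATION_FIELDS = ("x_mitre_first_seen_citation", "x_mitre_last_seen_citation")
REQUIRED = ("name", "description", "first_seen", "last_seen") + CITATION_FIELDS

def _ts(value):
    # STIX timestamps end in "Z"; older fromisoformat() needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_campaign(obj):
    """Return a list of problems found in one campaign object (empty if clean)."""
    if obj.get("type") != "campaign":
        return ["not a campaign object"]
    problems = [f"missing {f}" for f in REQUIRED if not obj.get(f)]
    sources = {r.get("source_name") for r in obj.get("external_references", [])}
    for field in CITATION_FIELDS:
        match = CITATION_RE.match(obj.get(field) or "")
        if obj.get(field) and not match:
            problems.append(f"{field} is not of the form (Citation: <name>)")
        elif match and match.group("name") not in sources:
            problems.append(f"{field} cites unknown source {match.group('name')!r}")
    if obj.get("first_seen") and obj.get("last_seen"):
        try:
            # Assumption (not on the slide): first_seen must not follow last_seen.
            if _ts(obj["first_seen"]) > _ts(obj["last_seen"]):
                problems.append("first_seen is later than last_seen")
        except (ValueError, AttributeError, TypeError):
            problems.append("first_seen/last_seen are not parseable timestamps")
    return problems

# Constructed sample objects (not real ATT&CK data).
SAMPLE_OK = {
    "type": "campaign", "name": "C9999", "description": "Constructed example.",
    "aliases": ["C9999"], "x_mitre_version": "1.0",
    "first_seen": "2021-03-01T00:00:00.000Z", "last_seen": "2021-09-30T00:00:00.000Z",
    "x_mitre_first_seen_citation": "(Citation: Example Report 2021)",
    "x_mitre_last_seen_citation": "(Citation: Example Report 2021)",
    "external_references": [{"source_name": "Example Report 2021"}],
}
SAMPLE_BAD = dict(SAMPLE_OK, first_seen="2022-01-01T00:00:00.000Z",
                  x_mitre_last_seen_citation="(Citation: Unlisted Blog)")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_campaign(sample))
```

A citation that names a source missing from external_references leaves the first-seen or last-seen date without a traceable report, which is the case the second sample exercises.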