MITRE ATT&CK DEFENDER (MAD): https://mitre-engenuity.org/mad/ (Link: "Get training" → Cybrary → Free when training from MAD)
https://mitre-engenuity.org/blog/2021/03/25/mad-press-release/
https://www.cybrary.it/catalog/refined/?q=mit
Getting Started ATT&CK: https://attack.mitre.org/resources/getting-started/
Sysmon, osquery → Splunk, etc.: telemetry sources feeding tactic/technique detection
Tactic vs. Technique vs. Procedure:
Tactics: Adversary's Technical Goals
Techniques: How those Goals are achieved.
Procedures: Specific implementations of techniques.
"Atomic Indicator": IP address, file hash, etc. (minimal indicators of an adversary's presence)
Usage: Incident Report / Observable Behavior → Mapping to MITRE ATT&CK
Recommendations:
- UNDERSTAND ATT&CK
- FIND BEHAVIOR
- RESEARCH BEHAVIOR
- TRANSLATE THE BEHAVIOR → TACTIC
- WHICH TECHNIQUES APPLY TO THE BEHAVIOR
- COMPARE RESULTS
Pdf: Getting started with ATT&CK (GOOD)
MITRE ATT&CK FOR DUMMIES PDF
MITRE ATT&CK GROUPS
CISA_Best_Practices_for_MITRE_ATTCK_Mapping_.pdf
Example: searching for the e-commerce industry:
Use the Navigator directly for a custom matrix, or open it from an APT group, technique, or even software (e.g. Mimikatz) page to see the matrix already highlighted for that tactic, technique, group or software:
Directly into a Navigator highlighting this group's tactics & techniques
Example: Conti (Software)
attack-scripts/scripts at master · mitre-attack/attack-scripts
Attack scripts
Usage (Extract logs → Integrate a SIEM → Use Datasets for testing → Analyze with MITRE CAR)
- Use SIGMA for translating CAR analytics into other languages
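As an added example (not code from the page or from any MITRE project), the usage flow above carried end to end: constructed Sysmon-style events are checked against constructed Sigma-style rules whose tags carry ATT&CK technique IDs, and the hits are turned into a minimal Navigator layer that highlights the matched techniques. The rule and event contents are constructed; the technique IDs T1003.001 (OS Credential Dumping: LSASS Memory) and T1059.001 (Command and Scripting Interpreter: PowerShell) are real ATT&CK IDs.

```python
import re
# Constructed Sigma-like rules: all selection fields must match; tags follow
# the Sigma convention attack.<tactic> / attack.t<technique id>.
RULES = [
    {"title": "Credential dumping: LSASS access (Mimikatz-like)",
     "selection": {"EventID": 10, "TargetImage|endswith": r"\lsass.exe"},
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Encoded PowerShell command line",
     "selection": {"EventID": 1, "CommandLine|contains": "-EncodedCommand"},
     "tags": ["attack.execution", "attack.t1059.001"]},
]
# Constructed Sysmon-style events (EventID 10 = ProcessAccess, 1 = ProcessCreate).
EVENTS = [
    {"EventID": 10, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 1, "CommandLine": "powershell.exe -w hidden -EncodedCommand <constructed>"},
    {"EventID": 1, "CommandLine": "notepad.exe report.txt"},
]
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")

def matches(rule, event):
    """Evaluate a selection: plain equality, or the |contains / |endswith modifiers."""
    for key, expected in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        value = str(event[field]).lower()
        if modifier == "contains" and expected.lower() not in value:
            return False
        if modifier == "endswith" and not value.endswith(expected.lower()):
            return False
        if modifier == "" and event[field] != expected:
            return False
    return True

def map_events(events, rules=RULES):
    """Return {technique_id: hit_count}; only attack.t* tags are technique IDs."""
    hits = {}
    for event in events:
        for rule in rules:
            if matches(rule, event):
                for tag in filter(TECHNIQUE_TAG.match, rule["tags"]):
                    tid = tag[len("attack."):].upper()
                    hits[tid] = hits.get(tid, 0) + 1
    return hits

def navigator_layer(hits, name="Mapped behavior"):
    """Minimal Navigator layer: score = hit count, so matched cells get highlighted."""
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(hits.items())]}
```

The layer dict carries only the fields needed for highlighting; a layer exported by the real Navigator also includes version metadata, which is omitted here.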