What is MITRE ATT&CK?
MITRE ATT&CK is a knowledge base of the tactics, techniques and procedures (TTPs) that attackers use to compromise an environment. It is built from real cases and documents the modus operandi of large cybercriminal groups, whether they are independent or linked to a government.
In theory, MITRE ATT&CK helps both Red Team and Blue Team professionals by cataloguing the techniques attackers use in particular environments. When you access the site, you will see that it covers enterprise environments, cloud environments, containers and so on. These TTPs are essential for helping the Blue Team implement security controls and mitigate risk. They are also a good source of techniques for Red Team professionals who need to test their company's security controls and verify whether or not those controls are applied correctly.
And that's where a very interesting concept comes in.
Adversary Emulation consists of testing the environment with TTPs to verify the effectiveness of the implemented security controls and to analyze how exposed your environment is to compromise, either by one specific TTP or by several. Adversary Emulation is usually a process that comes after a PenTest and good vulnerability management, so organizations tend to do it as a post-compromise exercise rather than a pre-compromise one. What does that mean? Post-compromise covers the actions an attacker would take after already having access to a specific environment; by running those TTPs you can see whether your security controls are effective at detecting a criminal who is already inside your network. The PenTest, on the other hand, follows the pre-compromise principle: it analyzes your company's degree of external exposure and risk, and its post-compromise part is generally not very in-depth.
Of course, both types of operation can be done with both pre- and post-compromise work, but you will generally find Adversary Emulation being done as post-compromise.
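To make the post-compromise idea concrete, here is an added example (not from the original post or from MITRE): it takes a constructed emulation plan built from the technique IDs quoted later in this post's group example and a constructed set of SIEM alerts tagged with ATT&CK IDs, and reports which emulated TTPs the controls detected and which ones produced no alert, grouped by tactic. The rule that an alert tagged with a parent technique counts for its sub-technique is an assumption of this example.

```python
from collections import defaultdict

# Constructed emulation plan: the ATT&CK techniques the exercise runs,
# using the technique IDs quoted in the post's group/software example.
EMULATION_PLAN = [
    {"id": "T1566.001", "name": "Spearphishing Attachment", "tactic": "initial-access"},
    {"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "tactic": "persistence"},
    {"id": "T1083", "name": "File and Directory Discovery", "tactic": "discovery"},
]

# Constructed SIEM alerts raised during the exercise window, each tagged by
# the analyst with the ATT&CK technique ID the detection rule is meant to catch.
ALERTS = [
    {"rule": "Office app spawned a child process", "technique": "T1566.001"},
    {"rule": "Office app spawned a child process", "technique": "T1566.001"},
    {"rule": "New value written under a Run key", "technique": "T1547"},
]


def is_covered(technique_id, alert_ids):
    """Assumption of this example: an alert tagged with the parent technique
    (T1547) is treated as covering its sub-technique (T1547.001)."""
    parent = technique_id.split(".")[0]
    return technique_id in alert_ids or parent in alert_ids


def evaluate(plan, alerts):
    """Return (covered_ids, missed_techniques, coverage_by_tactic), where
    coverage_by_tactic maps tactic -> (detected, total)."""
    alert_ids = {a["technique"] for a in alerts}
    covered, missed = set(), []
    by_tactic = defaultdict(lambda: [0, 0])
    for t in plan:
        by_tactic[t["tactic"]][1] += 1
        if is_covered(t["id"], alert_ids):
            covered.add(t["id"])
            by_tactic[t["tactic"]][0] += 1
        else:
            missed.append(t)  # post-compromise step that went unnoticed
    return covered, missed, {k: tuple(v) for k, v in by_tactic.items()}


def report(plan, alerts):
    """Per-tactic hit rate followed by one GAP line per undetected TTP."""
    covered, missed, by_tactic = evaluate(plan, alerts)
    lines = [f"{tac:<16} {hit}/{tot} detected" for tac, (hit, tot) in sorted(by_tactic.items())]
    lines += [f"GAP: {t['id']} {t['name']} ({t['tactic']}) raised no alert" for t in missed]
    return lines


if __name__ == "__main__":
    print("\n".join(report(EMULATION_PLAN, ALERTS)))
```

In a real exercise the plan and alert list would come from the emulation tooling and the SIEM respectively; the GAP lines are the techniques where a criminal already inside the network would not be detected.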
There are also tools that can help you with all of this; see a repository I made.
In short, that's it; of course the concept goes much deeper, and from it I'm creating another framework called Cracking The Perimeter, or Cracking The Bridge as some prefer to call it.
How to contribute to MITRE?
Unlike the CVEs we submit, to contribute to the MITRE ATT&CK matrix you first need to read this article:
Since MITRE ATT&CK is constantly being updated, because cybercriminals are always creating new techniques, our contributions are fundamental. So if you have a technique that adds to a sub-technique in MITRE ATT&CK, it is definitely welcome, especially variations of an existing technique or relevant information about one.
Of course, many contributions require research: understanding how the technique works and demonstrating how an attacker would use it to compromise an environment, moving away from the CTF mindset and into the real world. Proof-of-concept material that can be added to MITRE ATT&CK helps other organizations, since we rely on it heavily as a reference in our research, mainly to implement or test security controls and mitigate risk.
How can I carry out my research?
Are you aware of a new technique? Has your business been attacked by cybercriminals using something you have never seen before? Do you have a case from a PenTest you performed that could be of great value to MITRE? Then it is worth starting to submit. Of course, they will analyze it and look for scenarios that fit real life, so the details and how you describe each step are critical. Also, if you are adding to a technique, check whether another tactic or technique is required for the technique you are submitting to take effect; if your technique only affects servers running a certain service, this has to be stated very explicitly, and it is often something that will be re-evaluated.
All contributions are welcome, but be realistic, so consider the following questions before submitting your research:
- Is it a technique that already exists in MITRE ATT&CK?
- What degree of impact does this technique have on the respective environment?
- For this technique to be successful, does it need another tactic or sub-technique?
- Do you have an example scenario about this technique?
- What would the criminal need to perform this technique?
- Has it ever been used by an APT group?
- What is the mitigation process?
- What references did you use to support your research?
- Are the attack vectors accessible?
*APT groups are organized groups that carry out targeted or large-scale attacks using advanced persistent threats, which are threats with a high degree of impact that can cause great damage.
Anyway, in summary that's it; I intend to record a detailed video about MITRE ATT&CK.
But here is an example of a contribution from the site:
New Technique Example
COM, ROM, & BE GONE
Sub-techniques: This is a sub-technique of T1XXX, or this would have T1XXX as a sub-technique
Data Sources: Windows API, Process monitoring, or other sources that can be used to detect this activity
Description: Component Object Model (COM) servers associated with Graphics Interchange Format (JIF) image viewers can be abused to corrupt arbitrary memory banks. Adversaries may leverage this opportunity to modify, mux, and maliciously annoy (MMA) read-only memory (ROM) regularly accessed during normal system operations.
Detection: Monitor the JIF viewers for muxing and malicious annoyance. Use event ID 423420 and 234222 to detect changes.
Mitigation: Set the Registry key HKLM\SYSTEM\ControlSet\001\Control\WindowsJIFControl\ to 0 to disable MMA access if not needed within the environment.
Adversary Use: Here is a publicly-available reference about FUZZYSNUGGLYDUCK using this technique: (www[.]awesomeThreatReports[.]org/FUZZYSNUGGLYDUCK_NOMS_ON_ROM_VIA_COM). Additionally, our red team uses this in our operations.
Additional References: Here is a reference from the researcher who discovered this technique: (www[.]crazySmartResearcher[.]net/POC_DETECTIONS_&_MITIGATIONS_4_WHEN_COM_RAMS_ROM)
Group & Software Example
Group Name: FUZZYSNUGGLYDUCK (www[.]sourceX[.]com)
Associated Groups: APT1337 (www[.]sourceY[.]com)
Description: FUZZYSNUGGLYDUCK is a Great Lakes-based threat group that has been active since at least May 2018. The group focuses on targeting the aviation sector. (www[.]sourceY[.]com)
- Phishing: Spearphishing Attachment (T1566.001) – FUZZYSNUGGLYDUCK has used spearphishing email attachments containing images of stale bread to deliver malware. (www[.]sourceX[.]com)
- File and Directory Discovery (T1083) – FUZZYSNUGGLYDUCK has searched files and directories for the string *quack*. (www[.]sourceY[.]com)
Software Name: FLYINGV (www[.]sourceX[.]com) (www[.]sourceZ[.]com)
Group Association: FLYINGV has been used by FUZZYSNUGGLYDUCK. (www[.]sourceZ[.]com)
Description: FLYINGV is custom malware used by FUZZYSNUGGLYDUCK as a second-stage RAT. (www[.]sourceZ[.]com)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – FLYINGV has added the Registry Run key “HueyDeweyLouie” to establish persistence. (www[.]sourceX[.]com)
- File and Directory Discovery (T1083) – FLYINGV has used rundll32.exe to load its malicious dll file, istoz.dll. (www[.]sourceX[.]com)