HOW to use MITRE ATT&CK Navigator in SOC Operations with Phishing Use Case Explained

00:00

hello everyone welcome back to AV cyber

00:02

active in this video we'll dive into the

00:05

fascinating world of cyber security and

00:07

take a closer look at the mitro attack

00:09

Navigator and then we'll explore how it

00:12

can be utilized in a use case to analyze

00:14

and understand a common cyber threat

00:17

that is fishing attack but before we

00:19

begin if you haven't already don't

00:21

forget to subscribe to our Channel and

00:23

for more insightful content onto cyber

00:25

security and Technology this is the

00:27

second video for miter and if you are

00:29

new to to my channel I'll say you watch

00:31

my first video on mitro attack framework

00:34

where I explain the basics and the

00:36

different tactics and techniques for

00:38

this framework so mro attack Navigator

00:40

is tool by mop released the updated

00:43

version last year that helps you do a

00:45

basic navigation and annotation of

00:48

attack techniques I saw a lot of people

00:50

doing this kind of layer comparison with

00:52

matrices in Excel which is great but

00:55

microp has a free purpose Built tool for

00:58

this purpose

01:00

now we head down to miter attack.

01:02

github.io I'll leave the direct link for

01:05

your convenience down below so this is

01:08

what the attack Navigator looks like by

01:10

default they also have a version for

01:13

mobile attack as

01:15

well after you load this page it'll

01:17

automatically show Enterprise attack

01:20

which if you recall is the kind of how

01:22

the adversaries get in and what they do

01:25

after they've gotten in so you'll be

01:27

pretty familiar with this view now now

01:30

it's the attack Matrix that across the

01:33

top that we have these tactics these are

01:36

the adversaries technical goals and

01:39

under each of these are these tactics we

01:43

have

01:44

techniques now how those adversaries

01:47

achieve the goals in a navigator we have

01:49

this object called a layer and that's

01:52

right it's just a way that we can

01:54

capture different information about

01:56

these techniques so I'm going to go and

01:58

walk you through with these different

02:00

buttons we have across the top and then

02:02

I'm going to take you into a use case

02:04

for navigator based on a threat

02:06

intelligence so let's dive in first

02:08

control we see that is locking multi-

02:11

tactic technique selection so what's a

02:13

multi technique you'll see in attack

02:16

some techniques like for example access

02:19

token manipulation falls under multiple

02:22

tactics because it's a multiac technique

02:26

and by default Navigator will select

02:28

both of these techniques across the

02:30

tactics but you might say well I only

02:34

want to select one of them cool

02:37

Navigator gives you that option say I

02:39

just care about access token

02:41

manipulation under privilege escalation

02:44

or defens evation easy enough we can

02:48

have that search menu here for example

02:51

if you want to see all techniques

02:53

mentioned registry so you can do a quick

02:56

search for registry and those will pop

02:58

up here you can also do multi- select so

03:01

this allow you to select either groups

03:03

of software which if you recall from my

03:05

first video we have pages in our tag

03:08

site where mitro cor goes through

03:10

opening Source reporting and gets

03:13

examples of different groups and

03:15

softwares using the attack techniques

03:18

really important to note here is that

03:20

this is not at all comprehensive right

03:23

miter can't possibly map everything

03:26

these groups have ever done or we don't

03:28

have that visibility

03:30

but they can take a sampling based on a

03:32

limited open sourcing reporting and map

03:35

it in the Navigator we can select

03:38

different techniques that the group or

03:40

software Pages we have in attack so we

03:42

can go ahead and select for example copy

03:44

these and deselect those next up the

03:48

deselect right if I have techniques

03:51

selected I want them not to be selected

03:53

anymore pretty

03:55

self-explanatory next up we have the

03:57

layer controls Navigator Works in layers

03:59

for information so a good analyst will

04:02

always give context about what they're

04:03

doing to help keep a track I'll add a

04:07

name for this and I'm going to name it

04:09

say call APD 3-29 comparison and I'm

04:14

going to give it some cool description

04:15

about what I'm doing so that other

04:18

analysts who look at this will know what

04:21

I'm doing or what I mean you can also

04:23

download layers behind the scenes this

04:27

is being built on Json so let's say you

04:29

want to take your layer and Export it to

04:31

another structure format or another tool

04:34

great you can download the layer as Json

04:37

you can also export your layer to

04:39

everyone's favorite tool Excel and I get

04:42

a lot of requests for people who say hey

04:45

I just love Matrix in Excel and this is

04:48

a great way to do that we all have

04:51

PowerPoint presentations where we have

04:53

to make those presentations maybe one

04:55

image of the navigator to include in

04:57

your presentations as well next you can

05:00

also render your layer to SVG an image

05:03

type and then you can also include it in

05:05

your presentation to make yourself look

05:07

cool and organized we can also filter

05:10

here maybe you want to select only Linux

05:13

techniques or Mac techniques that's also

05:15

possible this is also very if you want

05:18

to focus on a pre-attack technique if

05:21

you recall pre-attack is left of what

05:25

exploit what do the adversaries do

05:27

before they' have gotten in you you can

05:29

select prepare and then act is

05:33

Enterprise attack which is what we are

05:36

we have up right now next you can change

05:39

how you sort the techniques and may want

05:42

to alphabetically or reverse

05:44

alphabetically or in terms of these uh

05:46

scores ascending or descending it's

05:48

totally up to you you can toggle that

05:51

here you can also set up colors here now

05:54

for example maybe you I want to change

05:56

this tactic Rob background to a

05:58

different color because green is my

06:00

favorite color so you can do that here

06:03

moving along we have this toggle View

06:06

mode you know by default you will see a

06:09

full technique names full tactic names

06:12

or maybe just I want just want to see

06:14

the first letters of those I just want

06:16

to see these rectangles so if I want to

06:19

visualize something you know it is

06:21

simpler way so you can toggle that

06:24

here going into the technique controls

06:27

we have maybe I want to disable certain

06:29

techniques

06:29

you know I don't want these to be in my

06:32

view at the moment I can go ahead and

06:35

click toggle State and it'll gray it out

06:38

and it won't be a part of my view at

06:41

that moment and then there is a separate

06:44

button to show and hide or maybe even

06:47

disable I don't want it to be gray so I

06:51

just want it out of my view I click the

06:54

show or hide disabled and it'll pop back

06:57

up depending on what you want next is

07:00

the background color let's say access

07:02

token manipulation you know your team

07:05

knows that this is a Technique we have

07:07

covered and have no coverage for this in

07:11

the uh defensive asion so we can go

07:13

ahead and make that as red you can also

07:16

give it a score you know so let's say

07:19

this is of a high priority one so we

07:20

give it a score of zero or one or two

07:24

whatever you've decided for your

07:26

team you can also put a comment so you

07:29

know maybe you want everyone to know we

07:32

need to focus on this so you can add a

07:36

comment and when you do that in the

07:38

Navigator this yellow underline is going

07:40

to pop up on your Technique so that's

07:43

how you know that there's a comment in

07:44

there and then there is clear

07:47

annotations so you need uh your selected

07:49

techniques and say okay access to

07:52

manipulation we want to clear that one

07:54

easy one here now let's see how to

07:57

create layers using navig Ator

07:59

specifically for thread

08:02

intelligence now say for example you

08:04

want to compare two thread intelligent

08:06

groups so I'll create a new

08:09

layer click on the new layer it'll bring

08:12

up the

08:13

menu I am looking to compare between say

08:17

abd3 so I'll select all of those

08:19

everything gets selected I'll name it

08:23

ABD okay

08:26

three okay and then and uh create

08:30

another

08:31

layer new layer and uh call

08:35

it

08:37

AP

08:40

29 all right

08:43

easy and go ahead and select AP 29 so

08:47

let's see over

08:49

here now what you can also do uh for ap3

08:53

let's say for example I want to give

08:55

them a scoring so all ap3 should get a

08:58

score of uh

08:59

one so everything gets highlighted in

09:01

one depending on the color scheme that

09:04

you have selected over

09:06

here and APD 29 let's say I'll

09:11

select again APD

09:16

29 and give it a

09:28

color

09:29

say

09:31

yellow now I want to compare now both of

09:34

these so I'll create layers from layers

09:40

so if I click over here you will see a b

09:42

and c gets

09:44

highlighted and uh coloring we can

09:46

choose those uh these are all over here

09:49

so we want to just uh compare between B

09:52

and C so score

09:54

expression I'll go back here check and

09:57

see I think uh scoring over here let's

10:00

give it a score of

10:03

three or two depending on your

10:07

need okay now I'll give a score

10:10

expression as a sorry that'll be B plus

10:16

C and create a layer now you'll see

10:20

something interesting has happened um

10:23

this one is a combination so AP

10:26

D3 plus a

10:30

pt29 got highlighted over

10:32

here now you'll see both of them are

10:34

highlighted over here um we don't know

10:36

what is what but you will see

10:37

interesting enough there is score one if

10:40

you remember score one was for apd3 and

10:42

we gave a score two for ab29 but if you

10:45

see some of them have a score of three

10:48

that is because this is common between

10:50

both of them now we not interested in

10:53

seeing ones and twos we just interested

10:55

in seeing what's common between apd3 and

10:57

APD 29 so what you we're going to do

11:00

here is uh choose a color setup so say

11:04

for example for the lower if it has a

11:07

score of one we just going to select

11:09

green for

11:10

that uh yellow for if it's somewhere in

11:14

the

11:14

middle and I'll go with the color

11:19

red now you see something interesting

11:21

has happened here the green are the ones

11:23

which have score one yellow are the ones

11:27

which are only exclusively to APD 29 and

11:30

green are the ones exclusively for ab3

11:32

but the red ones are for

11:36

ab29 this is really interesting say

11:38

these course of three which are the

11:42

techniques both have used in Red so

11:44

that's a great place for you to start

11:46

you know you would want to pass these to

11:48

your Defenders or your analyst say hey

11:51

guys these are the two groups we care

11:53

about and here are the techniques

11:55

they're going to do and it's very simple

11:59

tool to help you visualize the attack

12:02

and use the attack so I hope this was

12:05

helpful to you as a starting place to

12:07

get you started with the attack uh

12:09

Navigator so that's an overview of the

12:12

Navigator controls so now I want us to

12:15

dive into a use case specifically for

12:17

threat intelligence we'll take a simple

12:19

one and that's the most requested mitro

12:22

attack framework today that is fishing

12:25

now let's have a look at a typical email

12:27

spam mail mail content here is asking

12:31

you to click on uh like a FaceTime

12:34

verification from an unknown domain and

12:37

it's delivered to your email address or

12:39

asking you to go to a different website

12:42

let's see what's exactly is happening

12:43

here here an attacker has identified the

12:46

list of victims they will harvest their

12:49

email addresses and then set it up for

12:51

fishing website and now needs to lure

12:54

the victims to the fishing website to

12:57

achieve this attacker carefully crafts a

13:00

fishing email then the attacker sends

13:03

out this email to the preh harvested

13:05

email addresses and then points them to

13:07

the attacker and waits for the victims

13:10

to click and take the bait and sign on

13:13

to the fishing website once they attempt

13:16

to sign in the attacker has the

13:18

credentials to log in this is very

13:20

dangerous you know now let's plot this

13:23

attack on mitro attack Matrix and let's

13:25

see how this looks so the malicious

13:29

gathers victim's information in this

13:31

case email address and sets it up for

13:34

fishing service then creates a link to

13:37

that service sends it an in email

13:39

fishing containing the link to all the

13:42

accounts attacker Targets this by

13:45

obtaining access to these Cloud accounts

13:47

so once the user goes and logs into the

13:50

cloud accounts the attacker will display

13:53

some simple looking message like

13:54

verification failed or something like

13:56

that and now the bad actor has access to

13:58

the credential that they were trying to

14:02

capture on in that login session so in

14:05

this example if you notice that it is

14:06

not necessary for an attacker to use

14:09

every technique in The Matrix in fact to

14:11

get their job done they will try to use

14:14

the minimum number of techniques

14:16

required so that there could be

14:17

iterations between those techniques as

14:20

well so when mapping an attack to a mro

14:23

framework you would something you would

14:25

do something like this this is important

14:27

here you know the attacker first uses

14:30

technique to identify the Target and

14:32

uses a sub technique to craft fishing

14:34

email hence Recon tactic was performed

14:37

here same goes for resource development

14:40

technique to harvest email accounts get

14:43

the initial access by fishing technique

14:46

and by delivering malicious link sub

14:49

technique I hope that was clear and

14:52

thank you for joining us today and we

14:54

have explored today the mitro attack

14:56

Navigator in the context of fishing use

14:58

Case by understanding the tactics and

15:01

techniques used be attackers we can

15:03

better prepare and defend against cyber

15:05

threats if you found this video helpful

15:07

don't forget to like give it a thumbs up

15:09

and subscribe and also hit the

15:10

notification Bell for more content stay

15:13

vigilant stay secure and I'll see you in

15:15

the next video bye

15:24

[Music]

15:26

now