HOW to use MITRE ATT&CK Navigator in SOC Operations with Phishing Use Case Explained
Summary
TL;DR: This AV Cyber video explores the MITRE ATT&CK Navigator, a tool for analyzing cyber threats. It demonstrates how to use the Navigator to compare attack techniques, create layers, and visualize common threats like phishing attacks. The video also provides a step-by-step guide on mapping attack tactics and techniques to the MITRE ATT&CK framework.
Takeaways
- 🌐 The video from AV Cyber introduces the MITRE ATT&CK Navigator, a tool for analyzing cyber threats and understanding attack techniques.
- 🔍 The MITRE ATT&CK Navigator allows for the selection and annotation of tactics and techniques used by adversaries in cyber attacks.
- 📱 The tool is accessible via mitre-attack.github.io and is also available in a mobile version for on-the-go analysis.
- 📑 The Navigator uses 'layers' to capture different information about attack techniques, which can be named and described for context.
- 🔄 Techniques can be selected or deselected across different tactics, and multi-technique selection allows for focus on specific attack vectors.
- 🔎 The Navigator includes a search function to find techniques related to certain terms, such as 'registry', and supports multi-select.
- 📈 Analysts can download layers as JSON or export them to Excel for further analysis or presentation in different formats like SVG.
- 🖼️ The tool offers customization options, including changing the background color of tactics, adding scores and comments to techniques.
- 📊 The Navigator can be used to compare threat intelligence from different groups, such as APT3 and APT29, by creating and combining layers.
- 📝 The video provides a step-by-step guide on how to use the Navigator to analyze a phishing attack, from the initial email to credential capture.
- 🛡️ Understanding the tactics and techniques used by attackers in the MITRE ATT&CK framework helps in preparing and defending against cyber threats.
Q & A
What is the main focus of the video?
-The video focuses on exploring the MITRE ATT&CK Navigator and its use in analyzing and understanding common cyber threats, specifically phishing attacks.
What is the MITRE ATT&CK Navigator?
-The MITRE ATT&CK Navigator is a tool released by MITRE that helps in basic navigation and annotation of attack techniques, providing a visual representation of cyber threat tactics and techniques.
Why is the MITRE ATT&CK Navigator useful for cybersecurity?
-The MITRE ATT&CK Navigator is useful for cybersecurity as it allows analysts to visualize, compare, and understand the tactics and techniques used by adversaries, thereby helping to prepare and defend against cyber threats more effectively.
What is the purpose of the attack matrix in the MITRE ATT&CK Navigator?
-The attack matrix in the MITRE ATT&CK Navigator displays the tactics across the top and the techniques under each tactic, showing how adversaries achieve their goals.
How can the MITRE ATT&CK Navigator be used to compare different threat groups?
-The MITRE ATT&CK Navigator allows users to create layers to capture different information about techniques, which can be used to compare the tactics and techniques used by different threat groups.
What is a 'layer' in the context of the MITRE ATT&CK Navigator?
-In the context of the MITRE ATT&CK Navigator, a 'layer' is a way to capture different information about attack techniques, allowing for the creation of custom views and comparisons.
How can the MITRE ATT&CK Navigator help in threat intelligence analysis?
-The MITRE ATT&CK Navigator can help in threat intelligence analysis by enabling the comparison of techniques used by different threat groups, highlighting commonalities and differences, and providing a visual aid for understanding complex attack patterns.
What is the significance of scoring techniques in the MITRE ATT&CK Navigator?
-Scoring techniques in the MITRE ATT&CK Navigator helps in prioritizing and focusing on specific techniques that are of high importance or are commonly used by threat groups, aiding in targeted defense strategies.
How can the MITRE ATT&CK Navigator be used to visualize a phishing attack?
-The MITRE ATT&CK Navigator can be used to visualize a phishing attack by mapping out the tactics and techniques used in the attack, such as initial access via phishing and credential access, providing a clear understanding of the attack lifecycle.
What are some of the features of the MITRE ATT&CK Navigator that aid in presentation and reporting?
-Some features of the MITRE ATT&CK Navigator that aid in presentation and reporting include the ability to export layers as JSON, export to Excel, render layers to SVG for inclusion in presentations, and customize the visual appearance of the attack matrix.
Outlines
😀 Introduction to MITRE ATT&CK Navigator
This paragraph introduces the MITRE ATT&CK Navigator, a tool by MITRE that aids in the analysis and understanding of cyber threats. It is used to navigate and annotate attack techniques, particularly focusing on phishing attacks. The speaker encourages viewers to subscribe for more content on cybersecurity and technology. The MITRE ATT&CK Navigator is described as an updated version that facilitates basic navigation and annotation of attack techniques, which many people previously did using Excel. The speaker provides a link to the MITRE ATT&CK Navigator and explains its default view, which shows the Enterprise attack matrix, detailing tactics and techniques used by adversaries.
🔍 Exploring MITRE ATT&CK Navigator Features
This paragraph delves into the features of the MITRE ATT&CK Navigator, explaining how it operates in layers to capture different information about attack techniques. The speaker guides viewers through the various controls available in the Navigator, such as multi-tactic technique selection, search functionality, and the ability to select groups of software using attack techniques. The paragraph also covers how to create layers, download them as JSON or Excel, and render them as SVG images. Additionally, viewers are shown how to filter techniques by operating systems, sort them in various ways, and customize the view by toggling the display of full technique names or just the first letters.
📊 Analyzing Techniques and Creating Layers
In this paragraph, the speaker demonstrates how to analyze techniques and create layers in the MITRE ATT&CK Navigator. Techniques can be disabled, scored, and annotated with comments. The speaker explains how to use the Navigator to compare two threat intelligence groups by creating and naming layers, selecting techniques, and applying scores and colors. The process of creating a new layer from existing layers and scoring them based on their commonalities is also discussed. This allows for a visual comparison of techniques used by different groups, highlighting those that are common and thus potentially more critical to focus on.
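As an added example (not the video's or MITRE's own code), the Python below rebuilds the APT3/APT29 layer comparison described above: two scored layers, a "b+c" score expression, and the 1/2/3 colour scheme where 3 marks techniques both groups use. The technique sets are constructed samples rather than the real ATT&CK group pages, the layer field names follow the Navigator layer JSON format, and the combine semantics are an assumed reimplementation of the "create layer from other layers" feature.

```python
import json

# Constructed sample technique sets for the two groups compared in the video.
# They are NOT the real ATT&CK group pages for APT3/APT29, just a handful of
# genuine technique IDs chosen so that the overlap is visible.
APT3_TECHNIQUES = {"T1566.002", "T1134", "T1078", "T1059.001"}
APT29_TECHNIQUES = {"T1566.002", "T1078", "T1027", "T1071.001"}

# Colour scheme the video settles on: 1 = first group only (green),
# 2 = second group only (yellow), 3 = present in both (red).
SCORE_COLORS = {1: "#00ff00", 2: "#ffff00", 3: "#ff0000"}


def make_layer(name, description, technique_ids, score):
    """Build a Navigator-style layer: one entry per technique with a score.
    Field names follow the Navigator layer JSON format (techniqueID, score,
    color, comment); version metadata is omitted here."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": description,
        "techniques": [{"techniqueID": tid, "score": score}
                       for tid in sorted(technique_ids)],
    }


def combine_layers(layers, expression):
    """Assumed reimplementation of 'create layer from other layers' with an
    additive score expression such as 'b+c'. Layers are lettered a, b, c, ...
    in the order given, mirroring the letters the Navigator UI shows."""
    letters = {chr(ord("a") + i): layer for i, layer in enumerate(layers)}
    scores, hits = {}, {}
    for term in expression.replace(" ", "").lower().split("+"):
        if term not in letters:
            raise ValueError(f"unknown layer letter in expression: {term!r}")
        for entry in letters[term]["techniques"]:
            tid = entry["techniqueID"]
            scores[tid] = scores.get(tid, 0) + entry["score"]
            hits[tid] = hits.get(tid, 0) + 1  # how many layers contributed
    techniques = []
    for tid in sorted(scores):
        techniques.append({
            "techniqueID": tid,
            "score": scores[tid],
            "color": SCORE_COLORS.get(scores[tid], "#ffffff"),
            "comment": "common to both groups" if hits[tid] > 1 else "",
        })
    return {"name": f"combined ({expression})",
            "domain": "enterprise-attack",
            "description": "score = " + expression,
            "techniques": techniques}


def common_techniques(combined, both_score=3):
    """Technique IDs the video highlights in red: score equals the sum of
    both per-group scores, i.e. the technique appears in both groups."""
    return sorted(t["techniqueID"] for t in combined["techniques"]
                  if t["score"] == both_score)


if __name__ == "__main__":
    a = make_layer("APT3-29 comparison", "working layer", set(), 0)
    b = make_layer("APT3", "APT3 techniques, score 1", APT3_TECHNIQUES, 1)
    c = make_layer("APT29", "APT29 techniques, score 2", APT29_TECHNIQUES, 2)
    combined = combine_layers([a, b, c], "b+c")
    print(json.dumps(combined, indent=2))
    print("common:", common_techniques(combined))
```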
🎣 Applying MITRE ATT&CK Navigator to Phishing Attacks
The final paragraph focuses on applying the MITRE ATT&CK Navigator to a phishing attack scenario. The speaker describes a typical phishing email that tricks victims into clicking on a link, leading them to a fake website where they are asked to enter their credentials. The attack is mapped onto the MITRE ATT&CK Matrix, showing how the attacker uses minimal techniques to achieve their goal. The speaker emphasizes that understanding the tactics and techniques used by attackers can help in better preparing and defending against such cyber threats. The paragraph concludes with a call to action for viewers to like, subscribe, and stay vigilant against cyber threats.
Keywords
💡Cyber Security
💡MITRE ATT&CK
💡Phishing Attack
💡MITRE ATT&CK Navigator
💡Tactics
💡Techniques
💡Layers
💡Threat Intelligence
💡Annotations
💡Pre-Attack Techniques
💡Enterprise Attack
Highlights
Introduction to the MITRE ATT&CK Navigator and its utility in analyzing cyber threats.
Explanation of the MITRE ATT&CK framework and its components like tactics and techniques.
Demonstration of how to navigate and annotate attack techniques using the MITRE ATT&CK Navigator.
Discussion on the multi-technique selection feature in the Navigator.
How to search and select techniques related to specific tactics or software.
Introduction to the concept of layers in the MITRE ATT&CK Navigator.
Explanation of how to create and manage layers for different analysis contexts.
How to export layers to JSON or Excel for further analysis or reporting.
Demonstration of how to render layers to SVG for presentation purposes.
How to filter techniques based on operating systems or pre-attack techniques.
Explanation of how to sort techniques alphabetically or by scores.
How to toggle view modes to show full technique names or just the first letters.
Demonstration of how to disable certain techniques from the view.
How to set background colors and scores for techniques to indicate priority or coverage.
Explanation of how to add comments to techniques for team communication.
How to clear annotations for selected techniques.
Introduction to creating layers for threat intelligence analysis.
Demonstration of comparing two threat intelligence groups using layers.
How to score and color techniques based on their presence in different threat groups.
Explanation of how to visualize common techniques used by multiple threat groups.
Introduction to a use case involving the MITRE ATT&CK framework and phishing attacks.
Analysis of a typical phishing email and its components.
Mapping of the phishing attack process to the MITRE ATT&CK Matrix.
Conclusion and call to action for subscribing and engaging with the channel.
Transcripts
Hello everyone, welcome back to AV Cyber. In this video we'll dive into the fascinating world of cyber security and take a closer look at the MITRE ATT&CK Navigator, and then we'll explore how it can be utilized in a use case to analyze and understand a common cyber threat, that is a phishing attack. But before we begin, if you haven't already, don't forget to subscribe to our channel for more insightful content on cyber security and technology. This is the second video for MITRE, and if you are new to my channel I'd say you watch my first video on the MITRE ATT&CK framework, where I explain the basics and the different tactics and techniques of this framework.

So the MITRE ATT&CK Navigator is a tool by MITRE; they released the updated version last year. It helps you do basic navigation and annotation of ATT&CK techniques. I saw a lot of people doing this kind of layer comparison with matrices in Excel, which is great, but MITRE has a free purpose-built tool for this purpose.

Now we head down to mitre-attack.github.io; I'll leave the direct link for your convenience down below. So this is what the ATT&CK Navigator looks like by default. They also have a version for Mobile ATT&CK as well. After you load this page it'll automatically show Enterprise ATT&CK, which, if you recall, is kind of how the adversaries get in and what they do after they've gotten in, so you'll be pretty familiar with this view. Now it's the ATT&CK matrix: across the top we have these tactics, these are the adversaries' technical goals, and under each of these tactics we have techniques, how those adversaries achieve the goals. In the Navigator we have this object called a layer, and that's right, it's just a way that we can capture different information about these techniques. So I'm going to go and walk you through these different buttons we have across the top, and then I'm going to take you into a use case for the Navigator based on threat intelligence. So let's dive in.

The first control we see is locking multi-tactic technique selection. So what's a multi-tactic technique? You'll see in ATT&CK some techniques, like for example Access Token Manipulation, fall under multiple tactics because it's a multi-tactic technique, and by default the Navigator will select both of these techniques across the tactics. But you might say, well, I only want to select one of them. Cool, the Navigator gives you that option; say I just care about Access Token Manipulation under Privilege Escalation or Defense Evasion. Easy enough. We have the search menu here; for example, if you want to see all techniques mentioning registry, you can do a quick search for registry and those will pop up here. You can also do multi-select, so this allows you to select either groups or software, which, if you recall from my first video, we have pages on the ATT&CK site where MITRE goes through open source reporting and gets examples of different groups and software using the ATT&CK techniques. Really important to note here is that this is not at all comprehensive, right? MITRE can't possibly map everything these groups have ever done, or we don't have that visibility, but they can take a sampling based on limited open source reporting and map it. In the Navigator we can select the different techniques of the group or software pages we have in ATT&CK, so we can go ahead and select, for example, copy these and deselect those. Next up is deselect, right: if I have techniques selected and I want them not to be selected anymore. Pretty self-explanatory.

Next up we have the layer controls. The Navigator works in layers for information, so a good analyst will always give context about what they're doing to help keep track. I'll add a name for this, and I'm going to name it, say, APT3-29 comparison, and I'm going to give it some cool description about what I'm doing so that other analysts who look at this will know what I'm doing or what I mean. You can also download layers; behind the scenes this is being built on JSON, so let's say you want to take your layer and export it to another structured format or another tool, great, you can download the layer as JSON. You can also export your layer to everyone's favorite tool, Excel, and I get a lot of requests from people who say hey, I just love the matrix in Excel, and this is a great way to do that. We all have PowerPoint presentations where we have to make those presentations, maybe one image of the Navigator to include in your presentations as well. Next, you can also render your layer to SVG, an image type, and then you can also include it in your presentation to make yourself look cool and organized. We can also filter here; maybe you want to select only Linux techniques or Mac techniques, that's also possible. This is also very useful if you want to focus on a PRE-ATT&CK technique; if you recall, PRE-ATT&CK is left of exploit, what do the adversaries do before they've gotten in. You can select Prepare, and then Act is Enterprise ATT&CK, which is what we have up right now. Next you can change how you sort the techniques; you may want to sort alphabetically or reverse alphabetically, or in terms of these scores, ascending or descending, it's totally up to you, you can toggle that here. You can also set up colors here; now for example maybe I want to change this tactic row background to a different color because green is my favorite color, so you can do that here. Moving along, we have this toggle view mode. You know, by default you will see full technique names and full tactic names, or maybe I just want to see the first letters of those, I just want to see these rectangles, so if I want to visualize something, you know, it is a simpler way; so you can toggle that here.

Going into the technique controls, maybe I want to disable certain techniques, you know, I don't want these to be in my view at the moment; I can go ahead and click toggle state and it'll gray it out and it won't be a part of my view at that moment. And then there is a separate button to show and hide, or maybe even disable: I don't want it to be gray, I just want it out of my view; I click the show or hide disabled and it'll pop back up depending on what you want. Next is the background color. Let's say Access Token Manipulation, you know, your team knows that this is a technique we have covered and have no coverage for this in Defense Evasion, so we can go ahead and mark that as red. You can also give it a score, you know, so let's say this is a high priority one, so we give it a score of zero or one or two, whatever you've decided for your team. You can also put a comment, so, you know, maybe you want everyone to know we need to focus on this, so you can add a comment, and when you do that in the Navigator this yellow underline is going to pop up on your technique, so that's how you know that there's a comment in there. And then there is clear annotations, so you take your selected techniques and say okay, Access Token Manipulation, we want to clear that one. Easy one here.

Now let's see how to create layers using the Navigator specifically for threat intelligence. Now say for example you want to compare two threat intelligence groups, so I'll create a new layer. Click on the new layer, it'll bring up the menu. I am looking to compare between, say, APT3, so I'll select all of those, everything gets selected, I'll name it APT3, okay, and then create another layer, new layer, and call it APT29, all right, easy, and go ahead and select APT29, so let's see over here. Now what you can also do for APT3, let's say for example I want to give them a scoring, so all APT3 should get a score of one, so everything gets highlighted in one depending on the color scheme that you have selected over here. And APT29, let's say I'll select again APT29 and give it a color, say yellow. Now I want to compare both of these, so I'll create layers from layers. So if I click over here you will see a, b and c get highlighted, and coloring, we can choose those, these are all over here. So we want to just compare between b and c, so score expression. I'll go back here, check and see, I think scoring over here, let's give it a score of three or two depending on your need, okay. Now I'll give a score expression as, sorry, that'll be b plus c, and create a layer. Now you'll see something interesting has happened: this one is a combination, so APT3 plus APT29 got highlighted over here. Now you'll see both of them are highlighted over here; we don't know what is what, but you will see, interestingly enough, there is score one; if you remember, score one was for APT3 and we gave a score two for APT29, but if you see, some of them have a score of three, that is because this is common between both of them. Now we are not interested in seeing ones and twos, we are just interested in seeing what's common between APT3 and APT29, so what we're going to do here is choose a color setup. So say for example for the lower, if it has a score of one, we are just going to select green for that, yellow if it's somewhere in the middle, and I'll go with the color red. Now you see something interesting has happened here: the green are the ones which have score one, yellow are the ones which are exclusive to APT29, and green are the ones exclusively for APT3, but the red ones are for APT29. This is really interesting, say these scores of three, which are the techniques both have used, in red, so that's a great place for you to start. You know, you would want to pass these to your defenders or your analysts and say hey guys, these are the two groups we care about and here are the techniques they're going to do, and it's a very simple tool to help you visualize the attack and use ATT&CK. So I hope this was helpful to you as a starting place to get you started with the ATT&CK Navigator. So that's an overview of the Navigator controls.

So now I want us to dive into a use case specifically for threat intelligence. We'll take a simple one, and that's the most requested for the MITRE ATT&CK framework today, that is phishing. Now let's have a look at a typical email, a spam mail. The mail content here is asking you to click on, like, a FaceTime verification from an unknown domain, and it's delivered to your email address, or asking you to go to a different website. Let's see what exactly is happening here. Here an attacker has identified the list of victims, they will harvest their email addresses and then set up a phishing website, and now needs to lure the victims to the phishing website. To achieve this the attacker carefully crafts a phishing email, then the attacker sends out this email to the pre-harvested email addresses and then points them to the attacker and waits for the victims to click and take the bait and sign on to the phishing website. Once they attempt to sign in, the attacker has the credentials to log in. This is very dangerous, you know. Now let's plot this attack on the MITRE ATT&CK matrix and let's see how this looks. So the malicious actor gathers the victims' information, in this case email addresses, and sets up a phishing service, then creates a link to that service, sends it in an email, phishing containing the link to all the accounts; the attacker targets this by obtaining access to these cloud accounts. So once the user goes and logs into the cloud accounts, the attacker will display some simple looking message like verification failed or something like that, and now the bad actor has access to the credentials that they were trying to capture in that login session. So in this example, if you notice, it is not necessary for an attacker to use every technique in the matrix; in fact, to get their job done they will try to use the minimum number of techniques required, so there could be iterations between those techniques as well. So when mapping an attack to the MITRE framework you would do something like this. This is important here, you know: the attacker first uses a technique to identify the target and uses a sub-technique to craft the phishing email, hence the Recon tactic was performed here; the same goes for the Resource Development technique to harvest email accounts, and get the initial access by the Phishing technique and by delivering a malicious link sub-technique. I hope that was clear, and thank you for joining us today. We have explored today the MITRE ATT&CK Navigator in the context of a phishing use case. By understanding the tactics and techniques used by attackers we can better prepare and defend against cyber threats. If you found this video helpful, don't forget to like, give it a thumbs up and subscribe, and also hit the notification bell for more content. Stay vigilant, stay secure, and I'll see you in the next video. Bye.