Using ATT&CK is not without challenges, and it is worth keeping these in mind when leveraging it.
- Example: Data from Network Shared Drive (T1039)
  - Key to detection: how is this technique being invoked? The technique name alone does not tell you which activity to look for in your data sources.
- Example: DLL Search Order Hijacking (T1038)
  - Shows up under the Persistence, Privilege Escalation, and Defense Evasion tactics
  - Some techniques, such as this one, serve multiple use cases and are useful in multiple stages of an attack, so a single technique may need to be assessed under each tactic it appears in
ATT&CK Navigator is a great tool for mapping controls against ATT&CK techniques. Layers can be added that show specifically detective controls, preventive controls, or even observed behaviors. Navigator can be used online for quick mockups or scenarios, or it can be downloaded and set up internally as a more permanent solution.
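As an added example (not code from the original page or from the Navigator project), the Python below builds a control-coverage Navigator layer from a constructed control inventory using the two techniques cited above. It assumes the Navigator layer JSON field names as I know them and hypothetical control names; T1038 is entered once per tactic because Navigator colours one cell per technique per tactic (T1038 has since been retired in favour of T1574.001 in current ATT&CK, but the page's IDs are kept here).

```python
import json

# Technique IDs as cited on this page (constructed control inventory; the
# control names are hypothetical). Navigator colours one cell per technique
# per tactic, so T1038, which the page lists under three tactics, needs an
# entry for each tactic the control applies to.
CONTROLS = [
    {"technique": "T1039", "tactics": ["collection"],
     "kind": "detective", "name": "File-share access auditing (Event ID 5145)"},
    {"technique": "T1038",
     "tactics": ["persistence", "privilege-escalation", "defense-evasion"],
     "kind": "preventive", "name": "SafeDllSearchMode enforced via GPO"},
    {"technique": "T1038", "tactics": ["persistence"],
     "kind": "detective", "name": "Sysmon Event ID 7 unsigned-DLL-load alert"},
]

# Colour and score per control kind; the score drives Navigator's gradient.
KIND_STYLE = {"preventive": ("#6baed6", 100), "detective": ("#fd8d3c", 50)}


def build_layer(controls, name="Control coverage"):
    """Merge control records into one Navigator layer dict. A cell covered by
    several controls keeps the highest score (and that kind's colour) and
    lists every control in its comment, so overlaps are visible on hover."""
    cells = {}
    for ctl in controls:
        color, score = KIND_STYLE[ctl["kind"]]
        for tactic in ctl["tactics"]:
            cell = cells.setdefault((ctl["technique"], tactic), {
                "techniqueID": ctl["technique"], "tactic": tactic, "score": 0,
                "color": color, "comment": [], "enabled": True})
            if score >= cell["score"]:
                cell["score"], cell["color"] = score, color
            cell["comment"].append(f"{ctl['kind']}: {ctl['name']}")
    for cell in cells.values():
        cell["comment"] = "; ".join(cell["comment"])
    return {
        "name": name, "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},  # layer-format version is an assumption
        "description": "Preventive vs detective control coverage",
        "techniques": list(cells.values()),
        "gradient": {"colors": ["#ffffff", "#6baed6"], "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": k, "color": v[0]} for k, v in KIND_STYLE.items()],
    }


if __name__ == "__main__":  # write the layer for Navigator's "Open Existing Layer"
    with open("control-coverage.json", "w") as fh:
        json.dump(build_layer(CONTROLS), fh, indent=2)
```

Cells with no entry stay uncoloured in Navigator, which makes the uncovered technique/tactic pairs the visible gaps in the matrix.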
Trusted professionals at Malware Archaeology provide a number of Windows logging cheat sheets to aid defenders in finding malicious activity in logs. They have one dedicated to finding techniques from MITRE ATT&CK.
Metta is an open source project from Uber that performs adversarial simulation and is aligned with MITRE ATT&CK.
MITRE has a resource called the Cyber Analytics Repository (CAR), a reference collection of analytics useful for detecting the behaviors described in MITRE ATT&CK.
Caldera is an open source, automated adversary simulation tool that is based on MITRE ATT&CK.
Cyb3rPanda has loaded ATT&CK into a public Tableau instance for easy pivoting and filtering.
Atomic Red Team is an open source tool from Red Canary for simulating adversarial behaviors mapped to MITRE ATT&CK. More info available at: https://atomicredteam.io/
Palo Alto’s Unit 42 group has released a free playbook viewer that shows known adversarial behaviors for a handful of threat groups aligned to MITRE ATT&CK.
Red Team Automation is an open-source tool from Endgame that tests malicious behavior modeled on MITRE ATT&CK.
This free weekly report includes key security and threat developments of the week. The report includes relevant IOCs and ATT&CK techniques for each story included in the briefing.