Podcast Episode 9: Sharpening Your Defenses With MITRE ATT&CK’s New Sub-Techniques

6 years ago Ray Lapena

Jen Burns, lead cybersecurity engineer at MITRE, walks us through the MITRE ATT&CK Framework and discusses some important changes brought by a July 2020 update. She then highlights what the security community can expect to see in a couple of upcoming updates before sharing how individuals can get involved with the MITRE ATT&CK Framework going forward.

Spotify: https://open.spotify.com/episode/2wfxjcCM7Mh3pSLKxO4eBS
Stitcher: https://www.stitcher.com/podcast/the-tripwire-cybersecurity-podcast
RSS: https://tripwire.libsyn.com/rss
YouTube: https://www.youtube.com/playlist?list=PLgTfY3TXF9YKE9pUKp57pGSTaapTLpvC3


Tim Erlin: Welcome to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. Today, I am joined by Jen Burns, who is a lead cybersecurity engineer at MITRE and the cloud lead for the MITRE ATT&CK Framework. Welcome, Jen.

Jen Burns: Thank you.

What Is the MITRE ATT&CK Framework?

TE: Before we get started, can you give us a brief reminder of what the ATT&CK Framework is and why MITRE created it?

JB: At its core, ATT&CK is a knowledge base of adversary behavior. It’s a framework that brings together the different things that adversaries do whether it’s before they’ve compromised the network, how they get in or what they do after they’ve gotten in.

One of the most important things about ATT&CK is that it’s based on real-world, or what we call “in the wild,” observation of adversaries. So, it’s not theoretical, and it doesn’t cover everything that an adversary could do. It covers what adversaries are doing or have done in the real world. It’s also open source and globally accessible. And a lot of its content is community-driven and contributed from people like researchers, intel analysts and other folks outside of MITRE.

ATT&CK was originally developed based on this need to categorize adversary behavior within a research environment at MITRE. That was called FMX. FMX was kind of like a living lab. It allowed MITRE researchers to emulate adversaries in a heavily monitored environment and perform things like threat hunting exercises. Really, it was for those MITRE researchers to be able to answer the question, “How are we doing at detecting adversary behavior?” And they found that categorizing that behavior across relevant, real world adversary groups was useful. ATT&CK in its initial form ended up being created and used by both the adversary simulation team and the defender team within FMX. That team realized this would be useful for the entire security community. So, the first ATT&CK model was publicly released in 2015.

Changes in the ATT&CK Framework

TE: Let’s talk about an update to the framework that’s just been released. How long ago was that update released, and what’s the major change that’s included in it?

JB: The release was on July 8th. We released ATT&CK with sub-techniques. Sub-techniques in a nutshell are basically more specific techniques. So, techniques in ATT&CK represent more of a broad action an adversary may take to achieve a tactical goal, something like process injection, while a sub-technique is a more specific adversary action. With the process injection example, the technique process injection now has, I believe, 11 sub-techniques that cover the different variations of how adversaries have injected code into processes, via process hollowing or using a DLL injection. We’ve had a lot of folks ask why we didn’t call some techniques “procedures.” The simple answer there is that we already had procedures in ATT&CK. Techniques and sub-techniques have their own separate set of mapped procedures. They aren’t procedures themselves.

TE: And tell me again what the difference between a technique and a procedure is. It sounded to me like the procedure is what’s actually happened in the wild for taking advantage of that technique or sub-technique. Is that right?

JB: Yeah, that’s accurate. Basically, it’s an example of that technique being used in the wild.

TE: You gave an example of process injection, which has sub-techniques. Is there an example of a technique that didn’t end up with sub-techniques that just stands by itself?

JB: Yeah. Something that didn’t get sub-techniques is transfer data to a cloud account, because that’s a very general yet somehow specific technique. There’s nothing within it that would require a sub-technique being broken out.

TE: Interesting. And then the process injection, what were some of the sub-techniques that got included there?

JB: That’s a good question. DLL injection is one. Proc memory, process hollowing and process doppelgänging. Things where you carry it out in a more specific way.

TE: So, now that this change has taken place and some techniques are out there, how are they specifically useful to the users in the community?

JB: Folks who were already using ATT&CK unfortunately might have to go through some “remapping purgatory” to remap to sub-techniques, but based on feedback we’ve already gotten, we believe sub-techniques are going to be a positive change for the community for a few reasons. We fixed a lot of the abstraction issues that were the initial problem that people pointed out with ATT&CK. It makes it easier to convey things like the complexity of techniques for something like a coverage assessment. Being able to generate a more granular score, so to speak, based on these individual sub-techniques is going to make a huge difference.

TE: It seems like sub-techniques make a ton of sense and that the benefit is really there for anybody who’s using the framework to assess coverage. Anything else that’s new with ATT&CK that we should talk about?

JB: Yeah. So, there are a couple of things that have happened in the past. And then I’ll tell you about a few updates that are up and coming.

One of the more recent things is we released results from round two of our ATT&CK Evaluations, and those can be found on attackevals.mitre.org. In that evaluation, we emulated APT29. And this was a really big effort from the ATT&CK team, as a lot of the folks that work on ATT&CK proper are also involved with ATT&CK Evaluations. And if you’re not familiar with ATT&CK Evaluations, it’s basically where we evaluate cybersecurity products using an open methodology that we developed that’s based on ATT&CK, and then we make the results publicly available. And then we also announced round three for evaluations, where we’ll be emulating Carbanak and FIN7.

Future updates that are on deck, one is the merger of PRE-ATT&CK into ATT&CK. And if you’re not familiar with PRE-ATT&CK, it was originally derived from the first two stages of the seven-stage cyberattack lifecycle, which are recon and weaponize. So, we decided to scope it down into techniques that are three things: technical, visible to some defenders and have evidence of adversary use. In a future ATT&CK update, we’ll be releasing the results of that merger. And that’s most likely going to be the addition of two tactics to the ATT&CK matrix. Those would be reconnaissance and resource development.

Another thing going on is we’re working on revamping our data sources in ATT&CK with an initial release of source definitions slated to go live to GitHub. And we’re also hoping to release technique coverage for network devices such as routers.

TE: There are these more structural updates to the framework, but there also have to be updates to just the procedures and the evidence from the wild. How do those work?

JB: Yeah, so a lot of it is through open-source intel reports. We have a team that basically analyzes new reports to add new content into ATT&CK. It’s a little different on the cloud side. We don’t really have much open-source intel on that. So that’s a lot of just talking to folks who have visibility in that area and learning what’s actually going on to add new techniques and things of that nature.

How to Get Involved with the MITRE ATT&CK Framework

TE: Interesting. Alright, we mentioned the community involvement which is really core to ATT&CK and a lot of the stuff that MITRE does. If someone wanted to get involved with ATT&CK, how would they do so? What are some of the options?

JB: Yeah, so one way to get involved is just to submit contributions to ATT&CK. We have a Contribute page on our website that outlines how to make a contribution and explains what we’re looking for. We’re looking for examples of in-the-wild behavior of adversaries right now.

We’re also just constantly looking for any feedback you might have. We want to make sure that ATT&CK is, you know, fitting the community’s needs. So, folks can feel free to reach out to us at any point at [email protected] with things like the way you’re using ATT&CK, areas where you could see improvements made, anything of that nature. We’re also looking for your success stories on how you use ATT&CK, other than it helping us feel good about ourselves and what we’re doing. It’s pretty important to get that information out there so other folks can, you know, see how they may be able to successfully apply ATT&CK. If you’re just getting started with ATT&CK, we also have some resources there on our website.

TE: Awesome. It sounds like there are lots of ways to get involved. Do you find that it’s difficult for practitioners to share real-world evidence of ATT&CK activity based on their organization? Are people restricted from doing that?

JB: We try to make it as easy as possible for folks to make contributions to ATT&CK. So, say a particular APT is doing something within your environment with a customer. We wouldn’t necessarily need the information about the customer. We would just want to know, “Hey, this particular technique is being carried out.” We tried to break down those barriers to an extent, but I think that in some cases, there’s just no getting around it based on what your company has in place. Also, sometimes we’ll be willing to do things like sign NDAs, pretty much anything we can do to make sharing easier.

TE: So, there’s some options there. For any organization, obviously you get more out of ATT&CK the more you share into it. And it’s that sharing of intel that really drives the evidence-based approach.

JB: Yeah, absolutely. Totally agree with that.

TE: That makes sense. Alright. Well, Jen, I want to thank you for spending some time with us. And thanks everyone for spending a little time with us and listening to the Tripwire Cybersecurity Podcast. Please feel free to join us for the next episode as well.

JB: Thank you.
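The interview describes two things a practitioner has to deal with after the sub-technique release: the “remapping purgatory” of detections that were tagged only with a parent technique, and the more granular coverage score that per-sub-technique mapping makes possible. The script below is an added example, not code from Tripwire or MITRE, that scores a small detection inventory against a catalogue fragment at sub-technique granularity and flags parent-only mappings for remapping. The catalogue fragment and the rule names are constructed sample data: the IDs follow ATT&CK’s Txxxx / Txxxx.yyy scheme and use the Process Injection sub-techniques named in the interview, but the fragment is deliberately incomplete and is not a substitute for the live ATT&CK data.

```python
"""Coverage scoring over ATT&CK-style technique / sub-technique mappings.

Added example; the catalogue fragment and detection inventory below are
constructed sample data, not the live ATT&CK feed or any vendor's rules.
"""
import re
from collections import defaultdict

# Txxxx is a technique, Txxxx.yyy a sub-technique (three-digit suffix).
ID_RE = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")

# Constructed catalogue fragment. Process Injection is given four of its
# sub-techniques (the ones named in the interview); Transfer Data to Cloud
# Account has none, also as in the interview.
CATALOGUE = {
    "T1055": {
        "name": "Process Injection",
        "subs": {
            "T1055.001": "Dynamic-link Library Injection",
            "T1055.009": "Proc Memory",
            "T1055.012": "Process Hollowing",
            "T1055.013": "Process Doppelgänging",
        },
    },
    "T1537": {"name": "Transfer Data to Cloud Account", "subs": {}},
}

# Constructed detection inventory: hypothetical rule name -> tagged IDs.
# "legacy_injection_rule" is tagged only with the parent technique, which is
# what a rule mapped before the sub-technique release typically looks like.
DETECTIONS = {
    "sysmon_createremotethread": ["T1055.001"],
    "hollowing_image_mismatch": ["T1055.012"],
    "legacy_injection_rule": ["T1055"],
    "cloud_storage_egress": ["T1537"],
    "bad_tag": ["T9999.1"],  # malformed: must be reported, not silently dropped
}


def parse_id(tid):
    """Return (technique_id, sub_technique_id or None); raise on malformed IDs."""
    m = ID_RE.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK-style ID: {tid!r}")
    tech, sub = m.group(1), m.group(2)
    return tech, (f"{tech}.{sub}" if sub else None)


def score_coverage(catalogue, detections):
    """Score each technique at sub-technique granularity.

    Returns (report, problems) where report maps technique_id to
    {"name", "score", "covered", "uncovered", "parent_only"}.
    - Technique with sub-techniques: score = covered subs / total subs. A rule
      tagged only with the parent does not raise the score; it is listed under
      "parent_only" as a remapping candidate.
    - Technique without sub-techniques: score is 1.0 if any rule is tagged with it.
    Malformed or unknown IDs are collected in `problems` as (rule, message).
    """
    covered = defaultdict(set)
    parent_only = defaultdict(set)
    problems = []
    for rule, ids in detections.items():
        for tid in ids:
            try:
                tech, sub = parse_id(tid)
            except ValueError as exc:
                problems.append((rule, str(exc)))
                continue
            if tech not in catalogue:
                problems.append((rule, f"unknown technique {tech}"))
            elif sub is None:
                if catalogue[tech]["subs"]:
                    parent_only[tech].add(rule)  # needs remapping to a sub-technique
                else:
                    covered[tech].add(tech)
            elif sub in catalogue[tech]["subs"]:
                covered[tech].add(sub)
            else:
                problems.append((rule, f"unknown sub-technique {sub}"))

    report = {}
    for tech, entry in catalogue.items():
        subs = entry["subs"]
        hit = sorted(covered[tech])
        if subs:
            score = len(hit) / len(subs)
            missing = sorted(set(subs) - covered[tech])
        else:
            score = 1.0 if hit else 0.0
            missing = [] if hit else [tech]
        report[tech] = {"name": entry["name"], "score": score, "covered": hit,
                        "uncovered": missing, "parent_only": sorted(parent_only[tech])}
    return report, problems


if __name__ == "__main__":
    report, problems = score_coverage(CATALOGUE, DETECTIONS)
    for tech, r in report.items():
        print(f"{tech} {r['name']}: {r['score']:.2f} covered={r['covered']} "
              f"uncovered={r['uncovered']} remap={r['parent_only']}")
    for rule, msg in problems:
        print(f"PROBLEM {rule}: {msg}")
```

With the sample data, Process Injection scores 0.50 (two of four sub-techniques covered), the legacy parent-only rule is listed for remapping rather than counted, Transfer Data to Cloud Account scores 1.0 because it has no sub-techniques, and the malformed tag is reported instead of being ignored. Counting a parent-only mapping toward the score would overstate coverage, which is the abstraction problem sub-techniques were introduced to fix.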

The post “Podcast Episode 9: Sharpening Your Defenses With MITRE ATT&CK’s New Sub-Techniques” appeared first on Tripwire.

Source:TripWire – Ray Lapena
