Mapping Data to ATT&CK Framework

Oct 27, 2024

Module Two: Mapping to ATT&CK from a Finished Report

Overview

  • Objective: Understand how to map data to ATT&CK from finished reports.
  • Modules Overview:
    • Module 1: Understanding ATT&CK.
    • Module 2: Mapping from finished reporting.
    • Module 3: Mapping from raw data.
    • Future Modules: Storing and analyzing data, making defensive recommendations.

Challenges in Mapping to ATT&CK

  • Requires a shift from looking at atomic indicators (e.g., IPs) to behaviors (tactics, techniques, procedures).
  • The volume of ATT&CK techniques can be overwhelming.
  • Analysts may be unfamiliar with technical details in ATT&CK techniques.

Benefits of Mapping to ATT&CK

  • Facilitates a deeper understanding of adversaries.
  • Encourages learning new adversary techniques.

Recommended Mapping Process

  1. Understand ATT&CK:
    • Familiarize yourself with ATT&CK tactics, techniques, and structure.
    • Use resources like presentations, blogs, and papers.
  2. Find the Behavior:
    • Identify what the adversary or malware does.
    • Focus on enterprise ATT&CK details like initial and post-compromise actions.
  3. Research the Behavior:
    • Use resources like Google, Wikipedia, and team discussions to understand unfamiliar concepts.
  4. Translate Behavior to Tactic:
    • Determine the adversary's goals based on behaviors.
    • Choose from 12 tactics in enterprise ATT&CK.
  5. Identify the Technique:
    • Use the ATT&CK website to search for techniques.
    • Narrow down techniques by tactic.
  6. Compare with Other Analysts:
    • Discuss findings with peers to mitigate biases.

Sources for Data

  • Finished reporting.
  • Raw data (discussed in Module 3).

Example Walkthrough

  • Example Report: APT3 report by FireEye.
  • Behavior Identification:
    • Successful exploitation, issuing commands, creating persistence.
  • Tactic Identification:
    • Establishing a connection aligns with Command and Control.
  • Technique Identification:
    • SOCKS5 connection mapped to Standard Non-Application Layer Protocol.
    • Port 1913 mapped to Uncommonly Used Port.
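The mapping process above, carried through on the walkthrough's C2 behaviors, as an added example (not material from the training itself): keyword rules are constructed for illustration, the report sentences are paraphrased rather than quoted, and the technique IDs (T1095, T1065) are assumed from the ATT&CK Enterprise version current when the training was written. The compare() helper implements step 6, showing where two analysts' mappings diverge.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed keyword rules: (pattern, tactic, technique ID, technique name).
# IDs are assumed from the 2019-era ATT&CK Enterprise matrix, not taken from the notes.
RULES = [
    (r"\bsocks5?\b",      "Command and Control", "T1095", "Standard Non-Application Layer Protocol"),
    (r"\bport\s+\d+\b",   "Command and Control", "T1065", "Uncommonly Used Port"),
    # Tactic is clear from the wording, but the technique still needs research (step 3).
    (r"\bpersistence\b",  "Persistence",         None,    None),
]

@dataclass(frozen=True)
class Mapping:
    evidence: str                 # step 2: the report sentence describing the behavior
    tactic: str                   # step 4: the adversary's goal
    technique_id: Optional[str]   # step 5: None means "not yet identified"
    technique: Optional[str]

def map_report(sentences: List[str]) -> List[Mapping]:
    """Apply each rule to each sentence; one Mapping per rule hit, in report order."""
    found = []
    for sentence in sentences:
        for pattern, tactic, tid, name in RULES:
            if re.search(pattern, sentence, re.IGNORECASE):
                found.append(Mapping(sentence, tactic, tid, name))
    return found

def compare(analyst_a: List[Mapping], analyst_b: List[Mapping]) -> dict:
    """Step 6: which (tactic, technique) pairs the two analysts agree and differ on."""
    a = {(m.tactic, m.technique_id) for m in analyst_a}
    b = {(m.tactic, m.technique_id) for m in analyst_b}
    return {"agreed": a & b, "only_a": a - b, "only_b": b - a}

# Constructed sentences paraphrasing the walkthrough's behaviors (not quoted from the report).
REPORT = [
    "After successful exploitation the backdoor opened a SOCKS5 connection to its server.",
    "That connection used port 1913.",
    "The operators then created persistence on the host.",
]

if __name__ == "__main__":
    first = map_report(REPORT)
    # A second analyst who missed the port detail: compare() surfaces the gap for discussion.
    second = [m for m in first if m.technique_id != "T1065"]
    for m in first:
        print(f"{m.tactic:20} {m.technique_id or '?':6} {m.technique or '(research needed)'}")
    print(compare(first, second))
```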

Exercise Overview

  • Practice mapping techniques using a Cybereason report on Cobalt Kitty.
  • Optional exercises available for further practice.

Challenges and Tips

  • Feeling overwhelmed by the volume of techniques.
  • Importance of ongoing learning and team discussions.
  • Search strategies and familiarization with tactics and techniques.

Conclusion

  • Mapping to ATT&CK is complex but valuable.
  • Encourages a detailed understanding of adversary behaviors and technical learning.