Class 13: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki
Introduction
[Date: 2023/05/15]
In this Class 13: Learning Journal, I am going to talk about the main ideas/concepts covered in the threat taxonomy lecture.
After that, I am going to make a reflection based on the question referred to at the end of this page.
Today I Learned
Threat Taxonomy
To establish standards and norms in communicating and documenting threats, the security community has established taxonomic databases.
Tactics, techniques, and procedures (TTPs) are "patterns of activities or methods associated with a specific threat actor or group of threat actors".
The global repository of known TTPs is maintained by MITRE and is known as MITRE ATT&CK, usually presented as a matrix of tactics (columns) and techniques (cells).
MITRE ATT&CK is "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations", used for developing threat models and methodologies.
In short, it is a knowledge base of adversary behavior that is:
- based on real-world observations (reported intrusions, not hypothetical attacks);
- free, open and globally accessible;
- a common language for describing and sharing adversary behavior;
- community-driven.
ATT&CK (Enterprise) defines the following tactics, each one an objective the adversary pursues during an attack:
- TA0001: Initial Access (getting a first foothold in the network)
- TA0002: Execution (running adversary-controlled code on a system)
- TA0003: Persistence (keeping access across reboots and credential changes)
- TA0004: Privilege Escalation (obtaining higher-level permissions)
- TA0005: Defense Evasion (evading anti-virus, IDS, IPS and other detection controls)
- TA0006: Credential Access (stealing account names and passwords)
- TA0007: Discovery (learning about the environment, often with built-in tools, i.e. living off the land, LOTL)
- TA0008: Lateral Movement (moving to other systems once one has been compromised)
- TA0009: Collection (gathering information relevant to the adversary's goal)
- TA0010: Exfiltration (stealing the collected data)
- TA0011: Command and Control (C2, communicating with compromised systems)
The current Enterprise matrix also has Reconnaissance (TA0043) and Resource Development (TA0042) before Initial Access, and Impact (TA0040) after Command and Control.
Tactics are the adversary's objectives (the "why"); each tactic is a high-level category that groups techniques (the "how", i.e. the ways the objective can be reached). Techniques can be further broken down into sub-techniques, and one technique may belong to more than one tactic.
Let's break down one of the tactics, TA0001, into techniques and sub-techniques.
- TA0001: Initial Access (the adversary is trying to get into your network)
  - T1566: Phishing (adversaries may send phishing messages to gain access to victim systems);
    - Sub-technique T1566.001: Spearphishing Attachment (adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems).
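The tactic, technique and sub-technique hierarchy above is what you use in practice when tagging detections or incident timelines with ATT&CK IDs. The following is an added example (not code from the original page or from MITRE) showing how that hierarchy is encoded in ATT&CK's STIX 2.1 bundle and how to resolve an ID such as T1566.001 to its parent technique and tactic(s). The bundle below is a hand-constructed miniature in the shape of MITRE's enterprise-attack.json (repository mitre-attack/attack-stix-data), containing only the page's TA0001/T1566/T1566.001 example plus T1078 Valid Accounts to show a technique that belongs to several tactics; all function names are assumptions of this example.

```python
"""Walk the tactic -> technique -> sub-technique hierarchy in ATT&CK's STIX 2.1 encoding.

Added example. MINI_BUNDLE is a constructed miniature with the same field names
as MITRE's enterprise-attack.json; swap it for the real bundle to use this on
the full knowledge base.
"""
import re
from typing import Optional

# ATT&CK identifier formats: TA0001 (tactic), T1566 (technique), T1566.001 (sub-technique).
ATTACK_ID = re.compile(r"^(?P<tactic>TA\d{4})$|^(?P<technique>T\d{4})(?:\.(?P<sub>\d{3}))?$")

# Constructed miniature of the STIX bundle (only the fields this example reads).
MINI_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Initial Access", "x_mitre_shortname": "initial-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0001"}]},
        {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
        {"type": "x-mitre-tactic", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0004"}]},
        {"type": "x-mitre-tactic", "name": "Defense Evasion", "x_mitre_shortname": "defense-evasion",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0005"}]},
        {"type": "attack-pattern", "name": "Phishing", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "name": "Spearphishing Attachment", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        # One technique can serve several tactics: Valid Accounts sits in four of them.
        {"type": "attack-pattern", "name": "Valid Accounts", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                               for p in ("initial-access", "persistence",
                                         "privilege-escalation", "defense-evasion")],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    ],
}


def parse_attack_id(value: str) -> Optional[dict]:
    """Validate an ATT&CK ID and derive its kind and (for sub-techniques) parent technique."""
    m = ATTACK_ID.match(value.strip().upper())
    if not m:
        return None
    if m.group("tactic"):
        return {"kind": "tactic", "id": m.group("tactic"), "parent": None}
    if m.group("sub"):
        return {"kind": "sub-technique", "id": m.group(0), "parent": m.group("technique")}
    return {"kind": "technique", "id": m.group("technique"), "parent": None}


def _attack_id(obj: dict) -> Optional[str]:
    """The MITRE external_id of a STIX object (its 'mitre-attack' external reference)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_index(bundle: dict) -> dict:
    """Index tactics by shortname and techniques by ATT&CK ID, skipping revoked/deprecated objects."""
    tactics, techniques = {}, {}
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        aid = _attack_id(obj)
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = {"id": aid, "name": obj["name"]}
        elif obj["type"] == "attack-pattern":
            # kill_chain_phases link a technique to its tactic(s) by tactic shortname.
            phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                      if p.get("kill_chain_name") == "mitre-attack"]
            techniques[aid] = {"id": aid, "name": obj["name"], "tactics": phases,
                               "is_sub": obj.get("x_mitre_is_subtechnique", False)}
    return {"tactics": tactics, "techniques": techniques}


def resolve(index: dict, attack_id: str) -> Optional[dict]:
    """Resolve an ID to its chain: (sub-)technique -> parent technique -> tactic IDs; None if unknown."""
    parsed = parse_attack_id(attack_id)
    if parsed is None:
        return None
    if parsed["kind"] == "tactic":
        for t in index["tactics"].values():
            if t["id"] == parsed["id"]:
                return {"tactic": t["id"], "name": t["name"]}
        return None
    tech = index["techniques"].get(parsed["id"])
    if tech is None:
        return None
    parent = index["techniques"].get(parsed["parent"]) if parsed["parent"] else None
    tactic_ids = [index["tactics"][s]["id"] for s in tech["tactics"] if s in index["tactics"]]
    return {"technique": parsed["id"], "name": tech["name"],
            "parent": parsed["parent"], "parent_name": parent["name"] if parent else None,
            "tactics": tactic_ids}


if __name__ == "__main__":
    idx = build_index(MINI_BUNDLE)
    for tid in ("T1566.001", "t1078", "TA0001", "T9999", "not-an-id"):
        print(tid, "->", resolve(idx, tid))
```

Two points worth noting from running it: T1566.001 resolves through its parent T1566 to TA0001 only, whereas T1078 resolves to four tactic IDs, which is why an alert tagged with a technique ID should carry the tactic as well when the analyst knows which objective was being pursued. The regex also rejects malformed IDs before any lookup, so a typo in a detection rule's tags fails loudly rather than silently mapping to nothing.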
MITRE D3FEND is a complementary framework to MITRE ATT&CK: where ATT&CK catalogues offensive techniques, D3FEND catalogues defensive ones.
The D3FEND matrix helps cybersecurity professionals better defend and protect networks and information technology assets.
It provides defensive techniques, grouped under tactics such as Harden, Detect, Isolate, Deceive and Evict, that can be applied to counter the adversary activities detailed in the ATT&CK matrix, and it relates each defensive technique to the offensive techniques it counters through the digital artifacts (files, processes, network traffic, credentials, ...) that both act on.