I find cyber threat intelligence fascinating and I wanted to find a way to use it to enhance our security operations. Previous efforts to use threat feeds had been frustrating as there were a lot of false positives and very little context. Last year at DerbyCon I learned about the MITRE ATT&CK framework and I’ve been searching for ways to leverage it in our environment. MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base can be utilized as a foundation for the development of specific threat models and methodologies to detect and defend against cyber adversaries.
Tactics are what attackers are trying to achieve (such as maintaining persistence and undetected presence in your environment). A technique is a specific behavior to achieve a goal and is often a single step in a string of activities employed to complete the attacker’s overall mission. The ATT&CK website provides many details about each technique including a description, examples, references, and suggestions for mitigation and detection.
I created a heat map based on the following groups which have been known to target defense, manufacturing and aviation industries:
- APT17
- APT19
- APT33
- Deep Panda
- Gallmaker
- Leviathan
- menuPass
- Threat Group-3390
- Turla
The MITRE ATT&CK Navigator tool can be found at https://github.com/mitre-attack/attack-navigator.
Scores were assigned to each technique and the score would increase if it was used by more than one adversary. I was advised by other threat analysts that a single color with a gradient would be more effective than utilizing a multicolor scheme like a traffic light protocol.
My initial thought was that this color-coded heat map would make a good visual and it could be used to better communicate our defense priorities. In this particular iteration, we found that process monitoring and file monitoring were two of our top priorities to defend against this set of adversaries.
Now that I had this representation, I went through each technique and made a list of the log sources that could be analyzed to see instances of the technique in our enterprise. My team worked together to determine whether we had gaps in our visibility of these techniques. Our goal was not to block any of these techniques, because a number of them are legitimate processes that can be used maliciously. Our primary focus was on the tactics that sit to the left of Persistence in the ATT&CK matrix, so that potentially malicious behavior could be targeted before an adversary establishes persistence.
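As an added example (my own, not part of the original post or of the ATT&CK Navigator project), here is how the two steps above can be automated: scoring each technique by how many tracked groups use it, emitting a Navigator-style layer with a single-color gradient, and then checking which scored techniques have no log source behind them. The group-to-technique mappings and the log-source coverage table are constructed placeholders, not the real ATT&CK group pages or any real environment. The layer dictionary follows the shape of a Navigator layer file (`techniqueID`, `score`, `gradient`); the version fields a given Navigator release requires are omitted here and should be taken from that release's layer format documentation.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: ATT&CK techniques each tracked group has been observed using.
# Placeholder data for illustration only, not the real ATT&CK group pages.
GROUP_TECHNIQUES = {
    "APT17": ["T1059", "T1105", "T1071"],
    "APT19": ["T1059", "T1566", "T1105"],
    "Deep Panda": ["T1003", "T1059", "T1021"],
    "Turla": ["T1003", "T1071", "T1547"],
}

# Constructed sample: log sources we actually collect per technique.
# An empty list means we have no visibility into that technique today.
TECHNIQUE_DATA_SOURCES = {
    "T1059": ["Process monitoring", "Command-line logging"],
    "T1105": ["Network connection logs", "File monitoring"],
    "T1071": ["Proxy logs"],
    "T1566": ["Email gateway logs"],
    "T1003": [],
    "T1021": ["Authentication logs"],
    "T1547": [],
}


def score_techniques(group_techniques):
    """Heat-map score: number of tracked groups observed using each technique."""
    counts = Counter()
    used_by = defaultdict(list)
    for group, techniques in group_techniques.items():
        for technique in set(techniques):  # a group counts once per technique
            counts[technique] += 1
            used_by[technique].append(group)
    return counts, used_by


def build_layer(counts, used_by, name="Tracked adversaries"):
    """Navigator-style layer dict with one colour fading from white (assumed shape)."""
    max_score = max(counts.values()) if counts else 1
    return {
        "name": name,
        "domain": "enterprise-attack",  # assumption: Enterprise matrix domain id
        "description": "Score = number of tracked groups observed using the technique",
        "techniques": [
            {
                "techniqueID": technique,
                "score": score,
                "comment": ", ".join(sorted(used_by[technique])),
            }
            for technique, score in sorted(counts.items())
        ],
        # Single-colour gradient: white for unused, dark blue for the top score.
        "gradient": {"colors": ["#ffffff", "#0d47a1"], "minValue": 0, "maxValue": max_score},
    }


def visibility_gaps(counts, data_sources, min_score=1):
    """Techniques scored at least min_score for which no log source is collected."""
    return sorted(
        technique
        for technique, score in counts.items()
        if score >= min_score and not data_sources.get(technique)
    )


def top_data_sources(counts, data_sources):
    """Rank log sources by the summed score of the techniques they would surface."""
    weight = Counter()
    for technique, score in counts.items():
        for source in data_sources.get(technique, []):
            weight[source] += score
    return weight.most_common()


if __name__ == "__main__":
    counts, used_by = score_techniques(GROUP_TECHNIQUES)
    print(json.dumps(build_layer(counts, used_by), indent=2))
    print("Visibility gaps:", visibility_gaps(counts, TECHNIQUE_DATA_SOURCES))
    print("Log sources by coverage value:", top_data_sources(counts, TECHNIQUE_DATA_SOURCES))
```

The `top_data_sources` ranking is what turns the heat map into a collection priority list: a log source that surfaces several high-scoring techniques rises to the top, while `visibility_gaps` lists the techniques the tracked groups share that we currently could not see at all.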
With this foundation, we used MISP to search for tags that matched APT groups and techniques based on what we saw in the heat map. These feeds could then be enriched by Cortex analyzers and fed into our SIEM to enrich our correlations with more context.
Previously we had fed entire threat feeds directly into our SIEM; by using this more targeted approach we were able to greatly reduce the number of false positives.
These ideas are early in their implementation. I will continue to build out this process with my team and update as metrics and efficiencies can be documented. In our current environment, I believe that we can become better defenders by working together and sharing information. If you have questions, feel free to contact me.

The original article was published on LinkedIn at https://www.linkedin.com/pulse/how-use-mitre-attck-heat-maps-enrich-your-security-keith-chapman