01. 11. 2024 Massimo Giaimo Threat Intelligence

Our Contribution to Mitre Att@ck

Many of you have probably already heard about the MITRE ATT&CK framework.

This framework is an important point of reference at the international level and is used within thousands of projects, detection rules, platforms.

The Adversarial Tactics, Techniques, and Common Knowledge is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013.

Rather than looking at the results of an attack (aka an indicator of compromise (IoC)), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique.

The framework consists of 14 tactics categories consisting of an adversary’s “technical objectives”. These categories are then broken down further into specific techniques and sub-techniques.

The framework is an alternative to the cyber kill chain developed by Lockheed Martin.

Recently I had the opportunity, thanks to the Threat Intelligence and Threat Hunting activities carried out within my team, to contribute to the project and in particular to the Reconnaissance tactic.

The Reconnaissance tactic in the MITRE ATT&CK framework refers to adversaries’ pre-attack activities to gather information about a target system, network, or environment. This tactic includes a range of actions that attackers use to identify potential entry points, valuable assets, and weak spots in defenses before they execute more overt activities like initial access or exploitation. Reconnaissance is often undertaken passively to avoid detection, leveraging publicly accessible data sources (open-source intelligence, or OSINT) or scanning network resources from a distance.

Some key techniques within the Reconnaissance tactic include:

  1. Active Scanning – Searching for and probing network services, ports, or vulnerabilities.
  2. Search for Publicly Available Information – Using websites, social media, or open-source databases to collect information on the target organization, its employees, or third-party dependencies.
  3. Gather Victim Host Information – Learning about the hardware, operating systems, and software applications used by the target.
  4. Gather Victim Identity Information – Identifying user accounts, email addresses, and other identifying details associated with the target.
  5. Gather Victim Network Information – Mapping IP ranges, domain names, and infrastructure details that could assist in future attacks.

The information gathered in this stage enables attackers to plan and prioritize their efforts, often making later stages more effective by customizing the attack approach based on the target’s unique environment.

Our team has very broad experience with this tactic, thanks to the development that has been carried out over the years within our Threat Intelligence Platform SATAYO.

We have daily experience with the different elements that a Threat Actor identifies in order to organize their attack. We have always considered the reconnaissance phase a fundamental step in the attack process, the phase in which the attacker invests a lot in terms of time, because the quality of this phase will be what will determine the success or failure of the attack.

The contribution concerns the technique “Gather Victim Identity Information: Credentials“, which focuses on the possibility, by the Threat Actor, of identifying credentials, within different sources and using different tools, to be used as initial access.

The technique is strongly related, in this historical moment, to the actions that can be realized through the use of infostealer malware, and to my research activities that allowed me to contribute to the project have an important focus on this theme.

Thanks go to Würth Phoenix and the Würth Group, who through the structure of the Cyber ​​Defense Center give us the opportunity to carry out research activities that can then be shared with the entire community, with the common goal of increasing our resilience towards TTPs used by Threat Actors.

Massimo Giaimo

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix and Threat Intelligence Team Leader at Würth Group

Author

Massimo Giaimo

Team Leader Cyber Security at Würth Phoenix and Threat Intelligence Team Leader at Würth Group

Leave a Reply

Your email address will not be published. Required fields are marked *

Archive