TryHackMe — MITRE Walkthrough
The MITRE room on TryHackMe is a medium-level walkthrough that introduces you to one of cybersecurity’s most influential organizations. While the MITRE Corporation may be unfamiliar to newcomers, it is the organization behind the CVE (Common Vulnerabilities and Exposures) list that security professionals consult every day.
Here is a link to the room we will be covering: https://tryhackme.com/room/mitre
However, MITRE’s impact extends far beyond just maintaining vulnerability databases. As a US-based non-profit organization, they conduct critical research across multiple domains including artificial intelligence, health informatics, and space security — all with the mission of enhancing “the safety, stability, and well-being of our nation.”
This room focuses specifically on MITRE’s cybersecurity frameworks and resources that have become foundational to modern security operations:
- ATT&CK® Framework (Adversarial Tactics, Techniques, and Common Knowledge)
- CAR Knowledge Base (Cyber Analytics Repository)
- ENGAGE
- D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense)
- AEP (ATT&CK Emulation Plans)
The MITRE room by TryHackMe was last updated on 1 July, 2022 according to THM.
Task 1 requires no answer.
APT (Advanced Persistent Threat)
An APT refers to a team or group (also known as a threat group), or even a nation-state group, that engages in long-term attacks against organizations or countries. The term “advanced” can be misleading: it suggests that every APT group has some kind of super-weapon, such as a zero-day exploit, at its disposal, which is usually not the case. As we will see later on, the techniques APT groups use are often quite ordinary and can be detected with the right telemetry and analytics in place. For a current list of named APT groups, see FireEye’s (now Mandiant’s) APT groups page.
TTP (Tactics, Techniques, and Procedures)
Now, let’s break down what each of these terms means:
- Tactic: The adversary’s goal or objective.
- Technique: The method by which the adversary achieves their goal or objective.
- Procedure: The specific way in which the technique is executed.
Don’t worry if this seems unclear at first. As you progress through each section, the concept of TTPs will become clearer.
Task 2 requires no answer.
What is the ATT&CK® Framework?
The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. In 2013, MITRE initiated an internal project known as FMX (Fort Meade Experiment) to address the need for recording and documenting common TTPs (Tactics, Techniques, and Procedures) used by APT (Advanced Persistent Threat) groups against enterprise Windows networks. Selected security professionals emulated adversarial TTPs against a network, and the data collected from these attacks laid the foundation for what we now know as the ATT&CK® framework.
Over the years, the ATT&CK® framework has grown and expanded beyond its initial focus on the Windows platform to include other platforms such as macOS and Linux. Contributions from security researchers and threat intelligence reports have enriched the framework, making it valuable for both blue teamers and red teamers.
To explore the ATT&CK® framework, visit the ATT&CK® website. At the bottom of the page, you’ll find the ATT&CK® Matrix for Enterprise, which has 14 columns, one per tactic. Each column lists the techniques an adversary might use to achieve that tactic. Read left to right, the tactics roughly follow the stages of an intrusion, comparable to the seven-stage Cyber Kill Chain (credit to Lockheed Martin), but ATT&CK is far more granular about what happens after the initial compromise.
Under the “Initial Access” tactic there are 9 techniques (in ATT&CK v8, which the room uses), some of which have sub-techniques, such as Phishing. Clicking the gray bar to the right of a technique expands its sub-techniques.
For a deeper understanding of a technique and its associated sub-techniques, click on Phishing. This will direct you to a page dedicated to the technique, providing a brief description, Procedure Examples, and Mitigations. Alternatively, you can use the Search feature to retrieve information about a specific technique, sub-technique, or group.
The same data is also accessible via the MITRE ATT&CK® Navigator. The ATT&CK® Navigator is designed for basic navigation and annotation of ATT&CK® matrices, allowing users to visualize defensive coverage, red/blue team planning, and the frequency of detected techniques. You can access the Navigator view when visiting a group or tool page by selecting the ATT&CK® Navigator Layers button in the sub-menu.
To familiarize yourself with this tool, click here to view the ATT&CK® Navigator for Carbanak. At the top left, there are 3 sets of controls: selection controls, layer controls, and technique controls. Inspect each option under these controls to get familiar with them. The question mark at the far right provides additional information about the Navigator.
In summary, the ATT&CK® Matrix can be used to map a threat group to their tactics and techniques. There are various ways to initiate a search. The following questions will help you become more familiar with the ATT&CK® framework. It is recommended to start answering the questions from the Phishing page. Note that this link is for version 8 of the ATT&CK Matrix.
Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purple Teamers, SOC Managers?) — Red Teamers
What is the ID for this technique? — T1566
Based on this technique, what mitigation covers identifying social engineering techniques? — User Training
What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas) — Application Log,File,Network Traffic
Which are the first two groups to have used spear-phishing in their campaigns? (format: group1,group2) — Axiom,Gold SOUTHFIELD
Based on the information for the first group, what are their associated groups? — Group 72
What software is associated with this group that lists phishing as a technique? — Hikit
What is the description for this software? — Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.
This group overlaps (slightly) with which other group? — Winnti Group
How many techniques are attributed to this group? — 15
Cyber Analytics Repository
The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE on top of the ATT&CK® adversary model. CAR defines a data model that its pseudocode uses, and ships implementations targeted at specific tools (e.g., Splunk, EQL). CAR focuses on providing a set of validated and well-explained analytics, in particular with respect to their operating theory and rationale.
Instead of further explaining what CAR is, let’s dive in. With the knowledge we’ve gained from the previous section, we should feel comfortable understanding the information CAR provides.
Let’s begin by reviewing CAR-2020-09-001: Scheduled Task — File Access. On the page you’ll find a brief description of the analytic and its references to ATT&CK (technique, sub-technique, and tactic).
Below that are the Pseudocode and a query implementing this analytic in Splunk. Pseudocode is a plain, human-readable way to describe the set of instructions a program or detection will perform, independent of any particular query language.
If you’re unfamiliar with Sysmon, which is referenced in CAR, you may want to check out the Sysmon room.
To fully utilize CAR, you can view the Full Analytic List or the CAR ATT&CK® Navigator layer to see all the analytics.
In the Full Analytic List view, you can quickly see the available implementations for any given analytic and the OS platform it applies to. The CAR ATT&CK® Navigator highlights the techniques currently in CAR, shown in purple.
Let’s examine another analytic: CAR-2014-11-004: Remote PowerShell Sessions. Here, you’ll find pseudocode and an EQL version of it. EQL (Event Query Language) can be used to query, parse, and organize Sysmon event data. You can learn more about EQL here.
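To make the pseudocode-to-implementation step concrete, here are the two analytics just discussed (CAR-2020-09-001 and CAR-2014-11-004) rendered as Python over Sysmon-style events. This is an added example, not code from the room or from MITRE’s CAR repository. The event records are constructed, not captured from a real host; the field names follow Sysmon’s own (Image, ParentImage, TargetFilename); and the predicates are my reading of each analytic’s core logic, so check the exact exclusion lists and the ATT&CK mappings against the CAR pages before deploying.

```python
"""Two MITRE CAR analytics as plain Python over constructed Sysmon-style events.

Added example, not from TryHackMe or MITRE CAR. Field names mirror Sysmon
(Image, ParentImage, TargetFilename); predicates are my rendering of the
analytics' core logic and should be verified against the CAR pages.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class SysmonEvent:
    event_id: int               # 1 = ProcessCreate, 11 = FileCreate
    image: str                  # Sysmon "Image"
    parent_image: str = ""      # Sysmon "ParentImage" (event 1)
    target_filename: str = ""   # Sysmon "TargetFilename" (event 11)
    command_line: str = ""      # Sysmon "CommandLine"

    @classmethod
    def from_record(cls, rec: Dict[str, str]) -> "SysmonEvent":
        """Map a raw event dict (e.g. one JSON line from a log shipper) onto the dataclass."""
        return cls(
            event_id=int(rec["EventID"]),
            image=rec.get("Image", ""),
            parent_image=rec.get("ParentImage", ""),
            target_filename=rec.get("TargetFilename", ""),
            command_line=rec.get("CommandLine", ""),
        )


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumed exclusion: the Task Scheduler service runs inside this svchost.exe,
# which is the only image that should legitimately write task files.
TASK_SCHEDULER_IMAGE = "c:\\windows\\system32\\svchost.exe"
TASKS_DIR = "c:\\windows\\system32\\tasks\\"


def car_2014_11_004_remote_powershell(events: Iterable[SysmonEvent]) -> List[SysmonEvent]:
    """Remote PowerShell session: WinRM's host process wsmprovhost.exe started by svchost.exe."""
    return [
        e for e in events
        if e.event_id == 1
        and basename(e.image) == "wsmprovhost.exe"
        and basename(e.parent_image) == "svchost.exe"
    ]


def car_2020_09_001_scheduled_task_file_access(events: Iterable[SysmonEvent]) -> List[SysmonEvent]:
    """File created under the Tasks directory by something other than the scheduler service host."""
    return [
        e for e in events
        if e.event_id == 11
        and e.target_filename.lower().startswith(TASKS_DIR)
        and e.image.lower() != TASK_SCHEDULER_IMAGE
    ]


# ATT&CK references as listed on the CAR pages (verify against the live pages).
ANALYTICS = {
    "CAR-2014-11-004 (T1021.006, T1059.001)": car_2014_11_004_remote_powershell,
    "CAR-2020-09-001 (T1053.005)": car_2020_09_001_scheduled_task_file_access,
}


def run_all(events: List[SysmonEvent]) -> Dict[str, List[SysmonEvent]]:
    """Run every analytic and return only those that produced hits."""
    results = {name: fn(events) for name, fn in ANALYTICS.items()}
    return {name: hits for name, hits in results.items() if hits}


# Constructed sample telemetry: one true positive per analytic plus benign noise.
SAMPLE_EVENTS = [
    SysmonEvent(1, r"C:\Windows\System32\wsmprovhost.exe",
                parent_image=r"C:\Windows\System32\svchost.exe",
                command_line="wsmprovhost.exe -Embedding"),
    SysmonEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                parent_image=r"C:\Windows\explorer.exe"),           # local, not remoting
    SysmonEvent(11, r"C:\Windows\System32\svchost.exe",
                target_filename=r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"),
    SysmonEvent(11, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                target_filename=r"C:\Windows\System32\Tasks\Updater"),  # task file dropped directly
    SysmonEvent(11, r"C:\Users\alice\AppData\Local\Temp\update.exe",
                target_filename=r"C:\Users\alice\AppData\Local\Temp\stage.dll"),
]

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        for e in hits:
            print(f"{name}: {e.image} -> {e.parent_image or e.target_filename}")
```

Each function takes any iterable of events, so the same predicates can be applied to a backlog of exported JSON lines via `SysmonEvent.from_record` or wired into a streaming consumer; the CAR page’s Splunk and EQL versions express exactly these conditions in their respective query languages.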
To summarize, CAR is a valuable resource for finding analytics that delve deeper than the Mitigation and Detection summaries in the ATT&CK® framework. It is an added resource rather than a replacement for ATT&CK®.
What tactic has an ID of TA0003? — Persistence
What is the name of the library that is a collection of Zeek (BRO) scripts? — BZAR
What is the name of the technique for running executables with the same hash and different names? — Masquerading
Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique? — Unit Tests
MITRE ENGAGE
According to the website, “MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.”
MITRE Engage is considered an Adversary Engagement Approach, which is achieved through Cyber Denial and Cyber Deception.
- Cyber Denial: Prevents the adversary’s ability to conduct their operations.
- Cyber Deception: Intentionally plants artifacts to mislead the adversary.
The Engage website offers a starter kit to help you get started with the Adversary Engagement Approach. The starter kit includes a collection of whitepapers and PDFs that explain various checklists, methodologies, and processes.
Like MITRE ATT&CK, Engage has its own matrix, which can be quickly explained based on the information from the Engage website:
- Prepare: The set of operational actions that will lead to your desired outcome (input).
- Expose: Detect adversaries when they trigger your deployed deception activities.
- Affect: Perform actions that negatively impact adversaries’ operations.
- Elicit: Observe the adversary to learn more about their tactics, techniques, and procedures (TTPs).
- Understand: Comprehend the outcomes of the operational actions (output).
For more details, refer to the Engage Handbook.
You can interact with the Engage Matrix Explorer and filter by information from MITRE ATT&CK. By default, the matrix focuses on the Operate phase, which includes Expose, Affect, and Elicit. You can also choose to focus on Prepare or Understand if you prefer.
This overview should give you a good starting point. Now, explore the resources provided on the Engage website to deepen your understanding.
Before moving on, let’s practice using this resource by answering the questions below.
Under Prepare, what is ID SAC0002? — Persona Creation
What is the name of the resource to aid you with the engagement activity from the previous question? — Persona Profile Worksheet
Which engagement activity baits a specific response from the adversary? — Lures
What is the definition of Threat Model? — A risk assessment that models organizational strengths and weaknesses
D3FEND
The MITRE D3FEND resource is described as “a knowledge graph of cybersecurity countermeasures.” Currently in beta and funded by the Cybersecurity Directorate of the NSA, D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
At the time the room was written, the D3FEND matrix listed 408 artifacts. Let’s take a quick look at one of them, Decoy File. Each artifact page describes the countermeasure technique: its definition, how it works, considerations for implementation, and examples of its use.
Similar to other MITRE resources, you can filter the information based on the ATT&CK matrix.
Since D3FEND is still in beta and expected to undergo significant changes in future releases, we won’t delve too deeply into it. The goal of this task is to make you aware of this valuable MITRE resource and encourage you to keep an eye on its development as it matures.
What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown? — Data Obfuscation
In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce? — Outbound Internet Network Traffic
MITRE ENGENUITY
If the tools provided by MITRE are not enough, MITRE ENGENUITY offers additional resources such as CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans.
CTID
MITRE formed the Center for Threat-Informed Defense (CTID), an organization composed of various companies and vendors from around the world. The objective of CTID is to conduct research on cyber threats and their TTPs (Tactics, Techniques, and Procedures) and share this research to enhance cyber defense for everyone.
Some of the participating companies and vendors include:
- AttackIQ (founder)
- Verizon
- Microsoft (founder)
- Red Canary (founder)
- Splunk
According to the website, “Together with Participant organizations, we cultivate solutions for a safer world and advance threat-informed defense with open-source software, methodologies, and frameworks. By expanding upon the MITRE ATT&CK knowledge base, our work expands the global understanding of cyber adversaries and their tradecraft with the public release of data sets critical to better understanding adversarial behavior and their movements.”
Adversary Emulation Library & ATT&CK® Emulation Plans
The Adversary Emulation Library is a public resource that offers free adversary emulation plans for blue/red teamers. The library and the emulations are contributions from CTID. Several ATT&CK® Emulation Plans are currently available, including APT3, APT29, and FIN6. These emulation plans provide step-by-step guides on how to mimic specific threat groups. For instance, if any of the C-Suite were to ask, “How would we fare if APT29 hits us?” this can be easily answered by referring to the results of the execution of the emulation plan.
In Phase 1 for the APT3 Emulation Plan, what is listed first? — C2 Setup
Under Persistence, what binary was replaced with cmd.exe? — sethc.exe
Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2) — Pupy,Metasploit Framework
What C2 framework is listed in Scenario 2 Infrastructure? — PoshC2
Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id) — P.A.S.,S0589
Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) refers to information about adversaries, in particular the TTPs (Tactics, Techniques, and Procedures) attributed to them. By using threat intelligence, defenders can make better-informed decisions about their defensive strategy. Large corporations may have dedicated in-house teams that gather threat intelligence for the other teams in the organization, on top of consuming readily available intel. That intel can come from open sources or from paid feeds from vendors such as CrowdStrike.
In contrast, many defenders in smaller organizations may have multiple roles and need to allocate time from their other tasks to focus on threat intelligence. To address this, we will work on a scenario that uses the ATT&CK® Matrix for threat intelligence. The primary goal of threat intelligence is to make the information actionable.
Scenario: You are a security analyst working in the aviation sector, and your organization is transitioning its infrastructure to the cloud. Your objective is to use the ATT&CK® Matrix to gather threat intelligence on APT groups that might target your sector and employ techniques relevant to your areas of concern. You will also check for any gaps in coverage. After selecting a group, review the group’s information, including their tactics, techniques, and other relevant details.
What is a group that targets your sector who has been in operation since at least 2013? — APT33
As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it? — Cloud Accounts
What tool is associated with the technique from the previous question? — Ruler
Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation? — Multi-factor Authentication
What platforms does the technique from question #2 affect? — IaaS, Identity Provider, Office Suite, SaaS
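The scenario above, and the Navigator description earlier in the room, both come down to the same operation: take the technique set attributed to a group, compare it with what your detections cover, and visualize the gaps. The following added example (not code from the room, TryHackMe or MITRE) does that and writes an ATT&CK® Navigator layer file that can be loaded through “Open Existing Layer → Upload from local”. The group and detection technique sets are constructed for illustration and are not a faithful list for APT33 or any other real group; in practice you would take them from the ATT&CK group page or its STIX data. The Navigator and layer-format version numbers are assumptions and should match your Navigator instance.

```python
"""Compute ATT&CK coverage gaps for a group and emit a Navigator layer.

Added example, not from TryHackMe or MITRE. Technique sets below are
constructed, not a real group's attribution. Version numbers in the layer
are assumptions; set them to match your Navigator deployment.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed: techniques "attributed" to a hypothetical group targeting our
# sector, and the techniques our hypothetical detections already cover.
GROUP_TECHNIQUES: Set[str] = {"T1566.001", "T1078.004", "T1114.002", "T1110.003", "T1059.001"}
DETECTED_TECHNIQUES: Set[str] = {"T1566.001", "T1059.001", "T1053.005"}

COVERED_COLOR = "#66b032"
GAP_COLOR = "#ff6666"


def parent_technique(technique_id: str) -> str:
    """'T1078.004' -> 'T1078'; a plain technique maps to itself."""
    return technique_id.split(".")[0]


def coverage_gaps(group: Iterable[str], detected: Set[str]) -> List[str]:
    """Techniques the group uses that no detection covers.

    A detection on a parent technique is treated as covering all of its
    sub-techniques; a detection on one sub-technique does not cover its siblings.
    """
    gaps = {t for t in group if t not in detected and parent_technique(t) not in detected}
    return sorted(gaps)


def build_layer(name: str, group: Set[str], detected: Set[str],
                attack_version: str = "14", domain: str = "enterprise-attack") -> Dict:
    """Navigator layer: group techniques scored 1 (covered) or 0 (gap), colored accordingly.

    No 'tactic' field is set, so Navigator highlights each technique in every
    tactic column where it appears.
    """
    gaps = set(coverage_gaps(group, detected))
    techniques = []
    for tid in sorted(group):
        covered = tid not in gaps
        techniques.append({
            "techniqueID": tid,
            "score": 1 if covered else 0,
            "color": COVERED_COLOR if covered else GAP_COLOR,
            "comment": "covered by existing detection" if covered else "GAP: no detection",
            "enabled": True,
            "showSubtechniques": "." in tid,
        })
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": domain,
        "description": f"{len(gaps)} of {len(group)} attributed techniques have no detection",
        "techniques": techniques,
        "gradient": {"colors": [GAP_COLOR, COVERED_COLOR], "minValue": 0, "maxValue": 1},
        "legendItems": [
            {"label": "covered", "color": COVERED_COLOR},
            {"label": "gap", "color": GAP_COLOR},
        ],
    }


def layer_json(layer: Dict) -> str:
    """Serialize in the form Navigator's upload dialog accepts."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Hypothetical group vs. our detections", GROUP_TECHNIQUES, DETECTED_TECHNIQUES)
    with open("coverage-layer.json", "w", encoding="utf-8") as fh:
        fh.write(layer_json(layer))
    print("gaps:", coverage_gaps(GROUP_TECHNIQUES, DETECTED_TECHNIQUES))
```

The gap list is the actionable output: for the cloud-migration scenario, a sub-technique such as Cloud Accounts showing up in it is the item to bring back to the detection engineering backlog, and the layer gives management the same answer in one screenshot.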
In this room, we explored the various tools and resources provided by MITRE to the security community. The goal was to familiarize you with these resources and provide a foundational understanding of their applications. Many vendors of security products and security teams worldwide consider MITRE’s contributions invaluable in their daily efforts to combat cyber threats. The more information we have as defenders, the better equipped we are to fight back. For those looking to transition into roles such as SOC analyst, detection engineer, or cyber threat analyst, these tools and resources are essential knowledge.
As previously mentioned, these resources are not only beneficial for defenders but also for red teamers. The objective for red teamers is to emulate the adversary and attempt to bypass the controls in place within the environment. With these resources, red teamers can effectively mimic a true adversary and communicate their findings in a common language that both defenders and attackers can understand. This collaborative approach is known as purple teaming.
Task 9 requires no answer.
Thank you for reading my article! If this helped you, please feel free to share it with others.