book

Adversary Emulation with MITRE ATT&CK

Name: Adversary Emulation with MITRE ATT&CK
Author: Drinor Selmanaj
ISBN: 9781098169473

by Drinor Selmanaj

November 2024

Intermediate to advanced

385 pages

12h 19m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Preface
Who This Book Is ForGoals of the BookHow the Book Is OrganizedHands-on ApproachConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
I. Understanding Adversary Emulation
1. Introduction
Know Your AttackersMaximizing Adversary CostAdversary-Inspired TestingDrawbacks of Traditional Security AssessmentsTypes of Security AssessmentsVulnerability ScanningVulnerability AssessmentPenetration TestingRed TeamBlue and Purple TeamsAdversary Emulation FundamentalsImportance of Adversary EmulationFramework and Evaluations for Adversary EmulationBenefits of Adversary EmulationTransparency and RelevanceEngagement PlanningAdversary Emulation PlanSummary
2. Advanced Persistent Threats
Mechanics of MotivationAccidental ThreatsCoercionDisgruntlementDominanceIdeologyNotorietyOrganizational GainPersonal Financial GainPersonal SatisfactionUnpredictable ThreatsDeceptionDeceptive CommunicationDeceptive AppearanceAPT AttributionAuthorization Process for Cyber OperationsFrom Intellectual Property Theft to IndictmentDefining Key Terms in AttributionData CollectionAnalysisOrigin AttributionAPT DoxingSummary
3. Dissecting Frameworks and Strategies
ATT&CK FrameworkATT&CK MatrixTechnology DomainsNavigating the PlatformTacticsTechniques, Sub-Techniques, and ProceduresSoftware and MitigationsGroups and CampaignsData SourcesObject Model RelationshipsCustomizing and Extending ATT&CKLimitations and BoundariesAccessing ATT&CK in PythonThreat-Informed DefenseThreat Intelligence in Modern DefenseChallengesBest PracticesTools and TechnologiesEnhancing Security Through UnderstandingIntegrating MITRE ATT&CK and the NIST CSFUsing ATT&CK to Protect Against Cyber ThreatsSummary
4. The Adversary’s Modus Operandi
ReconnaissanceActive Scanning (T1595)Gather Victim Identity Information (T1589)Search Closed Sources (T1597)Resource DevelopmentAcquire Infrastructure (T1583)Develop Capabilities (T1587)Establish Accounts (T1585)Initial AccessDrive-by Compromise (T1189)Exploit Public-Facing Application (T1190)Phishing (T1566)Supply Chain Compromise (T1195)ExecutionCommand and Scripting Interpreter (T1059)Exploitation for Client Execution (T1203)Software Deployment Tools (T1072)PersistenceAccount Manipulation (T1098)BITS Jobs (T1098)Compromise Client Software Binary (T1554)Privilege EscalationExploitation for Privilege Escalation (T1068)Domain Policy Modification (T1484)Defense EvasionDeobfuscate/Decode Files or Information (T1140)Masquerading (T1036)Indirect Command Execution (T1202)Credential AccessBrute Force (T1110)Network Sniffing (T1040)OS Credential Dumping (T1003)DiscoveryAccount Discovery (T1087)Browser Information Discovery (T1217)System Network Connections Discovery (T1049)Lateral MovementExploitation of Remote Services (T1210)Replication Through Removable Media (T1091)Use Alternate Authentication Material (T1550)CollectionAutomated Collection (T1119)Archive Collected Data (T1560)Data from Network Shared Drive (T1039)Command and ControlApplication Layer Protocol (T1071)Ingress Tool Transfer (T1105)Proxy (T1090)ExfiltrationExfiltration over Alternative Protocol (T1048)Scheduled Transfer (T1029)Transfer Data to Cloud Account (T1537)ImpactData Encrypted for Impact (T1486)Endpoint Denial of Service (T1499)System Shutdown/Reboot (T1529)Summary
5. In-the-Wild Use of ATT&CK TTPs
Step-by-Step ProceduresExecuting a Spearphishing AttachmentDemystifying Command and Scripting InterpreterModify SSH Authorized KeysDeobfuscate/Decode Files or InformationHow Threat Actors Conceal Their ArtifactsPassword Spray All Domain UsersDelving into Network CommunicationsOS Credential DumpingUncovering Local and Domain UsersHow to Propagate Through Removable MediaAbusing Alternate Authentication ProtocolsHarnessing AutomationSSH for Exfiltration over Alternative ProtocolData Held Hostage Using GPGActive Learning ExperienceArchitecture and ComponentsEnvironment SetupPutting Theory to the TestNetwork and Host ExplorationBrute-Forcing with HydraExecuting Malicious Payload in FroxlorFabricating Logfiles to Inject Malicious CodeExecution via Command and Scripting InterpreterDiscovery Through Command-Line AnalysisJumping Across Remote ServicesHijacking Linux Shared DirectoriesCapability Development for Resource CreationCompromising System Security with PAM BackdoorStealthy Data ArchivingApplication Layer Protocol for Command and ControlAlternative Protocol ExfiltrationRansomware ImpactSummary
6. The Power of Visualization
ATT&CK NavigatorCustomizing Matrix with LayersEditing and Sorting LayersNavigating and Annotating Techniques in the InterfaceSelecting TechniquesCustomizing the NavigatorUnderstanding Dragonfly TacticsAttack FlowOperations TeamsAttack Flow AnalysisCyberattack on a NATO MemberSummary
7. Cyber Threat Intelligence
Data AcquisitionData SourcesEthics of Data AcquisitionProcessing and EnrichmentApache KafkaAdversary MappingUsing Narrative Reports to Map IntelligenceIntelligence Mapping from Raw DataPredictive Threat Intelligence with AIMachine Learning for Predictive AnalysisDeep Learning for Pattern RecognitionNatural Language Processing for Text AnalysisVoice Synthesis and Caller ID SpoofingAI in Fraud DetectionCTI and Digital WarfareGeopolitical ImpactKey PlayersCreating an Effective Threat Intelligence ProgramSummary
II. Adversary Emulation Operations

8. Establishing Goals for Adversary Emulation
Understanding Engagement PurposeEffective CommunicationDiverse Stakeholder ExpectationsInsufficient Understanding of the Threat LandscapeUndefined Security GoalsLimited Awareness of the Organization’s Security PostureResistance from StakeholdersLack of ResourcesAssessing Suitability for Adversary EmulationOrganizational ReadinessEducate People About Adversary EmulationExplore AlternativesPlan for the FutureInterviewing Relevant StakeholdersHarnessing Global PerspectivesBuilding Long-Term RelationshipsFuture DirectionCreating a Culture of Open CommunicationBrainstorming Threat ScenariosThe Anatomy of Potential AttacksThe Gateway to Threat ExploitationA Strategic Approach to Prioritizing Protection EffortsAdaptive Response to Dynamic Cyber ThreatsDocument Engagement ObjectivesSMART Criteria for Effective Engagement ObjectivesExamples of Engagement ObjectivesSummary
9. Researching Adversary Tradecraft
From Surface-Level Tactics to Deep-Dive ProceduresDeveloping Adversary ProfilesWhy Profiling Is ImportantProfiling MethodologiesAggregating Adversary DataSelecting an Adversary for EmulationConsequences of Improper SelectionAnalyzing the Adversary’s Geographies and SectorsDeciphering the Goals Behind the ActionsAssembling the TTP OutlineOverview of the Adversary’s Known TTPsImportance of Maintaining a TTP RepositoryOrganizing and Categorizing TTPsThe Strategic Role of a TTP OutlineBuilding a Comprehensive TTP OutlineReview and AdjustmentSummary
10. Engagement Planning
Understanding the Financial AspectsThe Scope of EngagementSchedule, Duration, and FrequencyRules of EngagementApproving AuthoritiesHuman Resource PlanningEquipment and Software CostCross-Departmental CollaborationCommunication PlanEngagement NotificationsSummary
11. Implementing Adversary Tradecraft
Setting Up the Lab EnvironmentSplunk Attack RangeSetting Up Splunk Attack RangeTTP Development Life CycleAdversary Emulation PlanThreat Actors Intelligence SummaryVisualization of the Emulation JourneyAdversary ArsenalTesting TTPs in the LabMap Detection and MitigationSummary
12. Executing Adversary Tradecraft
Review TTP ImplementationExecute Adversary TTPsPrelude OperatorObserve and Document TTP ResultsReport FindingsMeasuring the EffectivenessSummary
13. Adversary Emulation Resources
Adversary Emulation LibraryIntroduction to CalderaPlug-in LibraryParsersRelationshipsObjectivesOperation ResultsAtomic Red TeamBadBloodSummary
III. Hands-on Adversary Emulation
14. FIN6 Emulation Plan
Mission EssentialsFIN6 Initial AccessFIN6 DiscoveryDomain Account (T1087.002)Remote System Discovery (T1018)Domain Trust Discovery (T1482)System Network Configuration Discovery (T1016)Domain Groups (T1069.002)FIN6 Privilege Escalation and Credential AccessAccess Token Manipulation (T1134)LSASS Memory (T1003.001)NTDS (T1003.003)LSASS Memory—Windows Credential Editor (T1003.001)FIN6 Collection and ExfiltrationArchive via Utility (T1560.001)Exfiltration over Unencrypted Non-C2 Protocol (T1048.003)FIN6 Emulation EpilogueSummary
15. APT3 Emulation Plan
Mission EssentialsAPT3 Initial AccessAPT3 DiscoveryAPT3 Defense EvasionAPT3 Privilege EscalationAPT3 Credential AccessAPT3 PersistenceAPT3 Execution and Lateral MovementSummary
16. APT29 Emulation Plan
Mission EssentialsAPT29 Initial AccessAPT29 Speedy Data Retrieval and Stealth InsertionsPreliminary Data HarvestingClandestine Utility RolloutAPT29 Defense Evasion and DiscoveryPersistenceCredential AccessAPT29 Execution for Lateral MovementSummary
Index
About the Author

Content preview from Adversary Emulation with MITRE ATT&CK

Chapter 14. FIN6 Emulation Plan

The FIN6 group is a cybercrime syndicate known for its nefarious activities primarily revolving around collecting and selling payment card data on underground marketplaces. Notorious for its aggressive targeting and compromising of point of sale (POS) systems, this group’s illicit operations have particularly targeted the hospitality and retail sectors. FIN6’s MO was historically focused on brick-and-mortar venues across the US and Europe, where it harvested POS data. However, with the evolving digital landscape, the group transitioned some of its operations to target ecommerce platforms, thereby showcasing a tactical pivot in line with the burgeoning online retail space.

FIN6’s technical arsenal is significantly robust, manifesting in sophisticated cyberattacks. For instance, a marriage of forces with the TrickBot trojan was observed, where initial infections via TrickBot were later exacerbated by deploying the Anchor backdoor malware. This indicated a nuanced strategy and the capability to orchestrate multistage attacks.¹

This group’s evolution underscores its discerning adaptability—from initially deploying POS malware to later engaging in ransomware campaigns—amplifying the threat it poses to physical and online retail domains. Its operational sophistication and willingness to evolve and adopt new malicious tactics warrant a high degree of vigilance and advanced security measures among potential target sectors.

As you progress into the hands-on ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098143756Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Adversary Emulation with MITRE ATT&CK

by Drinor Selmanaj

Chapter 14. FIN6 Emulation Plan

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.