I’m ready to put up MITREE 🎄 – but is my business ready with MITRE ATT&CK?
This blog post reviews the MITRE ATT&CK framework and discusses which tactics and techniques should warrant your attention over the upcoming holiday season.
We’ll also show you how to use Immersive Labs to review your skills coverage, identify resource dependencies, and assign timely and relevant content using the MITRE ATT&CK framework.
We’re just out of the proverbial woods after a very spooky hauntober and a frighteningly long list of new CVEs in November. 🙅♀️ I’m ready to be merry and make some memories around my tree. Are you?
As you look to spirited times ahead, you need to think about how to protect your business in areas where your cyber skills may be weak, and how you can address the increased risks around the holiday season.
Immersive Labs and the MITRE ATT&CK® framework can help!
If you’re not familiar with MITRE, we’ll get acquainted quickly here. When you think about an incident, did the attacker go down the chimney or through the front door? Did they skulk under rugs and furniture to evade your surveillance while stealing secrets along the way? When the thief absconded, did they take the stocking, the gifts, the tree?
The MITRE ATT&CK framework can be used to pin down what the grinch (the malicious actor) did at a high level – this is a tactic. You can also drill deeper into the details of how – this is a technique. MITRE ATT&CK brings structure to the understanding of adversarial behavior, helps you identify attack types, and supports risk definition.
Okay great! So what next? How can you use MITRE ATT&CK to tangibly protect your business when you look at training needs for the upcoming holiday season? How can you demonstrate that you’re addressing the increased risk this time of year from an upskilling and readiness perspective?
Review your skills coverage
The MITRE ATT&CK dashboard in the Immersive Labs platform provides a visual heat map of how every person's knowledge and skills stack up against the MITRE ATT&CK framework. Labs are mapped to appropriate tactics and techniques. The darker the blue, the more people who have completed labs associated with that technique and tactic combination.
If you see large gaps around key risk areas, such as initial access or phishing techniques, you might want to focus on building knowledge and skills in these areas – especially before the holidays.
Prioritize tactics and techniques
Now that you’ve oriented your organization's knowledge and skills distribution against the framework, you’ll want to prioritize your upskilling efforts.
First, review key risk areas and tactics, techniques, and procedures (TTPs) for your business based on industry, the latest CVEs, and active threat actors.
At present, CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) are top of mind for many in the technology sector. They map to technique T1068, Exploitation for Privilege Escalation.
There’s also been noise around the threat actor Peach Sandstorm, which has a number of relevant TTPs. Think about which of these might be the most relevant or highest risk to your organization and how urgently you should address training needs for them.
Next, think about the fact that 48% of US shoppers report being targeted by some type of scam while holiday shopping online. And that's just users reporting what they think to be true. If an employee is finishing up tasks and makes a quick stop on social media, they could be one of the 37% of Americans who make a purchase through a social media advert. That could expose your corporate networks to phishing attacks and malware infections… definitely not nice.
Given the nature of the season and the statistics already mentioned, it’s worth considering the key tactic of initial access, which involves techniques like phishing that can be prevalent with holiday-themed scams.
- T1190: Exploit Public-Facing Application: Phishing emails with malicious links disguised as holiday greetings or shopping deals.
- T1566: Phishing: Spear phishing emails targeting specific employees with personalized holiday-themed content.
You should also prioritize techniques related to execution and credential access to prevent unauthorized access and detect any evasive actions by attackers.
- T1204: User Execution: Malicious attachments in holiday-themed emails that automatically execute when opened.
- T1189: Drive-by Compromise: Visiting malicious websites embedded in holiday greeting cards or promotional links.
- T1110: Brute Force: Automated attempts to guess employee passwords using common holiday-related phrases.
Persistence tactics are also crucial, as attackers might try to maintain access to systems during the holiday season when IT staff could be less vigilant. Attackers can create scheduled tasks to run malicious code during holiday downtime, or capitalize on the increased network activity and user complacency during holidays to maintain a foothold on a system.
- T1053: Scheduled Task/Job: Creating a scheduled task to execute malware on a holiday-specific date or time.
- T1118: Boot or Logon Autostart Execution: Configuring system settings to automatically run malicious code when a user logs in during a holiday period.
Use the MITRE ATT&CK dashboard to identify resource dependencies
Within any technique in the MITRE Dashboard, you can see both the user progress against mapped labs and the labs themselves. You can use this to infer resource dependencies or single points of failure around specific tactic and technique combinations.
For example, say 32 labs mapped to Initial Access: T1566 Phishing are assigned to each team member. User Smith has completed 18 of them, West has completed 14, Jones has completed 9, and Lee has completed 8. The MITRE Dashboard has identified this technique as lower coverage across your team.
In this case, Smith and West are potential resource dependencies or single points of failure. If these two users were off work over the holidays, the covering team members might not have the same knowledge or skills to help with an investigation involving this technique.
To mitigate this, you could increase the breadth of coverage by having all other team members complete the same labs that Smith has completed. This would help to reduce the risk of single points of failure.
It might also be worthwhile increasing the depth of knowledge across the team to reach medium or high coverage for the phishing technique, thereby reducing resource dependencies further.
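The dependency reasoning above can be made mechanical once you know which labs each person completed, not just how many. The script below is an added example, not Immersive Labs code or an export format of the dashboard. The lab identifiers (lab-01 to lab-32), the per-person completion sets and the coverage thresholds are constructed assumptions chosen to match the counts in the post (Smith 18, West 14, Jones 9, Lee 8 of 32). It treats a team member as a single point of failure when they are the only person who has completed some mapped lab, measures "resilient" coverage as the share of labs completed by at least two people, and builds the remediation plan the post suggests (everyone catches up to Smith's set) so you can see what it does and does not fix.

```python
"""Bus-factor style analysis of lab coverage for one ATT&CK technique.

Added example, not Immersive Labs code. Lab IDs, completion sets and
thresholds are constructed assumptions matching the counts in the post.
"""
from collections import Counter
from typing import Dict, List, Set

TOTAL_LABS = 32  # constructed: 32 labs mapped to Initial Access: T1566 Phishing


def labs(first: int, last: int) -> Set[str]:
    """Constructed lab identifiers lab-01 .. lab-32 (inclusive range)."""
    return {f"lab-{n:02d}" for n in range(first, last + 1)}


# Constructed completion sets; the counts match the post, the overlap is assumed.
COMPLETIONS: Dict[str, Set[str]] = {
    "Smith": labs(1, 18),   # 18 of 32
    "West": labs(11, 24),   # 14 of 32
    "Jones": labs(1, 9),    # 9 of 32
    "Lee": labs(1, 8),      # 8 of 32
}

# Assumed thresholds on resilient coverage (labs completed by >= 2 people).
LEVELS = [(0.66, "high"), (0.33, "medium"), (0.0, "low")]


def lab_headcount(completions: Dict[str, Set[str]]) -> Counter:
    """Number of team members who have completed each lab."""
    counts: Counter = Counter()
    for done in completions.values():
        counts.update(done)
    return counts


def team_coverage(completions: Dict[str, Set[str]], min_people: int = 1,
                  total: int = TOTAL_LABS) -> float:
    """Fraction of mapped labs completed by at least `min_people` members."""
    headcount = lab_headcount(completions)
    return sum(1 for c in headcount.values() if c >= min_people) / total


def coverage_level(completions: Dict[str, Set[str]]) -> str:
    """Low / medium / high, judged on labs at least two people can cover."""
    ratio = team_coverage(completions, min_people=2)
    for threshold, name in LEVELS:
        if ratio >= threshold:
            return name
    return "low"


def single_points_of_failure(completions: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Members who are the only person to have completed some lab."""
    headcount = lab_headcount(completions)
    spof: Dict[str, List[str]] = {}
    for user, done in completions.items():
        unique = sorted(lab for lab in done if headcount[lab] == 1)
        if unique:
            spof[user] = unique
    return spof


def remediation_plan(completions: Dict[str, Set[str]], reference: str) -> Dict[str, List[str]]:
    """Labs each other member still needs to match `reference`'s completed set."""
    target = completions[reference]
    return {user: sorted(target - done)
            for user, done in completions.items()
            if user != reference and target - done}


def apply_plan(completions: Dict[str, Set[str]],
               plan: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Simulate everyone finishing their assigned labs (returns a new mapping)."""
    return {user: done | set(plan.get(user, [])) for user, done in completions.items()}


if __name__ == "__main__":
    print("any-member coverage:", team_coverage(COMPLETIONS))
    print("resilient coverage:", team_coverage(COMPLETIONS, min_people=2),
          coverage_level(COMPLETIONS))
    print("single points of failure:", single_points_of_failure(COMPLETIONS))
    plan = remediation_plan(COMPLETIONS, "Smith")
    print("labs to assign:", {u: len(v) for u, v in plan.items()})
    after = apply_plan(COMPLETIONS, plan)
    print("after plan:", coverage_level(after), single_points_of_failure(after))
```

Running it on the constructed data shows the difference between breadth and depth that the post draws: once everyone matches Smith's labs, Smith is no longer a single point of failure, but West still is, because the labs only West completed (lab-19 to lab-24 here) were never assigned to anyone else. Assigning the union of everyone's completed labs, or raising `min_people`, is how you move from "no one person is critical" toward medium or high coverage.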
Take action to protect your business!
Assign content to cover:
- Skills coverage – gaps you identified with the MITRE ATT&CK Organization Dashboard
- Priority TTPs
- Resource dependency remediation
Create a custom collection using the MITRE ATT&CK interface:
As always, start by building out the collection details, including a title, description, and cover image.
Then, select your labs by MITRE ATT&CK. It’s the same interactive Organization View you’ve seen before, except you can add labs from the technique directly to your new collection!
Consider teaching your team more about MITRE itself, or diving into specific high-risk holiday tactics this blog touches on!
We have a MITRE ATT&CK collection that’s designed to be foundational. It includes labs focusing on each tactic, teaching learners how to recognize and protect against related attacks. The labs use the ATT&CK Navigator, an open-source tool, to map and understand these tactics and techniques. This approach helps users learn to identify and mitigate potential threats using a structured and widely recognized framework.
For Initial Access, we have an Events & Breaches collection that includes labs on identifying spoofed domains in phishing emails and analyzing web traffic to identify threats. Additionally, the Threat Research collection contains labs on phishing techniques, providing practical exercises to enhance skills in recognizing and mitigating phishing attacks.
We have a dedicated collection on Credential Access, with labs that provide practical experience in attacking password encryption methods, cracking hashed passwords, conducting brute force attacks, stealing user credentials, and more! This collection aims to enhance learners' understanding of credential access vulnerabilities and techniques used by hackers.
Last, but certainly not least, we have a dedicated Persistence collection. These labs teach learners how to recognize and protect against malicious persistence attempts, covering techniques like COM hijacking and IFEO registry key injection, as well as Linux persistence methods. The labs provide comprehensive training on detecting and mitigating persistence techniques used by attackers.
Now, you’ve helped bolster your cyber resilience, and have better positioned yourself to protect the business!
Share your thoughts
Do you have any holiday cyber memes that the world must see? Did you learn a bit about MITRE ATT&CK and how to protect your business around the upcoming holidays? Comment below!
🔔 Don’t let your cyber resilience slip with the dropping temperatures. Make sure you're following the Human Connection Blog to get updates to your inbox!