Using the MITRE ATT&CK Navigator for Intelligence Gathering Pre-purple Teaming


by Eliza May Austin


Purple teaming should always be intelligence-led adversary emulation. If it isn’t, then quite frankly you aren’t doing it right. It’s hard to defend against something you have never seen, and it’s pointless spending resources defending against something you will likely never see.

Intelligence-led purple teaming simply means you are acting on knowledge you have acquired about threat actors, which better equips you for a purple teaming exercise. The aim is to avoid a wide-scoped, vague or non-targeted purple team exercise.

Adversary emulation is the act of attacking by using the same methodology and approach as your most likely attackers would. We do this not only to test the resiliency of our environment but also to better equip ourselves to harden our environment against the malicious methods we are most likely to face.

Not all teams are fortunate enough to have a budget that covers threat intelligence (TI), so here is a little something you can do to gather your own pre-purple TI data.

The tool I am using, the ATT&CK Navigator, was created by MITRE ATT&CK; you can find it here.

A simple way to find which attacking groups may be targeting you, and which methodologies are applicable to you, is to search from the main page welcome bar for keywords, such as your industry. Below I searched “telecommunications” as an example.


When you arrive on the home page of attack-navigator you will be presented with a pretty exhaustive list of Tactics, Techniques and Procedures (TTPs) grouped into a series of categories based on attack types.

In this example we are acting as a telecommunications company. We are presented with intelligence informing us that Deep Panda and APT 28 are particularly active at the moment, and we want to assess our likelihood of facing attacks using specific TTPs from these two threat actors.


Using the multi-select tool (I have added a red dot for visibility), scroll down and select Deep Panda. You will notice that all TTPs known to be used by Deep Panda are made more prominent with a box surround.


Let’s make that even more prominent and give it a threat score, with matching colours. In the search bar, go to the paint palette.

I know it’s quite common to class the number 1 as high, but my brain just does not work that way. For me the number 1 is a low value, so I represent that in my colour palette. Feel free to fiddle about with the colour settings to meet whatever need you may have.

Be sure to tick the ‘show’ box so that the settings are reflected in your work.


Move on to the graph icon. Here we assign a score to the TTPs based on the prevalence of the threat actor and how applicable they are to us.


The layer named Deep Panda now visually shows us that its TTPs are of high priority to us. This is very useful for presentations, reports and subsequent emulation plans for purple team exercises.


We assign Deep Panda a high score because we are aware that Deep Panda targets telcos, and we want to make ourselves aware of how they do that. We go ahead and give them a score of 3/3.

After a quick search of the MITRE ATT&CK framework and Google, we discover that APT 28, although notorious and prolific, isn’t likely to find us an appealing target: we’re not US based and aren’t a government body.

We want to avoid giving APT 28 the same level of prioritisation as Deep Panda, but we still want to remain savvy to their TTPs, because this hypothetical telco company provides services to several third parties of government that just so happen to be based in the US.

Compromising our telco is a step in the right direction for attackers that want to gain access to critical national infrastructure (CNI) through a supply chain attack. Let’s go ahead and give APT 28 a low score of 1. We want to defend ourselves against APT 28, but not before we defend ourselves against Deep Panda.

Create a different workspace for APT 28. This is referred to as a layer, and new layers can be created by clicking the + button on the top left.


Now all of the APT 28 TTPs are green. This indicates their priority status to us, but you can change the colour to suit your own needs.

Let’s combine the two layers now so that they are presented in a single layer for easy viewing.

Add a new tab/layer and select ‘create layer from layers’.


You will notice that our two layers are assigned labels ‘a’ and ‘b’.


You now have the ability to add the two layers together. Both groups may use some of the same TTPs, and because I don’t want the priority of those TTPs to visually change, I need to add my layers together in a way that reflects this.

I want a shared TTP to remain critical (red), to show that the infrastructure needs hardening against it, so I will add b to a rather than a to b. This prioritises Deep Panda’s coloured threat settings and presents any TTP used by both APT 28 and Deep Panda as red and not green.


We are presented with the layer below, which shows the differences in methodologies between the two groups.


If you want to export this data set you can do so in a number of formats; here I downloaded the information into Excel format.


I’ll remove all non-coloured fields so that I am left with only the TTPs I want to go into my adversary emulation plan.
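The same workflow (score each group’s techniques, add the APT 28 layer to the Deep Panda layer so shared techniques stay red, then drop everything unscored before export) can be scripted so that it is repeatable and reviewable. The following is an added example, not code from the article or from MITRE. It writes dictionaries in the shape of a Navigator layer file (techniqueID, score, color, gradient), but the version numbers are assumptions, the group-to-technique mappings are constructed sample data rather than ATT&CK’s actual group pages, and the CSV output stands in for the Excel export.

```python
"""Build, combine and filter ATT&CK Navigator-style layers in code (added example)."""
import csv
import io
import json

# Score convention from the article: 1 = low, 2 = medium, 3 = high.
SCORE_COLOURS = {1: "#8ec843", 2: "#ffe766", 3: "#ff6666"}  # green, yellow, red
MAX_SCORE = 3

# Constructed sample data: the techniques each group is assumed to use.
# These mappings are made up for the example, not taken from ATT&CK group pages.
GROUP_TTPS = {
    "Deep Panda": ["T1566", "T1078", "T1059", "T1003"],
    "APT 28": ["T1566", "T1059", "T1190", "T1071"],
}


def build_layer(name, technique_ids, score, domain="enterprise-attack"):
    """Return a dict shaped like a Navigator layer file.

    Every technique the group is known to use gets the same priority score,
    mirroring the article's per-group threat score (Deep Panda 3, APT 28 1).
    The version numbers are assumptions for the example.
    """
    return {
        "name": name,
        "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},
        "domain": domain,
        "description": f"Priority {score}/{MAX_SCORE} for techniques used by {name}",
        "techniques": [
            {"techniqueID": tid, "score": score, "color": SCORE_COLOURS[score], "enabled": True}
            for tid in sorted(technique_ids)
        ],
        "gradient": {
            "colors": [SCORE_COLOURS[1], SCORE_COLOURS[2], SCORE_COLOURS[3]],
            "minValue": 1,
            "maxValue": MAX_SCORE,
        },
    }


def combine_layers(a, b, name="Deep Panda + APT 28"):
    """Merge layer b into layer a, like the Navigator's 'create layer from layers' with a + b.

    Scores are summed per technique and capped at MAX_SCORE, so a technique
    shared by both groups keeps the top colour (red) instead of dropping to
    the lower-priority group's green.
    """
    scores = {}
    for layer in (a, b):
        for t in layer["techniques"]:
            scores[t["techniqueID"]] = scores.get(t["techniqueID"], 0) + t["score"]
    merged = build_layer(name, [], 1)  # skeleton with the same gradient settings
    merged["description"] = f"{a['name']} scores with {b['name']} added"
    merged["techniques"] = [
        {
            "techniqueID": tid,
            "score": min(s, MAX_SCORE),
            "color": SCORE_COLOURS[min(s, MAX_SCORE)],
            "enabled": True,
        }
        for tid, s in sorted(scores.items())
    ]
    return merged


def scored_techniques(layer):
    """Drop un-coloured (unscored) techniques, as the article does before export."""
    return [t for t in layer["techniques"] if t.get("score", 0) > 0]


def export_csv(layer):
    """Render the scored techniques as CSV text (stand-in for the Excel export)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["techniqueID", "score", "color"])
    for t in scored_techniques(layer):
        writer.writerow([t["techniqueID"], t["score"], t["color"]])
    return buf.getvalue()


def build_emulation_plan():
    """Score Deep Panda 3/3 and APT 28 1/3, then add the APT 28 layer to Deep Panda's."""
    deep_panda = build_layer("Deep Panda", GROUP_TTPS["Deep Panda"], 3)
    apt28 = build_layer("APT 28", GROUP_TTPS["APT 28"], 1)
    return combine_layers(deep_panda, apt28)


if __name__ == "__main__":
    plan = build_emulation_plan()
    print(json.dumps(plan, indent=2))  # loadable in the Navigator as a layer file
    print(export_csv(plan))
```

The combined layer keeps T1566 and T1059 (used by both constructed groups) at score 3 and red, while the APT 28-only techniques stay at 1 and green, which is the outcome the article reaches by adding b to a in the Navigator.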


Thanks to the community work done by @MITRE ATTACK, we all have a wealth of easily digestible information about known threat actors at our fingertips. Enjoy exploring!


Eliza May Austin is the CEO & Co-Founder at th4ts3cur1ty.company. Eliza is also the Founder and Director of Ladies of London Hacking Society.


The article was originally published at: https://www.linkedin.com/feed/update/urn:li:activity:6566757399049314304/

August 16, 2019


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013