Mapping the ASD Essential 8 to the Mitre ATTACK™ framework
4 likes5,156 views
The document outlines various tactics and techniques involved in cyber threats, categorized using the MITRE ATT&CK framework. It emphasizes methods of initial access, credential access, privilege escalation, and data exfiltration, along with preventive measures such as application whitelisting, multi-factor authentication, and user training. Additionally, it highlights the importance of monitoring tools like EDR and SIEM in detecting threats and malicious behavior within systems.
Mapping the ASD Essential 8 to the Mitre ATTACK™ framework
- 1. 3. Persistence 7. Discovery 9. Collection Mitre ATT&CK Stage Tactic GRU 1. Initial Access 6. Credential Access 5. Defense Evasion 4. Privilege Escalation ! 2. Execution 8. Lateral Movement 10. Exfiltration 11. Command & Control Spearphishing attachment Application whitelisting Drive-by Compromise Spearphishing link Exploit Public-Facing Application User Execution Valid Accounts Exploitation for Client Execution Trusted Relationship Spearphishing via Service Bootkit Valid Accounts Login Item Launch Agent Application Shimming Modify Existing Service Web Shell Obfuscated Files or Information Clear Command History Masquerading Exploitation for Defense Evasion Input Capture Exploitation for Credential Access Remote Services Credentials in Files Network Service Scanning Private Keys Remote System Discovery Hooking Windows Admin Shares Data from Local System / Network Shared Drive Data Staged Input Capture Email Collection Screen Capture Data Encrypted Data Compressed Automated Col- lection Custom Cryptographic Protocol Commonly Used Port Data Encoding Custom Command and Control Protocol Remote File Copy Multi-hop Proxy ASD Essential 8 and Mitre ATT&CK Exploitation for Privilege Escalation Data from Information Re- positories FIN7 FSB Hidden COBRA ASD Essential 8 Digital Shadows Advice Patch applications, Patch operating systems Multi-factor authentication Restrict administrative priv- ileges Patch applications User application hardening, Configure Microsoft Office macro settings Restrict administrative privileges, Patch Operating Systems Restrict administrative privileges Patch Operating Systems Multi-factor authentication Patch Operating Systems Patch User Applications Patch User Applications Application Whitelisting Application Whitelisting Multi-factor authentication Restrict administrative privileges Restrict administrative privileges Restrict administrative privileges Monitoring for the creation of phishing domains Monitoring for persistence mechanisms via KnockKnock or for launch file creation via other file monitoring solutions such as EDR Example: Monitoring for PowerShell scripts via the Anti Malware Script Interface (AMSI) in Windows 10 reveals the deobfuscated commands Monitoring for user authentications, via SSH for example, which do not correspond to changes in a user’s command history may indicate attempts to evade detection EDR systems may be able to detect attempts to install hook procedures Procedural controls such as training, awareness and regular reviews can be used to educate users to the dangers of leaving valid credentials in files EDR and/or SIEM solutions can detect port scanning activities EDR and/or SIEM solutions can detect remote system discovery activities Malicious behavior can be cross-correlated with the accessing of remote services to track an adversary through an environment EDR and/or SIEM solutions can be used to detect data being gather from local and remote systems EDR and/or SIEM solutions can be used to detect data being automatically collected especially when scripts or command line tools are used User Behavior Analytics (UBA) may detect anomalous collection patterns. Logs of activity for information repository access should be kept EDR and/or SIEM solutions can be used to detect email being collected especially when scripts or command line tools are used against APIs EDR and/or SIEM solutions can be used to detect data being staged especially when scripts or command line tools are used Network monitoring can be used to detect the usage of protocols typically not present in an environment, such as FTP, as well as anomalous file transfers via other mediums Network monitoring can detect the usage of, for example, base64 encoding in network traffic Network monitoring for encrypted communications which do not follow standards such as TLS/SSL may detect the usage of custom cryptographic protocols Network logs can be used to detect anom- alous network traffic using protocols such as DNS in previously unseen ways Network logs can be used to detect anom- alous network traffic, e.g., from previously unseen applications Monitoring for the creation of phishing domains Monitoring for the creation of phishing domains