Development and operations a practical guide
Joe Vest, James Tubberville: Red Team Development and Operations
Capabilities
Capabilities are simply a threat's ability to perform actions given its current funding, technical knowledge and skill, and target knowledge. A common issue observed across many industries is the underestimation of a threat's capability. It is essential to note that the information, tools, scripts, designs, training, etc. available to most information technology and security professionals are also available to the threat.
TTPs
TTPs are the "how" in threat operations. TTPs are dependent upon the threat's intent and capabilities. Understanding threat TTPs is extremely useful to both the Red and the Blue Team, as the use and understanding of TTPs is one of the most effective ways to classify and characterize threats by their actions.
Consider these questions when planning threat TTPs (don't forget to consider the red team's ability to implement them):
- What is the threat's preferred method of gaining initial access? Web misconfigurations? Known vulnerabilities? Phishing?
- Are there trends in the Indicators of Compromise (IOCs)? Things such as file locations, filenames, system calls, anomalous traffic, etc.
- How does the threat perform operations and maintenance against a target? Memory resident? Binaries? Python? WMI? PowerShell? VBS?
- How does the Command and Control (C2) operate? Using what protocols?
- Is persistence established? What are the threat's preferred methods?
- Does the threat have a standard or common motive and intent?
A Red Team's analysis of a threat's intent, capabilities, and TTPs provides the information required to create the threat profile. This profile enables the threat characterization used for targeted reviews, assessments, training, and exercises.


Threat Profile
Planning is vital to emulate a threat or their TTPs. Without a plan, modeling a sophisticated actor can become extremely difficult, time-consuming, and costly. Too often, Red Teams attempt to emulate a highly advanced actor, such as "APT group X" or a "nation state", with little to no time or budget.
Sophisticated actors have the time, money, and resources to build and develop custom tools, exploits, or techniques. This may seem obvious, but it is important to remember that a Red Team charged with emulating a specific actor is not that actor. The team may not have the time or budget needed to emulate a threat perfectly. However, a threat can be emulated just enough to stay within a reasonable budget and within the time and effort needed to model the threat's core components.
The Red Team should be helping personnel understand how a specific threat impacts their organization. To facilitate this, a threat profile is used to establish the rules for how a Red Team will act and operate. These rules serve as a roadmap for a Red Team by guiding how and what type of actions should be performed. Even during an in-depth Red Team engagement, a threat profile should be created to describe the threat and their TTPs.
We've discussed TTPs, but until this point we haven't provided a means to use them to support an engagement. Let's start by explaining TTPs through the MITRE ATT&CK framework. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber threat behavior, reflecting the various phases of a threat's lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known threat behavior, for planning security improvements, and for verifying that defenses work as expected.
ATT&CK is split into Tactics, Techniques, and Procedures. Tactics are the tactical goals a threat may use during an operation. Techniques describe the actions threats take to achieve their objectives.
Procedures are the technical steps required to perform an action. This framework provides a classification of all threat actions regardless of the underlying vulnerabilities.
Red teams can emulate realistic TTPs through research and experience, but much of this information has already been compiled in ATT&CK. ATT&CK can be thought of as a menu of TTPs. Red teams can use it to ensure they have a valid threat profile with a comprehensive set of threat TTPs, and blue teams can use it to build a scorecard of how well they can defend against the various TTPs.
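The two uses of ATT&CK described above (the red team checking that a threat profile covers the tactics it needs, the blue team scoring its coverage of that profile's TTPs) can be carried out over a small data structure. The following is an added example and not code from the book or from MITRE; the threat profile, the list of required tactics and the coverage map are constructed for illustration, and the technique IDs are quoted from memory of the ATT&CK Enterprise matrix, so treat them as assumptions to be checked against the current matrix before use.

```python
"""Threat-profile completeness check and blue-team coverage scorecard.

The profile groups a threat's TTPs by ATT&CK tactic; the coverage map records
what the blue team believes it can do about each technique. Both are
constructed sample data for this example.
"""

# Constructed threat profile: tactic -> {technique_id: technique name}.
# Technique IDs are assumed from the ATT&CK Enterprise matrix (verify them).
THREAT_PROFILE = {
    "Initial Access": {
        "T1566": "Phishing",
        "T1190": "Exploit Public-Facing Application",
    },
    "Execution": {
        "T1059.001": "PowerShell",
        "T1047": "Windows Management Instrumentation",
        "T1059.005": "Visual Basic",
    },
    "Persistence": {
        "T1053.005": "Scheduled Task",
    },
    "Command and Control": {
        "T1071.001": "Web Protocols",
    },
}

# Constructed list of tactics the engagement plan says the profile must address.
REQUIRED_TACTICS = [
    "Initial Access",
    "Execution",
    "Persistence",
    "Privilege Escalation",
    "Defense Evasion",
    "Command and Control",
]

# Constructed blue-team coverage: technique_id -> "prevent", "detect" or "none".
# A technique missing from the map is treated as "none" (no known control).
COVERAGE = {
    "T1566": "detect",
    "T1190": "prevent",
    "T1059.001": "detect",
    "T1047": "none",
    "T1059.005": "none",
    "T1053.005": "detect",
}

VALID_STATUSES = {"prevent", "detect", "none"}


def missing_tactics(profile, required):
    """Red-team check: required tactics that the profile has no TTP for."""
    return [t for t in required if not profile.get(t)]


def scorecard(profile, coverage):
    """Blue-team scorecard: per-tactic fraction of profile TTPs that are
    prevented or detected, plus the list of uncovered (tactic, id, name)."""
    per_tactic = {}
    gaps = []
    for tactic, techniques in profile.items():
        covered = 0
        for tid, name in techniques.items():
            status = coverage.get(tid, "none")
            if status not in VALID_STATUSES:
                raise ValueError(f"unknown coverage status {status!r} for {tid}")
            if status == "none":
                gaps.append((tactic, tid, name))
            else:
                covered += 1
        per_tactic[tactic] = covered / len(techniques)
    return per_tactic, gaps


def report(profile, required, coverage):
    """Render both checks as plain text lines for an engagement write-up."""
    lines = []
    for tactic in missing_tactics(profile, required):
        lines.append(f"PROFILE GAP: no TTP selected for tactic '{tactic}'")
    per_tactic, gaps = scorecard(profile, coverage)
    for tactic, frac in per_tactic.items():
        lines.append(f"{tactic}: {frac:.0%} of profile TTPs covered")
    for tactic, tid, name in gaps:
        lines.append(f"DEFENSE GAP: {tactic} / {tid} {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(THREAT_PROFILE, REQUIRED_TACTICS, COVERAGE)))
```

The completeness check flags tactics the red team has left out of the profile before the engagement starts, while the scorecard gives the blue team a per-tactic number and an explicit gap list rather than a single overall score, which is what drives targeted detection work.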