17 ATT&CK Threats: Network Pentest Approach


The MITRE ATT&CK matrix is one effective framework for understanding and addressing the threats organisations face. In this post we'll walk through 17 techniques from the matrix and look at how a network pentest can help prevent and mitigate them.

Personally, I think the best examples of the ATT&CK framework can be found on hybrid-analysis.com. Simply go on there and start poking around at different malware strains and you'll see what I mean. And now that I'm typing this, it serves as an almost painful reminder of when I discovered a malware strain before the SolarWinds USG breach. I was a contractor at the time and didn't have any connection to them whatsoever, and I simply figured that hey, it must be contained already. Turned out I was about 3-5 weeks ahead of them when the breach was finally announced on the news.

Technique ID | Technique Name                           | Tactics           | Platform | ATT&CK Link
T1234        | Create or Modify System Process          | Persistence       | Windows  | Link
T5678        | Spearphishing Attachment                 | Initial Access    | Windows  | Link
T9012        | Credential Dumping                       | Credential Access | Windows  | Link
T3456        | Defense Evasion: Disable Security Tools  | Defense Evasion   | Windows  | Link
T7890        | Scheduled Task                           | Execution         | Windows  | Link
T2345        | DLL Side-Loading                         | Execution         | Windows  | Link
T6789        | Process Injection                        | Execution         | Windows  | Link
T1235        | Data Obfuscation                         | Defense Evasion   | Windows  | Link
T4321        | PowerShell                               | Execution         | Windows  | Link
T5678        | Phishing                                 | Initial Access    | Windows  | Link
T9012        | Credential Access: Credential Dumping    | Credential Access | Windows  | Link
T3456        | Defense Evasion: Code Signing            | Defense Evasion   | Windows  | Link
T7890        | Windows Registry                         | Persistence       | Windows  | Link
T2345        | Malicious File                           | Execution         | Windows  | Link
T6789        | Exploitation of Remote Services          | Execution         | Windows  | Link
T1235        | Data Encrypted for Impact                | Impact            | Windows  | Link
T4321        | Kerberoasting                            | Credential Access | Windows  | Link

Adversarial Tactics and Techniques

  1. Create or Modify System Process (T1234)
  • Description: Adversaries establish persistence by creating or modifying system processes.
  • Tactics: Persistence
  • Platform: Windows
  • ATT&CK Link: Link
  2. Spearphishing Attachment (T5678)
  • Description: Adversaries use spearphishing attachments to deliver malicious payloads.
  • Tactics: Initial Access
  • Platform: Windows
  • ATT&CK Link: Link
  3. Credential Dumping (T9012)
  • Description: Adversaries attempt to dump credentials from the operating system.
  • Tactics: Credential Access
  • Platform: Windows
  • ATT&CK Link: Link
  4. Defense Evasion: Disable Security Tools (T3456)
  • Description: Adversaries disable security tools to avoid detection.
  • Tactics: Defense Evasion
  • Platform: Windows
  • ATT&CK Link: Link
  5. Scheduled Task (T7890)
  • Description: Adversaries abuse the Windows Task Scheduler to execute malicious actions.
  • Tactics: Execution
  • Platform: Windows
  • ATT&CK Link: Link
  6. DLL Side-Loading (T2345)
  • Description: Adversaries use DLL side-loading to execute malicious payloads.
  • Tactics: Execution
  • Platform: Windows
  • ATT&CK Link: Link
  7. Process Injection (T6789)
  • Description: Adversaries inject malicious code into running processes.
  • Tactics: Execution
  • Platform: Windows
  • ATT&CK Link: Link
  8. Data Obfuscation (T1235)
  • Description: Adversaries obfuscate data to avoid detection.
  • Tactics: Defense Evasion
  • Platform: Windows
  • ATT&CK Link: Link
  9. PowerShell (T4321)
  • Description: Adversaries use PowerShell to execute malicious commands.
  • Tactics: Execution
  • Platform: Windows
  • ATT&CK Link: Link
  10. Phishing (T5678)
  • Description: Adversaries use phishing techniques to trick users into performing actions.
  • Tactics: Initial Access
  • Platform: Windows
  • ATT&CK Link: Link
  11. Credential Access: Credential Dumping (T9012)
  • Description: Adversaries dump credentials to gain unauthorized access.
  • Tactics: Credential Access
  • Platform: Windows
  • ATT&CK Link: Link
  12. Defense Evasion: Code Signing (T3456)
  • Description: Adversaries use code signing to evade detection.
  • Tactics: Defense Evasion
  • Platform: Windows
  • ATT&CK Link: Link
  13. Windows Registry (T7890)
  • Description: Adversaries abuse the Windows Registry for various purposes.
  • Tactics: Persistence
  • Platform: Windows
  • ATT&CK Link: Link
  14. Malicious File (T2345)
  • Description: Adversaries use malicious files to execute code on a target system.
  • Tactics: Execution
  • Platform: Windows
  • ATT&CK Link: Link
  15. Exploitation of Remote Services (T6789)
  • Description: Adversaries exploit vulnerabilities in remote services.
  • Tactics: Execution
  • Platform: Windows
  • ATT&CK Link: Link
  16. Data Encrypted for Impact (T1235)
  • Description: Adversaries encrypt data for impact, causing disruption.
  • Tactics: Impact
  • Platform: Windows
  • ATT&CK Link: Link
  17. Kerberoasting (T4321)
  • Description: Adversaries attempt to crack Kerberos tickets to gain unauthorized access.
  • Tactics: Credential Access
  • Platform: Windows
  • ATT&CK Link: Link

Preventing Threats with Network Pentests

Network pentests play a pivotal role in fortifying an organization's security posture against the adversarial tactics listed above. Here are 12 instances where a network pentest can prove instrumental:

  1. Identifying Vulnerabilities:
  • A network pentest involves actively probing and assessing network components, identifying vulnerabilities that adversaries might exploit.
  2. Testing Phishing Resilience:
  • Simulating phishing attacks during a network pentest evaluates an organization's resilience to social engineering threats, akin to the "Phishing" technique.
  3. Credential Hygiene Assessment:
  • Network pentests often include password cracking attempts and credential hygiene assessments, mirroring activities associated with "Credential Dumping."
  4. Analyzing Defense Evasion Mechanisms:
  • Evaluating the effectiveness of defense evasion mechanisms, such as code signing and disabling security tools, is a core aspect of network pentesting.
  5. Verifying Patch Management:
  • Pentesters assess the organization's ability to apply patches promptly, preventing exploitation of vulnerabilities associated with techniques like "Exploitation of Remote Services."
  6. Assessing PowerShell Security:
  • Pentests can evaluate PowerShell security policies and configurations, mitigating risks associated with the "PowerShell" technique.
  7. Evaluating File Execution Controls:
  • Assessing file execution controls during a network pentest addresses risks linked to malicious file execution (technique "Malicious File").
  8. Reviewing Registry Security:
  • Assessing the security of Windows Registry settings helps prevent abuses akin to the "Windows Registry" technique.
  9. Testing Endpoint Security:
  • Network pentests simulate process injection attempts, verifying the effectiveness of endpoint security controls.
  10. Encrypting Data for Impact Assessment:
  • Assessing an organization's readiness to handle data encryption for impact, similar to technique "Data Encrypted for Impact," is a critical aspect of a network pentest.
  11. Kerberos Security Assessment:
  • Network pentests include Kerberos security assessments, mitigating risks associated with "Kerberoasting."
  12. Providing Insights into Mitigation Strategies:
  • Network pentests offer insights into effective mitigation strategies, helping organizations bolster their security against a broad spectrum of adversarial tactics.
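A pentest is only half the loop; the other half is checking that the blue team's telemetry actually surfaces the techniques listed above when the testers run them. The following is an added example (not code from the original post) that maps a handful of constructed Windows event records onto three of the techniques named in the technique list and in the pentest items above: "Kerberoasting", "Scheduled Task" and "Defense Evasion: Disable Security Tools". The event IDs are real Windows IDs (Security 4769 and 4698, Microsoft Defender Antivirus 5001); the sample records, field names such as TaskCommand, and the user-writable path list are constructed for the example and would need to be adapted to whatever your SIEM emits.

```python
"""Map constructed Windows Security / Defender event records onto ATT&CK
technique names used in this post. Added example, not from the post."""
from collections import Counter

# Real Windows event IDs used below:
#   4769  Security: A Kerberos service ticket was requested
#   4698  Security: A scheduled task was created
#   5001  Microsoft Defender Antivirus: real-time protection is disabled
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in a 4769 event

# Constructed list of user-writable locations a scheduled task should not run from.
SUSPICIOUS_TASK_PATHS = ("\\appdata\\", "\\temp\\", "\\public\\")


def rule_kerberoasting(ev):
    """Flag 4769 requests for RC4 tickets to a non-machine, non-krbtgt SPN.
    Domains default to AES, so an RC4 request for a service account is the
    classic Kerberoasting indicator (and a finding for the pentest report)."""
    if ev.get("EventID") != 4769:
        return None
    svc = ev.get("ServiceName", "")
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return None
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return None
    return "Kerberoasting"


def rule_scheduled_task(ev):
    """Flag task creation whose action lives in a user-writable directory."""
    if ev.get("EventID") != 4698:
        return None
    cmd = ev.get("TaskCommand", "").lower()
    if any(p in cmd for p in SUSPICIOUS_TASK_PATHS):
        return "Scheduled Task"
    return None


def rule_security_tool_disabled(ev):
    """Flag Defender reporting that real-time protection was turned off."""
    if ev.get("Provider") == "Microsoft-Windows-Windows Defender" and ev.get("EventID") == 5001:
        return "Defense Evasion: Disable Security Tools"
    return None


RULES = (rule_kerberoasting, rule_scheduled_task, rule_security_tool_disabled)


def classify(events):
    """Return (technique_name, event) pairs for every rule hit, in input order."""
    hits = []
    for ev in events:
        for rule in RULES:
            technique = rule(ev)
            if technique:
                hits.append((technique, ev))
    return hits


def summarize(events):
    """Count hits per technique name; handy for a coverage table after a test."""
    return Counter(t for t, _ in classify(events))


# Constructed sample records (not real telemetry); a SIEM would supply these.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4769,
     "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4769,
     "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4769,
     "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4698,
     "SubjectUserName": "jdoe", "TaskName": "\\Updater",
     "TaskCommand": "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4698,
     "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Backup",
     "TaskCommand": "C:\\Windows\\System32\\wbadmin.exe"},
    {"Provider": "Microsoft-Windows-Windows Defender", "EventID": 5001,
     "Computer": "WS01"},
]

if __name__ == "__main__":
    for technique, ev in classify(SAMPLE_EVENTS):
        print(f"{technique}: EventID {ev['EventID']} {ev}")
    print(dict(summarize(SAMPLE_EVENTS)))
```

Run against the constructed sample, the RC4 request for svc_sql, the AppData task and the Defender 5001 event are flagged, while the machine-account and krbtgt tickets and the System32 backup task are not. If a pentest exercises Kerberoasting or task persistence and these rules stay silent, the gap is in logging (the 4769/4698 audit subcategories not enabled, Defender operational log not forwarded) rather than in the pentest, which is exactly the kind of mitigation insight item 12 above refers to.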

Conclusion

In conclusion, understanding and countering cyber threats demand a multifaceted approach. The MITRE ATT&CK matrix provides a comprehensive framework for comprehending adversarial tactics. Leveraging network pentests is a crucial strategy in mitigating these threats, providing organizations with actionable insights to enhance their security posture. By proactively identifying vulnerabilities and testing defenses, network pentests play a pivotal role in ensuring robust cybersecurity measures.