Application of the MITRE ATT&CK Framework
Offered By: Cybrary
Course Description
Overview
In this course we move through the 14 tactics of the MITRE ATT&CK Framework and discuss how security professionals should use the matrix to overlay their existing solutions and controls on the techniques adversaries are actually using, so that coverage gaps become visible.
The MITRE ATT&CK Framework is a globally accessible knowledge base of adversary tactics and techniques drawn from real-world observations. Using it, a security consultant or blue team member can formulate a strategy for reducing risk in both the public and private sectors.
Since attack methods change regularly, this course focuses on examples of several techniques within each tactic and the mitigations that apply to them. The same principles can then be applied across the entire framework, whether you are adding a security solution to your current stack or researching known attack vectors for academic purposes.
Prerequisites
- Basic cyber defense technical terminology understanding
- Basic terminology in association with controls
- Basic terminology in association with risk reduction
Course Goals
By the end of the course, students should be able to understand how to defend against the adversarial tactics of:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
What is the MITRE ATT&CK Framework?
MITRE ATT&CK was created as a model for documenting and tracking the techniques attackers use during the phases of an intrusion: breaking into an organization’s network, gaining a foothold, and ultimately obtaining sensitive data or otherwise achieving their objective.
ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. Essentially, the framework is a matrix of techniques sorted by the tactic (the adversary’s goal) each one serves. There are separate matrices for Enterprise (with platform views for Windows, macOS, Linux, cloud, network devices and containers), Mobile, and ICS. The framework is used by red teamers, threat hunters, and defenders alike to classify attacks and assess a company’s risk.
MITRE began developing ATT&CK in 2013 and released it publicly in 2015; it has since become one of the most respected and widely used resources in cybersecurity, and every security professional should be familiar with it.
What is Involved in the MITRE ATT&CK Training?
In this Application of the MITRE ATT&CK Framework course, students will learn how to use the framework to reduce security risk to their organizations. The course breaks down several types of attacks and the methods and tactics for mitigating those threats. The current Enterprise ATT&CK matrix includes 14 tactics (Reconnaissance and Resource Development were added in October 2020), each with numerous techniques; the course modules walk through the 12 from Initial Access to Impact.
On completing this course, students will understand the primary initial access vectors in ATT&CK, including:
- Spear Phishing Link
- Drive-by Compromise
- Supply Chain Compromise
- Trusted Relationship
Students who enroll in this MITRE ATT&CK training should have an understanding of basic technical terminology, basic terminology in association with controls, and basic terminology in association with risk reduction. There are no other requirements for this beginner level course.
In this course, students will earn 10 CEU/CPE and will receive a MITRE ATT&CK Certificate of Completion when finished with the class.
How is the MITRE ATT&CK Framework Used?
The MITRE ATT&CK framework, a staple of the security community, works by organizing the steps that cyber attackers take to infiltrate networks, compromise hosts, escalate privileges, move without detection, and ultimately obtain important data. With that shared structure, security teams can test, develop, and prioritize their detection and response capabilities against the techniques most relevant to their organization’s business, industry, and intellectual property.
Why Is Understanding the MITRE ATT&CK Framework Important in IT?
MITRE ATT&CK has been around for a number of years, but only fairly recently has it become a universal tool. It matters in the IT industry because it is very effective at helping organizations, government agencies, and end users share cyberthreat intelligence. There are other means of sharing such intelligence, of course; what sets ATT&CK apart is that it uses a common, standardized vocabulary that is accessible worldwide.
Another benefit of the ATT&CK framework is that it lets analysts and defenders work from the same information to compare and contrast different threat groups. Analysts structure intelligence by adversary behavior, and defenders map their detections and controls to those same behaviors. Together they are able to detect and mitigate threats.
Additionally, users come to understand adversaries and how they operate on a deeper level: the steps they take to infiltrate networks and reach the data they are after. Defenders therefore cannot focus only on defensive measures; they also need a good understanding of how the offense works, which lets cybersecurity professionals better defend their networks and systems.
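The overlay described above (mapping an organization’s detections onto the techniques a threat group uses, then prioritizing the gaps) is what tools such as ATT&CK Navigator do visually. The following is an added example of that logic in Python, not course material and not MITRE’s own code. The technique and tactic identifiers are real Enterprise ATT&CK IDs, but the threat-group profile and the detection inventory are constructed for illustration and describe no real group or product; the layer dict at the end uses only a minimal subset of the Navigator layer fields.

```python
"""Overlay an organisation's detections on ATT&CK techniques and report gaps.

Added example, not course material: the technique and tactic IDs are real
Enterprise ATT&CK identifiers, but GROUP_PROFILE and DETECTIONS are
constructed for illustration and describe no real group or product."""
from collections import defaultdict

# Enterprise ATT&CK tactics in kill-chain order (the 14 named in the course goals).
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# A slice of the Enterprise matrix: technique ID -> (name, tactics it serves).
TECHNIQUES = {
    "T1566.002": ("Spearphishing Link", ["initial-access"]),
    "T1189":     ("Drive-by Compromise", ["initial-access"]),
    "T1195":     ("Supply Chain Compromise", ["initial-access"]),
    "T1199":     ("Trusted Relationship", ["initial-access"]),
    "T1078":     ("Valid Accounts", ["initial-access", "persistence",
                                     "privilege-escalation", "defense-evasion"]),
    "T1059.001": ("PowerShell", ["execution"]),
    "T1053":     ("Scheduled Task/Job", ["execution", "persistence",
                                         "privilege-escalation"]),
    "T1003":     ("OS Credential Dumping", ["credential-access"]),
    "T1110":     ("Brute Force", ["credential-access"]),
    "T1055.012": ("Process Hollowing", ["defense-evasion", "privilege-escalation"]),
    "T1087":     ("Account Discovery", ["discovery"]),
    "T1021":     ("Remote Services", ["lateral-movement"]),
    "T1041":     ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486":     ("Data Encrypted for Impact", ["impact"]),
}

# Constructed adversary profile: techniques an intel report attributes to a group.
GROUP_PROFILE = {"T1566.002", "T1078", "T1059.001", "T1053", "T1003",
                 "T1055.012", "T1087", "T1021", "T1041", "T1486"}

# Constructed detection inventory: rule name -> technique IDs it is mapped to.
DETECTIONS = {
    "EDR: encoded PowerShell command line":      {"T1059.001"},
    "SIEM: new scheduled task registered":       {"T1053"},
    "EDR: LSASS process memory read":            {"T1003"},
    "EDR: process injection / hollowing":        {"T1055"},
    "Mail gateway: URL rewrite and detonation":  {"T1566.002"},
    "SIEM: password spray (many users, one IP)": {"T1110"},
}


def covered_techniques(detections):
    """Every technique in TECHNIQUES that at least one rule covers. A rule mapped
    to a parent technique (T1055) is taken to cover its sub-techniques (T1055.012)."""
    mapped = set().union(*detections.values()) if detections else set()
    return {tid for tid in TECHNIQUES
            if tid in mapped or tid.split(".")[0] in mapped}


def coverage_by_tactic(profile, detections):
    """For each tactic the adversary uses: (covered techniques, total techniques)."""
    covered = covered_techniques(detections)
    tally = defaultdict(lambda: [0, 0])
    for tid in profile:
        for tactic in TECHNIQUES[tid][1]:
            tally[tactic][1] += 1
            tally[tactic][0] += tid in covered
    return {t: tuple(tally[t]) for t in TACTICS if t in tally}


def prioritized_gaps(profile, detections):
    """Profile techniques with no detection, ordered for remediation: techniques
    serving several tactics first (closing one closes several doors), then by
    kill-chain position so earlier-stage gaps come before later-stage ones."""
    covered = covered_techniques(detections)
    return sorted((tid for tid in profile if tid not in covered),
                  key=lambda t: (-len(TECHNIQUES[t][1]),
                                 TACTICS.index(TECHNIQUES[t][1][0]), t))


def navigator_layer(profile, detections, name="coverage vs constructed group"):
    """Minimal ATT&CK Navigator layer dict. Score 2: in profile and detected;
    1: in profile but undetected (a gap); 0: detected but not in this profile."""
    covered = covered_techniques(detections)
    entries = []
    for tid in sorted(TECHNIQUES):
        if tid in profile or tid in covered:
            score = 2 if (tid in profile and tid in covered) else int(tid in profile)
            entries.append({"techniqueID": tid, "score": score})
    return {"name": name, "domain": "enterprise-attack", "techniques": entries}


if __name__ == "__main__":
    for tactic, (done, total) in coverage_by_tactic(GROUP_PROFILE, DETECTIONS).items():
        print(f"{tactic:<22} {done}/{total}")
    for tid in prioritized_gaps(GROUP_PROFILE, DETECTIONS):
        print("GAP", tid, TECHNIQUES[tid][0])
```

Two design points matter in practice. First, a detection mapped to a parent technique is credited for its sub-techniques; that is usually right for behavioural rules (a generic injection detector does catch hollowing) but over-generous for narrow ones, so audit those mappings. Second, the ordering puts Valid Accounts at the top of the gap list because it serves four tactics; a single control there (for example MFA and anomalous-logon detection) removes more of the adversary’s options than a control on any single-tactic technique. Serialize the returned layer dict as JSON to load it into Navigator.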
What Is the Best Way to Learn about MITRE ATT&CK Framework?
The MITRE ATT&CK framework is an important and widely used tool for cybersecurity professionals. It’s a means for sharing intelligence with the goal of reducing the risk of cyberattacks for organizations. Learning about the ATT&CK framework is essential for IT and cybersecurity professionals to stay up to date in their industry and ahead of the bad guys.
It’s best to learn about MITRE ATT&CK from experts who use it, like Cybrary’s instructors. All of the courses in our extensive library are self-paced, making them convenient for all students. If you’re interested in learning more about the MITRE ATT&CK framework, enrolling in our Application of the MITRE ATT&CK Framework training is a great place to start.
Syllabus
- Course Introduction
- Course Overview
- What is the MITRE ATT&CK Framework?
- Where is the MITRE ATT&CK Framework Being Used?
- Navigation and Review
- Initial Access
- What is Initial Access?
- External Remote Services
- Spearphishing Link
- Supply Chain Compromise Part 1
- Supply Chain Compromise Part 2
- Trusted Relationship
- Valid Accounts Part 1
- Valid Accounts Part 2
- Initial Access Case Study
- Module 2 Summary
- Execution
- What is Execution?
- Command-Line Interface
- Execution Through API
- Control Panel Items
- PowerShell
- Scripting
- User Execution
- Execution Case Study
- Module 3 Summary
- Persistence
- What is Persistence?
- Accessibility Features
- Bootkit
- Browser Extension
- Component Firmware
- Create Account
- Hooking
- New Service
- Persistence Case Study
- Module 4 Summary
- Privilege Escalation
- What is Privilege Escalation?
- Access Token Manipulation
- Elevated Execution with Prompt
- Exploitation for Privilege Escalation
- File System Permissions Weakness
- Scheduled Task
- Sudo
- Web Shell
- Privilege Escalation Case Study
- Module 5 Summary
- Defense Evasion
- What is Defense Evasion?
- Clear Command History
- Compile After Delivery
- Disabling Security Tools
- Hidden Files and Directories
- Hidden Users
- Process Hollowing
- Software Packing
- Defense Evasion Case Study
- Module 6 Summary
- Credential Access
- What is Credential Access?
- Bash History
- Brute Force
- Credential Dumping
- Steal Web Session Cookie
- Credential Access Case Study
- Module 7 Summary
- Discovery
- What is Discovery?
- Account Discovery
- Browser Bookmark Discovery
- System Owner/User Discovery
- Discovery Case Study
- Module 8 Summary
- Lateral Movement
- What is Lateral Movement?
- Application Deployment Software
- Exploitation of Remote Services
- SSH Hijacking
- Lateral Movement Case Study
- Module 9 Summary
- Collection
- What is Collection?
- Audio Capture
- Clipboard Data
- Data from Local System
- Collection Case Study
- Module 10 Summary
- Command and Control
- What is Command and Control?
- Commonly Used Port
- Custom Command and Control Protocol
- Uncommonly Used Port
- Command and Control Case Study
- Module 11 Summary
- Exfiltration
- What is Exfiltration?
- Automated Exfiltration
- Data Compressed
- Data Transfer Size Limits
- Exfiltration Case Study
- Module 12 Summary
- Impact
- What is Impact?
- Account Access Removal
- Defacement
- Impact Case Study
- Module 13 Summary
- Conclusion
- Course Summary
Taught by
Robert Smith
Related Courses
- Security Principles ((ISC)² via Coursera)
- A Strategic Approach to Cybersecurity (University of Maryland, College Park via Coursera)
- FinTech for Finance and Business Leaders (ACCA via edX)
- Access Control Concepts ((ISC)² via Coursera)
- Access Controls ((ISC)² via Coursera)