CISA Issues New Guidance to Help Admins Map Threat Actor Moves Based on MITRE ATT&CK Framework

The Cybersecurity & Infrastructure Security Agency (CISA) has released a set of best practices for mapping threat actor moves based on the MITRE ATT&CK framework. The objective is to encourage a common language in threat actor analysis, showing system administrators how to map adversary behavior through instructions and examples.

CISA created the guide in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned R&D center operated by MITRE.

The 20-page analysis contains a set of mappings to develop adversary profiles, analyze trends and detect, respond to and mitigate threats.

“An increase in the number of organizations integrating the ATT&CK framework in their analysis will have a positive impact on the efficiency and efficacy of information sharing within the community,” CISA notes.

Serving as a lens through which IT staff can identify and analyze adversary behavior, ATT&CK provides details on over 100 known threat actor groups and the techniques and malware they use to conduct their campaigns. The framework can be used to “identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls,” CISA explains.

The document outlines the levels at which adversary behavior is described, referred to in the infosec industry as TTPs (Tactics, Techniques and Procedures), and encourages analysts to use the interactive ATT&CK Navigator tool to highlight specific tactics and techniques and gain a visual perspective of the adversary’s moves.

Using the resource, analysts can even map raw data that may contain artifacts of adversarial behaviors, including shell commands, malware analysis results, artifacts retrieved from forensic disk images, packet captures, and Windows event logs.
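As an added example that is not part of the CISA guide or the ATT&CK project, the Python below maps constructed Windows Security process-creation events (Event ID 4688) to Enterprise ATT&CK technique IDs using analyst-written rules, then aggregates the hits into an ATT&CK Navigator layer that can be loaded to highlight the observed techniques. The sample events, the rule patterns and the Navigator version strings are assumptions; the technique IDs are real, and the layer fields follow the Navigator 4.x layer format as assumed here.

```python
import re
from collections import Counter

# Constructed sample Windows Security events (4688 = process creation), flattened one per line.
SAMPLE_EVENTS = [
    'EventID=4688 Host=WS01 User=alice CommandLine="cmd.exe /c whoami"',
    'EventID=4688 Host=WS01 User=alice CommandLine="powershell.exe -nop -w hidden -enc <base64 placeholder>"',
    'EventID=4688 Host=WS02 User=svc CommandLine="schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute"',
    'EventID=4688 Host=WS02 User=svc CommandLine="wmic process call create notepad.exe"',
    'EventID=4688 Host=WS03 User=bob CommandLine="notepad.exe report.txt"',
]

# Analyst mapping rules: command-line pattern -> (real ATT&CK technique ID, tactic); patterns are illustrative.
MAPPING_RULES = [
    (re.compile(r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I), "T1059.001", "execution"),
    (re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I), "T1053.005", "persistence"),
    (re.compile(r"\bwmic(\.exe)?\s+process\s+call\s+create\b", re.I), "T1047", "execution"),
    (re.compile(r"\bwhoami(\.exe)?\b", re.I), "T1033", "discovery"),
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_event(line):
    """Split a flattened event line into a field -> value dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def map_events(lines):
    """Return (technique_id, tactic, host, command_line) for every rule that fires on a 4688 event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":  # only process-creation events carry a command line here
            continue
        for rx, tid, tactic in MAPPING_RULES:
            if rx.search(ev.get("CommandLine", "")):
                hits.append((tid, tactic, ev.get("Host"), ev["CommandLine"]))
    return hits

def build_navigator_layer(hits, name="Mapped 4688 activity"):
    """Aggregate hits into an ATT&CK Navigator layer dict; score = hit count, comment = hosts seen."""
    counts, hosts = Counter(), {}
    for tid, tactic, host, _ in hits:
        counts[(tid, tactic)] += 1
        hosts.setdefault((tid, tactic), set()).add(host)
    techniques = [{"techniqueID": tid, "tactic": tactic, "score": n,
                   "comment": "hosts: " + ", ".join(sorted(hosts[(tid, tactic)]))}
                  for (tid, tactic), n in sorted(counts.items())]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques,
            "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"}}  # version strings assumed
```

Serialising the returned dict with `json.dumps` produces a file that Navigator's "Open Existing Layer" accepts; unmatched events such as the notepad launch simply contribute no technique.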

A generous portion of the write-up is dedicated to Trickbot, the infamous Trojan-turned-Swiss-army-knife malware that threat actors use to conduct a myriad of illicit cyber activities.

Finally, the document includes a hefty list of mitigations that network defenders can use to strengthen the security posture of their organizations’ systems.

CISA’s alert on Technical Approaches to Uncovering and Remediating Malicious Activity offers extra information on addressing potential incidents and applying best practice incident response procedures.