1.8 - Tactics of the MITRE ATT&CK framework Flashcards
The MITRE ATT&CK™ framework is?
The MITRE ATT&CK™ framework is a comprehensive matrix of adversary tactics and techniques designed for threat hunters, defenders, and red teams. Tactics describe the adversary's objective at each stage of an intrusion (for example initial access, persistence, or exfiltration); techniques describe how that objective is achieved. The framework helps classify attacks, support attribution, identify attacker objectives, and assess an organization's risk. Organizations can use it to identify gaps in detection and prevention coverage and to prioritize mitigations based on risk.
How does MITRE categorize vendor detections during an evaluation?
For proof of detection in each category, MITRE requires that the proof be provided to it, but it may not include all detection details in public results, particularly when those details are sensitive.
To determine the appropriate category for a detection, MITRE reviews the screenshot(s) provided, notes taken during the evaluation, results of follow-up questions to the vendor, and vendor feedback on draft results.
MITRE also independently tests procedures in a separate lab environment and reviews open-source tool detections and forensic artifacts. This testing informs what is considered a detection for each technique. After performing detection categorizations, MITRE calibrates the categories across all vendors to look for discrepancies and ensure categories are applied consistently.
An indicator of compromise (IoC)
An indicator of compromise (IoC) is a network or operating system (OS) artifact that provides a high level of confidence that a computer security incident has occurred.
In many cases these are brittle and easy for adversaries to bypass by modifying malware or infrastructure. Indicators like file hashes, IP addresses, and domain names have become the focal point for many network defenders, yet each of these is trivial for an adversary to change in order to avoid detection (recompiling or padding a binary changes its hash; a new VPS or domain replaces a blocked address). In addition, the defending organization needs access to relevant and up-to-date indicators through a threat indicator sharing program or commercial data feed, and even that may not ensure that defenders keep pace with adversary changes. This is why ATT&CK focuses on behaviors (techniques) rather than on atomic indicators.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a system for referencing publicly known vulnerabilities by identifiers. The goal of the system is to make it easier to share vulnerability data across stakeholders, including software vendors, tool vendors, security practitioners, and end users.
How would you evaluate the extent and severity of each CVE?
To evaluate the extent and severity of each CVE across your endpoints, you can drill down into each CVE in Cortex XDR and view all the endpoints and applications in your environment impacted by the CVE. Cortex XDR retrieves the latest information from the public NIST vulnerability database (NVD). From Add-ons > Host Insights > Vulnerability Assessment, select CVEs on the upper-right bar.
For each vulnerability, Cortex XDR displays the following default and optional values:
Affected endpoints
Applications
CVE
Excluded
Platforms
Severity
Severity score
CVE excluded
Indicates whether this CVE is excluded from all endpoint and application views and filters, and from all Host Insights widgets.
The CVE severity score
The CVE severity score is based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.
You can perform the following actions from Cortex XDR as you analyze the existing vulnerabilities:
● View CVE details—Left-click the CVE to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.
● View a complete list of all endpoints in your network impacted by a CVE—Right-click the CVE and then select View affected endpoints.
● Learn more about the applications in your network that are impacted by a CVE—Right-click the CVE and then select View applications.
● Exclude irrelevant CVEs from your endpoints and applications analysis—Right-click the CVE and then select Exclude. You can add a comment if needed, as well as Report CVE as incorrect for further analysis and investigation by Palo Alto Networks. The CVE is grayed out, labeled Excluded, and no longer appears on the Endpoints and Applications views in Vulnerability Assessment or in the Host Insights widgets. To restore the CVE, right-click the CVE and select Undo exclusion at any time.
The Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) offers a method for enumerating a vulnerability's key characteristics (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity, and availability impact) and generating a numerical base score from 0.0 to 10.0 that reflects the vulnerability's severity. To assist organizations in correctly evaluating and prioritizing their vulnerability management processes, the numerical score can then be converted into a qualitative rating; in CVSS v3.x the scale is None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). Note that a CVSS base score describes the vulnerability in isolation; it does not account for whether the affected component is exposed or exploited in your environment, which is why tools such as the Cortex XDR vulnerability views above pair the score with the list of affected endpoints and applications.