Defending modern systems requires us to think like an attacker, so we must understand how attackers break into our networks. Several vital frameworks have been developed to prevent such attacks, and we can make better decisions by analyzing strategies as in a game and applying the essential elements of information security.
Game theory (GT)
Game theory studies the optimal strategies for the various players in a game, and the 6 Ds of physical security describe the best response a defender can make in each situation:
Deter
Detect
Delay
Deny
Defend
Deceive
Security professionals leverage these principles when they have the home-field advantage in preventing physical threats. We will adapt these principles to prevent an attacker from reaching our facilities.
Source:
Fighting cyber-attacks With Game Theory | Threatpost
Manipulating attackers
Defenders have many tools at their disposal to manipulate attackers and hinder them. As a result, attackers become frustrated, unable to carry out their tasks, and ultimately ineffective. When an attacker tries many attacks in succession and wastes time, it is known as flailing; this keeps highlighting their presence and gives insight into their operating methodology. Some simple hardening tricks involve renaming or removing many of the standard utilities an attacker relies on. Suppose an attacker commonly executes commands through the terminal. In that case, we can inhibit them by renaming many of the tools (if we still need them for some other reason) or removing them altogether from production systems. On many production or single-use systems, a lot of the system tools required for general computing are simply unnecessary. Examples include:
whoami
Prints the logged-in user's local system user, group, and privilege information
ping
Sends Internet Control Message Protocol (ICMP) echo request packets to a TCP/IP host to verify that communication is working at the IP level
chattr
Changes the attributes of a file in a directory
gcc
Compiles source code into executable files
If an attacker could alter your environment, consider removing many standard utilities to reduce the general capabilities of any malicious actor that gains access to these systems. The defender may even remove the package manager.
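The audit step behind the advice above, as an added example that is not part of the original page: it checks which general-purpose utilities are present on a host and produces a dry-run rename/remove plan. The candidate list and the ".ops-only" rename suffix are assumptions; nothing is executed against the real system.

```python
"""Audit a host for general-purpose utilities that a single-purpose
production system may not need (added example; the tool list is illustrative)."""
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Optional

# Utilities named above plus a compiler alias and two package managers; adjust per role.
DEFAULT_CANDIDATES: List[str] = ["whoami", "ping", "chattr", "gcc", "cc", "apt", "yum"]


def find_present(candidates: List[str], path: Optional[str] = None) -> Dict[str, str]:
    """Return {tool: resolved path} for each candidate found on PATH (or on `path`)."""
    present: Dict[str, str] = {}
    for tool in candidates:
        resolved = shutil.which(tool, path=path)
        if resolved:
            present[tool] = resolved
    return present


def hardening_plan(present: Dict[str, str], keep: List[str]) -> List[str]:
    """Build a dry-run list of shell commands: rename tools operators still need
    under a non-default name, remove the rest. Nothing is executed here."""
    plan: List[str] = []
    for tool, resolved in sorted(present.items()):
        if tool in keep:
            plan.append(f"mv {resolved} {resolved}.ops-only")
        else:
            plan.append(f"rm -f {resolved}")
    return plan


def make_demo_bin() -> str:
    """Create a throwaway directory holding a fake executable named gcc,
    so the audit can be exercised without touching the real system."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "gcc")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    return d


if __name__ == "__main__":
    found = find_present(DEFAULT_CANDIDATES)
    print("\n".join(hardening_plan(found, keep=["ping"])))
```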
Infection monkey
The Infection Monkey is an incredibly useful tool for cyber security professionals looking to test their data center or cloud security. It provides a comprehensive approach to Breach and Attack Simulation (BAS) testing, which can help identify weak points in your security posture and provide detailed reports with suggested remediation steps. With the increasing prevalence of cyber-attacks on educational institutions, having access to this type of software could prove invaluable in helping protect student data from malicious actors. The open-source nature of the Infection Monkey also makes it accessible to students who may not have access to more expensive commercial BAS tools.
Cyber Deception
Cybersecurity professionals use honeypots and honeytokens to detect, respond to, and prevent malicious activity. They allow organizations to monitor their networks for suspicious behavior without needing expensive hardware or software solutions. Honeypots act as decoys that can be set up in a network environment to lure attackers away from real systems. Honeytokens are artificial digital data items planted deliberately into a system or network environment to detect unauthorized access or malicious activity.
Fake accounts and credentials can also be created with honeypot technology to identify potential threats before they become an issue.
Honeynets are distributed collections of interconnected computer systems explicitly designed to detect cyber-attacks on large networks quickly and efficiently.
Creating fake vulnerable web, mail and Active Directory servers gives security personnel greater visibility into how hackers may exploit vulnerabilities within their infrastructure, while providing valuable insight into any attack vectors being used against them.
Using cyber-deception technologies such as those mentioned above provides companies with an effective method for identifying malicious actors attempting unauthorized access to their networks, without heavy investment in costly hardware solutions that can still fail against sophisticated attacks such as zero-day exploits. With proper implementation alongside other security measures, businesses have a better chance of protecting themselves from many types of cyber-attacks.
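The honeytoken idea in practice, as an added example (not code from the original page): one function mints a decoy credential that no real service ever uses, and a scanner raises an alert whenever a planted value shows up in a log line. The log format, host names, IP addresses and decoy values are constructed for the example.

```python
"""Plant honeytoken credentials and detect their use in logs
(added example; the log format, host names and decoy values are constructed)."""
import re
import secrets
from typing import Dict, List, Tuple

def make_honeytoken(label: str) -> Tuple[str, str]:
    """Return a decoy (username, password). The username looks like a service account;
    the password is random and never issued to any real service, so any sighting
    of either value is a high-confidence alert rather than a maybe."""
    return f"svc_{label}_{secrets.token_hex(2)}", secrets.token_urlsafe(18)

# Assumed log shape: "<timestamp> <host> <program> <free text>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) (?P<msg>.*)$")

def scan_log(lines: List[str], tokens: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one alert per (line, token) match. `tokens` maps each planted value
    to a note on where it was planted, so the responder knows what was touched."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the scanner
        for value, planted_in in tokens.items():
            if value in m.group("msg"):
                alerts.append({"ts": m.group("ts"), "host": m.group("host"),
                               "prog": m.group("prog"), "token": value,
                               "planted_in": planted_in})
    return alerts

# Constructed sample data, not from any real system.
SAMPLE_TOKENS = {
    "svc_backup_7f3a": "decoy credential in a backup config on web01",
    "finance_archive_2019": "decoy file share advertised on fs02",
}
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z web01 sshd Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:02:13Z web01 sshd Failed password for svc_backup_7f3a from 10.0.0.77",
    "2024-01-01T10:03:40Z fs02 smbd svc_backup_7f3a connected to share finance_archive_2019",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LINES, SAMPLE_TOKENS):
        print(f"ALERT {a['ts']} {a['host']}/{a['prog']}: {a['token']} ({a['planted_in']})")
```

The legitimate login for alice produces nothing, while the two lines touching the decoys produce three alerts (the share-access line mentions both planted values).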
The MITRE ATT&CK
MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior. It reflects the various phases of an adversary's attack lifecycle and the platforms they are known to target. The tactics and techniques abstraction in the model provides a common taxonomy of individual adversary actions understood by both the offensive and defensive sides of cybersecurity. It also provides an appropriate level of categorization for adversary actions and specific ways of defending against them. ATT&CK is divided into different matrices, namely:
Enterprise
Mobile
PRE-ATT&CK.
Each of these matrices contains various tactics and techniques associated with its theme.
For example, the Enterprise ATT&CK matrix v12 has 14 tactics. The main tactics used by adversaries are as follows:
Initial access
Gain initial access to a target system or network
Execution
Run malicious code on a target system
Persistence
Maintain a presence on a target system, even after an initial compromise
Privilege escalation
Gain additional privileges on a target system
Defense evasion
Avoid being detected or discovered by security tools
Credential access
Steal or obtain valid user credentials
Discovery
Gather information about a target system or network
Lateral movement
Move through a network and compromise other systems
Collection
Extract information from a target system or network
Command and control
Maintain communication with a compromised system and receive instructions from an attacker
Source:
MITRE ATT&CK®
Video:
MITRE ATT&CK® Framework
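A small coverage check against the tactics listed above, as an added example (not code from MITRE or the original page): each detection rule is tagged with the tactics it gives visibility into, and the script reports which tactics have no detection at all. The detection names and their tactic mappings are constructed assumptions, not a real ruleset.

```python
"""Coverage of the ATT&CK tactics listed above by a (constructed) detection set
(added example; the detection names and their tactic mappings are assumptions)."""
from typing import Dict, List

TACTICS: List[str] = [
    "Initial access", "Execution", "Persistence", "Privilege escalation",
    "Defense evasion", "Credential access", "Discovery", "Lateral movement",
    "Collection", "Command and control",
]

# Constructed detection rules: name -> tactics the rule gives visibility into.
DETECTIONS: Dict[str, List[str]] = {
    "honeytoken credential used": ["Credential access", "Lateral movement"],
    "new cron or systemd unit created": ["Persistence"],
    "shell spawned by office application": ["Execution"],
    "periodic beaconing to rare domain": ["Command and control"],
}

def coverage(detections: Dict[str, List[str]], tactics: List[str] = TACTICS) -> Dict[str, int]:
    """Count how many detections cover each tactic; reject names not in the taxonomy
    so a typo cannot silently create fake coverage."""
    counts = {t: 0 for t in tactics}
    for name, covered in detections.items():
        for t in covered:
            if t not in counts:
                raise ValueError(f"{name!r} references unknown tactic {t!r}")
            counts[t] += 1
    return counts

def gaps(detections: Dict[str, List[str]], tactics: List[str] = TACTICS) -> List[str]:
    """Tactics with no detection at all, in the order listed above."""
    return [t for t, n in coverage(detections, tactics).items() if n == 0]

def coverage_ratio(detections: Dict[str, List[str]], tactics: List[str] = TACTICS) -> float:
    """Fraction of tactics with at least one detection."""
    return 1 - len(gaps(detections, tactics)) / len(tactics)

if __name__ == "__main__":
    for tactic, n in coverage(DETECTIONS).items():
        print(f"{tactic:22} {'#' * n or '-'}")
    print("gaps:", ", ".join(gaps(DETECTIONS)))
```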
The MITRE D3FEND
For every offensive tactic, we should develop a defensive mitigation strategy; MITRE D3FEND is one such knowledge base. Because the known attack methods are mapped in MITRE ATT&CK, we can use that knowledge to create countermeasures for each of them.
Source:
MITRE D3FEND
Video:
Detect, Deny, and Disrupt with MITRE D3FEND
MITRE Cyber Analytics Repository (CAR)
CAR is a comprehensive collection of cyber analytics, tools, and information related to cybersecurity. It is maintained by the MITRE Corporation, a not-for-profit organization that operates research and development centers for the U.S. government.
CAR includes a wide range of resources, including data sets, tools, and documentation, all focused on improving the effectiveness of cybersecurity practices. It covers assorted topics, including network security, malware analysis, and incident response.
One of CAR’s key features is its emphasis on direct access and collaboration. Many of the resources in the repository are available to anyone, and users are encouraged to contribute their resources and knowledge to the collection. This collaborative approach helps to ensure that the repository remains up-to-date and relevant to the needs of the cybersecurity community.
Source:
MITRE Cyber Analytics Repository
Video:
MITRE ATT&CKcon 2.0: ATT&CK Updates – CAR and Analytics
Common Attack Pattern Enumeration and Classification
Understanding the adversary's operation is critical for effective cybersecurity. CAPEC™ provides a comprehensive dictionary of known attack patterns used by adversaries to exploit known vulnerabilities in cyber-enabled capabilities. Analysts, developers, testers, and educators can use it to advance community understanding and strengthen defenses.
Source:
CAPEC
The Common Vulnerabilities and Exposures (CVE) system
The CVE system is a standardized method for identifying and cataloging vulnerabilities in computer systems and software. It is an essential tool for organizations seeking to protect their systems and data from cyber-attacks.
It allows organizations to stay informed about the latest vulnerabilities that have been discovered. By regularly checking the CVE database, organizations can identify any vulnerabilities that affect their systems and take steps to patch or mitigate them before attackers can exploit them. This proactive approach helps prevent security breaches and protects against damage to an organization's reputation and bottom line.
The CVE system also serves as a central coordination point for developing patches and updates. When a new vulnerability is discovered, the organization responsible for the affected software or system can use the CVE system to alert other users and coordinate the development and distribution of a patch. This helps to ensure that vulnerabilities are addressed promptly and in a coordinated way, further protecting the organization's systems and data.
The CVE system is therefore central to helping organizations protect their systems and data from cyber-attacks: by providing information about vulnerabilities and facilitating the development and distribution of patches, it helps organizations stay ahead of potential threats and maintain the security of their systems.
Source:
CVE
Other related MITRE projects
CREF Navigator
MITRE Engage
DeTT&CT : Mapping detection to MITRE ATT&CK – NVISO Labs
Common Weakness Enumeration (CWE)
CWE is a comprehensive list of known software and hardware weaknesses that can lead to security vulnerabilities. It is maintained by the MITRE Corporation and is widely used by organizations and individuals in the cybersecurity industry to identify and address potential vulnerabilities in their systems.
It provides a standardized and comprehensive list of weakness types, which makes it easier for organizations to assess and prioritize their vulnerabilities. This can be especially useful for large organizations with complex systems, as it allows them to identify and prioritize the weaknesses that pose the greatest risk to their operations.
Exploit Prediction Scoring System (EPSS)
An exploit prediction scoring system predicts the likelihood of a software vulnerability being exploited in the wild. This is done by analyzing numerous factors, such as the severity of the vulnerability, the ease of exploitation, and the potential impact on the system or network if the vulnerability is exploited.
One common way that exploit prediction scoring systems work is by assigning a numerical score to each vulnerability based on these factors. For example, a vulnerability that is easy to exploit and has a high potential impact might be assigned a high score. In contrast, a vulnerability that is difficult to exploit and has a low potential impact might be assigned a low score. This score can be used to prioritize the patching and remediation of vulnerabilities, with the highest-scoring vulnerabilities being addressed first.
The Diamond Model of Intrusion Analysis
The Diamond Model is an approach to intrusion analysis used to attribute and track cyber threats. In this view, every incident can be represented as a diamond. The methodology highlights the relationships and characteristics of the diamond's four components: adversary, capability, infrastructure, and victim. These four core elements are linked to delineate their relationships, which can then be analyzed to gain additional insight into and knowledge of malicious activity.
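The four-component model in code, as an added example that is not part of the original page: each incident is a Diamond record, `pivot` finds every event sharing one vertex value, and `activity_threads` goes a step beyond the text by grouping events that share an adversary, capability or infrastructure value. The events are constructed, and the rule that a shared victim alone does not link two events is an assumption of this example.

```python
"""Diamond Model events and pivoting on shared vertices (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Diamond:
    event_id: str
    adversary: str       # who; "unknown" until attribution is possible
    capability: str      # tool or technique used
    infrastructure: str  # what the capability was delivered or controlled through
    victim: str          # target of the event

# Assumption: a shared victim alone does not link two events; the other three vertices do.
LINKING = ("adversary", "capability", "infrastructure")

def pivot(events: List[Diamond], vertex: str, value: str) -> List[Diamond]:
    """All events whose `vertex` equals `value`, e.g. everything seen via one C2 domain."""
    if vertex not in Diamond.__dataclass_fields__ or vertex == "event_id":
        raise ValueError(f"unknown vertex: {vertex}")
    return [e for e in events if getattr(e, vertex) == value]

def activity_threads(events: List[Diamond]) -> List[Set[str]]:
    """Group events into activity threads with union-find over shared linking vertices."""
    parent = {e.event_id: e.event_id for e in events}
    def find(x: str) -> str:
        while parent[x] != x:
            x = parent[x]
        return x
    seen: Dict[Tuple[str, str], str] = {}  # (vertex, value) -> first event carrying it
    for e in events:
        for v in LINKING:
            val = getattr(e, v)
            if v == "adversary" and val == "unknown":
                continue  # "unknown" is not an identity, so it must not link events
            if (v, val) in seen:
                parent[find(e.event_id)] = find(seen[(v, val)])
            else:
                seen[(v, val)] = e.event_id
    groups: Dict[str, Set[str]] = {}
    for e in events:
        groups.setdefault(find(e.event_id), set()).add(e.event_id)
    return sorted(groups.values(), key=min)

SAMPLE_EVENTS = [  # constructed incidents, not real data
    Diamond("E1", "unknown", "phishing-doc-macro", "mail-relay-A", "hr-workstation-3"),
    Diamond("E2", "unknown", "phishing-doc-macro", "mail-relay-B", "finance-workstation-1"),
    Diamond("E3", "ACTOR-X", "rat-beacon", "c2-domain-A", "finance-workstation-1"),
    Diamond("E4", "ACTOR-X", "credential-dumper", "c2-domain-A", "dc-1"),
    Diamond("E5", "unknown", "web-scanner", "scan-host-Z", "public-site"),
]
```

With the sample data, E1 and E2 form one thread through their shared capability, E3 and E4 another through the shared adversary and infrastructure, and E5 stays separate even though E2 and E3 share a victim.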