MITRE Framework
For a security professional, using consistent language when communicating is important and makes collaboration easier.
After analysis, the various alerts or alarms can be placed into different buckets to track the series of events that led to a breach or an attack.
Which buckets should the alerts be placed into? This is where the MITRE ATT&CK framework is useful.
Below is the diagram provided by MITRE.
A hypothetical attack scenario is given below, with each step mapped to the bucket its details fall into.
Initial Access: The attacker successfully logs into the machine, remotely or physically.
Execution: Malware is planted on the machine, hidden from the user's view and possibly evading the endpoint security defenses.
Persistence: The malware stays dormant but sets itself up on the machine so it can be activated later, either by the remote controller or by a specific trigger such as the user's next logon.
Privilege Escalation: The planted malware performs reconnaissance and carries out actions on the system that are normally done only by an administrator.
Defense Evasion: Disabling the security tools installed on the device, clearing device logs, and other activities that help avoid detection later.
Credential Access: Capturing keystrokes, reading the Windows registry, and dumping the collected credentials into files to be sent to the remote controller.
Discovery: Trying to discover other accounts with admin privileges and enumerating components of the system such as processes, security software, and others.
Lateral Movement: Placing logon scripts, using methods like pass the hash and pass the ticket, and trying to replicate itself onto other machines in the network; this is the classic behavior of viruses and worms in earlier days.
Collection: Trying to collect more data such as audio, camera, email, and others.
Exfiltration: The planted malware sends data from the machine to remote controllers.
Command and Control: The malware is controlled by the remote controller with bi-directional communication or only uni-directional communication to avoid detection.
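As an added example (not part of the original post), the Python below takes triaged alerts that an analyst has already placed into one of the buckets above, rebuilds the per-host sequence of tactics in time order, and reports which buckets between the first and last observed stage produced no alert, which is the visibility gap a SOC would want to investigate. The host names, timestamps and alert summaries are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# The tactic buckets from the scenario above, in the order the post walks through them.
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    tactic: str      # bucket assigned by the analyst after triage
    summary: str

def build_chain(alerts):
    """Group alerts per host, order them by time, and return the sequence of
    tactics seen on each host with consecutive duplicates collapsed."""
    by_host = defaultdict(list)
    for a in alerts:
        if a.tactic not in TACTICS:
            raise ValueError(f"unknown tactic bucket: {a.tactic!r}")
        by_host[a.host].append(a)
    chains = {}
    for host, items in by_host.items():
        seq = []
        for a in sorted(items, key=lambda x: x.ts):
            if not seq or seq[-1] != a.tactic:
                seq.append(a.tactic)
        chains[host] = seq
    return chains

def missing_tactics(chain):
    """Buckets between the earliest and latest observed stage with no alert:
    candidates for missed detections rather than proof the stage did not occur."""
    idx = [TACTICS.index(t) for t in chain]
    return [t for t in TACTICS[min(idx):max(idx) + 1] if t not in set(chain)]

# Constructed sample alerts following the hypothetical scenario; not real telemetry.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 1, 5, 9, 0), "ws-01", "Initial Access", "remote logon from unfamiliar location"),
    Alert(datetime(2024, 1, 5, 9, 30), "ws-01", "Defense Evasion", "security tool service stopped"),
    Alert(datetime(2024, 1, 5, 9, 7), "ws-01", "Execution", "unsigned binary dropped and started"),
    Alert(datetime(2024, 1, 5, 10, 2), "ws-01", "Credential Access", "keystroke logging hook installed"),
    Alert(datetime(2024, 1, 5, 10, 40), "ws-01", "Exfiltration", "large outbound transfer to new host"),
    Alert(datetime(2024, 1, 5, 10, 15), "srv-02", "Lateral Movement", "logon script added"),
]
```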