MITRE ATT&CK is the most prominent framework and taxonomy for attacker tactics and techniques, and when turned to the benefit of Blue Team training it is a powerful tool. MITRE ATT&CK training can give SOC and Incident Response teams an edge when facing cyber attacks, and in our new video series we demonstrate MITRE ATT&CK tactics using Cyberbit Range.

One of the driving factors of many attacks is the temptation or need for data that cannot be accessed without penetrating a network. Adversaries deploy a variety of techniques to collect many types of data from different locations on a network. In the first installment of our MITRE ATT&CK Enterprise Framework Collection series, we dive into three techniques to show you TA0009 Collection from the defender's point of view.

1. T1056.001: Input Capture – Keylogging:

Adversaries are often trying to find passwords or other sensitive information that grants access to locked or restricted areas of a network. During normal system usage, users provide unique and sensitive credentials to many different locations, including login pages, portals, and system dialog boxes. Input capture techniques may be invisible to the user, or may rely on the user providing input to what they believe is a genuine service. In this technique, we see our adversary deploy a program that intercepts keystrokes as the user types them, capturing all data entered via the keyboard, sensitive and non-sensitive alike.

2. T1114.001: Email Collection – Remote Email Collection:

Emails are a treasure trove of information for malicious threat actors: they contain proprietary information, future corporate plans, and other extremely sensitive data. Adversaries may target user mailboxes on an email server to collect sensitive data across multiple users, using those users' login credentials. In the case of email collection, we show you how the attacker used the tar command to collect the entire contents of multiple users' mailboxes in one go, compressing the archive to make extraction a breeze later on.

3. T1119: Automated Collection:

Once established inside a network, your adversary may deploy automated techniques to collect the data they wish to steal. Generally, we see attackers deploy scripts and command interpreters to search for and copy the information they require, according to criteria defined inside the script. Adversaries could be searching for specific file types, files within a certain location, or files created within specific time intervals. In the technique shown in our video, the attacker searches for programming-language source files, mapping the local file path to a network path so that the whole collection is extracted at once, decreasing the chance of detection.
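The two command-line behaviours above (an archiver bundling several users' mailboxes, and a scripted file sweep that copies source files off the host in one pass) give a SOC a concrete hunting signal. As an added example, not code from this post or from Cyberbit Range, the routine below runs two such checks over constructed process-creation events; the log format, path conventions and extension list are assumptions for illustration only.

```python
import re

# Constructed sample process-creation events (not from the page): "user pid command line".
SAMPLE_EVENTS = [
    "alice 4101 tar -czf /tmp/m.tgz /var/mail/alice /var/mail/bob /var/mail/carol",
    "bob 4102 find /srv/projects -type f -name '*.py' -exec cp {} /mnt/share/out/ ;",
    "carol 4103 tar -czf /home/carol/backup.tgz /home/carol/notes",
    "dave 4104 ls -la /var/mail",
]

ARCHIVERS = ("tar", "zip", "7z")                       # assumed archiver binaries
MAILBOX = re.compile(r"/var/(?:spool/)?mail/([^\s/]+)")  # assumed mbox spool layout
SOURCE_GLOB = re.compile(r"-i?name\s+'?\*\.(py|js|java|c|cpp|go|rs|cs)'?")
COPY_OUT = re.compile(r"-exec\s+cp\b|\|\s*xargs\s+cp\b")


def flag_mail_archiving(cmd: str) -> set:
    """T1114.001 indicator: an archiver bundling more than one user's mailbox.
    Returns the set of mailbox owners touched, or an empty set when it does not fire."""
    argv = cmd.split()
    if not argv or argv[0] not in ARCHIVERS:
        return set()
    owners = set(MAILBOX.findall(cmd))
    return owners if len(owners) > 1 else set()


def flag_automated_collection(cmd: str) -> bool:
    """T1119 indicator: a find(1) sweep keyed on source-code extensions that copies
    every hit elsewhere in the same command (one-shot, scripted collection)."""
    return (cmd.startswith("find ")
            and bool(SOURCE_GLOB.search(cmd))
            and bool(COPY_OUT.search(cmd)))


def triage(events) -> list:
    """Return (user, technique id, detail) for every detection that fired."""
    findings = []
    for line in events:
        user, _pid, cmd = line.split(maxsplit=2)
        owners = flag_mail_archiving(cmd)
        if owners:
            findings.append((user, "T1114.001", ",".join(sorted(owners))))
        if flag_automated_collection(cmd):
            findings.append((user, "T1119", cmd.split()[1]))  # detail = swept root
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A single-mailbox backup by its owner (carol's line) and a plain directory listing (dave's line) do not fire, which is the baseline a real rule would need to preserve.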

Training According to MITRE ATT&CK Enterprise

Cyberbit Range is the only Cyber Range platform where you can experience MITRE ATT&CK Tactics and Techniques across the Cyber Attack Lifecycle. In this series, we dive into individual techniques to show you how to identify attacker behaviors.

SOC and IR teams interested in experiencing training according to the MITRE ATT&CK Enterprise framework can register for a free training session here.

