Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|1| Frameworks and Why We Use Them Katie Nickels SANS CTI Summit – CTI 101 January 20, 2019 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
|2| Why Do We Use Frameworks for CTI?
▪ Miller’s law: the number of objects an average person can hold in working memory is seven (https://en.m.wikipedia.org/wiki/Miller's_law)
▪ What is a framework?
  – Structure that we can use to organize CTI
▪ Frameworks can help us make better assessments and produce better intelligence by helping us:
  – Hedge against bias
  – Identify gaps
  – Compare incidents and adversaries
  – Find patterns and trends
|3| Common CTI Frameworks
▪ Diamond Model
▪ Lockheed Martin Cyber Kill Chain®
▪ MITRE ATT&CK™
▪ VERIS
Which one is “best?” It depends on your requirements!
|4| Remember the Limitations
https://www.lacan.upc.edu/admoreWeb/2019/05/all-models-are-wrong-but-some-are-useful-george-e-p-box/
|5| Diamond Model
▪ When is it useful?
  – To compare and group different intrusions
  – To examine similarities between seemingly disparate activity
▪ Limitations
  – High-level
  – Flexible – need to decide among your team how you “bin” information
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
|6| Lockheed Martin Cyber Kill Chain
▪ When is it useful?
  – To “bin” the phases of an adversary’s intrusion
  – To examine what you might be missing
▪ Limitations
  – High-level
  – Flexible – need to decide among your team how you “bin” information
▪ Also examine Courses of Action:
  – Detect, Deny, Disrupt, Degrade, Deceive, Destroy
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
|7| Other Lifecycle Frameworks
MITRE Cyber Attack Lifecycle: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
https://www.mitre.org/capabilities/cybersecurity/threat-based-defense
FireEye Attack Lifecycle
https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds18-technical-s05-att&cking-fin7.pdf
|8| MITRE ATT&CK
Tactics: the adversary’s technical goals
Techniques: how the goals are achieved
Procedures – Specific technique implementation
[Figure: ATT&CK matrix. Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control. Technique cells not reproduced.]
|9| MITRE ATT&CK
▪ When is it useful?
  – To track adversary behavior at a detailed level
  – To communicate with defenders and with other organizations about specific behaviors in a common language
▪ Limitations
  – Doesn’t cover all aspects of CTI or all techniques
  – Tactical focus
  – Complex – can have a steep learning curve
| 10 | APT28 Techniques*
[Figure: ATT&CK matrix, tactic columns Initial Access through Command and Control, with APT28 techniques highlighted. Highlighting not recoverable from the transcription.]
*from open source reporting we’ve mapped
| 11 | APT29 Techniques
[Figure: ATT&CK matrix, tactic columns Initial Access through Command and Control, with APT29 techniques highlighted. Highlighting not recoverable from the transcription.]
| 12 | Comparing APT28 and APT29
[Figure: ATT&CK matrix, tactic columns Initial Access through Command and Control. Legend: APT28, APT29, Both groups. Annotation: Overlay known gaps. Highlighting not recoverable from the transcription.]
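The overlay on the "Comparing APT28 and APT29" slide can be computed rather than coloured by hand. The following is an added Python example, not part of the original slides: the two group technique sets and the detection-coverage set are constructed sample data (they are not the real APT28/APT29 mappings), and only the technique and tactic names come from the ATT&CK matrix slide.

```python
from collections import defaultdict

# Technique -> tactic columns it appears under (names from the matrix slide).
TACTICS = {
    "Spearphishing Attachment": ("Initial Access",),
    "PowerShell": ("Execution",),
    "Rundll32": ("Defense Evasion", "Execution"),
    "Scheduled Task": ("Execution", "Persistence", "Privilege Escalation"),
    "Credential Dumping": ("Credential Access",),
    "Input Capture": ("Collection", "Credential Access"),
    "Pass the Hash": ("Lateral Movement",),
    "Data Compressed": ("Exfiltration",),
    "Domain Fronting": ("Command and Control",),
}

# Constructed technique sets for two hypothetical groups.
GROUP_A = {"Spearphishing Attachment", "PowerShell", "Rundll32",
           "Credential Dumping", "Pass the Hash", "Input Capture"}
GROUP_B = {"Spearphishing Attachment", "PowerShell", "Scheduled Task",
           "Credential Dumping", "Domain Fronting", "Data Compressed"}

# Constructed: techniques the defender already has detections for.
COVERED = {"Spearphishing Attachment", "Credential Dumping",
           "Rundll32", "Data Compressed"}


def overlay(group_a, group_b, covered):
    """Label every technique as the comparison slide colours it (A, B, both)
    and mark it as a gap when no detection covers it."""
    unknown = (group_a | group_b | covered) - set(TACTICS)
    if unknown:
        # A misspelled technique name would otherwise drop out of the report.
        raise ValueError(f"unmapped techniques: {sorted(unknown)}")
    cells = {}
    for tech in group_a | group_b:
        if tech in group_a and tech in group_b:
            used_by = "both"
        elif tech in group_a:
            used_by = "A"
        else:
            used_by = "B"
        cells[tech] = {"used_by": used_by, "gap": tech not in covered}
    return cells


def gaps_by_tactic(cells):
    """Group uncovered techniques under each tactic column,
    listing techniques shared by both groups first."""
    columns = defaultdict(list)
    for tech, cell in cells.items():
        if cell["gap"]:
            for tactic in TACTICS[tech]:
                columns[tactic].append(tech)
    return {
        tactic: sorted(techs, key=lambda t: (cells[t]["used_by"] != "both", t))
        for tactic, techs in sorted(columns.items())
    }


if __name__ == "__main__":
    cells = overlay(GROUP_A, GROUP_B, COVERED)
    for tactic, techs in gaps_by_tactic(cells).items():
        print(f"{tactic}:")
        for tech in techs:
            print(f"  {tech} (used by: {cells[tech]['used_by']})")
```

Techniques that are uncovered and used by both groups sort to the top of each tactic column, which is where a gap costs the most.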
| 13 | VERIS
▪ Vocabulary for Event Recording and Incident Sharing (VERIS)
  – Actors: Whose actions affected the asset?
  – Actions: What actions affected the asset?
  – Assets: Which assets were affected?
  – Attributes: How the asset was affected?
▪ When is it useful?
  – Organizing incident data - example: Verizon Data Breach Investigations Reports (DBIR) (https://enterprise.verizon.com/resources/reports/DBIR_2019_Report.pdf)
  – To track trends and patterns in incidents
▪ Limitations
  – Flexible – need to decide among your team how you “bin” information
http://veriscommunity.net/
| 14 | Combining Frameworks: Diamond Model + Kill Chain
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
| 15 | Combining Frameworks: Kill Chain + ATT&CK
https://pan-unit42.github.io/playbook_viewer/
| 16 | Other Structured Tools: Processes
▪ Processes
  – Intelligence Cycle
    ▪ https://en.wikipedia.org/wiki/Intelligence_cycle
  – F3EAD - Find, Fix, Finish, Exploit, Analyze
    ▪ https://medium.com/@sroberts/intelligence-concepts-f3ead-964a0653be13
  – SANS Incident Response Cycle
    ▪ https://medium.com/@sroberts/intelligence-concepts-the-sans-incident-response-process-45e3fa451777
| 17 | Other Structured Tools: Standards and Models
David Bianco’s Pyramid of Pain
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
| 18 | likethecoins@gmail.com
@likethecoins
Slides available at https://goo.gl/KNumpw