Adversary Emulation with MITRE ATT&CK - Helion
ISBN: 9781098143725
Pages: 385, Format: ebook
Release date: 2024-04-25
Bookstore: Helion
Price: 211,65 zł (previously: 246,10 zł)
You save: 14% (-34,45 zł)
By incorporating cyber threat intelligence, adversary emulation provides a form of cybersecurity assessment that mimics advanced persistent threat (APT) tactics, techniques, and procedures (TTPs). This comprehensive guide introduces an empirical approach with strategies and processes collected over a decade of experience in the cybersecurity field. You'll learn to assess resilience against coordinated and stealthy threat actors capable of harming an organization.
Author Drinor Selmanaj demonstrates adversary emulation for offensive operators and defenders using practical examples and exercises that actively model adversary behavior. Each emulation plan includes different hands-on scenarios, such as smash-and-grab or slow-and-deliberate. This book uses the MITRE ATT&CK knowledge base as a foundation to describe and categorize TTPs based on real-world observations, and provides a common language that's standardized and accessible to everyone.
You'll learn how to:
- Map Cyber Threat Intelligence to ATT&CK
- Define Adversary Emulation goals and objectives
- Research Adversary Emulation TTPs using ATT&CK knowledge base
- Plan Adversary Emulation activity
- Implement Adversary tradecraft
- Conduct Adversary Emulation
- Communicate Adversary Emulation findings
- Automate Adversary Emulation to support repeatable testing
- Execute FIN6, APT3, and APT29 emulation plans
Table of Contents
- Preface
- Who This Book Is For
- Goals of the Book
- How the Book Is Organized
- Hands-on Approach
- Conventions Used in This Book
- Using Code Examples
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- I. Understanding Adversary Emulation
- 1. Introduction
- Know Your Attackers
- Maximizing Adversary Cost
- Adversary-Inspired Testing
- Drawbacks of Traditional Security Assessments
- Types of Security Assessments
- Vulnerability Scanning
- Vulnerability Assessment
- Penetration Testing
- Red Team
- Blue and Purple Teams
- Adversary Emulation Fundamentals
- Importance of Adversary Emulation
- Framework and Evaluations for Adversary Emulation
- Adversary emulation paradigms
- Benefits of Adversary Emulation
- Transparency and Relevance
- Engagement Planning
- Adversary Emulation Plan
- Summary
- 2. Advanced Persistent Threats
- Mechanics of Motivation
- Accidental Threats
- Coercion
- Disgruntlement
- Dominance
- Ideology
- Notoriety
- Organizational Gain
- Personal Financial Gain
- Personal Satisfaction
- Unpredictable Threats
- Deception
- Deceptive Communication
- Deceptive Appearance
- Mimicry
- Fabrication
- Distraction
- Camouflage
- Disguise
- APT Attribution
- Authorization Process for Cyber Operations
- From Intellectual Property Theft to Indictment
- Defining Key Terms in Attribution
- Data Collection
- Analysis
- Origin Attribution
- APT Doxing
- Summary
- 3. Dissecting Frameworks and Strategies
- ATT&CK Framework
- ATT&CK Matrix
- Technology Domains
- Enterprise Matrix
- Mobile Matrix
- Industrial Control Systems Matrix
- Navigating the Platform
- Tactics
- Techniques, Sub-Techniques, and Procedures
- Software and Mitigations
- Groups and Campaigns
- Data Sources
- Object Model Relationships
- Customizing and Extending ATT&CK
- Limitations and Boundaries
- Accessing ATT&CK in Python
- Threat-Informed Defense
- Threat Intelligence in Modern Defense
- Challenges
- Best Practices
- Tools and Technologies
- Threat intelligence platform
- Security information and event management
- Endpoint protection platform
- Data loss prevention
- Identity and access management
- Enhancing Security Through Understanding
- Integrating MITRE ATT&CK and the NIST CSF
- Using ATT&CK to Protect Against Cyber Threats
- Summary
- 4. The Adversary's Modus Operandi
- Reconnaissance
- Active Scanning (T1595)
- Gather Victim Identity Information (T1589)
- Search Closed Sources (T1597)
- Resource Development
- Acquire Infrastructure (T1583)
- Develop Capabilities (T1587)
- Establish Accounts (T1585)
- Initial Access
- Drive-by Compromise (T1189)
- Exploit Public-Facing Application (T1190)
- Phishing (T1566)
- Supply Chain Compromise (T1195)
- Execution
- Command and Scripting Interpreter (T1059)
- Exploitation for Client Execution (T1203)
- Software Deployment Tools (T1072)
- Persistence
- Account Manipulation (T1098)
- BITS Jobs (T1098)
- Compromise Client Software Binary (T1554)
- Privilege Escalation
- Exploitation for Privilege Escalation (T1068)
- Domain Policy Modification (T1484)
- Defense Evasion
- Deobfuscate/Decode Files or Information (T1140)
- Masquerading (T1036)
- Indirect Command Execution (T1202)
- Credential Access
- Brute Force (T1110)
- Network Sniffing (T1040)
- OS Credential Dumping (T1003)
- Discovery
- Account Discovery (T1087)
- Browser Information Discovery (T1217)
- System Network Connections Discovery (T1049)
- Lateral Movement
- Exploitation of Remote Services (T1210)
- Replication Through Removable Media (T1091)
- Use Alternate Authentication Material (T1550)
- Collection
- Automated Collection (T1119)
- Archive Collected Data (T1560)
- Data from Network Shared Drive (T1039)
- Command and Control
- Application Layer Protocol (T1071)
- Ingress Tool Transfer (T1105)
- Proxy (T1090)
- Exfiltration
- Exfiltration over Alternative Protocol (T1048)
- Scheduled Transfer (T1029)
- Transfer Data to Cloud Account (T1537)
- Impact
- Data Encrypted for Impact (T1486)
- Endpoint Denial of Service (T1499)
- System Shutdown/Reboot (T1529)
- Summary
- 5. In-the-Wild Use of ATT&CK TTPs
- Step-by-Step Procedures
- Executing a Spearphishing Attachment
- Demystifying Command and Scripting Interpreter
- PowerShell
- AppleScript
- Windows Command shell
- Bash
- Python
- Modify SSH Authorized Keys
- Deobfuscate/Decode Files or Information
- How Threat Actors Conceal Their Artifacts
- Space after filename
- Right-to-left override
- Password Spray All Domain Users
- Delving into Network Communications
- Packet capture: Windows
- Packet capture: Linux
- OS Credential Dumping
- Dump RDP credentials
- LSASS memory
- LSA secrets
- Create Volume Shadow Copy with PowerShell
- DCSync attack
- Uncovering Local and Domain Users
- How to Propagate Through Removable Media
- Abusing Alternate Authentication Protocols
- Pass the Hash
- Pass the Ticket
- Harnessing Automation
- SSH for Exfiltration over Alternative Protocol
- Data Held Hostage Using GPG
- Active Learning Experience
- Architecture and Components
- Environment Setup
- Putting Theory to the Test
- Network and Host Exploration
- Brute-Forcing with Hydra
- Executing Malicious Payload in Froxlor
- Fabricating Logfiles to Inject Malicious Code
- Execution via Command and Scripting Interpreter
- Discovery Through Command-Line Analysis
- Jumping Across Remote Services
- Hijacking Linux Shared Directories
- Capability Development for Resource Creation
- Compromising System Security with PAM Backdoor
- Stealthy Data Archiving
- Application Layer Protocol for Command and Control
- Alternative Protocol Exfiltration
- Ransomware Impact
- Summary
- 6. The Power of Visualization
- ATT&CK Navigator
- Customizing Matrix with Layers
- Editing and Sorting Layers
- Navigating and Annotating Techniques in the Interface
- Selecting Techniques
- Customizing the Navigator
- Understanding Dragonfly Tactics
- Attack Flow
- Operations Teams
- Attack Flow Analysis
- Cyberattack on a NATO Member
- Summary
- 7. Cyber Threat Intelligence
- Data Acquisition
- Data Sources
- Application logs
- System logs
- Intrusion detection/prevention systems
- Ethics of Data Acquisition
- Processing and Enrichment
- Apache Kafka
- Adversary Mapping
- Using Narrative Reports to Map Intelligence
- Intelligence Mapping from Raw Data
- Predictive Threat Intelligence with AI
- Machine Learning for Predictive Analysis
- Deep Learning for Pattern Recognition
- Natural Language Processing for Text Analysis
- Voice Synthesis and Caller ID Spoofing
- AI in Fraud Detection
- CTI and Digital Warfare
- Geopolitical Impact
- Key Players
- Creating an Effective Threat Intelligence Program
- Summary
- II. Adversary Emulation Operations
- 8. Establishing Goals for Adversary Emulation
- Understanding Engagement Purpose
- Effective Communication
- Diverse Stakeholder Expectations
- Insufficient Understanding of the Threat Landscape
- Undefined Security Goals
- Limited Awareness of the Organization's Security Posture
- Resistance from Stakeholders
- Lack of Resources
- Assessing Suitability for Adversary Emulation
- Organizational Readiness
- Educate People About Adversary Emulation
- Explore Alternatives
- Plan for the Future
- Interviewing Relevant Stakeholders
- Harnessing Global Perspectives
- Building Long-Term Relationships
- Future Direction
- Creating a Culture of Open Communication
- Brainstorming Threat Scenarios
- The Anatomy of Potential Attacks
- The Gateway to Threat Exploitation
- A Strategic Approach to Prioritizing Protection Efforts
- Adaptive Response to Dynamic Cyber Threats
- Document Engagement Objectives
- SMART Criteria for Effective Engagement Objectives
- Examples of Engagement Objectives
- Summary
- 9. Researching Adversary Tradecraft
- From Surface-Level Tactics to Deep-Dive Procedures
- Developing Adversary Profiles
- Why Profiling Is Important
- Profiling Methodologies
- Aggregating Adversary Data
- Selecting an Adversary for Emulation
- Consequences of Improper Selection
- Analyzing the Adversary's Geographies and Sectors
- Deciphering the Goals Behind the Actions
- Assembling the TTP Outline
- Overview of the Adversary's Known TTPs
- Importance of Maintaining a TTP Repository
- Organizing and Categorizing TTPs
- The Strategic Role of a TTP Outline
- Building a Comprehensive TTP Outline
- Review and Adjustment
- Summary
- 10. Engagement Planning
- Understanding the Financial Aspects
- The Scope of Engagement
- Schedule, Duration, and Frequency
- Rules of Engagement
- Approving Authorities
- Human Resource Planning
- Equipment and Software Cost
- Cross-Departmental Collaboration
- Communication Plan
- Engagement Notifications
- Summary
- 11. Implementing Adversary Tradecraft
- Setting Up the Lab Environment
- Splunk Attack Range
- Setting Up Splunk Attack Range
- TTP Development Life Cycle
- Adversary Emulation Plan
- Threat Actors Intelligence Summary
- Visualization of the Emulation Journey
- Adversary Arsenal
- Testing TTPs in the Lab
- Map Detection and Mitigation
- Summary
- 12. Executing Adversary Tradecraft
- Review TTP Implementation
- Execute Adversary TTPs
- Prelude Operator
- Observe and Document TTP Results
- Report Findings
- Measuring the Effectiveness
- Summary
- 13. Adversary Emulation Resources
- Adversary Emulation Library
- Introduction to Caldera
- Plug-in Library
- Parsers
- Relationships
- Objectives
- Operation Results
- Atomic Red Team
- BadBlood
- Summary
- III. Hands-on Adversary Emulation
- 14. FIN6 Emulation Plan
- Mission Essentials
- FIN6 Initial Access
- FIN6 Discovery
- Domain Account (T1087.002)
- Remote System Discovery (T1018)
- Domain Trust Discovery (T1482)
- System Network Configuration Discovery (T1016)
- Domain Groups (T1069.002)
- FIN6 Privilege Escalation and Credential Access
- Access Token Manipulation (T1134)
- LSASS Memory (T1003.001)
- NTDS (T1003.003)
- LSASS Memory: Windows Credential Editor (T1003.001)
- FIN6 Collection and Exfiltration
- Archive via Utility (T1560.001)
- Exfiltration over Unencrypted Non-C2 Protocol (T1048.003)
- FIN6 Emulation Epilogue
- Summary
- 15. APT3 Emulation Plan
- Mission Essentials
- APT3 Initial Access
- APT3 Discovery
- APT3 Defense Evasion
- APT3 Privilege Escalation
- APT3 Credential Access
- APT3 Persistence
- APT3 Execution and Lateral Movement
- Summary
- 16. APT29 Emulation Plan
- Mission Essentials
- APT29 Initial Access
- APT29 Speedy Data Retrieval and Stealth Insertions
- Preliminary Data Harvesting
- Clandestine Utility Rollout
- APT29 Defense Evasion and Discovery
- Persistence
- Credential Access
- APT29 Execution for Lateral Movement
- Summary