Mitre ATT&CK website.
Each case study should have a minimum of 900 words, double-spaced, in 12pt Times New Roman. (With that in mind, 900 typed words is about three pages, not including the title and reference pages.) Case studies must be formatted according to APA guidelines as an MS Word document and include at least three (3) references that support your work.
For this case study, you will use the Mitre ATT&CK website. This is a global knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Cyber threat intelligence is all about knowing what your adversaries do and using that information to improve decision-making. For an organization with just a couple of analysts that wants to start using ATT&CK for threat intelligence, one way you can start is by taking a single group you care about and looking at their behaviors as structured in ATT&CK.
Mitre ATT&CK - https://attack.mitre.org/
You should complete the following steps:
Understand ATT&CK — Familiarize yourself with the overall structure of ATT&CK tactics (the adversary’s technical goals), techniques (how those goals are achieved), and procedures (specific implementations of techniques). Take a look at the Getting Started page and Philosophy Paper.
Find the behavior — Think about the adversary's action more broadly than the atomic indicator (such as an IP address) it used. For example, a threat report might state that the malware "establishes a SOCKS5 connection." The act of establishing that connection is a behavior the adversary took; the IP address it connected to is only an artifact of that behavior.
Research the behavior — If you're not familiar with the behavior, you may need to do more research. In our example, a little research shows that SOCKS5 is a session-layer (Layer 5) proxy protocol used to relay TCP or UDP traffic through an intermediary host.
Translate the behavior into a tactic — Consider the adversary's technical goal for that behavior and choose a tactic that fits. The good news: there are only a handful of tactics to choose from in Enterprise ATT&CK (14 in the current version). For the SOCKS5 connection example, establishing a connection in order to communicate later falls under the Command and Control tactic.
Figure out what technique applies to the behavior — This can be a little tricky, but with your analysis skills and the examples on the ATT&CK website it's doable. If you search the website for SOCKS, the technique Non-Application Layer Protocol (T1095) comes up (older versions of ATT&CK called it Standard Non-Application Layer Protocol). Its description lists session-layer protocols such as SOCKS as examples, so this is a reasonable place for our behavior to fit. Treat a keyword match as a starting point rather than a verdict: read the description, compare it with neighboring Command and Control techniques such as Proxy (T1090), and pick the one whose description best matches what the malware actually does.
Write a report of your findings following the case study guidelines above.
Make sure to include at least four (4) references that support your work.
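The steps above can also be carried out programmatically, which is how analysts usually work with ATT&CK once they move past the website. MITRE distributes Enterprise ATT&CK as a STIX 2.x JSON bundle (https://github.com/mitre-attack/attack-stix-data), in which each technique is an attack-pattern object, its tactics are listed under kill_chain_phases, and a group's behaviors are "uses" relationships from an intrusion-set object. The script below is an added example written for this page; it is not code from the assignment or from MITRE. SAMPLE_BUNDLE is a constructed subset that mimics the real schema so the example runs offline: technique IDs T1095 and T1090 are real, but their descriptions are paraphrased, and T0000, "Example Group", and all STIX object ids are invented. It searches active techniques for a keyword ("SOCKS"), resolves their tactics, and lists the techniques a given group uses, skipping objects the bundle flags as revoked or deprecated.

```python
"""Map an observed behavior to ATT&CK techniques and tactics from a STIX bundle.

Added example, not code from the assignment or from MITRE. SAMPLE_BUNDLE is a
constructed subset of the Enterprise ATT&CK STIX schema: T1095 and T1090 are
real IDs with paraphrased descriptions; T0000, "Example Group" and the STIX
object ids are invented for illustration.
"""
import json
import re

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        # Tactic objects carry the shortname that techniques reference in kill_chain_phases.
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--c2", "name": "Command and Control",
         "x_mitre_shortname": "command-and-control",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0011"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1095", "name": "Non-Application Layer Protocol",
         "description": "Adversaries may use a non-application layer protocol, such as ICMP, UDP or "
                        "Socket Secure (SOCKS), for communication with a C2 server.",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1095"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1090", "name": "Proxy",
         "description": "Adversaries may use a connection proxy to direct network traffic between "
                        "systems or to act as an intermediary for C2 traffic.",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1090"}]},
        # The real bundle keeps retired objects and flags them instead of deleting them.
        {"type": "attack-pattern", "id": "attack-pattern--t0000", "name": "Constructed Deprecated Technique",
         "description": "Mentions SOCKS but is deprecated and must not be reported.",
         "x_mitre_deprecated": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "intrusion-set", "id": "intrusion-set--example", "name": "Example Group",
         "aliases": ["Example Group", "EXAMPLE-1"]},
        # Group-to-technique links are 'uses' relationships between the two objects.
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--example", "target_ref": "attack-pattern--t1095"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--example", "target_ref": "attack-pattern--t1090"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--example", "target_ref": "attack-pattern--t0000"},
    ],
})


def load_objects(bundle_text):
    """Parse a STIX bundle (JSON text) and return its object list."""
    return json.loads(bundle_text)["objects"]


def is_active(obj):
    """Revoked and deprecated objects stay in the bundle for history; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def attack_id(obj):
    """Return the ATT&CK ID (T1095, TA0011, ...) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def tactic_names(objects):
    """Map tactic shortname (used in kill_chain_phases) to its display name."""
    return {o["x_mitre_shortname"]: o["name"] for o in objects if o["type"] == "x-mitre-tactic"}


def describe_technique(obj, names):
    """Flatten a technique into {id, name, tactics}; tactics come from kill_chain_phases."""
    phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
              if p.get("kill_chain_name") == "mitre-attack"]
    return {"id": attack_id(obj), "name": obj["name"], "tactics": [names.get(p, p) for p in phases]}


def find_techniques(objects, keyword):
    """Step 'figure out what technique applies': keyword search over active techniques."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    names = tactic_names(objects)
    hits = [describe_technique(o, names) for o in objects
            if o["type"] == "attack-pattern" and is_active(o)
            and (pattern.search(o["name"]) or pattern.search(o.get("description", "")))]
    return sorted(hits, key=lambda h: h["id"])


def techniques_used_by(objects, group_name):
    """The 'single group you care about' view: follow 'uses' relationships from the group."""
    by_id = {o["id"]: o for o in objects}
    wanted = group_name.lower()
    group_ids = {o["id"] for o in objects if o["type"] == "intrusion-set" and is_active(o)
                 and wanted in [n.lower() for n in [o["name"], *o.get("aliases", [])]]}
    names = tactic_names(objects)
    used = []
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses" or not is_active(rel):
            continue
        target = by_id.get(rel["target_ref"])
        if rel["source_ref"] in group_ids and target and target["type"] == "attack-pattern" and is_active(target):
            used.append(describe_technique(target, names))
    return sorted(used, key=lambda h: h["id"])


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE)
    for hit in find_techniques(objs, "SOCKS"):
        print(f"{hit['id']} {hit['name']} -> {', '.join(hit['tactics'])}")
    for hit in techniques_used_by(objs, "Example Group"):
        print(f"Example Group uses {hit['id']} {hit['name']}")
```

To run it against the real data, replace SAMPLE_BUNDLE with the contents of enterprise-attack.json from the attack-stix-data repository; the functions only rely on the standard object types and fields shown above. The deprecated-object filter matters in practice: old technique names and IDs remain in the bundle, so a search that ignores the revoked and x_mitre_deprecated flags will report techniques that no longer exist on the website.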