

ATT&CK: the science of the art of attack

Posted by herskovits at 2020-03-10

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the enterprise, government and cybersecurity product and service communities. In 2010 MITRE was funded by the government to build a cyber range, the Fort Meade experimental research environment (FMX). The range simulated a real enterprise environment and hosted regular red-versus-blue exercises; working under an "assume breach" model, APT behaviour was observed in order to detect it faster. ATT&CK is used both by the adversary emulation team (to develop attack scenarios) and by the defense team (to analyze and measure its processes): it is, in effect, adversary science.

Opinions on ATT&CK differ. Those who agree say that ATT&CK has begun to turn the art of attack into a science; those who disagree say the ATT&CK dictionary cannot be operationalized at all. It is true that ATT&CK is not yet perfect, but it should be viewed from the perspectives of science, of the military, and of attack and defense.

ATT&CK is essentially an enumeration dictionary, much as URIs/IRIs are the backbone of the Semantic Web. People from different regions of China have great difficulty communicating in their spoken dialects, let alone bridging the gap between classical and spoken Chinese. Chinese culture was passed down through a shared written script ("shu tong wen", one script for all): a dialect can be mapped onto the characters in the Xinhua Dictionary even when the speakers do not understand each other's Putonghua, and when something cannot be written down the meaning of a new word can be looked up, so that people understand one another. Many attribute China's unification to Qin Shihuang's standardization of "the same axle width for carts and the same script for writing". Although China is vast and pronunciation differs every ten li, we can write, or pick up a Xinhua Dictionary and communicate in Mandarin.

Many attribute the rapid development of the Internet to the spread of HTML. From HTML to Web 2.0, research on the Semantic Web has driven the rapid growth of knowledge on the Internet. Content creators do not need to think much about presentation: they write an article in HTML, and whether it is viewed in IE, Chrome or on a mobile device, it renders the same way.

MITRE was founded in 1958, spun out of MIT's Lincoln Laboratory. Its customers mainly include the U.S. Department of Defense, the Federal Aviation Administration, the Internal Revenue Service, the U.S. National Space Agency and the Department of Homeland Security. MITRE also operates federally funded R&D centers on behalf of the U.S. government and acts as an authoritative advisory body to the government on frontier science and technology. In 1950 it began leading the development of the Semi-Automatic Ground Environment (SAGE) air defense system and radar-based early-warning research. SAGE went into operation in 1963 and produced many innovations in computing, software, information display, communications, program management and systems engineering. In 1972 MITRE became the third group of users of ARPANET (the predecessor of the Internet). MITRE has mainly worked on data fusion for radar situation awareness and has produced many results there; in 1992 it proposed the concept of Software Defined Radio (SDR), which advanced the development of C4I.

After 9/11, MITRE began to study an intelligence meta-language. After 9/11 the FBI, CIA, NSA and others all came forward to say "we had the intelligence"; the U.S. government's ironic verdict was "wise after the event". The government found that intelligence agencies with tens of thousands of staff could not talk to each other, and that the hundreds of thousands of intelligence reports produced each year were scattered across different viewpoints and never reached a conclusion. So the United States began "intelligence governance" (to borrow the now-popular term "data governance"). It enacted the well-known intelligence reform act, established the Department of Homeland Security (DHS, integrating border inspection, the FBI and others), and, in view of the disputes between the NSA and the CIA, established the Office of the Director of National Intelligence (ODNI), whose mission is to integrate the intelligence community and output actionable intelligence. This was not the first attempt at integration: Roosevelt established the Office of Strategic Services during World War II. It worked well during the war, but afterwards the departments were at each other's throats and Truman could only dismantle it; the FBI (under the Department of Justice) covered the domestic side, and the CIA and the military's NSA were newly established for foreign intelligence. This time ODNI was established to manage the CIA, DHS, NSA and other intelligence agencies (such as those operating spy satellites), and later tried to promote information sharing. MITRE is good at systems engineering, a broad concept that mainly considers the whole from the perspective of the system and its ecology. It participates in the NIEM National Information Exchange Model, the National Checklist Program, the NVD National Vulnerability Database, the national configuration database, and of course the STIX model; its focus is cross-domain language exchange.
This is a practical path of knowledge engineering: for example, the NVD holds some 160,000 vulnerabilities, each with a CVE (Common Vulnerabilities and Exposures) number, a CWE (Common Weakness Enumeration) classification, a CVSS score and a CPE (Common Platform Enumeration) identifier. Knowledge from different organizations can be integrated in a standardized way, and different types of information can form structured and unstructured knowledge.

Looking at the history of information security, before MITRE's CVE system many companies claimed to be very strong and able to find 0days, but that knowledge stayed inside each company and could not be exchanged. Things changed once the NVD national vulnerability database appeared. A CVE application goes through a strict review process; after review by the committee, a 0day the company found either is a 0day or it is not, and a serious vulnerability either is serious or it is not. The risk value of the vulnerability is calculated by a defined process and standards: if the final risk value is 5, the vulnerability is medium risk. In China, by contrast, you see companies saying "we have submitted such-and-such vulnerabilities", but most of these are only temporary CVE numbers. MITRE has worked hard to accumulate vulnerabilities and has built a huge knowledge project that greatly promotes the sharing of knowledge and threat-prevention experience among organizations and companies. For example, the scanners of different companies each have their own format: one scans out a vulnerability and calls it "eternal blue", another calls the same thing "eternal green". Once the CVE system was established, all organizations use the CVE ID as the ontology for labelling vulnerabilities, so when a report is sent upward the results can be understood by the superior unit even though the scanner vendors differ.
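The "eternal blue" versus "eternal green" problem above, worked as an added example (not code from this article or from MITRE/NVD): two constructed scanner reports with different field names and vendor nicknames are collapsed onto the CVE ID as the shared key, records without a valid CVE ID are set aside because they cannot be correlated, and the NVD CVSS v3 qualitative bands turn the score into the severity the text describes. The scanner layouts, nicknames and CVE IDs are constructed sample data.

```python
"""Normalize findings from two constructed scanners onto CVE IDs (added example;
scanner layouts, nicknames and CVE IDs are constructed, bands follow NVD CVSS v3)."""
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed reports: both scanners found the same hole on 10.0.0.5 but name it
# differently ("Eternal Blue" vs "eternal green"); the CVE ID is the shared key.
SCANNER_A = [
    {"title": "Eternal Blue", "cve": "CVE-2099-0001", "host": "10.0.0.5", "cvss": 8.1},
    {"title": "Weak TLS config", "cve": "CVE-2099-0002", "host": "10.0.0.5", "cvss": 5.0},
]
SCANNER_B = [
    {"name": "eternal green", "cve_id": "cve-2099-0001", "asset": "10.0.0.5", "score": "8.1"},
    {"name": "kernel bug", "cve_id": "VENDOR-77", "asset": "10.0.0.7", "score": "9.8"},
]
# Each vendor's field names mapped onto the shared schema.
FIELDS_A = {"title": "title", "cve": "cve", "host": "host", "cvss": "cvss"}
FIELDS_B = {"title": "name", "cve": "cve_id", "host": "asset", "cvss": "score"}

def severity(cvss):
    """NVD CVSS v3 bands: a final score of 5.0 is Medium, as the text says."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"

def normalize(record, fields):
    """Map one vendor record onto the shared schema; None if it has no valid CVE ID."""
    cve = str(record.get(fields["cve"], "")).upper()
    if not CVE_RE.match(cve):
        return None  # vendor-only IDs cannot be correlated across scanners
    return {"cve": cve, "host": record[fields["host"]],
            "cvss": float(record[fields["cvss"]]), "title": record[fields["title"]]}

def merge(*sources):
    """Group findings by (CVE, host) so several vendors' reports collapse into one."""
    merged = defaultdict(lambda: {"titles": set(), "cvss": 0.0, "severity": "None"})
    for records, fields in sources:
        for norm in filter(None, (normalize(r, fields) for r in records)):
            entry = merged[(norm["cve"], norm["host"])]
            entry["titles"].add(norm["title"])
            entry["cvss"] = max(entry["cvss"], norm["cvss"])
            entry["severity"] = severity(entry["cvss"])
    return dict(merged)
```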

Now that the government is again talking about data governance, it too must solve the problem of "different voices every ten miles". Before, getting anything done meant running around more than ten departments with extremely low efficiency; now efficiency must improve: I want to open a company, go to a one-stop service hall, and finish business registration, taxation and so on in one visit. This requires us to manage data, share data and raise the level of social governance. Today data governance basically depends on people, with programmers negotiating among themselves. How did the United States solve data governance? Through language: the well-known NIEM National Information Exchange Model, which lets parties understand each other quickly by defining a core vocabulary and domain vocabularies. If you do not understand a term, you download the vocabulary directly from the NIEM website, check the syntax and read the explanation, so that data governance between departments is quickly connected. It also solves interoperability: a 2018 best-practice case was a Navy camera that the Army could not use when it arrived, which turned out to be solved this way. China has also developed CIEM, the China Information Exchange Model, defined as the structured, standardized description in the information world of all kinds of things in the physical world, including real objects, abstract concepts and the relationships between them. CIEM is a machine-readable knowledge dictionary, similar in concept to an ontology, knowledge graph, knowledge framework or knowledge system of the Semantic Web, and can be used in data governance, organization of data resources, information sharing and exchange, knowledge graphs and other fields.

At present the U.S. is building the NCPS national situation awareness and CDM programs. In vulnerability management, scanners from many companies are used side by side, and all output their reports in the CVE language, which ultimately promotes healthy competition among scanner vendors. This is the SCAP security automation program. Once a unified language is defined, FISMA 2.0 can achieve near-real-time risk management. One of the four capabilities of the U.S. CAESARS situation awareness model is the ad-hoc capability: the risk status and situation awareness of lower levels can be quickly passed up to higher levels. As a result, CISA (the Cybersecurity and Infrastructure Security Agency) can see the risk status of each unit and compare them side by side. What does all this depend on? On a "common script" for cybersecurity! At the threat management level it currently relies mainly on STIX and TAXII, that is, mostly on defense against known IOCs (IP addresses, domain names, mailboxes, file MD5 hashes). From the ATT&CK perspective, the hope is to defend against more unknown APTs on the basis of behavior.

After all, the core of the C4ISR system on the battlefield is also language: a team's situation awareness must be quickly uploaded to, and pushed back out by, the superior ad-hoc situation awareness platform.

As defined in JP 1-02, the DoD Dictionary of Military and Associated Terms:

Tactics: the coordinated employment and ordered arrangement of forces.

Techniques: non-prescriptive ways or methods used to perform combat operations, functions, or tasks.

Procedures: standard, detailed steps that prescribe how to perform a specific task.

In ATT&CK:

Tactics: the adversary's short-term tactical objectives during an attack (each column);

Techniques: the means by which the adversary achieves a tactical objective (each cell);

Procedures: recorded usage of techniques and other metadata by the adversary (linked to techniques).

The concept of TTP comes from the military. One of the five missions of U.S. military ranges is TTP development, and the cyber range is likewise built around TTPs. CyGraph uses a layered graph structure with four layers of graph data: network infrastructure, security posture, cyber threats, and mission dependencies. As you may know, layered graphs are themselves a hard problem. In this way we can see the battlefield map, the map of friendly and enemy situation, the map of tactical dependencies, and the map of cyber threats.

Situation reasoning is needed in situation awareness research, but establishing a reasoning route is very difficult. After reading MITRE's material I found that they test and verify in the cyber range (Fort Meade FMX), first studying the attack and then the defense, and even the open-source Red Canary Atomic Red Team built around MITRE's framework (a small, highly portable collection of tests mapped to the corresponding techniques in ATT&CK) follows this approach: the tests can be used to verify detection and response techniques and processes.
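The tactic / technique / procedure model defined above, together with the idea of verifying coverage with ATT&CK-mapped tests, as an added example (not MITRE's code or data format, and not from Atomic Red Team): procedures recorded for an adversary group are validated against the technique dictionary, then laid out per tactic column and split into techniques that a test exercises and techniques that nobody has a test for. The tactic and technique IDs are real ATT&CK identifiers; the group "GROUP-X", its procedures and the tested set are constructed.

```python
"""Tactic / technique / procedure model with a coverage check against tests
(added example; the group, its procedures and the tested set are constructed)."""
from collections import namedtuple

# Tactics are the columns of the matrix; techniques are the cells under them.
TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution", "TA0006": "Credential Access"}
TECHNIQUES = {  # technique ID -> (name, tactics it appears under)
    "T1566": ("Phishing", {"TA0001"}),
    "T1059": ("Command and Scripting Interpreter", {"TA0002"}),
    "T1003": ("OS Credential Dumping", {"TA0006"}),
}

# A procedure records one observed use of a technique by an adversary group.
Procedure = namedtuple("Procedure", "group technique description")
PROCEDURES = [  # constructed observations of a constructed group
    Procedure("GROUP-X", "T1566", "spearphishing attachment delivered"),
    Procedure("GROUP-X", "T1059", "script launched from the attachment"),
    Procedure("GROUP-X", "T1003", "credentials dumped from memory"),
]
# Techniques for which a detection test already exists (constructed subset).
TESTED = {"T1566", "T1059"}

def unknown_techniques(procedures):
    """Procedures whose technique ID is outside the dictionary cannot be shared."""
    return [p for p in procedures if p.technique not in TECHNIQUES]

def coverage(procedures, tested):
    """Per tactic column: techniques the group uses, split into tested / untested."""
    report = {ta: {"tested": [], "untested": []} for ta in TACTICS}
    used = sorted({p.technique for p in procedures} & set(TECHNIQUES))
    for tech in used:
        for ta in TECHNIQUES[tech][1]:
            report[ta]["tested" if tech in tested else "untested"].append(tech)
    return report

def gaps(procedures, tested):
    """Techniques the adversary is known to use that no test exercises."""
    return sorted(t for col in coverage(procedures, tested).values()
                  for t in col["untested"])
```

Running `gaps(PROCEDURES, TESTED)` points the defense team at the technique to write the next test for.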

Imagine a VR system in which, based on the battlefield map (network topology) and security posture (knowing that a node has vulnerabilities), the commander selects the appropriate tactical TTP (attack A, then B, then C), then selects the corresponding weapons (techniques, such as 0day and Trojan assemblies, or various PoC weapons) and procedures from the mission dependencies, and then tasks each team with one click. The commander then evaluates the effect from battlefield situation awareness to decide whether a second strike is needed. Displaying all of this in a VR headset requires language, knowledge and a graph.

ODNI's Cyber Both framework and ATT&CK both attempt NLP work: using the dictionary already built, they actively search for knowledge in massive heterogeneous data and then store it structurally in a graph to form a huge case database. On the ATT&CK side, they have also done hard manual work, building the ontology and the dictionary and then standardizing everyone's language to improve the efficiency of knowledge fusion. At present information on 95 APT groups has been converted into results and stored, supporting the U.S. government in announcing sanctions against APTs in the Federal Register.

"Our mission is to create new ways and technologies to stop, detect, disrupt and deceive adversaries who attack U.S. networks and information," MITRE says. "We are building reliable and resilient systems and enabling flexible command and control of cyberspace operations." Without anyone quite noticing, the NSA and MITRE have built a large network. The U.S. military is promoting joint operations, TAXII interconnection, STIX interoperability and OpenC2 interoperability.

In China there is the CIEM China national information exchange model led by CETC. Academician Fang Binxing and Professor Jia Yan have done much to promote cyber ranges under real-combat conditions, and the CNNVD national information security vulnerability database has done much to accumulate knowledge, but these still lack integration; in particular there is no modeling dictionary for a threat description language. How to guide defense in the range from a real-combat perspective remains an important research direction. The goal of Lvmeng's (NSFOCUS's) exploration of ranges, knowledge graphs and a threat meta-language is to better promote the interconnection and interoperability of Lvmeng equipment and to better conduct APT protection.

After the Gulf War, the U.S. Air Force carried out air strikes as if playing an air-combat game, and future cyber warfare will likewise be a scene in which attackers attack and defenders defend as if playing a game. The sophistication of weapons and equipment and the intelligence of the command system become very important. CVE and ATT&CK are good weapons for helping to win cyber warfare.

