Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Arrow up icon
GO TO TOP
Mastering Malware Analysis

You're reading from   Mastering Malware Analysis A malware analyst's practical guide to combating malicious software, APT, cybercrime, and IoT attacks

Arrow left icon
Product type Paperback
Published in Sep 2022
Publisher Packt
ISBN-13 9781803240244
Length 572 pages
Edition 2nd Edition
Arrow right icon
Authors (2):
Arrow left icon
Amr Thabet Amr Thabet
Author Profile Icon Amr Thabet
Amr Thabet
Alexey Kleymenov Alexey Kleymenov
Author Profile Icon Alexey Kleymenov
Alexey Kleymenov
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Part 1 Fundamental Theory
2. Chapter 1: Cybercrime, APT Attacks, and Research Strategies FREE CHAPTER 3. Chapter 2: A Crash Course in Assembly and Programming Basics 4. Part 2 Diving Deep into Windows Malware
5. Chapter 3: Basic Static and Dynamic Analysis for x86/x64 6. Chapter 4: Unpacking, Decryption, and Deobfuscation 7. Chapter 5: Inspecting Process Injection and API Hooking 8. Chapter 6: Bypassing Anti-Reverse Engineering Techniques 9. Chapter 7: Understanding Kernel-Mode Rootkits 10. Part 3 Examining Cross-Platform and Bytecode-Based Malware
11. Chapter 8: Handling Exploits and Shellcode 12. Chapter 9: Reversing Bytecode Languages – .NET, Java, and More 13. Chapter 10: Scripts and Macros – Reversing, Deobfuscation, and Debugging 14. Part 4 Looking into IoT and Other Platforms
15. Chapter 11: Dissecting Linux and IoT Malware 16. Chapter 12: Introduction to macOS and iOS Threats 17. Chapter 13: Analyzing Android Malware Samples 18. Index 19. Other Books You May Enjoy

The MITRE ATT&CK framework explained

As we have mentioned before, different cybersecurity vendors commonly give different names to hacker groups and malware families. Therefore, knowledge exchange becomes more complicated, eventually affecting the performance of the community. The MITRE ATT&CK framework was created to address this and other similar issues and let security experts speak the same language. This is a vendor-agnostic global knowledge base on various attack techniques grouped into tactics, which also provides examples of the attackers and malware utilizing them, giving the tactics widely accepted names.

Basic terminology

Here are some of the most important terms used in this field:

  • Tactic: Represents a high-level goal of the attacker, a reason why the corresponding action is performed
  • Technique: The practical way in which the defined high-level goal is achieved
  • Sub-technique: A more detailed and granular description of how exactly a certain action is conducted
  • Procedure: An actual implementation of the technique/sub-technique
  • TTPs: Stands for tactics, techniques, and procedures: a summary of the methods used by attackers with an explanation of what is achieved by utilizing them
  • Group: Represents a set of related adversarial activities likely to be performed by a single entity known under this name
  • Mitigation: Technology and concepts that are used to circumvent or prevent an attack
  • Software: Code that can be used to conduct adversary actions, combining both publicly available tools and malware
  • Matrix: A combination of TTPs related to a particular industry secto

There are several matrices within the framework for the enterprise, Industrial Control Systems (ICSs), and mobile sectors. The most commonly used one is the Enterprise Matrix, so let’s talk about it in greater detail.

Enterprise Matrix

At present, the Enterprise framework defines the following tactics:

  • Reconnaissance: This stage involves collecting relevant information about the victim to perform a successful attack, for example, about some organization’s infrastructure and personnel.
  • Resource development: Here, attackers establish all the required dependencies based on the collected information. This can be achieved by various means: buying/renting, creating, or stealing the prerequisites (for example, hosting or software).
  • Initial access: At this stage, attackers attempt to establish the first foothold within the victim’s environment. One of the most common examples of this tactic is sending spear-phishing messages (mainly emails).
  • Execution: Here, attackers execute code of any kind within the victim’s environment to achieve their goals.
  • Persistence: Includes everything attackers do to maintain their presence within the compromised environment. Common examples include adding malicious code to autorun or adding SSH keys to the list of authorized entries.
  • Privilege escalation: As the initial access is in many cases achieved by compromising low-access accounts, here, attackers attempt to gain higher-level permissions to have more control over the affected environment.
  • Defense evasion: The main goal of the attackers here is to avoid being detected until their objective is achieved. Examples include obfuscating malicious code or marking related files as hidden.
  • Credential access: This tactic involves stealing credentials to misuse them later. Some of the most common techniques here involve dumping saved credentials and intercepting them, for example, by logging pressed keys.
  • Discovery: Here, attackers collect information on the internals of the victim’s environment, starting with the network and the local systems. This information is generally used to facilitate other tactics, such as lateral movement.
  • Lateral movement: At this stage, attackers propagate upward to other machines until the systems of interest are reached.
  • Collection: Involves collecting various information of interest from the affected systems. Common examples include stealing proprietary source code and documents.
  • Command and control: This tactic covers the various ways attackers may remotely communicate with compromised systems.
  • Exfiltration: Techniques that attackers may utilize to actually move sensitive information out of the compromised environment.
  • Impact: Finally, this tactic describes other ways attackers may have a negative impact on compromised systems. Common examples include the manipulation, interruption, or destruction of critical systems and data.
Figure 1.1 – Web representation of the MITRE ATT&CK’s Enterprise Matrix

Figure 1.1 – Web representation of the MITRE ATT&CK’s Enterprise Matrix

It is worth mentioning that the framework is not static and constantly evolves, incorporating users’ feedback and addressing the new challenges the industry faces. Each version of the framework is shipped with a Structured Threat Information Expression (STIX) representation of itself: https://github.com/mitre-attack/attack-stix-data. It allows efficient integration with various software products and makes it possible to combine stability and efficiently oversee any changes introduced. STIX is a versatile format that is also commonly used by the cybersecurity community to exchange IoCs, where version 1 is XML-based and version 2 is JSON-based.

You have been reading a chapter from
Mastering Malware Analysis - Second Edition
Published in: Sep 2022
Publisher: Packt
ISBN-13: 9781803240244
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image