Mapping ATT&CK TTPs from CTI reports
In the identification stage of responding to a security incident, obtaining enough information about IoCs and IoAs is crucial.
One of the main challenges of mapping CTI to ATT&CK is the approach used to create reports. When analysts document information about an attack or campaign, they focus more on providing technical details regarding the attack and IoCs, but the ATT&CK framework is based more on behaviors or IoAs.
So, let's learn how to identify behaviors from a TI report to map it to ATT&CK TTPs.
Case study – a weaponized document
It is 3 A.M., and you get a call from an important manufacturing company in South Korea. The cybersecurity department reports that there has been suspicious behavior within their corporate network. The security operations center (SOC) team identified and blocked a connection from the production area manager's computer, PROD-SK07, to the mail[.]namusoft[.]kr domain.
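To make the IoC-versus-behavior distinction from the section above concrete, here is an added Python example (not code from the book or from the case study's own tooling). It takes a short report excerpt, pulls out the atomic IoCs (defanged domains and host names), and separately maps the behaviors the report describes to ATT&CK technique IDs. The excerpt is constructed for the case study: the host PROD-SK07 and the domain mail[.]namusoft[.]kr come from the text, while the delivery and execution details are invented. The keyword rules are an illustrative assumption (a real mapping tool needs a much richer rule set); the technique IDs themselves are real Enterprise ATT&CK identifiers.

```python
import re

# Constructed report excerpt for the case study. PROD-SK07 and
# mail[.]namusoft[.]kr are from the text; the rest is invented.
REPORT = """
The production area manager at a South Korean manufacturing company received an
email with a Word document attached. When the user opened the document, an embedded
macro executed and launched PowerShell, which then contacted mail[.]namusoft[.]kr
over HTTPS from the host PROD-SK07. The SOC blocked the connection.
"""

# Assumed behavior-to-technique rules: (regex trigger, technique ID, technique name).
# The IDs are real ATT&CK Enterprise identifiers; the triggers are our own.
BEHAVIOR_RULES = [
    (r"email .*attach", "T1566.001", "Phishing: Spearphishing Attachment"),
    (r"user opened|opened the document", "T1204.002", "User Execution: Malicious File"),
    (r"\bmacro\b", "T1059.005", "Command and Scripting Interpreter: Visual Basic"),
    (r"powershell", "T1059.001", "Command and Scripting Interpreter: PowerShell"),
    (r"over https?\b", "T1071.001", "Application Layer Protocol: Web Protocols"),
]

# Defanged domain such as mail[.]namusoft[.]kr, and hostnames like PROD-SK07.
DEFANGED_DOMAIN = re.compile(r"\b[\w-]+(?:\[\.\][\w-]+)+")
HOSTNAME = re.compile(r"\b[A-Z]{2,}-[A-Z0-9]+\b")


def refang(domain: str) -> str:
    """Turn the report's defanged form back into a usable indicator."""
    return domain.replace("[.]", ".")


def split_sentences(text: str) -> list[str]:
    """Collapse line wrapping, then split on sentence terminators."""
    flat = " ".join(text.split())
    return [s for s in re.split(r"(?<=[.!?])\s+", flat) if s]


def extract_iocs(text: str) -> dict[str, list[str]]:
    """IoCs: atomic values an analyst would block or hunt for, not behaviors."""
    return {
        "domains": [refang(d) for d in DEFANGED_DOMAIN.findall(text)],
        "hosts": HOSTNAME.findall(text),
    }


def map_behaviors(text: str) -> list[tuple[str, str, str]]:
    """IoAs: each sentence is checked against the behavior rules; a technique is
    reported once, together with the first sentence that supports it."""
    found: dict[str, tuple[str, str, str]] = {}
    for sentence in split_sentences(text):
        for pattern, tid, name in BEHAVIOR_RULES:
            if tid not in found and re.search(pattern, sentence, re.IGNORECASE):
                found[tid] = (tid, name, sentence)
    return list(found.values())


def analyze(text: str) -> dict:
    """Combine both views so the IoC list and the ATT&CK mapping stay separate."""
    return {"iocs": extract_iocs(text), "techniques": map_behaviors(text)}


if __name__ == "__main__":
    result = analyze(REPORT)
    print("IoCs:", result["iocs"])
    for tid, name, evidence in result["techniques"]:
        print(f"{tid} {name}\n    evidence: {evidence}")
```

The point of keeping the two outputs apart is that only the second one feeds the ATT&CK mapping: the domain and host name are useful for blocking and hunting, but the techniques are what let you compare this incident with a threat actor's known behavior.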