Using MITRE ATT&CK Against Ransomware

The document discusses ransomware, including what it is, examples of ransomware attacks, and factors that have contributed to its success. It focuses on how code sharing and reuse, ransomware-as-a-service models, initial access brokers, cryptocurrency, and other techniques have enabled ransomware criminals to efficiently develop and distribute ransomware.

Uploaded by Luis Rojas

Countering Ransomware with MITRE ATT&CK
Student Guide

Revision 2022.05.31
Table of Contents
Introduction 4
Why Focus on Ransomware? 5
  What is Ransomware? 5
  The First Reported Ransomware 5
  Ransomware Examples 5
  Industry Reports 6
  To Pay, or Not to Pay? 6
Why Ransomware is so Successful 7
  Code Sharing and Reuse 7
  Ransomware-as-a-Service 8
  Initial Access Brokers 8
  Cryptocurrency 8
  Double Extortion 9
  Wipers 9
  Re-infection 9
  Additional Factors 10
  Precursory Vs Payload TTPs 11
  Human Operated Ransomware 11
  Learning more about Precursory TTPs 12
  FIN6 Threat Group TTPs 12
  Ryuk Ransomware TTPs 12
  FIN6 & Ryuk TTPs 12
  Conti Playbook Leak (2021) 13
Preparing for Ransomware 14
  Assume Breach 14
  Threat Modeling 15
  Understanding your Attack Surface 15
  Tabletop Exercises 16
  Ransomware Readiness 17
  Leveraging your Technologies 18
  Leveraging your People 18
  Leveraging your Processes 19
  Threat-informed Defense 20
  Purple Teaming 21
Using MITRE ATT&CK to Counter Ransomware 22
  MITRE ATT&CK Recap 22
  ATT&CK for Defenders 22
  Example 23
  Pre-Security Optimization 23
  Continuous Security Validation through Security Optimization 24
  Approaches to Emulation 25
  Planning and Considerations 26
  Methods of Testing: Atomic 26
  Methods of Testing: Anatomic 27
  Methods of Testing: PCAP Replay 27
  FIN6 Attack Flow 27
  Prevention 27
  Detection 28
  Reviewing and Reporting on Results and Findings 28
Closing Comments 29
  Native Cloud Security Controls 29
  Next Steps 29

Introduction
This guide will introduce you to the practical application of MITRE ATT&CK, and how you can
leverage it to counter and combat ransomware. This course will be delivered through a series of
lectures, learning activities, and labs, to enable you to put into practice what you learn as you
progress through this course. Upon completion of this course, you will be able to:

● Describe ransomware and the challenges it poses today


● Understand what a typical ransomware attack chain looks like
● Recognize how to prepare for ransomware
● Understand how MITRE ATT&CK plays an integral part in threat emulation
● Understand how to proactively emulate ransomware TTPs using a security optimization
  platform such as AttackIQ

Why Focus on Ransomware?

What is Ransomware?
In its simplest form, ransomware is a form of malicious software (malware) that infects a system
until a ransom is paid. There are other features and layers of ransomware which will be discussed
later in this module.

The First Reported Ransomware


Starting with a quick fun fact, one of the earliest reported ransomware examples was
discovered back in 1989. A biologist by the name of Dr. Joseph Popp attended an in-person AIDS
conference and deliberately left large numbers of floppy disks containing the ransomware around
the conference. Once an unsuspecting victim had loaded the floppy disk on their computer, and the
computer had then booted 90 times since the disk was first loaded, the files on the computer were
encrypted by the ransomware. The ransom note demanded that $189 be sent to an address in
Panama. This became known as the AIDS trojan, but is also known as the PC Cyborg trojan.

Ref: [Link]

Ransomware Examples
It’s no secret that ransomware has been a growing concern in recent years. Examples range from
CryptoLocker, which infected thousands of devices between 2013 and 2014, to WannaCry in 2017,
which crippled numerous companies around the world through fast, worm-like propagation using
the NSA exploits leaked by the Shadow Brokers group. REvil ransomware is known for executing
large-scale attacks on companies such as Travelex and Kaseya. And finally, DarkSide was
responsible for impacting the Colonial Pipeline last year. Every week that passes, more
ransomware discoveries are made and more ransomware intrusions are reported. These
high-profile attacks have given ransomware center stage as one of the most prolific classes of
malware in recent times.

Industry Reports
There is certainly no shortage of industry reports and publications covering ransomware. In the
2021 Verizon Data Breach Investigations Report (DBIR), ransomware appeared in 10% of breaches,
which was more than double the frequency from the previous year.

Ref: [Link]

The Sophos 2021 State of Ransomware report shows that ransomware doesn’t discriminate by
industry sector or vertical. While retail and education were the most targeted sectors among the
5,400 survey respondents, we have also observed during the pandemic that the medical science,
research, and healthcare sectors are sadly not exempt from ransomware-related attacks either.

Ref: [Link]-[Link]

In the CoveWare quarterly report for Q4, published in February 2022, the average ransom amount
rose by 130% from the previous quarter to $322,168.

Ref: [Link]o-refine-tactics-in-q4-2021

To Pay, or Not to Pay?


So what should you do if you get hit by a ransomware attack? The FBI actually advises against
paying a ransom demand, although it’s often reported that companies do in fact pay the ransom,
particularly when there is no quick way to restore services. Only last year we heard that
Colonial Pipeline paid $5 million in ransom money in order to restore the pipeline, due to the huge
amount of disruption the attack had caused within a very short space of time along the East Coast
of America.

Ref: [Link]

Why Ransomware is so Successful
Ransomware has become so successful in recent years primarily due to the fact that cyber
criminals quickly realized that ransomware is an extremely lucrative and profitable way of netting
large sums of money. As an example, WannaCry featured the EternalBlue and DoublePulsar SMB-based
Windows exploits which enabled it to rapidly self-propagate and spread to other vulnerable
machines on the network, causing rapid and widespread infection rates around the world.
Crippling a system by encrypting the data, and sometimes even exfiltrating that data, has enabled
ransomware to become the weapon of choice for many cyber criminals looking for short or long
term profits.

Ref: [Link]

Code Sharing and Reuse


Code sharing and reuse happen across the tech industry all the time. It enables software
developers and engineers to essentially copy, paste and modify code, rather than writing an
application from scratch. Unfortunately, malware is no exception. Malicious code and software are
often found on popular code repositories such as GitHub. So rather than reinventing the wheel,
code sharing has made it easier for criminals to get started, either by developing their own
projects or by using code from leaked projects. Offensive security tools (OSTs) are often created
by legitimate companies and researchers to highlight a particular technique or vulnerability. Sadly,
OSTs often become further weaponized through customization for malicious purposes. Intezer
released some great research and a tool to visualize how (for example) a custom Mimikatz library
relates to its usage by multiple APT groups.

Ref: [Link]

Ransomware-as-a-Service
Ransomware-as-a-Service (RaaS) has seen a gradual increase in recent years, which has enabled
affiliates to join an existing RaaS scheme or be recruited through underground hacking forums.
The ransomware developers who possess the skill, knowledge, and tradecraft, can offer up these
paid-for services through advertising and recruitment posts. Regardless of the skill level, an
affiliate can essentially begin their own ransomware campaign, and depending on their level of
access, can have access to certain functionality. For example, access to a payment and chat portal
in order to interact with the ransomware victim, or portals to track how many hosts they have
infected, along with details about those hosts, and so on. The RaaS developers typically will take
either a percentage of the profit from the affiliate, or charge a monthly subscription service,
offering different payment tier levels depending on the desired level of functionality.

Ref: [Link]

Initial Access Brokers


Often for a very low fee, administrator-level access can be purchased from an initial access broker
and used as a direct entry point into an organization. These are typically marketplaces advertising
access via various protocols and credentials. Remote Desktop Protocol (RDP), a commonly used
method for accessing a remote host or server through a graphical user interface (GUI) in a
corporate environment, is often exposed and subsequently compromised when left unsecured. The
access is either used directly or sold through such marketplaces. Similarly, other remote access
protocols such as Secure Shell (SSH) and Telnet are also advertised, providing access to physical
or virtual hosts in both on-premises and cloud-hosted environments.

Cryptocurrency
It wasn’t that long ago that ransomware operators would use actual bank accounts to receive
and withdraw ransom payments. With the rise of cryptocurrency and the wide array of different
coins and protocols now available, criminals can now transact anonymously, creating a huge
challenge for law enforcement and investigators. Crypto mixers and tumblers, which effectively
pool together funds from multiple inputs for a certain period of time, make tracing the money back
to the criminals harder still.

Double Extortion
Double extortion has only been around for a few years. Prior to double extortion, a paying
ransomware victim could hope to stay out of the media spotlight. After double extortion was
introduced, victims were now under additional pressure due to the threat of having their data
leaked into the public domain. This adds additional fear and pressure on the victim in terms of not
only reporting the incident but also deciding whether or not to pay the ransom demand. With
double extortion added as a new layer by a growing number of ransomware groups, this tactic
has a higher chance of causing reputational damage in the event that sensitive information gets
posted publicly.

Ref: [Link]es-if-not-paid/

Wipers
Some malware appears and acts like ransomware on the surface, yet under the hood actually
triggers what is known as a (disk) wiper. Rather than targeting a company for financial gain,
wipers are typically used by nation-states to destroy data and cause disruption. One recent
example, referred to by Microsoft as WhisperGate, was discovered targeting organizations in
Ukraine.

Ref: [Link]

Re-infection
Contrary to popular belief, becoming a victim once unfortunately doesn’t exclude you from
becoming a victim again in the future. In an article written by the National Cyber Security Center
(NCSC), one such example highlights the need to secure the environment post-compromise so as
to avoid the attacker breaking back into the same environment. Not doing so will likely result in
the attacker reinfecting and effectively doubling their money, or they might opt to sell on access
to a different ransomware group.

Ref: [Link]

Additional Factors
Ransomware often entrenches itself in the target operating system by performing actions such as
privilege escalation, process injection, and persistence, before detonating the final payload.
Ransomware is able to enumerate the target host and adjacent networks, as well as locally
installed applications and security tools, which are often killed in an attempt to interfere with any
prevention or detection capabilities. There are also other advanced techniques used not only in
the ransomware payload but also as part of the precursory events that lead up to the eventual
payload. This includes Living-off-the-Land binaries (LOLBins), which ship by default with all major
operating systems as well as many commercial and open source applications. LOLBins enable
actors to remain hidden by blending their activities in with business-as-usual activity, making it
much harder for defenders to detect and/or respond to an intrusion. Examples of other advanced
techniques are the use of timing attacks, anti-debugger detection, control flow flattening, dynamic
loading of APIs, signed binaries, encryption, and obfuscation. These advanced techniques add to
the time it takes to analyze malicious samples in order to extract indicators of compromise (IOCs)
and tactics, techniques, and procedures (TTPs), and also help the malware bypass security
controls such as antivirus engines and other signature-based detection tools. One final point is
that the pandemic has changed how many organizations operate. With a global shift to remote
working and an increase in cloud adoption, attackers will likely continue to adapt and look for
weaknesses.
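
Blending in is not the same as being invisible: the binary is legitimate, but the context it runs in usually is not. As an added example (my own, not from the guide), here is a small Python triage routine that runs over constructed process-creation events in a Sysmon-like JSON shape and flags known LOLBins only when the context is unusual, such as an Office application as the parent process or download/decode style arguments. The binary list, the argument patterns, the field names and the sample events are all illustrative assumptions, not a complete ruleset or real telemetry.

```python
import json
import re

# Binaries that ship with Windows and are commonly abused as LOLBins (illustrative subset).
LOLBINS = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "bitsadmin.exe", "wmic.exe", "msiexec.exe",
}

# Parent processes that have no business spawning these binaries directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Argument patterns that turn a routine admin tool into a download, decode or
# script-execution primitive. Patterns are illustrative, not exhaustive.
SUSPICIOUS_ARGS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "bitsadmin.exe": re.compile(r"/transfer", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.I),
    "rundll32.exe": re.compile(r"javascript:|\\users\\|\\temp\\", re.I),
}

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -verify cert.cer"},
    {"host": "ws02", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -f http://example.invalid/a.txt a.txt"},
    {"host": "srv01", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws03", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/x.hta"},
    {"host": "srv02", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return an alert dict for a LOLBin launched in suspicious context, else None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    if image not in LOLBINS:
        return None
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    pattern = SUSPICIOUS_ARGS.get(image)
    if pattern and pattern.search(event["command_line"]):
        reasons.append("download/decode/script arguments")
    if not reasons:
        return None  # routine use of the binary stays below the noise floor
    return {"host": event["host"], "image": image, "parent": parent,
            "reasons": reasons, "command_line": event["command_line"]}


def run(events):
    """Triage a list of events and return the alerts in input order."""
    return [alert for alert in map(triage, events) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only two of the five constructed events produce an alert: the certutil launched by Word (two reasons) and the mshta fetching a remote file; the certificate check, the Control Panel applet and the WMI query are routine uses of the same binaries and stay silent. The point for a defender is that parent-child relationships and argument shape carry the signal, not the presence of the binary.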

Precursory Vs Payload TTPs
Ransomware is often blended together with droppers, downloaders, launchers, and other malware.
Depending on the complexity of how the ransomware is delivered, we typically refer to this in
stages, for example 1st stage, 2nd stage, and so on. Like so many attacks and intrusions,
ransomware often starts out with a phishing email. This could contain a malicious link to a fake
login page, or an attachment with an enticing or urgent title, in order to socially engineer the
unsuspecting user and gain initial access. A ransomware group could also start their attack with
stolen credentials, using exposed services such as RDP or SSH. They might even gain access via a
vulnerability in a device on the perimeter network such as a VPN server, which enables them to
pivot further and move laterally within the environment. Referencing MITRE ATT&CK, ransomware
attacks generally move from left to right along the tactics as shown in the matrix. An attack may
not necessarily leverage every tactic, and not always in a structured order. As an example, once a
host is compromised, that host will likely be used to repeat some of the same tactics and
techniques as access is gained to additional hosts.

Human Operated Ransomware


While some ransomware is designed to run without any interaction, in the last couple of years,
human-operated ransomware has also become more common. Microsoft released a blog post
that showed us how different ransomware groups utilize different adversary behaviors, tactics, and
TTPs, in order to reach the final stage of the attack, and how each group delivers and deploys their
ransomware through some level of human interaction. While each campaign may use different
IOCs such as C2 infrastructure, file hashes, or specific file and registry locations in order to get the
final payload delivered, the underlying precursory tactics, techniques, and procedures used in the
overall attack flow are often quite similar. These precursory events, prior to the ransomware being
detonated, are critical to understanding which security controls the attackers may bypass in order
to reach their end goal. This documenting and mapping of real adversary behaviors is a great leap
forward in helping to understand and visualize threats using MITRE ATT&CK.

Ref: [Link]thcare-critical-services-heres-how-to-reduce-risk/

Learning more about Precursory TTPs
The DFIR Report, a website known for consistently posting fascinating write-ups based on
real-world intrusions, lists many examples of ransomware intrusions. Often there are similarities
observed in terms of the precursory events and TTPs used by the various groups, prior to their
ransomware payload being deployed.

Ref: [Link]

FIN6 Threat Group TTPs


To further highlight this, we can use the freely and publicly available ATT&CK Navigator tool from
MITRE, to visualize the TTPs used by the financially-motivated FIN6 threat group.

Ref: [Link]

Ryuk Ransomware TTPs


In some instances, the FIN6 threat group has been known to deploy Ryuk ransomware. We can
separately load the Ryuk payload-specific TTPs into a new tab or layer using the ATT&CK Navigator.

Ref: [Link]

FIN6 & Ryuk TTPs


Overlaying FIN6 and Ryuk together into a single view, we can start to visualize the precursory TTPs
of FIN6, the Ryuk payload-specific TTPs, as well as many other TTPs, shared amongst them.

Ref: [Link]
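
The same overlay can be produced outside the Navigator UI, which is useful when you want to regenerate it every time a group or software mapping changes. The following added Python example (my own, not the guide's and not MITRE's) takes two technique lists, sorts the IDs into precursory-only, payload-only and shared buckets, and writes a Navigator layer file that can be opened through the Navigator's "Open Existing Layer" option. The two technique sets are constructed samples for illustration, not the authoritative FIN6 or Ryuk mappings, which should be exported from ATT&CK itself; the layer version fields are the values I assume for a Navigator 4.5.x layer.

```python
import json

# Constructed sample technique sets for illustration. They are NOT the
# authoritative FIN6 or Ryuk mappings; export those from ATT&CK itself.
FIN6_TTPS = {
    "T1566.001",  # Phishing: Spearphishing Attachment
    "T1078",      # Valid Accounts
    "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "T1003.001",  # OS Credential Dumping: LSASS Memory
    "T1021.001",  # Remote Services: Remote Desktop Protocol
    "T1047",      # Windows Management Instrumentation
    "T1041",      # Exfiltration Over C2 Channel
}
RYUK_TTPS = {
    "T1486",      # Data Encrypted for Impact
    "T1490",      # Inhibit System Recovery
    "T1489",      # Service Stop
    "T1047",      # Windows Management Instrumentation
    "T1021.002",  # Remote Services: SMB/Windows Admin Shares
    "T1083",      # File and Directory Discovery
}

# One colour per bucket so the overlay is readable in the Navigator.
COLORS = {"precursor": "#4a90e2", "payload": "#e24a4a", "shared": "#9b59b6"}


def classify(precursor, payload):
    """Split two technique sets into precursor-only, payload-only and shared IDs."""
    return {
        "precursor": sorted(precursor - payload),
        "payload": sorted(payload - precursor),
        "shared": sorted(precursor & payload),
    }


def build_layer(name, precursor, payload, domain="enterprise-attack"):
    """Return a Navigator layer dict colouring each technique by its bucket."""
    techniques = []
    for bucket, ids in classify(precursor, payload).items():
        for tid in ids:
            techniques.append({
                "techniqueID": tid,
                "color": COLORS[bucket],
                "comment": bucket,
                "enabled": True,
            })
    return {
        "name": name,
        # Version fields as used by Navigator 4.5.x layers (assumed values).
        "versions": {"attack": "10", "navigator": "4.5.5", "layer": "4.3"},
        "domain": domain,
        "description": "Precursor vs payload TTP overlay",
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()],
        "techniques": techniques,
    }


if __name__ == "__main__":
    layer = build_layer("FIN6 precursors + Ryuk payload (sample)", FIN6_TTPS, RYUK_TTPS)
    with open("fin6_ryuk_overlay.json", "w") as fh:
        json.dump(layer, fh, indent=2)
    print(classify(FIN6_TTPS, RYUK_TTPS))
```

With the sample sets, only Windows Management Instrumentation lands in the shared bucket, which is exactly the kind of technique worth testing first: a control that catches it covers both the precursory and the payload stage of this particular chain.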

Conti Playbook Leak (2021)
Last year, a disgruntled Conti ransomware group affiliate decided to leak the Conti attacker's
playbook on a well-known hacking forum. This leaked playbook offers a rare insight into one of the
most active and successful ransomware groups to have operated in the last couple of years. There
are some great resources online which unpack the playbook and TTPs used by Conti, so I highly
encourage you to check them out. Note that I am only referencing the leaked playbook from last
year, not to be mistaken for the more recent chat log leaks posted in 2022.

Ref: [Link]attack-playbook/

Preparing for Ransomware

Assume Breach
By now it’s probably become fairly apparent that tackling ransomware is a big challenge, and the
damage and disruption it can cause can be devastating. With the ever-changing threat landscape
and the constant barrage of emerging threats, one of the first things you can do is to adopt the
principle of Assume Breach. The assume breach principle came from General Michael Hayden, a
former Director of the NSA and CIA, who stated: “Fundamentally, if somebody wants to get in,
they’re getting in…accept that. What we tell clients is number one, you’re in the fight, whether you
thought you were or not. Number two, you almost certainly are penetrated”.

Ref: [Link], [Link]. (2018). Cybersecurity - Attack and Defense Strategies. Packt Publishing

Rather than waiting and hoping for a breach not to happen, the assumed breach principle shifts
the focus in a way that gets you thinking that a breach will either inevitably occur, has already
occurred, or may already be underway within your organization. With mergers and acquisitions,
and organizations growing in size and complexity, the assumed breach principle can often be a
starting point to begin shifting the culture and mindset amongst your security teams, which is
often one of the more challenging and yet overlooked aspects within cybersecurity. Back in 2010
when MITRE first began their research, they adopted the assume breach mindset, and focused on
post-compromise detections of adversary behavior i.e. after they gained access to a system within
a network. The adoption of the assume breach principle subsequently led to the ever-useful and
expanding ATT&CK framework, that many of us now heavily depend on.

Ref: [Link]%[Link]

Threat Modeling
Threat modeling is the practice of understanding and modeling potential threats, and then
modeling what you want to protect from those threats. There are various types of threat modeling
frameworks such as:

● STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service,
  Elevation of Privileges)
● CVSS (Common Vulnerability Scoring System)
● PASTA (Process for Attack Simulation and Threat Analysis)
● ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

The one you’re more likely to be familiar with is the ATT&CK framework. ATT&CK is a knowledge
base containing a breakdown and classification mapping of offensively oriented actions. This
library effectively lays out the various tactics, techniques, sub-techniques, and procedures, with
objects and relationships that align to groups, software, data sources, detections, and more.

Ref: [Link]

Understanding your Attack Surface


One of the key components of threat modeling is understanding your attack surface. As systems,
software, and network environments grow ever more complex, it’s absolutely critical to
understand the environment you wish to defend and protect. A good starting point is to compile
an inventory of your assets such as servers, endpoints, and security controls. Understanding your
business structure, for example your departments, business units, regions, and locations, is also
incredibly useful in understanding data flow patterns. Crown jewel assets, such as business-critical
systems that are likely to be high-value targets and often store customer information or payment
details, should also be accounted for as well as regularly reviewed. Your organization may already
have topology maps and diagrams of your environment, but if not, you can build out your own
diagram using the Unified Modeling Language (UML) to represent your own environment. This
can include key assets such as crown jewels, security controls, zones, boundaries, data centers,
and so on. All of this can help in understanding data flows and patterns, as well as the different
access controls across different areas of the business. Having this knowledge will help you to start
looking at your estate through the eyes of a potential or current adversary.

Tabletop Exercises
Just like any other threat category, you can prepare for ransomware by assessing the potential
targets within your organization, and understanding data flows, key assets, and where the worst
damage and disruption might occur. You could plan to carry out a tabletop exercise where you
perform risk and impact analysis of a potential ransomware attack. For example, assume that
your Active Directory environment was compromised. What might the attacker do next? Where
might they pivot to next, and how might they evade detection? Is there even a security control
deployed that is capable of preventing and/or detecting such activity? Understanding a worst-case
scenario in the context of a ransomware intrusion will help you to start thinking about precursory
events, and how different tactics and techniques align to your security controls. If you imagine a
scenario whereby a critical customer database is encrypted by a ransomware infection, making
the data unavailable, think how an attacker might have reached that database in the first place.
How would they have moved laterally to reach the database server? How might they have
escalated privileges, and so on? Such exercises will assist with understanding which security
controls might be traversed or bypassed, as well as sparking constructive and relevant discussion
amongst your security teams.

Ransomware Readiness
Other cybersecurity programs can also be implemented in order to prepare for ransomware, as
well as other threats to the business. Educating your users through security awareness training
often helps to reduce social engineering attempts such as phishing emails. It encourages your
users to be more vigilant and more cautious when it comes to opening emails and attachments
from untrustworthy sources. A security champion scheme can also be created to focus on a
culture of proactiveness within your user community, and you could even gamify this and set up a
reward scheme to encourage your users to show an interest in the security of the business, by
reporting phishing emails or other potential security risks.

Ref: [Link]champions-program

Building, as well as regularly reviewing, an effective incident response plan is also fundamental to
your security practice, particularly in the context of ransomware. Reviewing roles and
responsibilities, service level agreements (SLAs), incident handling procedures, and data
restoration processes will make a ransomware intrusion much less stressful and painful. As an
extension to this, you may also want to ensure that you have plans in place for media interaction,
press releases, issuing public statements, and customer announcements, in the event that you are
hit with ransomware. All these practices will strengthen your overall security posture, and also
improve the time taken to respond to and deal with a ransomware outbreak.

Leveraging your Technologies
When you think about security controls, it’s important to really understand their function and
applicability to the various use cases they are set out to protect against. Ultimately a security
control is designed to prevent and/or detect certain activities, tactics, and techniques. Liaising
with subject matter experts (SMEs) or even with the vendor directly, will help to build knowledge
in understanding what each security control is expected to do. It’s not uncommon for
assumptions to be made regarding a particular security control. There is often a preconceived
notion or expectation that a given security control will prevent and/or detect a particular action,
yet the control may have never been designed to defend against that particular type of action. So
it’s a great idea to inventory your security controls within your environment. This can include full
product names, versions, installed modules, their capabilities, policies applied, which groups,
zones, or areas they’re protecting, as well as who has access to them.

Leveraging your People


Your security teams all play a key role in the overall cybersecurity mission, and everyone in those
teams has valid opinions, war stories, and a wealth of knowledge and information to share.
Understanding which team does what, the scope of their work, as well as their day-to-day
activities, may shine a light on potential gaps or weaknesses. One of the key things to consider
when it comes to people is that cybersecurity work is challenging, fast-paced, and endlessly
evolving. Sadly, burnout in our industry is not uncommon, so ensuring that your security teams
are taking breaks, as well as enabling opportunities to advance their career should not be
underestimated. An industry-wide problem is staff turnover and churn rates. With so many
vacancies out there, security professionals with only a minimal amount of experience generally
speaking have quite a lot of choices and options open to them. Security professionals are
accustomed to working in stressful and pressured environments. They are often passionate about
what they do, which is often a big reason why we all keep coming back for more. So my advice is,
don't take them for granted. Supporting them personally, as well as in their career, may likely
prolong their time spent at your company, and subsequently, strengthen the wider security teams
and ultimately the security of the underlying business. Remember, cybersecurity is a team sport.

Leveraging your Processes
Lastly, a word on processes. Processes are often underestimated, but without good processes,
chaos ensues in the form of miscommunication, unnecessary stress, and mistakes being made
which could potentially be avoided. Understanding the security pipeline within your organization,
for example from when an incident or alert is first triaged, how it is escalated, through to
remediation or mitigation, is crucially important. In many cases, there may be multiple security
products, tools, and dashboards used to collect, display, analyze, triage, and document incidents.
Whether you use TheHive, Jira, Cortex, or some other collaboration platform, it’s important to
understand how these tools fit into the broader picture and how they align with your business
processes. Some parts of your processes may be manual, and other parts may be performed
through automation such as API calls or scripts. Understanding the end-to-end flow of work is
important, and it’s a good idea to run regular feedback sessions so that your team can relay their
valuable observations and highlight things that are working well as well as not so well. This not
only benefits their day-to-day lives but also streamlines the overall security processes and their
effectiveness. There will always be times when processes in place cannot be followed, but good
processes will generally result in improved due diligence, and more effective use of everyone's
time, particularly during a ransomware-related incident.

Threat-informed Defense
Taken from MITRE’s website, “threat-informed defense applies a deep understanding of adversary
tradecraft and technology to protect against, detect, and mitigate cyber-attacks. It’s a
community-based approach to a worldwide challenge”.

Ref: [Link]

In other words, if you and your peers work together towards a common goal, you’re more likely to
succeed in fending off cyber-attacks. ATT&CK gives us a way to quantify and understand the threat
landscape by testing known adversary behaviors for threat detection and remediation, so we
should be using this knowledge in our day to day roles as well as within the wider community by
incorporating our people, processes, and technologies to help to make threat-informed decisions.
The purpose is to gain both an operational and strategic advantage over the adversary. Some of
the ways you can start to be more threat-informed are:

● Collecting, generating, and sharing cyber threat intelligence (CTI), for example on
  ransomware groups
● Determining the common TTPs those ransomware groups use
● Determining the common security controls within your environment
● Starting a more collaborative purple teaming approach that includes all security teams in
  the discussions

Purple Teaming
If you’ve gone to this effort, or you’re already partway through your own project of incorporating
some of the topics I’ve discussed so far, then there's a good chance you’ve already heard of the
concept of purple teaming. Purple teaming is really a way of putting into practice a
threat-informed defense. A purple team isn’t the creation of a new physical team, but rather an
organizational concept that includes members from both red and blue teams. Historically red and
blue teams are extremely focused on their own mission and objectives, i.e. offensive or defensive
security practices. Forming a purple team and having regular team meetings at every stage of
the security optimization life cycle will give a huge advantage at the operational and strategic
levels.

While purple teaming is more commonly seen as a mixture of both red and blue teams, there are
no limitations to this. You could in fact take this one step further by incorporating other teams
within these discussions. This is sometimes referred to as a fusion cell, a term that was used to
describe how the U.S. military, intelligence, and law enforcement combined their resources into a
unified network. A fusion cell in the context of purple teaming, could not only combine red and
blue team members but additionally, members from cyber threat intelligence (CTI), security
engineering, application security, DevSecOps, infrastructure and endpoint security, security
operations center (SOC), incident response (IR), IT Ops teams and so on. This enables other teams
within the business to weigh in and add their valuable viewpoints and concerns to the
discussions, from the perspective of triage, risk, governance, compliance, and so on.

Ref: [Link]

Using MITRE ATT&CK to Counter Ransomware

MITRE ATT&CK Recap

In the previous module we touched on the practice of threat modeling, and I mentioned ATT&CK. I
mentioned how ATT&CK came about through the practice of assume breach, and that it’s a
knowledge base containing hundreds of mappings in the form of objects aligned to tactics,
techniques, procedures, data sources, and so on. I also mentioned that an attack chain typically
starts with initial access and then moves left to right across the tactics of the matrix until the final
ransomware payload is delivered and executed. Historically, security vendors have incorporated
ATT&CK mappings into their toolsets, enabling security analysts to see which technique a
particular activity relates to, and public reports of known threats and intrusions often include TTP
mappings where the behavior was observed. While this is incredibly useful, I think the focus needs
to shift in order to favor and assist the defenders: considering the underlying security controls
within the environment is crucial to understanding how a given adversary behavior can be
prevented and/or detected.

ATT&CK for Defenders

With ATT&CK version 10, released in October 2021, the matrix includes data source and data
component objects. While ATT&CK is typically seen through the lens of an adversary, these data
source mappings, together with the existing mitigations, allow defenders to focus more
specifically on the security controls within their environment: a mitigation tells you which control
should prevent a technique, and a data component tells you which telemetry you need in order to
detect it.

Ref: [Link]

One thing to consider is that, for the most part, attackers don’t care about your security controls;
they are focused on their own objectives. IOCs change often and typically have a short shelf life,
whereas TTPs change far less frequently. This means that understanding the common TTPs used
by threat groups, and how those TTPs align to your security controls, forms a good starting point
for implementing your security controls more effectively.

Example
While it’s important to understand the adversary’s behaviors from an attacker’s perspective, it’s
even more important to understand how to digest that information as a defender. As an example,
the Access Token Manipulation (T1134) technique page includes defender-specific information
and metadata pertaining to mitigations and detections (the data components that expose it).
This is a huge step forward: it enables defenders to consider how the attack occurs and, at the
same time, the ways in which that particular technique can be prevented and/or detected, using
either native operating system controls or 3rd party security controls that protect the endpoint,
server, or network. This information is crucial when it comes to discussing remediation or
mitigation strategies, particularly if you are already running a purple team.
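The defender-side reading of ATT&CK described above (technique → mitigations → data components, compared against the telemetry you actually collect) is easy to automate from the ATT&CK STIX export, and doing so also covers the earlier checklist items of determining a group’s common TTPs and your common security controls. The following is an added example, not code from this course or from AttackIQ. The bundle is a hand-constructed fragment shaped like ATT&CK’s STIX 2.1 objects (attack-pattern, course-of-action, x-mitre-data-component and relationship), the STIX object IDs are placeholders, and the set of collected data components is an assumption; only the ATT&CK IDs and names are real.

```python
"""Defender-side view of ATT&CK: which mitigations and data components ATT&CK
lists for a set of techniques, and which detection telemetry we are missing.

Added example, not code from the course.  The bundle below is a hand-constructed
fragment shaped like the ATT&CK STIX 2.1 export; the STIX object IDs are placeholders.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed STIX-style bundle (a fragment, not the real knowledge base).
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--t1134",
         "name": "Access Token Manipulation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1134"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1486",
         "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}]},
        {"type": "course-of-action", "id": "course-of-action--m1026",
         "name": "Privileged Account Management",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1026"}]},
        {"type": "course-of-action", "id": "course-of-action--m1053",
         "name": "Data Backup",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1053"}]},
        {"type": "x-mitre-data-component", "id": "x-mitre-data-component--proc", "name": "Process Creation"},
        {"type": "x-mitre-data-component", "id": "x-mitre-data-component--api", "name": "OS API Execution"},
        {"type": "x-mitre-data-component", "id": "x-mitre-data-component--file", "name": "File Modification"},
        # Mitigation and detection edges, in the form ATT&CK expresses them.
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1026", "target_ref": "attack-pattern--t1134"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1053", "target_ref": "attack-pattern--t1486"},
        {"type": "relationship", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--proc", "target_ref": "attack-pattern--t1134"},
        {"type": "relationship", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--api", "target_ref": "attack-pattern--t1134"},
        {"type": "relationship", "relationship_type": "detects",
         "source_ref": "x-mitre-data-component--file", "target_ref": "attack-pattern--t1486"},
    ],
})


def attack_id(obj: dict) -> str:
    """Return the ATT&CK ID (T1134, M1026, ...) from a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return obj["id"]  # data components carry no ATT&CK ID in this fragment


def defender_view(bundle_json: str) -> Dict[str, dict]:
    """Map each technique ID to its name, its mitigations and the data components that detect it."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects if "id" in o}
    view = {attack_id(o): {"name": o["name"], "mitigations": [], "data_components": []}
            for o in objects if o["type"] == "attack-pattern"}
    for rel in (o for o in objects if o["type"] == "relationship"):
        src, tgt = by_id[rel["source_ref"]], by_id[rel["target_ref"]]
        entry = view.get(attack_id(tgt))
        if entry is None:
            continue  # relationship pointing outside this fragment
        if rel["relationship_type"] == "mitigates":
            entry["mitigations"].append(f'{attack_id(src)} {src["name"]}')
        elif rel["relationship_type"] == "detects":
            entry["data_components"].append(src["name"])
    for entry in view.values():
        entry["mitigations"].sort()
        entry["data_components"].sort()
    return view


def detection_gaps(view: Dict[str, dict], group_ttps: Iterable[str],
                   collected: Set[str]) -> Dict[str, List[str]]:
    """For each technique a threat group uses, list the ATT&CK data components that
    none of our log sources provide.  `collected` is the set of data component names
    the SIEM ingests (an assumption supplied by the caller, not discovered here)."""
    return {tid: sorted(set(view[tid]["data_components"]) - collected) for tid in group_ttps}


if __name__ == "__main__":
    view = defender_view(BUNDLE_JSON)
    collected = {"Process Creation", "File Modification"}  # constructed: our SIEM today
    for tid, gaps in detection_gaps(view, ["T1134", "T1486"], collected).items():
        print(tid, view[tid]["name"])
        print("  mitigations:      ", ", ".join(view[tid]["mitigations"]))
        print("  missing telemetry:", ", ".join(gaps) or "none")
```

Run against the real export the same code reports, for every technique in a group’s TTP list, which mitigations should already be in place and which detection telemetry the SOC is not yet collecting, which is exactly the control-centric list a purple team needs on the table.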

Pre-Security Optimization
Many organizations today leverage a red team and/or a penetration testing team on some type of
regular or semi-regular testing cadence. While these assessments are invaluable, both approaches
only offer a point-in-time snapshot of what is typically one very small area of the overall network
environment. This raises some interesting questions. What percentage of the estate is your red
team and/or pen-test team realistically able to cover in a single year? How many years might it
take them to test the entire estate? Even if the testing were assisted with the use of ATT&CK, how
long might it take to align each TTP to every security control within your organization? How much
would it cost to test the entire estate, in a single year, every year? Are the security gaps being dealt
with in a timely manner, or are they disappearing off the radar until the next test in another 6-12
months’ time? And are the testers evolving their assessments to exercise more advanced
techniques, or are they finding and testing the same low-hanging-fruit TTPs against different
areas of the business? Ultimately, if you’re not testing your assets or security controls on a regular
(preferably continuous) cadence, the security gaps are likely widening between one red team or
pen-test assessment and the next.

Continuous Security Validation through Security
Optimization
Knowing the challenges that ransomware and other threats pose, utilizing ATT&CK for defensive
purposes and aligning it to your security controls, and incorporating good practices such as
purple teaming and threat-informed defense, will put you in a strong position to start practicing
and implementing security optimization. This means testing and validating your security controls
and assets, at scale, continuously, and in production, via threat emulation. Doing so helps to
identify security gaps at scale in a much shorter time frame, freeing your red team or penetration
testing team up to focus on more sophisticated attacks and emerging TTPs, which can in turn be
fed back into the automated testing cadence.

Testing and validating your security controls at scale can be done via scheduled, fully automated
testing, which leads to quick identification of configuration or environmental drift. In other words,
if something changes in the environment, such as a security control that degrades, and you do not
have continuous security validation, how long might it take for someone on your team to find and
report the degraded state? What about your red team? When might they next get round to testing
and confirming whether they can successfully bypass or circumvent a given security control?
Testing and validating your security controls also benefits the risk, compliance, governance, and
audit teams, because the reports give them answers to present to senior leadership. By continually
practicing this, your risk exposure and attack surface will reduce over a much shorter time frame.
You will also be able to proactively monitor new infrastructure changes, additions of servers, and
other security controls in the future, as well as assess supply chains with 3rd parties, partners, and
so on. Continuously testing and validating your security controls leads to a much-improved
security posture and security maturity, and closes the gaps that ransomware groups often aim to
exploit.

Approaches to Emulation
Threat and adversary emulation is one of the best ways that you can not only test and validate
your security controls but additionally your people and processes too. You may be surprised at
how much you can learn by testing just a single technique, as it will likely spark useful discussions
amongst your teams. Where should you begin though? If you have a CTI team or resources, you
may wish to explore which threats or groups might be more likely to target your company or
industry, or alternatively look at historical attacks of known threats that have targeted your
business in the past. Emulating adversary behaviors is useful, particularly if you are looking to
operationalize ATT&CK.

Alternatively, you could take a more control-centric view, meaning that rather than testing for a
specific threat profile or TTP, you concentrate on the security controls that you have in your
environment. As many attacks start out at the endpoint, you might want to look at testing your
endpoint security controls, in order to understand what is/isn’t prevented/detected, to perform
gap analysis, and to gain deeper insights and understanding. There isn’t necessarily a right or
wrong approach when it comes to the decision of what to test first. The main goal should be to
make a start, usually on a small scale, work on refining the process, then expand your scope.
Emulating a TTP will usually produce one of two kinds of finding when it comes to discovering gaps
and discussing results: a direct or an indirect result. A direct result is, for example, a given security
control failing to prevent and/or detect a particular adversary behavior because a security policy is
misconfigured. An indirect result is, for example, a detection that fired but was missed because of
a huge backlog of alert notifications. Both types of finding are highly important, and implementing
threat and adversary emulation will often highlight direct and indirect results that require
remediation.

Planning and Considerations
You will want to plan many aspects before you begin testing, such as which assets or security
controls you want to focus on, who will be part of the testing, whether the SOC should have
knowledge of the testing, what roles and responsibilities each person has, and so on. It’s a good
idea to start with a single asset or security control and a single adversary behavior to be
emulated. You can think of this as a sort of unit test, which exercises the process end to end, from
execution through to remediation. Reviewing and triaging the results will produce lots of good
discussion points, all of which will be incredibly valuable. Once you’re satisfied with the end result,
you can start to roll out to a wider scope in order to include more assets as well as more TTPs.
Switching from manual to regular continuous testing will be incredibly fruitful, and useful when it
comes to monitoring for environmental and configuration drift: a change in the environment
becomes evident as a reduction in test result scores between one run and the next.

I’ve mentioned prevention and detection quite a bit so far. Although we always want to try to
prevent threats where possible, sometimes, and for good reason, it might suffice to simply detect
a known technique. Many companies use a SIEM to aggregate and correlate events and alerts
from multiple data sources and technologies. Putting your SIEM to the test might help to
highlight indirect results, such as time delays for alerts to reach your SOC, collection issues,
ingestion issues, parsing issues, as well as rule efficacy issues.
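The drift detection described in this section and in the continuous validation section before it comes down to keeping each scheduled run’s per-test prevented/detected outcome and diffing it against the previous run. The following is an added example of that comparison, not code from this course or from the AttackIQ platform. The two result sets are constructed to look like one week’s scheduled run and the next; the technique IDs are real ATT&CK IDs, while the host names, the outcomes, and the reasons given in the comments are invented.

```python
"""Score scheduled control-validation runs and flag drift between them.

Added example, not the course's or any vendor's code.  BASELINE and LATEST are
constructed result sets; hosts and outcomes are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Result:
    technique: str   # ATT&CK technique ID the test emulated
    asset: str       # host the test ran on
    prevented: bool  # a control blocked the emulated behaviour
    detected: bool   # an alert for it reached the SIEM/SOC


# Constructed baseline run.
BASELINE: List[Result] = [
    Result("T1003", "ws-01", prevented=True, detected=True),
    Result("T1003", "srv-02", prevented=True, detected=True),
    Result("T1059.001", "ws-01", prevented=False, detected=True),
    Result("T1486", "srv-02", prevented=True, detected=True),
]

# Constructed latest run: imagine an EDR policy exception added on srv-02 and a
# broken log forwarder on ws-01 have degraded two results since the baseline.
LATEST: List[Result] = [
    Result("T1003", "ws-01", prevented=True, detected=True),
    Result("T1003", "srv-02", prevented=False, detected=True),
    Result("T1059.001", "ws-01", prevented=False, detected=False),
    Result("T1486", "srv-02", prevented=True, detected=True),
]


def scores(results: List[Result]) -> Dict[str, int]:
    """Percentage of tests prevented and detected: the headline numbers that drop
    when something in the environment drifts."""
    total = len(results)
    return {
        "prevented": round(100 * sum(r.prevented for r in results) / total),
        "detected": round(100 * sum(r.detected for r in results) / total),
    }


def drift(baseline: List[Result], latest: List[Result]) -> List[Tuple[str, str, str]]:
    """Compare two runs test-by-test and return (technique, asset, finding) for every
    regression, so a control that silently degraded is surfaced by the next scheduled
    run rather than by the next annual pen test."""
    base = {(r.technique, r.asset): r for r in baseline}
    seen = set()
    findings: List[Tuple[str, str, str]] = []
    for r in latest:
        key = (r.technique, r.asset)
        seen.add(key)
        prior = base.get(key)
        if prior is None:
            findings.append((r.technique, r.asset, "new test, no baseline"))
            continue
        if prior.prevented and not r.prevented:
            findings.append((r.technique, r.asset, "prevention regressed"))
        if prior.detected and not r.detected:
            findings.append((r.technique, r.asset, "detection regressed"))
    # A test that vanished from the schedule is itself a finding: coverage shrank.
    for technique, asset in base.keys() - seen:
        findings.append((technique, asset, "test missing from latest run"))
    return sorted(findings)


if __name__ == "__main__":
    print("baseline:", scores(BASELINE), " latest:", scores(LATEST))
    for technique, asset, finding in drift(BASELINE, LATEST):
        print(f"{technique:10} {asset:8} {finding}")
```

The score alone tells you that something got worse; the per-test diff tells the control owner which host and which technique to look at, which is what turns a dashboard number into a remediation ticket.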

Methods of Testing: Atomic

When it comes to adversary and threat emulation, there are a couple of different methods to
explore when it comes to performing the actual testing. The first method is known as atomic
testing. This is a way to emulate one or more IOC- or TTP-based scenarios that act independently
of each other. For example, using your platform of choice, you might create an atomic-based
assessment, select one or more techniques to test, select one or more assets to test them on, and
then start the assessment run. Each TTP is run sequentially, one after the other, each within its
own process context. Depending on what the TTP is emulating, this could exercise built-in
operating system security controls such as User Account Control (UAC), network controls, DLP,
application allowlisting, and so on.

Methods of Testing: Anatomic
The next method is known as anatomic testing. MITRE’s Center for Threat-Informed Defense
describes these chains as Attack Flows. This type of assessment allows TTPs to be chained
together and executed under a single process context. Unlike atomic testing, where the TTPs run
independently, anatomic TTPs are related to one another: the outcome of one step decides what
runs next. This IF-ELSE nature of anatomic testing allows for custom branching and sequencing
using multi-stage attack patterns, so a custom attack chain can be built and tailored to represent
any sequence of threats. Anatomic testing is also a great way to test security controls that
incorporate artificial intelligence and machine learning within their operating stack, because such
controls typically score a sequence of related behaviors within one process rather than a single
isolated action.

Methods of Testing: PCAP Replay

Lastly, there is testing using packet captures (PCAP), which are replayed in order to emulate
malicious traffic. This is performed between two hosts and is used to test and validate your
network security controls. PCAP replay-based testing can be performed east-to-west/west-to-east
(i.e. internal to internal), or south-to-north/north-to-south (internal to external/external to internal).
Within the AttackIQ platform, the ability to replay PCAP files across the network between two
hosts comes in the form of what we refer to as our Network Control Validation module.

FIN6 Attack Flow

Using a security optimization platform such as AttackIQ supports testing in production and at
scale, in order to assess your security controls against a wide array of TTPs aligned to and found in
ATT&CK. The example shown is the FIN6 threat group, represented in what MITRE calls an Attack
Flow. It contains the precursory events and the full attack chain, used to test whatever security
controls you have in your environment in order to find out at what stage the attack gets
prevented and/or detected.
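To make the difference between atomic and anatomic testing concrete, and to show what "at what stage the attack gets prevented" looks like as output, here is an added example of a small attack-flow evaluator. It is not code from this course or from AttackIQ, and the chain is not FIN6’s actual procedures: the flow, its fallback branch, and the control policy are constructed for illustration. The technique IDs are real ATT&CK IDs; everything else (the step names, the outcomes, the reasons in the comments) is assumed. Nothing here executes adversary behaviour; it models how a platform scores a chain once each step’s prevented/detected/allowed outcome is known.

```python
"""Atomic versus anatomic (attack-flow) evaluation against one set of controls.

Added example, not the course's code and not FIN6's real procedures.  POLICY and
FLOW are constructed; only the ATT&CK technique IDs are real.
"""
from typing import Dict, List, Optional, Tuple

# Constructed control policy: what our environment does with each technique.
#   "allowed"   - nothing blocks it and nothing alerts
#   "detected"  - an alert fires, but the behaviour still succeeds
#   "prevented" - a control blocks it
POLICY: Dict[str, str] = {
    "T1566.001": "detected",   # spearphishing attachment: mail gateway alerts only
    "T1059.001": "allowed",    # PowerShell runs unhindered
    "T1003.001": "prevented",  # LSASS memory access blocked by EDR
    "T1552.001": "allowed",    # credentials in files: nothing watches this
    "T1021.002": "detected",   # SMB/admin-share lateral movement: alert only
    "T1486":     "prevented",  # mass encryption blocked by ransomware protection
}

# Constructed multi-stage flow.  "next" is the on-success edge; "on_prevented" is
# the adversary's fallback when a step is blocked (the IF-ELSE branch).
FLOW: Dict[str, dict] = {
    "start": "phish",
    "steps": {
        "phish":      {"technique": "T1566.001", "next": "exec"},
        "exec":       {"technique": "T1059.001", "next": "dump"},
        "dump":       {"technique": "T1003.001", "next": "lateral", "on_prevented": "cred_files"},
        "cred_files": {"technique": "T1552.001", "next": "lateral"},
        "lateral":    {"technique": "T1021.002", "next": "encrypt"},
        "encrypt":    {"technique": "T1486",     "next": None},
    },
}


def run_atomic(techniques: List[str], policy: Dict[str, str]) -> List[Tuple[str, str]]:
    """Atomic testing: every technique is scored on its own, in isolation."""
    return [(t, policy.get(t, "allowed")) for t in techniques]


def run_flow(flow: Dict[str, dict], policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Anatomic testing: walk the chain, taking the fallback edge when a step is
    prevented and stopping only when a prevented step has no fallback.  A
    'detected' outcome does not stop the adversary, so the chain continues."""
    trace: List[Tuple[str, str, str]] = []
    step: Optional[str] = flow["start"]
    while step is not None:
        spec = flow["steps"][step]
        outcome = policy.get(spec["technique"], "allowed")
        trace.append((step, spec["technique"], outcome))
        step = spec.get("on_prevented") if outcome == "prevented" else spec["next"]
    return trace


def summarise(flow: Dict[str, dict], trace: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """Where the chain was stopped, which stages alerted, and whether the adversary
    reached a terminal (impact) stage at all."""
    terminal = {name for name, spec in flow["steps"].items() if spec["next"] is None}
    last_step, _, last_outcome = trace[-1]
    return {
        "stopped_at": last_step if last_outcome == "prevented" else None,
        "detections": [s for s, _, o in trace if o == "detected"],
        "prevented": [s for s, _, o in trace if o == "prevented"],
        "reached_impact": any(s in terminal for s, _, _ in trace),
    }


if __name__ == "__main__":
    print("atomic:", run_atomic(["T1003.001", "T1486"], POLICY))
    trace = run_flow(FLOW, POLICY)
    for row in trace:
        print("flow:  ", row)
    print(summarise(FLOW, trace))
```

The atomic run reports that both credential dumping and encryption are prevented, which looks like a pass. The flow run over the same policy shows that the credentials-in-files fallback carries the adversary through lateral movement to the impact stage before the final control stops it, with only two alerts along the way; that is the conversation the chained view is meant to start.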

Prevention
As AttackIQ is aligned to ATT&CK, you can quickly start to visualize in the form of heatmaps and
other metrics, as well as start to build a narrative regarding what can be prevented and/or
detected. Relaying the results back to the respective owners of those security controls, can lead to
constructive discussions around analysis and remediation.

Detection
Detection can also be tracked and accounted for during testing, which again can be used to
provide heat maps and other metrics and reports of how your security controls weigh up when it
comes to detection. With this increased visibility of how your security controls are working in the
real world, and by testing them continuously, this will most likely allow CISOs and their security
teams to sleep a little better. Operationalizing ATT&CK through security optimization makes sense
and enables your security teams to start practicing threat-informed defense and purple teaming,
by using the ATT&CK vocabulary and taxonomy in order to discuss assessment output and results
via threat emulation. Practicing this will keep driving the conversation forward across your security
teams, and supports the overall security program of the CISO.

Reviewing and Reporting on Results and Findings


Irrespective of what the results bring, whether something in the environment changed, or
whether a security control simply fails to prevent and/or detect a given technique, the results will
all weigh into the larger discussions around what to do next. For example, in some instances it
might be acceptable for a behavior not to be prevented but only detected, such as the
discovery-based LOLBins used by ransomware operators. In some environments LOLBins are not
easy to prevent without causing disruption, and in that case detecting LOLBin activity may suffice.
Discussing and agreeing on the results, findings, and risk acceptance criteria should be a big
focus. A result may be escalated to the relevant team for further review, triage, tuning, and
testing, or even directly to the vendor that produces that particular security control. If a given
result is not considered critical to the business, the risk may be accepted at an agreed level,
which gives the compliance, risk, and governance teams additional visibility for future reporting
and auditing. Overall this process should spark constructive and useful conversations and should
occur as regularly as people can agree to. Regular meetings help to keep the results and findings
on everyone’s radar, and help team leads prioritize and distribute workloads. Meshing the
respective teams together through a purple or fusion team will eventually enable a more
streamlined approach, due to the increased sharing and collaboration on not just what was tested
but, more importantly, what remediation steps were taken. This is particularly useful when
expanding a security optimization program across multiple business units, regions, or locations
within your organization.

Closing Comments

Native Cloud Security Controls

AttackIQ is a founding research partner of MITRE’s Center for Threat-Informed Defense (CTID) and
has assisted with numerous projects that are publicly available and that help the overall
cybersecurity community. While traditional controls such as AV, IDS, and firewalls are important,
so too are the native cloud security controls of the major cloud service providers such as Azure,
AWS, and GCP. Using the output from these projects helps you to start planning for cloud-based
threats; I’m fairly sure that over time we will see an increase in ransomware and other types of
malware targeting those cloud providers and their customers.

Ref: [Link]

Next Steps
As a final resource, be sure to check out the PDF “Countering Ransomware with MITRE ATT&CK 101
Guide”.

Ref: [Link]

We would like to thank you for spending your time with us today. We hope this introduction to
Countering Ransomware with MITRE ATT&CK has been useful. Please email your questions to
academy@[Link].

Your next steps are to take the final exam and to start putting what you’ve learned into action by
further exploring some of the key topics and concepts from this course.

You should have received a survey about this course in your email. We would greatly appreciate it
if you could take the time to give us your honest feedback. This feedback directly helps us shape
future content. Additionally, if you’re a member of the Informed Defenders community you will
receive points just for completing the survey.
