
MITRE PRE-ATT&CK

MITRE PRE-ATT&CK used to be its own standalone matrix.

  • Contained a collection of tactics and techniques covering what an adversary does before gaining access.

  • Mapped to the Reconnaissance and Weaponization stages of the Lockheed Martin Cyber Kill Chain.

In October 2020 (ATT&CK v8) the standalone matrix was retired and its content was folded into the MITRE ATT&CK for Enterprise framework as its first two tactics:

  • Reconnaissance

  • Resource Development

PRE-ATT&CK: Reconnaissance

The Reconnaissance tactic covers gathering information about the target, actively or passively, from a variety of different sources. Its techniques:

  • Active Scanning

  • Gather Victim Host Information

  • Gather Victim Identity Information

  • Gather Victim Network Information

  • Gather Victim Org Information

  • Phishing for Information

  • Search Closed Sources

  • Search Open Technical Databases

  • Search Open Websites/Domains

  • Search Victim-Owned Websites

PRE-ATT&CK: Resource Development

The Resource Development tactic covers the attacker building, buying or stealing the resources (infrastructure, accounts, tooling) needed to carry out the attack:

  • Acquire Access

  • Acquire Infrastructure

  • Compromise Accounts

  • Compromise Infrastructure

  • Develop Capabilities

  • Establish Accounts

  • Obtain Capabilities

  • Stage Capabilities

Resource Development largely occurs on infrastructure the attacker owns or has already compromised, not on the target's systems.

  • Little or no interaction with target systems, so defenders rarely get direct telemetry; detection usually relies on external sources such as domain registration data, certificate transparency logs and threat intelligence on attacker infrastructure.

  • The techniques chosen depend heavily on the attacker's goals and resources.


Network Scanning

Network Scanning is a method of learning a Network’s architecture.

  • Port Scanning - Scanning for Open ports in the network.

  • Banner Collection - Many applications print banners stating info about themselves, e.g., SSH Server [the software in-use version number].

  • Vulnerability Scanner - Scanning for vulnerabilities.

*Scapy – A python lib designed for working with network traffic.
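The port scanning and banner collection steps above, as an added example that is not code from the original page. It uses the Python standard library rather than Scapy: a TCP connect scan only needs an ordinary socket, whereas a Scapy SYN scan needs raw-socket privileges. To run offline it starts its own throwaway listener on 127.0.0.1 that plays the part of an SSH server; the banner it sends (SAMPLE_SSH_BANNER) is a constructed RFC 4253 identification string, not one captured from a real host.

```python
"""TCP connect scan plus banner collection against a local stand-in service."""
import re
import socket
import threading
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed example banner in RFC 4253 form: "SSH-<proto>-<software> [comments]".
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"

SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(banner: str) -> Optional[Dict[str, Optional[str]]]:
    """Split an SSH identification string into protocol, software and comments.

    Returns None for anything that is not an SSH banner (e.g. an HTTP response)."""
    m = SSH_BANNER_RE.match(banner.strip())
    return m.groupdict() if m else None


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """TCP connect scan: a completed three-way handshake means the port is open.

    Returns {port: banner} for open ports only. The banner is whatever the service
    volunteers before we send anything; "" means it stayed silent (many protocols,
    HTTP included, expect the client to speak first)."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    data = s.recv(1024)
                except OSError:  # socket.timeout or a reset from the peer
                    data = b""
                results[port] = data.decode("utf-8", errors="replace").strip()
        except OSError:  # refused, unreachable or timed out: treat as not open
            continue
    return results


def start_banner_server(banner: bytes) -> Tuple[int, Callable[[], None]]:
    """Start a local listener that sends `banner` to every client. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop_evt = threading.Event()

    def serve() -> None:
        while not stop_evt.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop() -> None:
        stop_evt.set()
        thread.join()

    return port, stop


def demo() -> dict:
    """Scan one open and one closed local port, then parse the collected banner."""
    open_port, stop = start_banner_server(SAMPLE_SSH_BANNER)
    # A socket that is bound but never listen()s refuses connections, giving us a
    # port that is guaranteed closed for the duration of the scan.
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))
    closed_port = closed_sock.getsockname()[1]
    try:
        scan = scan_ports("127.0.0.1", [open_port, closed_port])
        parsed = parse_ssh_banner(scan[open_port]) if open_port in scan else None
        return {"open_port": open_port, "closed_port": closed_port, "scan": scan, "parsed": parsed}
    finally:
        closed_sock.close()
        stop()


if __name__ == "__main__":
    print(demo())
```

Running it prints the open port with its parsed banner (`software` = `OpenSSH_8.9p1`) and omits the closed one. Note that a connect scan completes the handshake, so the target's service logs will record the connection; that visibility is exactly why attackers prefer SYN scans and why defenders should alert on bursts of short-lived connections across many ports.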
