Full Report
John Strand // This is the second part of our series about Attack Tactics, sponsored by our sister company, Active Countermeasures. In the first part we discussed how we’d attack. […] The post WEBCAST: Attack Tactics Part 2 appeared first on Black Hills Information Security, Inc.
Analysis Summary
This document summarizes information based *only* on the provided text snippet. The context describes a webcast focusing on a review of attack tactics from a defensive perspective. It mentions several security concepts, tools, and frameworks relevant to both offensive and defensive operations.
# Tool/Technique: Attack Tactics (General Concept)
## Overview
The topic covered in this webcast (Part 2 of a series) discusses defensive counter-measures against a previously modeled attack scenario. The focus is on how organizations can implement security controls to stop attacks at every stage.
## Technical Details
- Type: Technique (Conceptual Framework/Methodology)
- Platform: General (Applicable across various platforms and environments)
- Capabilities: Analysis of attack methodologies ("how we’d attack") and mapping corresponding defensive controls. This includes leveraging event logs and SIEM solutions.
- First Seen: 11 Jun 2018 (Date of webcast)
## MITRE ATT&CK Mapping
As this is a summary of **Attack Tactics** generally, specific TTPs are not detailed in the context. However, the discussion implicitly covers multiple phases of adversary behavior. Mentioned defensive mechanisms imply mappings across the entire ATT&CK matrix, particularly **Defense Evasion** and **Detection**.
## Functionality
### Core Capabilities
- Reviewing and analyzing attack progression (covered in Part 1).
- Detailing defensive components necessary to stop attacks at each step.
- Utilizing event logs and Security Information and Event Management (SIEM) solutions for detection.
### Advanced Features
- Discussion includes User Behavior Entity Analytics (UBEA).
- Mention of the Cyber Kill Chain framework.
## Indicators of Compromise
No specific IoCs (hashes, file names, network addresses) are provided as the content focuses on defense methodology rather than a specific malware sample.
## Associated Threat Actors
No specific threat actors are named, but the content pertains to defending against threat actors generally.
## Detection Methods
The discussion explicitly highlights defensive technologies:
- Event Logs
- SIEM (Security Information and Event Management)
- UBEA (User Behavior Entity Analytics)
## Mitigation Strategies
The primary strategy mentioned is implementing defensive controls to "stop us every step of the way," referencing specific technologies like SIEM and UBEA. The overall goal is "to make your next pentester cry; to make hackers give up."
## Related Tools/Techniques
- Cyber Kill Chain (Framework referenced)
- PowerShell (Tagged topic)
- Active Directory (Tagged topic)
- Phishing (Tagged topic)
- Sysmon (Tagged tool/technology)
***
# Tool/Technique: RITA (Security Tool)
## Overview
RITA (Security Tool/Framework) is listed among the free resources provided by Black Hills Information Security and is related to network monitoring and detection.
## Technical Details
- Type: Tool (Network Traffic Analysis)
- Platform: Likely Network Infrastructure
- Capabilities: Network detection and analysis tool, often associated with identifying malicious beaconing or suspicious activity.
- First Seen: N/A (Listed resource)
## MITRE ATT&CK Mapping
Implied mapping involves **Command and Control** (C2) detection and **Exfiltration**.
## Functionality
### Core Capabilities
- Network traffic monitoring and analysis.
- (Inferred based on common knowledge of RITA): Detecting beaconing and potentially malicious network protocols.
### Advanced Features
- N/A (Information is extremely limited by the source context)
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
N/A
## Detection Methods
- Behavioral detection mechanisms that monitor network sessions for anomalous patterns.
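As an added illustration of the behavioral, session-timing detection described above (this is editor-written example code, not RITA's own implementation and not code from the BHIS page), the block below scores each (source, destination) pair on how regular the gaps between its connections are. It assumes connection records shaped as `(timestamp_seconds, src, dst)`; the sample records are constructed for the demonstration.

```python
# Added example (not RITA's code, not from the BHIS page): score host pairs for
# beacon-like regularity. Assumes connection records as (timestamp_seconds, src, dst);
# the records below are constructed for the demonstration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: one pair connects roughly every 60 s (beacon-like),
# one pair at irregular, human-driven times, one pair too rarely to judge.
CONSTRUCTED_CONNECTIONS = [
    (0, "10.0.0.5", "203.0.113.10"), (61, "10.0.0.5", "203.0.113.10"),
    (119, "10.0.0.5", "203.0.113.10"), (181, "10.0.0.5", "203.0.113.10"),
    (240, "10.0.0.5", "203.0.113.10"), (299, "10.0.0.5", "203.0.113.10"),
    (361, "10.0.0.5", "203.0.113.10"), (420, "10.0.0.5", "203.0.113.10"),
    (480, "10.0.0.5", "203.0.113.10"), (539, "10.0.0.5", "203.0.113.10"),
    (0, "10.0.0.7", "198.51.100.20"), (5, "10.0.0.7", "198.51.100.20"),
    (130, "10.0.0.7", "198.51.100.20"), (131, "10.0.0.7", "198.51.100.20"),
    (400, "10.0.0.7", "198.51.100.20"), (402, "10.0.0.7", "198.51.100.20"),
    (900, "10.0.0.7", "198.51.100.20"),
    (0, "10.0.0.9", "192.0.2.30"), (60, "10.0.0.9", "192.0.2.30"),
    (120, "10.0.0.9", "192.0.2.30"),
]


def beacon_scores(connections, min_connections=5):
    """Group connections by (src, dst) and score the regularity of their timing.

    cv is the coefficient of variation (std / mean) of the gaps between
    consecutive connections; score = 1 - min(cv, 1), so 1.0 means perfectly
    periodic and 0.0 means the gaps vary as much as or more than their mean.
    Pairs with fewer than min_connections are skipped: too little evidence.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every connection at the same instant; not a timing pattern
        cv = pstdev(gaps) / avg
        results[pair] = {
            "count": len(stamps),
            "mean_gap": round(avg, 1),
            "cv": round(cv, 3),
            "score": round(1.0 - min(cv, 1.0), 3),
        }
    return results


def likely_beacons(connections, threshold=0.8, min_connections=5):
    """Return the (src, dst) pairs whose regularity score reaches the threshold."""
    scores = beacon_scores(connections, min_connections)
    return sorted(pair for pair, r in scores.items() if r["score"] >= threshold)


if __name__ == "__main__":
    for pair, r in beacon_scores(CONSTRUCTED_CONNECTIONS).items():
        print(pair, r)
    print("likely beacons:", likely_beacons(CONSTRUCTED_CONNECTIONS))
```

Timing regularity on its own also fires on legitimate periodic traffic (NTP, update checks, monitoring agents), so in practice the score is combined with allow-lists and other session features before anything is raised to an analyst; the `min_connections` floor exists because two or three connections cannot establish a pattern.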
## Mitigation Strategies
- Implementing network visibility solutions capable of detecting C2 communications.
## Related Tools/Techniques
- RITA is explicitly mentioned as a free tool offered by Active Countermeasures (a sister company).
***
# Tool/Technique: Netcat (nc)
## Overview
Netcat (nc) is mentioned as a network utility tool that has earned significant recognition in the cybersecurity community.
## Technical Details
- Type: Tool (General Utility/Network Listener/Sender/Scanner)
- Platform: Cross-platform (Linux, Windows, macOS)
- Capabilities: Reading from and writing to network connections using TCP or UDP.
- First Seen: N/A (Classic tool)
## MITRE ATT&CK Mapping
Associated with multiple tactics, including **Command and Control** (T1071), **Data Staging** (T1105), and potentially **Discovery** (T1046, T1048).
## Functionality
### Core Capabilities
- Establishing network connections (client/server).
- Transferring data over a socket.
### Advanced Features
- Used for banner grabbing, port scanning, basic tunneling, and shell delivery.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `nc`
- Registry Keys: N/A
- Network Indicators: Connections on arbitrary or non-standard ports, or unusual protocol handling on a port.
- Behavioral Indicators: Process execution of `nc` for establishing non-standard connections.
## Associated Threat Actors
N/A (This is a standard utility used by attackers and defenders alike).
## Detection Methods
- Signature-based detection on known Netcat binaries.
- Behavioral detection monitoring for unusual process creation involving network sockets.
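The two bullets above (a signature on the binary and a behavioral rule on process creation plus network activity) are illustrated by the added example below. It is editor-written code, not from the page or BHIS, and it works over constructed Sysmon-style records: Event ID 1 (process creation) and Event ID 3 (network connection) are real Sysmon event types, and `OriginalFileName` is a real Event ID 1 field, but every record, path and user here is made up. Of the Netcat file names, only `nc` comes from the page; the others are assumptions.

```python
# Added example (not from the page or BHIS): correlate constructed Sysmon-style
# events to flag Netcat-like activity two ways, matching the page's two detection
# bullets. Event ID 1 (process creation) and Event ID 3 (network connection)
# are real Sysmon event types; the event records below are constructed.
import ntpath

# Assumption: file names commonly carried by Netcat builds (beyond `nc`, these are
# the editor's assumptions, not names the page lists).
NETCAT_NAMES = {"nc", "nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
# Assumption: directories from which sanctioned software normally runs.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

CONSTRUCTED_EVENTS = [
    # 1) nc.exe run from a Downloads folder, followed by an outbound connection
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Users\\bob\\Downloads\\nc.exe",
     "OriginalFileName": "nc.exe", "User": "CORP\\bob"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Users\\bob\\Downloads\\nc.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    # 2) the same binary renamed on disk: the file name no longer says nc, but
    #    the PE header's OriginalFileName, which Sysmon records, still does
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Temp\\svchost.exe",
     "OriginalFileName": "nc.exe", "User": "CORP\\alice"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Temp\\svchost.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    # 3) benign: a browser installed under Program Files talking HTTPS
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "OriginalFileName": "firefox.exe", "User": "CORP\\carol"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "Initiated": "true", "DestinationIp": "192.0.2.44", "DestinationPort": 443},
]


def filename_only_hits(events):
    """Naive signature: flag process creations whose on-disk name is a Netcat name."""
    return {e["ProcessGuid"] for e in events
            if e["EventID"] == 1 and ntpath.basename(e["Image"]).lower() in NETCAT_NAMES}


def signature_hits(events):
    """Better signature: also check OriginalFileName, which survives a rename on disk."""
    hits = set()
    for e in events:
        if e["EventID"] != 1:
            continue
        names = {ntpath.basename(e["Image"]).lower(), e.get("OriginalFileName", "").lower()}
        if names & NETCAT_NAMES:
            hits.add(e["ProcessGuid"])
    return hits


def behavioral_hits(events):
    """Behavioral rule: a process started outside trusted directories that then
    initiates an outbound connection, whatever the binary is called."""
    untrusted = {e["ProcessGuid"] for e in events
                 if e["EventID"] == 1 and not e["Image"].lower().startswith(TRUSTED_DIRS)}
    return {e["ProcessGuid"] for e in events
            if e["EventID"] == 3 and e.get("Initiated") == "true"
            and e["ProcessGuid"] in untrusted}


def classify(events):
    """Map each flagged ProcessGuid to the sorted list of rules that fired."""
    reasons = {}
    for guid in signature_hits(events):
        reasons.setdefault(guid, []).append("netcat-name")
    for guid in behavioral_hits(events):
        reasons.setdefault(guid, []).append("untrusted-path-outbound")
    return {guid: sorted(r) for guid, r in reasons.items()}


if __name__ == "__main__":
    for guid, why in classify(CONSTRUCTED_EVENTS).items():
        print(guid, why)
```

The point of the renamed record is that a file-name signature alone misses it while both the `OriginalFileName` check and the behavioral rule still catch it; the benign browser record shows that the behavioral rule needs the trusted-directory allow-list to stay quiet on ordinary software.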
## Mitigation Strategies
- Application whitelisting to prevent execution of unauthorized binaries such as Netcat and its derivatives.
- Strong monitoring of outbound network connections made by common utilities.
## Related Tools/Techniques
- Offensive Tooling Cheatsheets are mentioned in resource lists.
***
*Note: The summary relies heavily on the context provided by the tagged topics and names mentioned in the article snippet, as the main body text only describes the scope of the webcast, not the specific technical details of every listed item.*