Mapping 'Compromised Insider' Use Case to the MITRE ATT&CK Data Source & Technique

Published: 29th June

If this is one of your use cases, Cyberseer would work with your environment to ensure we have the right data sources to provide visibility of the MITRE techniques.


Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.

DATA SOURCES

  • Application Log Content
  • File Creation
  • Network Connection Creation
  • Network Traffic Content
  • Process Creation
  • Network Traffic Flow
  • Logon Session Creation
  • User Account Authentication

MITRE Techniques

  • T1566 Phishing
  • T1078 Valid Accounts

Execution consists of techniques that result in adversary-controlled code running on a local or remote system.

DATA SOURCES

  • Application Log Content
  • Command Execution
  • Container Creation
  • Container Start
  • File Creation
  • File Modification
  • Image Creation
  • Instance Creation
  • Instance Start
  • Module Load
  • Network Connection Creation
  • Network Traffic Content
  • Process Creation
  • Scheduled Job Creation
  • Script Execution

MITRE Techniques

  • T1059 Command and Scripting Interpreter
  • T1053 Scheduled Task/Job
  • T1204 User Execution
  • T1047 Windows Management Instrumentation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

DATA SOURCES

  • Active Directory Object Modification
  • Command Execution
  • Container Creation
  • File Creation
  • File Metadata
  • File Modification
  • Module Load
  • OS API Execution
  • Process Access
  • Process Creation
  • Process Metadata
  • Scheduled Job Creation
  • User Account Metadata
  • WMI Creation
  • Windows Registry Key

MITRE Techniques

  • T1134 Access Token Manipulation
  • T1068 Exploitation for Privilege Escalation
  • T1055 Process Injection
  • T1053 Scheduled Task/Job
  • T1078 Valid Accounts

Credential Access consists of techniques for stealing credentials like account names and passwords.

DATA SOURCES

  • Application Log Content
  • User Account Authentication
  • Active Directory Object Access
  • Command Execution
  • File Access
  • Network Traffic Content
  • Network Traffic Flow
  • OS API Execution
  • Process Access
  • Process Creation
  • Windows Registry Key Access

MITRE Techniques

  • T1110 Brute Force
  • T1555 Credentials from Password Stores
  • T1557 Man-in-the-Middle
  • T1003 OS Credential Dumping
  • T1558 Steal or Forge Kerberos Tickets

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.

DATA SOURCES

  • Asset logon and access
  • Authentication and access management
  • VPN and zero trust network access
  • Application Activity
  • Privileged access management and activity
  • File monitoring
  • Remote logon activity
  • DLP alerts
  • Web activity

MITRE Techniques

  • T1087 Account Discovery
  • T1135 Network Share Discovery
  • T1040 Network Sniffing
  • T1057 Process Discovery
  • T1518 Software Discovery

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

DATA SOURCES

  • Command Execution
  • File Access
  • Firewall Enumeration
  • Firewall Metadata
  • OS API Execution
  • Process Creation
  • User Account Metadata

MITRE Techniques

  • T1534 Internal Spearphishing
  • T1563 Remote Service Session Hijacking
  • T1021 Remote Services

Exfiltration consists of techniques that adversaries may use to steal data from your network.

DATA SOURCES

  • Cloud Storage Creation
  • Cloud Storage Modification
  • Command Execution
  • File Access
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
  • Script Execution
  • Snapshot Creation
  • Snapshot Modification

MITRE Techniques

  • T1048 Exfiltration Over Alternative Protocol
  • T1041 Exfiltration Over C2 Channel
  • T1052 Exfiltration Over Physical Medium
  • T1567 Exfiltration Over Web Service
  • T1537 Transfer Data to Cloud Account

Webinar: Has Google solved Security's big data problem? - Recording

Organisations are challenged by the evolving threat landscape, the requirement to collect and process more security data, and a growing attack surface. In addition, organisations find it difficult to keep up with the operational needs of their cybersecurity analytics and operations technologies, while manual processes lead to scalability problems.

During this exclusive session, Cyberseer’s Founder, Garath Lauder, will ask some key questions around this world-first technology in cybersecurity powered by Google’s search capabilities.
Google’s unique unlimited hot storage model combined with Google’s economies of scale provide significant advantages for organisations, increasing visibility and improving the fidelity of forensic investigations.

So, can Google solve the vast data issue being generated by the security infrastructure?

Interested in a service?

If you would like to know more then you can download a data sheet, white paper, request a demo or get in touch with us!

Infographic: Threats From Within: Five Ways to Boost Your Detection Capability & Capacity

This infographic explores five ways to boost your detection capability and capacity:

  1. Know what to look for
  2. Employ zero trust
  3. Bring in the big guns
  4. Focus on reducing time to detection
  5. Get real-time threat detection

For more insights, read our latest eBook: Threats From Within here.

Many security teams have long feared the worst – that an innocent worker can cause as much damage as a malicious hacker. And this has often been the case. But whereas breaches in the past may have been the result of clicking a link in a fraudulent e-mail, there is now a far more ominous threat from within: the malicious insider.

Cyberseer Threat Findings Report

Published: 19th February

Keeping your business safe is your number one priority.
It's ours too.

Fusing advanced threat detection technologies with deep forensic expertise, we help you join all the dots to rapidly distil threats. Our innovative solutions give you all the confidence and proactive control you need – whatever comes your way.

We’re here to help you keep your people and your reputation safe. It’s what we do for companies around the world every day.

With Cyberseer, you’re no longer on your own.

Within this threat findings report we detail some example anomalies detected in customers' operational environments, where Cyberseer prevented or limited the damage these cyber threats can inflict. Informing customers about relevant threats as early as possible gives them the best chance to proactively address security weaknesses and take action to prevent data loss, brand damage or system failure.

Complete the short form below to gain access to the full threat findings report.



Cyberseer Annual Review

Published: 15th February

2020 was a year to remember for all the wrong reasons. Organisations were forced to immediately change to new ways of working and interacting with users and consumers.

In this report, Cyberseer reviews the issues of 2020:

  • Cloud Transformation
  • The Remote Workforce
  • Cybercrime
  • Supply Chain Security

During 2020, there was monumental change both within organisations and in how consumers interact with these organisations. Within this paper we review how you can secure the cloud and the remote workforce (those users connecting to the cloud), how cybercrime has taken advantage of COVID-19, and the increased number of attacks on supply chain security. Complete the short form below to gain access to the full report.


Webinar series: 11am, Thursday 26th November

An intro to Google Cloud's Chronicle

A global, cloud-native platform that makes security analytics instant, easy, and cost-effective.

Google Chronicle, official partner of Cyberseer
Who Should Attend?

C-level execs | CIO’s | CISO’s | Operation security managers | SOC managers |  Security architects and Risk managers.

About the webinar

Google Chronicle is a global security telemetry platform for investigation and threat hunting within an enterprise network. It makes security analytics instant, easy, and cost-effective.

Built on core Google infrastructure, Chronicle brings unmatched speed and scalability to analysing massive amounts of security telemetry. As a cloud service, it requires zero customer hardware, maintenance, tuning, or ongoing management. Join the webinar to see it in action!

Presenters
Ian Dutton, Strategic Architect, Cyberseer
Ian Dutton
Strategy Director

Ian has over 22 years of experience in Networking and Cyber Security, having worked with a multitude of both new and highly established vendors providing solutions in areas of availability, connectivity, security, performance and analytics. He has long been a trusted advisor creating solutions for customers across Data Centre, Hybrid Cloud and Multi-Cloud environments.

Date and Duration

11am, Thursday 26th November

25 mins


Understand Your Enterprise’s Cloud Risk!

Organisations used to know exactly what assets they were using within their enterprise. The assets and data were visible and as such policy could be enforced fairly easily, but the cloud has removed many restrictions and made it more flexible to run applications and services. These SaaS, IaaS and PaaS services can be easily and quickly deployed by anyone within the organisation in a matter of clicks. It’s this simplicity and availability that poses new security challenges for your enterprise data.

If you want to easily audit and secure your existing cloud environment, discover unsanctioned services or are looking to move to the cloud and want to reduce the complexity and risk of securing your IaaS, PaaS and SaaS environments, then this is the talk for you!


Covid-19 Dramatically Changes Cyber Security Forever

Published: 6th November

The pandemic has set huge challenges for organisations worldwide. Overnight, organisations have had to rapidly transform just to function, and the demand on digital infrastructures has skyrocketed. Some organisations kept continuity by shifting business entirely online, creating demand for virtual processes and remote collaboration on a scale we have never seen.

Cyberseer have compiled some observations to consider below:

Cyberseer Infographic - Covid 19 Dramatically Changes Cyber Security Forever

Lessons from Covid-19 have permanently changed society and to a lesser extent the way we think about cyber security. Our practices must evolve. By making the entire system easier to protect and manage, it is also much easier to recover.

By Elizabeth Gladen


Webinar: An intro to Obsidian for SaaS Security - Recording

As organisations move their critical business systems to SaaS, InfoSec departments must figure out how to safely enable the use of SaaS without slowing down the business. They are finding themselves poorly equipped to detect and respond to cloud breaches, insider threats, data leakage and weak security posture.

Without unified visibility across their SaaS apps, they are not able to answer basic questions: Who can access SaaS apps? Who are the privileged users? Which accounts are compromised? Who is sharing files externally? Are applications configured according to best practices? It is time to level up security for SaaS with cloud detection and response (CDR).

Join Ian Dutton as he demos Obsidian to protect all of your key apps such as Salesforce, Microsoft 365, G Suite, Zoom, and Box with continuous monitoring and analytics without impacting productivity.
