Mapping 'Compromised Insider' Use Case to the MITRE ATT&CK Data Source & Technique

Published: 29th June

If this is one of your use cases, Cyberseer works with you to ensure the right data sources are collected from your environment, so that the MITRE techniques listed below are visible.


Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.

DATA SOURCES

  • Application Log Content
  • File Creation
  • Network Connection Creation
  • Network Traffic Content
  • Process Creation
  • Network Traffic Flow
  • Logon Session Creation
  • User Account Authentication

MITRE Techniques

  • T1566 Phishing
  • T1078 Valid Accounts

Execution consists of techniques that result in adversary-controlled code running on a local or remote system.

DATA SOURCES

  • Application Log Content
  • Command Execution
  • Container Creation
  • Container Start
  • File Creation
  • File Modification
  • Image Creation
  • Instance Creation
  • Instance Start
  • Module Load
  • Network Connection Creation
  • Network Traffic Content
  • Process Creation
  • Scheduled Job Creation
  • Script Execution

MITRE Techniques

  • T1059 Command and Scripting Interpreter
  • T1053 Scheduled Task/Job
  • T1204 User Execution
  • T1047 Windows Management Instrumentation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

DATA SOURCES

  • Active Directory Object Modification
  • Command Execution
  • Container Creation
  • File Creation
  • File Metadata
  • File Modification
  • Module Load
  • OS API Execution
  • Process Access
  • Process Creation
  • Process Metadata
  • Scheduled Job Creation
  • User Account Metadata
  • WMI Creation
  • Windows Registry Key

MITRE Techniques

  • T1134 Access Token Manipulation
  • T1068 Exploitation for Privilege Escalation
  • T1055 Process Injection
  • T1053 Scheduled Task/Job
  • T1078 Valid Accounts

Credential Access consists of techniques for stealing credentials like account names and passwords.

DATA SOURCES

  • Application Log Content
  • User Account Authentication
  • Active Directory Object Access
  • Command Execution
  • File Access
  • Network Traffic Content
  • Network Traffic Flow
  • OS API Execution
  • Process Access
  • Process Creation
  • Windows Registry Key Access

MITRE Techniques

  • T1110 Brute Force
  • T1555 Credentials from Password Stores
  • T1557 Man-in-the-Middle
  • T1003 OS Credential Dumping
  • T1558 Steal or Forge Kerberos Tickets

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.

DATA SOURCES

  • Asset logon and access
  • Authentication and access management
  • VPN and zero trust network access
  • Application Activity
  • Privileged access management and activity
  • File monitoring
  • Remote logon activity
  • DLP alerts
  • Web activity

MITRE Techniques

  • T1087 Account Discovery
  • T1135 Network Share Discovery
  • T1040 Network Sniffing
  • T1057 Process Discovery
  • T1518 Software Discovery

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

DATA SOURCES

  • Command Execution
  • File Access
  • Firewall Enumeration
  • Firewall Metadata
  • OS API Execution
  • Process Creation
  • User Account Metadata

MITRE Techniques

  • T1534 Internal Spearphishing
  • T1563 Remote Service Session Hijacking
  • T1021 Remote Services

Exfiltration consists of techniques that adversaries may use to steal data from your network.

DATA SOURCES

  • Cloud Storage Creation
  • Cloud Storage Modification
  • Command Execution
  • File Access
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
  • Script Execution
  • Snapshot Creation
  • Snapshot Modification

MITRE Techniques

  • T1048 Exfiltration Over Alternative Protocol
  • T1041 Exfiltration Over C2 Channel
  • T1052 Exfiltration Over Physical Medium
  • T1567 Exfiltration Over Web Service
  • T1537 Transfer Data to Cloud Account


Cyberseer Threat Findings Report

Published: 19th February

Keeping your business safe is your number one priority.
It's ours too.

Fusing advanced threat detection technologies with deep forensic expertise, we help you join all the dots to rapidly dispel threats. Our innovative solutions give you all the confidence and proactive control you need – whatever comes your way.

We’re here to help you keep your people and your reputation safe. It’s what we do for companies around the world every day.

With Cyberseer, you’re no longer on your own.

Within this threat findings report we detail some example anomalies detected in customers’ operational environments, where Cyberseer prevented or limited the damage these cyber threats can inflict. Informing customers about relevant threats as early as possible gives them the best chance to proactively address security weaknesses and take action to prevent data loss, brand damage or system failure.

Complete the short form below to gain access to the full threat findings report.



Cyberseer Annual Review

Published: 15th February

2020 was a year to remember for all the wrong reasons. Organisations were forced to immediately change to new ways of working and interacting with users and consumers.

In this report, Cyberseer reviews the issues of 2020:

  • Cloud Transformation
  • The Remote Workforce
  • Cybercrime
  • Supply Chain Security

During 2020, there was monumental change both within organisations and how consumers interact with these organisations. Within this paper we review how you can secure the cloud, the remote workforce (those users connecting to the cloud), how cybercrime has taken advantage of COVID-19 and the increased number of attacks on supply chain security. Complete the short form below to gain access to the full report.

