You're reading from Aligning Security Operations with the MITRE ATT&CK Framework

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781804614266
Edition: 1st Edition
Author: Rebecca Blair

Rebecca Blair currently serves as the SOC Manager at a Boston-based tech company, where she is in the process of building out a SOC team to include analyst workflows, playbooks, and processes. Also, she served at IronNet as the Director of SOC Operations, at Tenable Inc as a Test Engineer, and at the Army Research Lab as a Technical Compliance Lead, among other things. She has deep expertise in technology integrations and security operations and holds a BS degree from Norwich University in Computer Security and Information Assurance, an MS degree from the University of Maryland Global Campus in Cybersecurity and an MBA from Villanova University. She has found a niche in building SOC environments and maturing them in fast-paced environments.

A Deep Dive into the ATT&CK Framework

This chapter takes a deeper look at the techniques covered by the ATT&CK framework and at the potential gaps in it. By the end, you will understand how to rank techniques by their applicability to your own environment. The focus is specifically on the cloud, Windows, macOS, network, and mobile frameworks. We will cover the following topics:

  • A deep dive into the techniques in the cloud framework
  • A deep dive into the techniques in the Windows framework
  • A deep dive into the techniques in the macOS framework
  • A deep dive into the techniques in the network framework
  • A deep dive into the techniques in the mobile framework

Technical requirements

For this specific chapter, there are no installations or specific technologies that are required.

A deep dive into the techniques in the cloud framework

As mentioned in Chapter 4, What Is the ATT&CK Framework?, the MITRE ATT&CK Enterprise framework is broken down into platform-specific matrices, one of which is the cloud. Useful as this is, remember that you may still have to tailor techniques so that they fit your specific cloud environment. At the time of writing, there are cloud matrices for Office 365, Azure AD, Google Workspace, Software as a Service (SaaS), and Infrastructure as a Service (IaaS). In this section, we will start by looking at the tactics that are covered and the unique techniques before discussing the sub-techniques and supplemental information.

We’ll start at the top by discussing the generic cloud enterprise matrix, which has the following tactics and techniques:

  • Initial Access
    • Drive-by Compromise, Exploit Public-Facing Application, Phishing, Trusted Relationship, and Valid Accounts
  • Execution
    • User Execution and Serverless...
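The platform filtering and ranking described above is easier to see in code. The following is an added example, not code from the book: it mirrors the object layout of the real ATT&CK STIX bundle (enterprise-attack.json from https://github.com/mitre-attack/attack-stix-data, where each technique is an attack-pattern with x_mitre_platforms, kill_chain_phases, and a mitre-attack external_id), but runs offline on a small constructed subset with abbreviated platform lists. The scoring scheme (number of your platforms a technique lists) is one simple, illustrative way to rank applicability, not the book's or MITRE's method.

```python
"""Filter and rank ATT&CK Enterprise techniques for the platforms you run.

Added example, not code from the book. It mirrors the object layout of the
real ATT&CK STIX bundle (enterprise-attack.json from
https://github.com/mitre-attack/attack-stix-data) but runs offline on a
small constructed subset; platform lists are abbreviated for illustration.
"""
from collections import defaultdict


def technique(attack_id, name, platforms, tactics, **flags):
    """Build one attack-pattern object in the shape used by attack-stix-data."""
    obj = {
        "type": "attack-pattern",
        "name": name,
        "x_mitre_platforms": platforms,
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics
        ],
        "external_references": [
            {"source_name": "mitre-attack", "external_id": attack_id}
        ],
    }
    obj.update(flags)
    return obj


# Constructed sample bundle (real technique IDs and names, abbreviated platforms).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        technique("T1189", "Drive-by Compromise",
                  ["Windows", "macOS", "Linux", "SaaS"], ["initial-access"]),
        technique("T1190", "Exploit Public-Facing Application",
                  ["Windows", "Linux", "macOS", "Network", "IaaS", "Containers"],
                  ["initial-access"]),
        technique("T1566", "Phishing",
                  ["Windows", "macOS", "Linux", "Office 365", "SaaS", "Google Workspace"],
                  ["initial-access"]),
        technique("T1199", "Trusted Relationship",
                  ["Windows", "Linux", "macOS", "IaaS", "SaaS", "Office 365"],
                  ["initial-access"]),
        technique("T1078", "Valid Accounts",
                  ["Windows", "Linux", "macOS", "Azure AD", "Office 365", "SaaS",
                   "IaaS", "Google Workspace", "Containers"],
                  ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
        technique("T1648", "Serverless Execution",
                  ["IaaS", "SaaS", "Office 365"], ["execution"]),
        technique("T1059", "Command and Scripting Interpreter",
                  ["Windows", "Linux", "macOS", "Network"], ["execution"]),
        technique("T1601", "Modify System Image", ["Network"], ["defense-evasion"]),
        # Revoked entries stay in the bundle; they must be skipped, not ranked.
        technique("T1175", "Component Object Model and Distributed COM",
                  ["Windows"], ["lateral-movement", "execution"], revoked=True),
    ],
}

# Platform names exactly as the bundle spells them.
CLOUD_ENV = ["Office 365", "Azure AD", "Google Workspace", "SaaS", "IaaS"]


def live_techniques(bundle):
    """Yield (attack_id, name, platforms, tactics) for non-retired attack-patterns."""
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        attack_id = next(r["external_id"] for r in obj["external_references"]
                         if r["source_name"] == "mitre-attack")
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])]
        yield attack_id, obj["name"], set(obj.get("x_mitre_platforms", [])), tactics


def applicable_techniques(bundle, environment):
    """Return {tactic: [(score, attack_id, name, matched_platforms), ...]}.

    A technique is kept only if it lists at least one platform you run. The
    score is the number of your platforms it covers (a simple proxy for how
    widely it applies to you); ties are broken by ID so output is stable.
    """
    env = set(environment)
    by_tactic = defaultdict(list)
    for attack_id, name, platforms, tactics in live_techniques(bundle):
        matched = platforms & env
        if not matched:
            continue
        for tactic in tactics:
            by_tactic[tactic].append((len(matched), attack_id, name, sorted(matched)))
    for entries in by_tactic.values():
        entries.sort(key=lambda e: (-e[0], e[1]))
    return dict(by_tactic)


if __name__ == "__main__":
    for tactic, entries in sorted(applicable_techniques(SAMPLE_BUNDLE, CLOUD_ENV).items()):
        print(tactic)
        for score, attack_id, name, matched in entries:
            print(f"  {attack_id} {name} (score {score}: {', '.join(matched)})")
```

Swap the constructed bundle for the downloaded enterprise-attack.json and the environment list for the platforms you actually run (spelled as ATT&CK spells them) and the same function gives you a per-tactic shortlist; passing ["Network"] instead of CLOUD_ENV yields the single-technique Initial Access row the network section below describes.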

A deep dive into the techniques in the Windows framework

Windows has well over 200 million enterprise users, and many high-value target organizations, such as the US government, run primarily on Windows. Because of that user base, roughly 80% of all malware attacks target Windows systems specifically. That means you have to be extra vigilant if you work on a security team in a Windows environment, and you need to ensure that proper logging, detections, and risk categorizations are in place. The Windows matrix covers the full set of techniques for the platform and is not broken down by Operating System (OS) version or by server versus endpoint, so some tailoring is definitely necessary when you review it. The matrix in its entirety looks like the following:

  • Initial Access
    • Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Hardware Additions, Phishing, Replication Through Removable Media, Supply...

A deep dive into the techniques in the macOS framework

While there are significantly more Windows users than macOS users, there are still over 100 million macOS users, and macOS endpoints are growing in popularity, especially in the private sector and specifically at tech companies. The smaller installed base means fewer attacks are targeted at macOS endpoints, but that certainly doesn't mean there are none. It's also important to note that a significant number of techniques and sub-techniques differ between the macOS and Windows matrices because of how the base OS and the filesystem work; if anything, macOS aligns more closely with Linux. As in the Windows section, we'll dig into a few different techniques and sub-techniques:

  • Initial Access
    • Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Hardware Additions, Phishing...

A deep dive into the techniques in the network framework

Now that endpoints have been covered, we'll take a deeper look at the network matrix. One interesting note about this matrix is that "network" is a vague label: many different components can make up a network (in ATT&CK, the Network platform specifically means network infrastructure devices such as routers and switches), so the implementation of the mitigation and detection strategies will have to be heavily tailored to your environment. There is only one network matrix, whereas we saw multiple for the cloud, which means some techniques won't apply to your environment at all, depending on how it is configured. The network matrix looks like this:

  • Initial Access
    • Exploit Public-Facing Application
  • Execution
    • Command and Scripting Interpreter
  • Persistence
    • Modify Authentication Process, Pre-OS Boot, and Traffic Signaling
  • Defense Evasion
    • Impair Defenses, Indicator Removal on Host (renamed Indicator Removal in ATT&CK v12), Modify Authentication Process, Modify System Image, Network Boundary Bridging, Pre...

A deep dive into the techniques in the mobile framework

We live in a connected world, and it's rare to see a person without at least one mobile device. In our pockets, we carry access to a great deal of financial and personal information, not to mention that most of us also have access to our corporate networks. It's also well understood that end users are one of the weakest links in an organization's security posture. That said, you can only recommend, not enforce, security controls for end users' personal phones; what you can protect is your organization-owned mobile devices. One good thing about mobile devices is that there are really only iOS- and Android-based devices, so you don't have to factor in a ton of variations, just the two base OSes and then the individual manufacturers. In this section, we'll take a look at the overarching mobile matrix, the Android matrix, and the iOS matrix and pick out a few techniques to review...

Summary

We looked at multiple types of matrices within the MITRE ATT&CK framework. Keep in mind that these receive regular updates in the form of changes to techniques, sub-techniques, and so on, so you'll want to periodically review the matrices to ensure that you are applying the latest information in your assessments.
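The periodic review called for above is mechanical enough to script. The following is an added example, not code from the book: it diffs two releases of the Enterprise bundle for the platforms you care about, using the attack-stix-data object layout (https://github.com/mitre-attack/attack-stix-data) on two constructed stand-in bundles with abbreviated platform lists. The changes it detects are the ones ATT&CK actually makes between versions: new techniques, techniques marked revoked or deprecated (ATT&CK does not delete objects), renames such as Indicator Removal on Host becoming Indicator Removal in v12, and platform lists that grew or shrank.

```python
"""Diff two releases of the ATT&CK Enterprise bundle for a set of platforms.

Added example, not code from the book. The two bundles below are constructed
stand-ins for an older and a newer release, using the object layout of
attack-stix-data (https://github.com/mitre-attack/attack-stix-data) with
abbreviated platform lists. ATT&CK never deletes a technique; it marks it
revoked or deprecated, so "retired" is the change to look for, not removal.
"""


def technique(attack_id, name, platforms, **flags):
    """One attack-pattern object in the attack-stix-data shape (tactics omitted)."""
    obj = {"type": "attack-pattern", "name": name, "x_mitre_platforms": platforms,
           "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}]}
    obj.update(flags)
    return obj


# Constructed stand-in for an older release.
OLD_RELEASE = {"type": "bundle", "objects": [
    technique("T1070", "Indicator Removal on Host", ["Windows", "Linux", "macOS", "Network"]),
    technique("T1566", "Phishing", ["Windows", "macOS", "Linux", "Office 365", "SaaS"]),
    technique("T1175", "Component Object Model and Distributed COM", ["Windows"]),
]}

# Constructed stand-in for a newer release: rename, platform gain, revocation, addition.
NEW_RELEASE = {"type": "bundle", "objects": [
    technique("T1070", "Indicator Removal", ["Windows", "Linux", "macOS", "Network"]),
    technique("T1566", "Phishing",
              ["Windows", "macOS", "Linux", "Office 365", "SaaS", "Google Workspace"]),
    technique("T1175", "Component Object Model and Distributed COM", ["Windows"], revoked=True),
    technique("T1648", "Serverless Execution", ["IaaS", "SaaS", "Office 365"]),
]}


def index_by_id(bundle):
    """Map ATT&CK ID -> attack-pattern object, retired entries included."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        ref = next(r for r in obj["external_references"] if r["source_name"] == "mitre-attack")
        index[ref["external_id"]] = obj
    return index


def is_retired(obj):
    """Revoked (replaced by another technique) or deprecated (dropped) entries."""
    return bool(obj.get("revoked") or obj.get("x_mitre_deprecated"))


def platforms_of(obj):
    return set(obj.get("x_mitre_platforms", []))


def diff_releases(old_bundle, new_bundle, platforms=None):
    """Report what changed between two releases, optionally scoped to your platforms.

    Returns {"added": [id], "retired": [id], "renamed": [(id, old, new)],
             "platforms_changed": [(id, gained, lost)]}, each ordered by ID.
    """
    old, new = index_by_id(old_bundle), index_by_id(new_bundle)
    scope = set(platforms) if platforms else None

    def in_scope(*objs):
        return scope is None or any(scope & platforms_of(o) for o in objs)

    report = {"added": [], "retired": [], "renamed": [], "platforms_changed": []}
    for tid in sorted(new):
        obj = new[tid]
        if tid not in old:
            if not is_retired(obj) and in_scope(obj):
                report["added"].append(tid)
            continue
        prev = old[tid]
        if not in_scope(obj, prev):
            continue
        if is_retired(obj) and not is_retired(prev):
            report["retired"].append(tid)
            continue
        if obj["name"] != prev["name"]:
            report["renamed"].append((tid, prev["name"], obj["name"]))
        gained = sorted(platforms_of(obj) - platforms_of(prev))
        lost = sorted(platforms_of(prev) - platforms_of(obj))
        if gained or lost:
            report["platforms_changed"].append((tid, gained, lost))
    return report


if __name__ == "__main__":
    for kind, entries in diff_releases(OLD_RELEASE, NEW_RELEASE).items():
        print(f"{kind}: {entries}")
```

In practice, keep the bundle you assessed against under version control, download the current one, and run the diff scoped to your platforms; anything in "added" or "platforms_changed" is a candidate for a new detection, and anything in "retired" or "renamed" needs its mapping updated in your detections and playbooks.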

In the next chapter, we’ll cover how to actually apply the controls from the MITRE ATT&CK framework to your environment, so you can fuse your knowledge of the controls with some practical experience and work to implement some of the detection and monitoring steps within your own networks.
