Working with the MITRE ATT&CK knowledge base
Detective Work

© Photo by Volodymyr Hryshchenko on Unsplash
The MITRE ATT&CK website keeps information on attackers and intrusion techniques. We'll show you how to use that information to look for evidence of an attack.
Security has many facets and angles, and if you really want to be safe, you need to be aware of them all. One important skill is to become familiar with the logfiles on your system and the information they might reveal (see the box entitled "All About Logs"). But the attackers have become increasingly sophisticated in recent years, and to stay ahead of them, you need all the help you can get. Another important source of information is the MITRE ATT&CK website [1]. MITRE ATT&CK is a structured, globally available knowledge base describing tactics and attackers. In addition to tracking the various attack methods used in the wild, MITRE ATT&CK also provides clues that will help you look for evidence.
Searching for Evidence
It's best to learn from examples. One threat facing users today is attacks related to stealing system resources for the purposes of mining cryptocurrency. The techniques that hackers use are quite interesting and sometimes unconventional. The Rocke group is a good example. Rocke is a Chinese group of cyber criminals who specialize in malware attacks to gain access for crypto mining [2][3][4][5]. This group has been operating since 2018 and is dynamically developing its arsenal. The group evolves quickly and changes its techniques. Analysis of a Rocke group attack is not as easy as it might seem, but luckily, you can turn to the MITRE ATT&CK framework. Some of the techniques that MITRE ATT&CK associates with the Rocke group include:
- T1036.005 – Masquerading: Match Legitimate Name or Location
- T1053.003 – Scheduled Task/Job: Cron
- T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking
[...]
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
LibreOffice 7.5 has Arrived and is Loaded with New Features and Improvements
The favorite office suite of the Linux community has a new release that includes some visual refreshing and new features across all modules.
-
The Next Major Release of Elementary OS Has Arrived
It's been over a year since the developers of elementary OS released version 6.1 (Jólnir) but they've finally made their latest release (Horus) available with a renewed focus on the user.
-
KDE Plasma 5.27 Beta Is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.