You can find the room here.
Task 1: Introduction to MITRE
No answer needed
Task 2: Basic Terminology
No answer needed
Task 3: ATT&CK Framwork
Question 1: Besides blue teamers, who else will use the ATT&CK Matrix?
Answer: Red Teamers
Question 2: What is the ID for this technique?
Question 3: Based on this technique, what mitigation covers identifying social engineering techniques?
Answer: User Training
Question 4: What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
Answer: Application Log,File,Network Traffic
Question 5: What groups have used spear-phishing in their campaigns? (format: group1,group2)
Answer: Axiom,GOLD SOUTHFIELD
Question 6: Based on the information for the first group, what are their associated groups?
Answer: Group 72
Question 7: What software is associated with this group that lists phishing as a technique?
Question 8: What is the description for this software?
Answer: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.
Question 9: This group overlaps (slightly) with which other group?
Answer: Winnti Group
Question 10: How many techniques are attributed to this group?
Task 4: CAR Knowledge Base
Question 1: For the above analytic, what is the pseudocode a representation of?
Answer: Splunk Search
Question 2: What tactic has an ID of TA0003?
Question 3: What is the name of the library that is a collection of Zeek (BRO) scripts?
Question 4: What is the name of the technique for running executables with the same hash and different names?
Question 5: Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
Answer: Unit Tests
Task 5: MITRE Engage
Question 1: Under Prepare, what is ID SAC0002?
Answer: Persona Creation
Question 2: What is the name of the resource to aid you with the engagement activity from the previous question?
Answer: PERSONA PROFILE WORKSHEET
Question 3: Which engagement activity baits a specific response from the adversary?
Question 4: What is the definition of Threat Model?
Answer: A risk assessment that models organizational strengths and weaknesses
Task 6: MITRE D3FEND
Question 1: What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
Answer: Data Obfuscation
Question 2: In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produces?
Answer: Outbound Internet Network Traffic
Task 7: ATT&CK Emulation Plans
Question 1: In Phase 1 for the APT3 Emulation Plan, what is listed first?
Answer: C2 Setup
Question 2: Under Persistence, what binary was replaced with cmd.exe?
Question 3: Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
Answer: Pupy,Metasploit Framework
Question 4: What C2 framework is listed in Scenario 2 Infrastructure?
Question 5: Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)
Task 8: ATT&CK and Threat Intelligence
Question 1: What is a group that targets your sector who has been in operation since at least 2013?
Question 2: As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
Answer: Cloud Accounts
Question 3: What tool is associated with the technique from the previous question?
Question 4: Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)
Answer: abnormal or malicious behavior
Question 5: What platforms does the technique from question #2 affect?
Answer: Azure AD, Google Workspace, IaaS, Office 365, SaaS
Task 9: Conclusion
No answer needed
Pyae Heinn Kyaw
Featured Photo – YouTube (Sezcurity)