Mitre ATT&CK

Integration version: 15.0

Configure the Mitre ATT&CK integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

| Parameter Display Name | Type | Default Value | Mandatory | Description |
| --- | --- | --- | --- | --- |
| Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for. |
| Description | String | N/A | No | Description of the instance. |
| API Root | String | https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json | Yes | Address of the Mitre ATT&CK instance. |
| Verify SSL | Checkbox | Checked | No | Use this checkbox if your Mitre ATT&CK connection requires SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Get Associated Intrusions

Description

Retrieves information about intrusions associated with a MITRE attack technique.

Parameters

| Parameter | Type | Default Value | Mandatory | Description |
| --- | --- | --- | --- | --- |
| Technique ID | String | N/A | Yes | Specify the identifier that will be used to find the associated intrusions. |
| ID Type | DDL | Attack ID | Yes | Specify what type of identifier to use. The possible values are listed below. |
| Max Intrusions To Return | String | 20 | No | Specify how many intrusions to return. |

Possible values for ID Type:

  • Attack Name (Example: Access Token Manipulation)
  • Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790)
  • External Attack ID (Example: T1050)

Although the UI shows the parameter options as Attack Name, Attack ID, and External Attack ID, they correspond to the name, id, and external_id fields in the raw JSON output.

Run On

This action runs on all entities.

Action Results

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result

The following example shows the JSON result output received when using the Get Associated Intrusions action:

[
    {
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "description":"[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group ...",
        "created":"2017-12-14T16:46:06.044Z",
        "x_mitre_contributors":["Romain Dumont, ESET"],
        "modified":"2019-07-17T13:11:37.402Z",
        "name":"APT32",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "x_mitre_version":"2.0",
        "aliases":["APT32","SeaLotus","OceanLotus","APT-C-00"],
        "type":"intrusion-set",
        "id":"intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
        "external_references":[{
            "url":"https://attack.mitre.org/groups/G0050",
            "source_name":"mitre-attack",
            "external_id":"G0050"
        },{
            "source_name":"APT32",
            "description":"(Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)"
        }]
    },{
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "name":"BRONZE BUTLER",
        "created":"2018-01-16T16:13:52.465Z",
        "description":"[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with...",
        "modified":"2019-03-22T19:57:36.804Z",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "external_references":[{
            "url":"https://attack.mitre.org/groups/G0060",
            "source_name":"mitre-attack",
            "external_id":"G0060"
        },{
            "source_name":"BRONZE BUTLER",
            "description":"(Citation: Trend Micro Daserf Nov 2017)"
        }],
        "x_mitre_version":"1.0",
        "type":"intrusion-set",
        "id":"intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
        "aliases":["BRONZE BUTLER","REDBALDKNIGHT","Tick"]
    },{
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "name":"CopyKittens",
        "created":"2018-01-16T16:13:52.465Z",
        "description":"[CopyKittens](https://attack.mitre.org/groups/G0052) is a cyber espionage group that has been ...",
        "modified":"2019-05-03T16:42:19.026Z",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "external_references":[{
            "url":"https://attack.mitre.org/groups/G0052",
            "source_name":"mitre-attack",
            "external_id":"G0052"
        },{
            "source_name":"CopyKittens",
            "description":"(Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)"
        }],
        "x_mitre_version":"1.1",
        "type":"intrusion-set",
        "id":"intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
        "aliases":["CopyKittens"]
    }
]

Get Mitigations

Description

Retrieves information about mitigations associated with a MITRE attack technique.

Parameters

| Parameter | Type | Default Value | Mandatory | Description |
| --- | --- | --- | --- | --- |
| Technique ID | String | N/A | Yes | Specify the identifier that will be used to find mitigations associated with the attack technique. |
| ID Type | DDL | Attack ID | Yes | Specify what type of identifier to use. The possible values are listed below. |
| Max Mitigations To Return | String | 20 | No | Specify how many mitigations to return. |

Possible values for ID Type:

  • Attack Name (Example: Access Token Manipulation)
  • Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790)
  • External Attack ID (Example: T1050)

Although the UI shows the parameter options as Attack Name, Attack ID, and External Attack ID, they correspond to the name, id, and external_id fields in the raw JSON output.

Run On

This action runs on all entities.

Action Results

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result
[
    {
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
        "created":"2018-10-17T00:14:20.652Z",
        "x_mitre_deprecated":true,
        "modified":"2019-07-24T14:26:14.411Z",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "external_references":
        [{
            "url":"https://attack.mitre.org/mitigations/T1022",
            "source_name":"mitre-attack",
            "external_id":"T1022"
        },{
            "url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
            "source_name":"Beechey 2010",
            "description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
        },{
            "url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
            "source_name":"Windows Commands JPCERT",
            "description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
        },{
            "url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
            "source_name":"NSA MS AppLocker",
            "description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
        },{
            "url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
            "source_name":"Corio 2008",
            "description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
        },{
            "url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
            "source_name":"TechNet Applocker vs SRP",
            "description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
        }],
        "x_mitre_version":"1.0",
        "type":"course-of-action",
        "id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
        "name":"Data Encrypted Mitigation"
    }
]
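Both Get Associated Intrusions and Get Mitigations start from a technique resolved by one of the three ID types and then return the objects linked to it. The following Python is an added example, not the integration's own code: it models that flow against a constructed miniature of the enterprise-attack STIX bundle. The technique, group and mitigation object IDs come from the sample output on this page; the relationship objects and their IDs, and the function names `load_bundle`, `find_technique`, `related_sources`, `get_associated_intrusions` and `get_mitigations`, are assumptions.

```python
"""Resolve an ATT&CK technique by ID type and walk its STIX relationships.

Added example, not the integration's code. The bundle is a constructed
miniature of enterprise-attack.json: object IDs for the technique, the two
groups and the mitigation are taken from this page's sample output; the
relationship objects (and their IDs) are assumed but follow the standard
ATT&CK STIX shape.
"""
import json

BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",  # constructed
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
         "name": "Data Encrypted",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1022",
                                  "url": "https://attack.mitre.org/techniques/T1022"}]},
        {"type": "intrusion-set",
         "id": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e", "name": "APT32",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0050"}]},
        {"type": "intrusion-set",
         "id": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "name": "BRONZE BUTLER",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0060"}]},
        {"type": "course-of-action",
         "id": "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
         "name": "Data Encrypted Mitigation", "x_mitre_deprecated": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1022"}]},
        # Relationship objects (constructed IDs). In ATT&CK STIX the edge points from the
        # intrusion-set ("uses") or course-of-action ("mitigates") to the attack-pattern.
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000001",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e",
         "target_ref": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638"},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000002",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
         "target_ref": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638"},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000003",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
         "target_ref": "attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638"},
    ],
})

# UI labels of the ID Type parameter mapped onto the raw-JSON fields, as the page notes.
ID_TYPE_FIELDS = {"Attack Name": "name", "Attack ID": "id", "External Attack ID": "external_id"}


def load_bundle(text=BUNDLE_JSON):
    """Parse the bundle text (offline here; the integration reads it from API Root)."""
    return json.loads(text)


def mitre_external_id(obj):
    """Return the ATT&CK ID (T..., G...) from the object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def find_technique(objects, identifier, id_type):
    """Resolve an attack-pattern by ID type (UI label or raw field name); None if absent."""
    field = ID_TYPE_FIELDS.get(id_type, id_type)
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        value = mitre_external_id(obj) if field == "external_id" else obj.get(field)
        if value == identifier:
            return obj
    return None


def related_sources(objects, technique_id, relationship_type, source_type, limit):
    """Follow relationships that target the technique; return up to `limit` source summaries."""
    by_id = {o["id"]: o for o in objects if "id" in o}
    found = []
    for rel in objects:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != relationship_type:
            continue
        if rel.get("target_ref") != technique_id:
            continue
        src = by_id.get(rel.get("source_ref"))
        if src is None or src.get("type") != source_type:
            continue
        found.append({"external_id": mitre_external_id(src), "name": src.get("name"),
                      "deprecated": bool(src.get("x_mitre_deprecated", False))})
        if len(found) >= limit:  # honour the Max ... To Return parameter
            break
    return found


def get_associated_intrusions(bundle, identifier, id_type="External Attack ID", max_intrusions=20):
    tech = find_technique(bundle["objects"], identifier, id_type)
    if tech is None:
        return {"is_success": False, "intrusions": []}
    groups = related_sources(bundle["objects"], tech["id"], "uses", "intrusion-set", max_intrusions)
    return {"is_success": bool(groups), "intrusions": groups}


def get_mitigations(bundle, identifier, id_type="External Attack ID", max_mitigations=20):
    tech = find_technique(bundle["objects"], identifier, id_type)
    if tech is None:
        return {"is_success": False, "mitigations": []}
    coas = related_sources(bundle["objects"], tech["id"], "mitigates", "course-of-action", max_mitigations)
    return {"is_success": bool(coas), "mitigations": coas}


if __name__ == "__main__":
    b = load_bundle()
    print(get_associated_intrusions(b, "T1022"))
    print(get_mitigations(b, "Data Encrypted", id_type="Attack Name"))
```

The walk matches on target_ref because in the ATT&CK STIX data the edge runs from the group or mitigation to the technique. The summary keeps x_mitre_deprecated, which the sample mitigation above carries as true, so a playbook can distinguish a current mitigation from a retired one instead of presenting both the same way.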

Get Technique Details

Description

Retrieves detailed information about a MITRE attack technique.

Parameters

| Parameter | Type | Default Value | Mandatory | Description |
| --- | --- | --- | --- | --- |
| Technique ID | String | N/A | Yes | Specify a comma-separated list of identifiers that will be used to find detailed information about the techniques. Example: identifier_1,identifier_2 |
| ID Type | DDL | Attack ID | Yes | Specify what type of identifier to use. The possible values are listed below. |
| Create Insight | Checkbox | Unchecked | No | If enabled, the action creates a separate insight for every processed technique. |

Possible values for ID Type:

  • Attack Name (Example: Access Token Manipulation)
  • Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790)
  • External Attack ID (Example: T1050)

Although the UI shows the parameter options as Attack Name, Attack ID, and External Attack ID, they correspond to the name, id, and external_id fields in the raw JSON output.

Run On

This action runs on all entities.

Action Results

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result
{
    "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
    "external_references":
    [{
        "url":"https://attack.mitre.org/techniques/T1022",
        "external_id":"T1022",
        "source_name":"mitre-attack"
    },{
        "url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
        "source_name":"Zhang 2013",
        "description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
    },{
        "url":"https://en.wikipedia.org/wiki/List_of_file_signatures",
        "source_name":"Wikipedia File Header Signatures",
        "description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
    }],
    "created":"2017-05-31T21:30:30.26Z",
    "x_mitre_platforms":["Linux","macOS","Windows"],
    "type":"attack-pattern",
    "description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
    "kill_chain_phases":
    [{
        "phase_name":"exfiltration",
        "kill_chain_name":"mitre-attack"
    }],
    "modified":"2018-10-17T00:14:20.652Z",
    "id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
    "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
    "x_mitre_network_requirements":false,
    "x_mitre_version":"1.0",
    "x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
    "x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
    "name":"Data Encrypted"
}

Get Technique Details

Description

Retrieves detailed information about a MITRE attack technique.

Parameters

| Parameter | Type | Default Value | Mandatory | Description |
| --- | --- | --- | --- | --- |
| Technique ID | String | N/A | Yes | Specify a comma-separated list of identifiers that will be used to find detailed information about the techniques. Example: identifier_1,identifier_2 |
| ID Type | DDL | Attack ID | Yes | Specify what type of identifier to use. The possible values are listed below. |
| Create Insight | Checkbox | Unchecked | No | If enabled, the action creates a separate insight for every processed technique. |

Possible values for ID Type:

  • Attack Name (Example: Access Token Manipulation)
  • Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790)
  • External Attack ID (Example: T1050)

Although the UI shows the parameter options as Attack Name, Attack ID, and External Attack ID, they correspond to the name, id, and external_id fields in the raw JSON output.

Run On

This action runs on all entities.

Action Results

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result
[{
    "Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
    "EntityResult": {
        "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
        "external_references":[{
            "url":"https://attack.mitre.org/techniques/T1022",
            "external_id":"T1022",
            "source_name":"mitre-attack"
        },{
            "url":"http://www.netsec.colostate.edu/~zhang/DetectingEncryptedBotnetTraffic.pdf",
            "source_name":"Zhang 2013",
            "description":"Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015."
        },{
            "url":"https://en.wikipedia.org/wiki/List_of_file_signatures",
            "source_name":"Wikipedia File Header Signatures",
            "description":"Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016."
        }],
        "created":"2017-05-31T21:30:30.26Z",
        "x_mitre_platforms":["Linux","macOS","Windows"],
        "type":"attack-pattern",
        "description":"Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.\n\nOther exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)",
        "kill_chain_phases":[{
            "phase_name":"exfiltration",
            "kill_chain_name":"mitre-attack"
        }],
        "modified":"2018-10-17T00:14:20.652Z",
        "id":"attack-pattern--d54416bd-0803-41ca-870a-ce1af7c05638",
        "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
        "x_mitre_network_requirements":false,
        "x_mitre_version":"1.0",
        "x_mitre_data_sources":["File monitoring","Process monitoring","Process command-line parameters","Binary file metadata"],
        "x_mitre_detection":"Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known encryption utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. Often the encryption key is stated within command-line invocation of the software. \n\nA process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. \n\nNetwork traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. (Citation: Zhang 2013) If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)",
        "name":"Data Encrypted"
    }
}]
Case Wall

| Result Type | Value / Description | Type |
| --- | --- | --- |
| Output message* | The messages below, depending on which of the supplied identifiers were processed. | General |

If at least one ID was processed:

print "Retrieved detailed information about the following techniques: {0}\n".format(new line separated list of processed techniques)

If at least one ID was not processed:

print "Action wasn't able to retrieve detailed information about the following techniques: {0}\n".format(new line separated list of unprocessed techniques)

If no IDs were processed:

print "Action wasn't able to find the provided techniques."
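The Technique ID parameter of Get Technique Details takes a comma-separated list, and the case wall messages above depend on which of those identifiers could be resolved. The Python below is an added example, not the integration's code, of that batch handling: it splits the list, resolves each identifier, and builds the output messages exactly as listed. The `KNOWN_TECHNIQUES` table is constructed from technique IDs and names that appear on this page; the trimming, blank-dropping and de-duplication of the list, the tie of is_success to "at least one processed", and the choice to emit only the not-found message when nothing was processed are assumptions.

```python
"""Batch resolution of the comma-separated Technique ID list and the three
case wall messages of Get Technique Details. Added example, not the
integration's code; list handling rules and the lookup table are assumed.
"""

# Constructed lookup table keyed by ATT&CK external ID (IDs and names from this page).
KNOWN_TECHNIQUES = {
    "T1022": {"name": "Data Encrypted"},
    "T1041": {"name": "Exfiltration Over Command and Control Channel"},
    "T1048": {"name": "Exfiltration Over Alternative Protocol"},
}

# Message templates copied from the case wall table.
MSG_PROCESSED = "Retrieved detailed information about the following techniques: {0}\n"
MSG_UNPROCESSED = "Action wasn't able to retrieve detailed information about the following techniques: {0}\n"
MSG_NONE = "Action wasn't able to find the provided techniques."


def parse_identifier_list(raw):
    """Split on commas, trim whitespace, drop blanks, keep first occurrence of duplicates."""
    seen, out = set(), []
    for part in raw.split(","):
        ident = part.strip()
        if ident and ident not in seen:
            seen.add(ident)
            out.append(ident)
    return out


def get_technique_details(raw_ids, known=KNOWN_TECHNIQUES, create_insight=False):
    """Resolve each identifier and assemble the action's result.

    Returns a dict with is_success, the processed/unprocessed lists, the
    output messages in order, and one insight per processed technique when
    create_insight is set (mirroring the Create Insight checkbox).
    """
    processed, unprocessed, insights = [], [], []
    for ident in parse_identifier_list(raw_ids):
        tech = known.get(ident)
        if tech is None:
            unprocessed.append(ident)
            continue
        processed.append(ident)
        if create_insight:
            insights.append({"technique": ident, "title": tech["name"]})

    messages = []
    if not processed:
        # Reading taken here (assumption): with nothing processed, only the
        # "not found" message is shown rather than the unprocessed list.
        messages.append(MSG_NONE)
    else:
        messages.append(MSG_PROCESSED.format("\n".join(processed)))
        if unprocessed:
            messages.append(MSG_UNPROCESSED.format("\n".join(unprocessed)))

    return {
        "is_success": bool(processed),  # assumption: success means at least one resolved
        "processed": processed,
        "unprocessed": unprocessed,
        "output_messages": messages,
        "insights": insights,
    }


if __name__ == "__main__":
    for msg in get_technique_details("T1022, T1041,,T9999 ,T1022")["output_messages"]:
        print(msg)
```

Trimming and de-duplication matter in practice because the parameter is usually filled from a playbook placeholder, and a stray space or repeated ID would otherwise surface as a spurious "unprocessed" entry or a doubled insight.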

Get Techniques Mitigations

Description

Retrieves information about mitigations associated with a MITRE attack technique.

Parameters

| Parameter | Type | Default Value | Mandatory | Description |
| --- | --- | --- | --- | --- |
| Technique ID | String | N/A | Yes | Specify the identifiers that will be used to find mitigations associated with the attack technique. Comma-separated values. |
| Attack ID | DDL | Attack ID | Yes | Specify what type of identifier to use. The possible values are listed below. |
| Max Mitigations To Return | String | 20 | No | Specify how many mitigations to return. |

Possible values for the ID type:

  • Attack Name (Example: Access Token Manipulation)
  • Attack ID (Example: attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790)
  • External Attack ID (Example: T1050)

Run On

This action runs on all entities.

Action Results

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result
[{
    "Entity": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0",
    "EntityResult": {
        "mitigations": [{
            "created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "description":"Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
            "created":"2018-10-17T00:14:20.652Z",
            "x_mitre_deprecated":true,
            "modified":"2019-07-24T14:26:14.411Z",
            "object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
            "external_references":[{
                "url":"https://attack.mitre.org/mitigations/T1022",
                "source_name":"mitre-attack",
                "external_id":"T1022"
            },{
                "url":"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
                "source_name":"Beechey 2010",
                "description":"Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014."
            },{
                "url":"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
                "source_name":"Windows Commands JPCERT",
                "description":"Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016."
            },{
                "url":"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
                "source_name":"NSA MS AppLocker",
                "description":"NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016."
            },{
                "url":"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
                "source_name":"Corio 2008",
                "description":"Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014."
            },{
                "url":"https://technet.microsoft.com/en-us/library/ee791851.aspx",
                "source_name":"TechNet Applocker vs SRP",
                "description":"Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016."
            }],
            "x_mitre_version":"1.0",
            "type":"course-of-action",
            "id":"course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b",
            "name":"Data Encrypted Mitigation"
        }]
    }
}]
Case Wall

| Result Type | Value / Description | Type |
| --- | --- | --- |
| Output message* | The messages below, depending on the outcome. | General |

The action should not fail or stop the playbook execution: if "ErrorCode" is in the response (is_success=false), or if no data was returned (is_success=true): "Action wasn't able to find mitigations for the following techniques: <identifiers>"

If successful: "Successfully retrieved mitigations for the following techniques: <identifiers>"

The action should fail and stop the playbook execution:

If a fatal error or SDK error occurs, such as wrong credentials, no connection, or other: "Error executing action "Get Techniques Mitigations". Reason: {0}".format(error.Stacktrace)

Ping

Description

Test connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |
