Exploring 5 Techniques from the MITRE ATT&CK Cloud Matrix Specific to O365

MITRE isn’t resting on their laurels with ATT&CK; they keep making it better. ATT&CK now includes cloud-specific content, and I don’t mean just generalized cloud guidance. Just like how ATT&CK has specific Techniques for Windows and Linux, ATT&CK’s cloud matrix defines Techniques specific to Office 365, Azure, AWS, Google, and others. It also covers most of the same Tactics found in the original ATT&CK matrix, including:

  • Initial Access: Get into your network
  • Persistence: Maintain their foothold
  • Privilege Escalation: Gain higher-level permissions
  • Defense Evasion: Avoid being detected
  • Credential Access: Steal account names and passwords
  • Discovery: Figure out your environment
  • Lateral Movement: Move through your environment
  • Collection: Gather data of interest to their goal
  • Exfiltration: Steal data

The only ones missing at this time are:

  • Execution: Run malicious code
  • Command and Control: Communicate with compromised systems to control them
  • Impact: Where the adversary tries to manipulate, interrupt, or destroy your systems and data.

In addition, MITRE’s cloud matrix already has over 40 different documented Techniques, and in this real training for free ™ event, Randy Franklin Smith of Ultimate Windows Security will provide an overview of the matrix and show you how it fits into the overall ATT&CK framework.

Then, members of LogRhythm’s Threat Research team — Brian Coulson, Dan Kaiser, and Sally Vincent — demonstrate how you can use the following 5 cloud Techniques to identify anomalies in an Office 365 environment:

  • T1114: Email Collection
  • T1534: Internal Spearphishing
  • T1098: Account Manipulation
  • T1136: Create Account
  • T1192: Spearphishing Link

Watch the on-demand webinar now to learn to protect your resources using MITRE ATT&CK’s cloud matrix.

Duration: 01:27:28