Saturday #blueteam pondering -

Are lateral movement and privilege escalation two distinct concepts?

What is lateral movement really?
Have access here.
Want access over there.
Do things to exploit weakness.
Get access over there.
Lateral movement has happened.

This story is access centric.

Except, in common parlance:
- lateral movement is network centric.
- privilege escalation is access centric.

Gestalt for me: trouble comes when:
user account scope-of-access =
network-reach scope-of-access

Trying to illustrate -
What onwards value is domain admin on a member host without effective interactive network-reach to a DC? i.e. effective onwards network-reach scope-of-access is unavailable to other hosts.

In other words, achieving privilege escalation on a member host is little, when onwards network-reach scope-of-access does not include other hosts on the private network.

Scope-of-access is the key conceptual distinction for both account-level and network-level access.

Account scope-of-access is a long used concept, perhaps a little out of favour.

There are degrees of onwards network-reach. Necessary network connections between member hosts and DCs do not immediately equate to material scope-of-access.

I reckon ‘network-reach scope-of-access’ is a handy phrase. Perhaps it explicitly surfaces a concept in common use with graph theory modeling of attack paths?

Thoughts?

#blueteam
#lateralmovement #privelege_escalation
#mitre #mitreattack #mitreattck
#activedirectory
#infosec #cybersecurity
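As an added illustration of the post's two scopes (not part of the post, and not anyone's production tooling), the script below models a tiny constructed environment as a graph: an intruder who holds admin on one host can take over another host only when a harvested account is admin on the target (account scope-of-access) AND the source host has network reach to the target (network-reach scope-of-access). The host names, accounts and reach table are all made up for the example.

```python
"""Toy attack-path model for the 'scope-of-access' distinction.

Two independent scopes are modelled:
  * account scope-of-access       : which hosts an account is admin on
  * network-reach scope-of-access : which hosts a host can open sessions to
Movement src -> dst is possible only when BOTH line up.  All data below is
constructed sample data (hypothetical hosts and accounts).
"""

# host -> hosts it can reach over the network (segmentation / host firewall)
NETWORK_REACH = {
    "WS01": {"WS02", "FS01"},
    "WS02": {"WS01", "FS01"},
    "FS01": {"DC01"},
    "DC01": {"WS01", "WS02", "FS01"},
}

# host -> accounts whose credentials/tokens are exposed on it (logged-on sessions)
SESSIONS = {
    "WS01": {"alice", "svc_backup"},
    "WS02": {"bob"},
    "FS01": {"svc_backup"},
    "DC01": {"da_admin"},
}

# account -> hosts where it is local admin (account scope-of-access)
ADMIN_RIGHTS = {
    "alice": {"WS01"},
    "bob": {"WS02"},
    "svc_backup": {"WS01", "WS02", "FS01", "DC01"},  # tier violation: admin everywhere
    "da_admin": {"WS01", "WS02", "FS01", "DC01"},
}


def compromise_closure(reach, sessions, rights, start):
    """Hosts that can be controlled starting from admin on `start`.

    Returns {host: [path of hosts]}.  Credentials found on each newly
    controlled host join the pool; a step src -> dst needs a pooled account
    with admin on dst AND dst inside src's network reach.
    """
    paths = {start: [start]}
    creds = set(sessions.get(start, ()))
    changed = True
    while changed:
        changed = False
        for src in sorted(paths):  # sorted() snapshots, so growing the dict is safe
            for acct in sorted(creds):
                candidates = rights.get(acct, set()) & reach.get(src, set())
                for dst in sorted(candidates):
                    if dst not in paths:
                        paths[dst] = paths[src] + [dst]
                        creds |= sessions.get(dst, set())
                        changed = True
    return paths


def segmented(reach, src, dst):
    """Copy of `reach` with the src -> dst network path removed (a firewall rule)."""
    out = {h: set(t) for h, t in reach.items()}
    out[src].discard(dst)
    return out


if __name__ == "__main__":
    full = compromise_closure(NETWORK_REACH, SESSIONS, ADMIN_RIGHTS, "WS01")
    cut = compromise_closure(segmented(NETWORK_REACH, "FS01", "DC01"),
                             SESSIONS, ADMIN_RIGHTS, "WS01")
    for host, path in full.items():
        print("full reach:", " -> ".join(path))
    print("after removing FS01 -> DC01 reach:", sorted(cut))
```

The point the model makes is the post's own: svc_backup is admin on DC01 everywhere it appears, yet from WS01 the DC is only reachable by way of FS01, because WS01 has no network reach to DC01. Dropping the single FS01 to DC01 reach removes DC01 from the closure entirely, even though the account's scope-of-access is untouched. The two scopes are independent controls, and a defender can graph them separately to find where they coincide.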

HIRING: Senior Cloud Security Engineer (m/f/d) - Platform Engineering / Berlin or Hamburg, Germany
💰 EUR 70K+

👉 https://isecjobs.com/J712374/

#AWS #CICD #Cloud #ComputerScience #Kubernetes #MITREATTCK #Monitoring #OpenSource #OWASP #Privacy #DEjobs #PlatformEngineering
Senior Cloud Security Engineer (m/f/d) - Platform Engineering at MOIA - Berlin or Hamburg, Germany

MOIA is hiring for Full Time Senior Cloud Security Engineer (m/f/d) - Platform Engineering - Berlin or Hamburg, Germany, a senior-level InfoSec / Cybersecurity role offering benefits such as career development, competitive pay, conferences, flex hours, flex vacation, health care, home office stipend, pet friendly, relocation support, salary bonus.

isecjobs.com

I'm trying to document a DoS that happened yesterday... I get a CVSS3 score but am having trouble using MITRE ATT&CK, anybody wanna chime in here?

CVSSv3 : 5.3 (AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Attacker hits the cable with a big chunk of iron (anchor)... 🤔😉🚢⚓

🤪

#mitreattackframework #mitreattck #mitreattck

Getting Started in Security with BHIS and MITRE ATT&CK w/ John Strand – Antisyphon Training

@fugueish Yes, but I think your CSIRP and related processes would need to reference MITRE ATT&CK and require it before it would be widely used.
It can get you started on mapping out any possible threat, risk, or attack you can think of and help you come up with mitigations. But if everybody isn't using it, you'll have references and language that only some teams understand.
In real life, it is nice when our security tools link to MITRE ATT&CK because we can quickly understand what a particular alert is about. But we don't put that on a report that goes to anybody else, because, as of right now, they would have no idea what T1548.002 means.

#mitre #mitreattack #mitreattck #csirp #csirt #infosec

Abuse Elevation Control Mechanism: Bypass User Account Control, Sub-technique T1548.002 - Enterprise | MITRE ATT&CK®

The changing role of the MITRE ATT&CK framework

Organizations are using the MITRE ATT&CK framework as more than a security operations reference architecture, adding new use cases and making it part of strategic future plans.

CSO Online
I like Mitre ATT&CK, but it feels too enterprise centric and often lacking behaviors usually tied to other scenarios such as home infections. These intrusions are not doing internal lateral movement, but scanning/attacking the internet. Somehow “network service discovery” feels inappropriate for such behavior. #threatintel #mitreattck
Other than MITRE ATT&CK which is very broad and exhaustive, is there an attribute list for "capabilities" or "functionality" (or whatever you want to call them) that exploits or payloads grant the user? I'm looking for things like command-exec, file-read, file-write, etc.
#infosec #taxonomy #postexploitation #mitreattck

Great way of adding MITRE ATT&CK analytics to your SIEM for threat hunting. They even added an intelligence component that resembles MITRE's Software/Groups tabs so your references are in one place.
#ThreatIntel #ThreatHunting #mitreattck

https://thehackernews.com/2022/11/threat-hunting-with-mitre-att-and-wazuh.html