Learning cybersecurity for the first time is a very difficult task. Possibly just as challenging is the task of teaching it to those new to the concepts, processes, and technologies. Many reasons contribute to this present reality. A few of the most obvious offenders are the rate of change within technology, the prerequisite knowledge that should be obtained before learning about information security/cyber, the vast amount of concepts, topics, and domains that encompass “cybersecurity,” and the challenge to overcome/address the fact that many experts do not have the same opinions on how cyber is best done. One belief that a majority of cyber practitioners agree on is that cybersecurity is one of those trades that are best learned by doing. Books, lectures, and videos just never will compare to the skills and information gained from working through concepts in a hands-on system fashion. Some domains of industry cybersecurity programs may be less technical than others, but it is always incredibly useful to understand systems and the technical restrictions and concepts that rule them. One effective method to teach cybersecurity topics in a hands-on manner is through Capture-the-Flag (CTF) events. These are educational exercises in the form of challenges that require users to perform certain actions to find hidden flags or answers within a “box” (computer, website, file, etc). These challenges are very popular for teaching students skills as they take advantage of the gamified style of learning. One difficulty with CTFs is identifying the overlap between what is done in a CTF box and cybersecurity actions at the industry level. Sure, some skills will fit nicely into both the education and workforce/industry realms (such as recon and network traffic analysis), but for the 95% of cyber professionals who are not working in penetration testing, it takes a little more work to realize the overlap. One way I think we could better develop useful skills and knowledge with CTF-style learning is to clearly identify tasks relating to real-world cyber activity. This could be achieved by utilizing a common understanding of what actions were taken to find the flag, how that task is most commonly accomplished in the real world, and how it could be defended within a corporate infrastructure. This information could be accomplished by identifying and listing MITRE ATT&CK® TTPs within CTF challenges. It is one thing for a student to be able to say they found the flag, it is quite another for them to explain how they utilized Active Scanning, Gather Victim Host Information, Search Open Websites/Domains, Valid Accounts, Command and Scripting Interpreter, Exploitation for Privilege Escalation, to identify the hidden flag. This will create a better knowledge grasp of industry terminology while enjoying the fun nature of a CTF. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of real-world tactics and techniques used by cyber adversaries to compromise systems. The framework aims to help organizations across industries better understand threats and protect their critical systems. ATT&CK has standardized threat behavior and also offers intelligence regarding specific APT groups, software/malware, cyber attack chains/campaigns, data sources for detection, and much more. It is based on real-world observations and acts as a behavior model for cyber adversary activity. With the ATT&CK matrix, organizations can plot each step of a cyber-attack and effectively describe the goals and methods an adversary has executed during an incident. The ATT&CK framework consists of Tactics, Techniques, and Procedures, which all sound very similar to the normal person. To fully grasp the ATT&CK framework, knowing the distinction between these three terms is critical. It can get confusing, so let’s define TTPs: > Tactic – The technical goals of an adversary. > Technique – How those goals are achieved.Ask 15 people how to secure a network, and you’ll likely get 15 unique answers.
> Gamified Learning through Capture-the-Flag Events
> Real-world Cyber Activity
>What is ATT&CK®?
Examples: Reconnaissance, Initial Access, and Privilege Escalation
Examples: Phishing for Information (T1598), Scheduled Task/Job (T1053), and Data Encoding (T1132)
> Sub Techniques (Procedures)- *Mostly* specific implementations of a technique
Examples: Spear phishing link (T1598.003) and SSH (T1021.004).
ATT&CK currently supports Enterprise, ICS, and Mobile systems matrices. A portion of the ATT&CK Matrix for Enterprise is shown below. The top row lists the Tactics, each Tactic column lists the associated Techniques, and Sub-Techniques are seen by expanding certain Techniques. As of March 2024, there are 14 Tactics, 201 Techniques, and 424 Sub-techniques in the Enterprise ATT&CK matrix. The enterprise matrix can be sorted by platform, offering a matrix for Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers. There are also matrices for ICS and Mobile (iOS and Android) devices.
> Top use cases for ATT&CK include:
Cyber Threat Intelligence Enrichment:
The framework can help organizations enrich their cyber threat intelligence by identifying context on specific attacker TTPs, as well as knowledge of potential artifacts, targets, and indicators of compromise (IOCs). This enrichment allows for threat-informed decision-making and more effective threat mitigation strategies. ATT&CK can be mapped to finished reporting and raw data for CTI analysis and targeted defensive recommendations based on the analysis.
Detection and Threat Hunting:
ATT&CK enables SOCs to develop detection, response, and hunt plans based on the most commonly recognized adversary TTPs, allowing security teams to nail down potential dangers and proactively implement countermeasures. MITRE notes that “Organizations can utilize knowledge of adversary TTPs as described in ATT&CK to develop, test, tune, and employ robust analytics to detect and investigate malicious cyber activity. The ATT&CK Framework can assist organizations to develop hypotheses, determine data collection requirements, identify and mitigate collection gaps, test and tune analytics using purple-teaming, and conduct a threat-informed hunt.”
Red Teaming and Adversary Emulation:
The ATT&CK framework presents a systematic way to replicate genuine attacker techniques during red teaming exercises and adversary emulations, ultimately assessing an organization's defensive capabilities. ATT&CK offers adversary emulation concepts and how to research, implement, and ethically execute adversary TTPs based on ATT&CK.
Security Evaluation and Gap Analysis:
ATT&CK can be utilized to locate the strengths and weaknesses of organizational security posture, allowing gaps to be seen, and the ability to prioritize security control investments that will effectively defend against relevant threats.
SOC Maturity Assessment:
The ATT&CK framework supports organizations in assessing their Security Operations Center (SOC) maturity. This process includes measuring the ability to detect, respond to, and mitigate various TTPs within ATT&CK. Similarly to a gap analysis, the assessment provides visibility into areas for improvement and prioritizing resources to strengthen the overall security posture.
Behavioral Analytics Development:
By mapping the TTPs in the ATT&CK framework to specific user and system behaviors, organizations can develop behavioral analytic models to identify anomalous activities that may be indicative of potential threats or concerns. This proactive approach enhances detection capabilities and helps security teams to mitigate risks.
Training and Education:
By maintaining an up-to-date and accurate catalog of adversary TTPs, the framework makes for a useful resource for training and informing security members on the latest adversarial tactics and methods.
The team at Hack the Box explains that “the MITRE ATT&CK framework is an indispensable asset for security operations, offering a shared language and structure for describing and understanding adversarial behavior. It is vital for enhancing various aspects of security operations, from threat intelligence and behavioral analytics to SOC maturity assessment and cyber threat intelligence enrichment.”
> Common CTF ATT&CK TTP List
Now that we know what ATT&CK is and how it can be used, I want to provide a list of 50 of the most common ATT&CK TTPs that are used in CTF challenges (according to myself and Season III, US Cyber Team RvB Coach Christopher Haller, he knows a thing or two). These TTPs are either methods used to hide flags by challenge developers or actions that need to be taken to retrieve/find the flag. They are grouped by Tactic here for easy organization.
50 common ATT&CK Techniques found within CTFs:
Reconnaissance
- T1595: Active Scanning - Commonly seen in pwn challenges
- T1595.003: Wordlist Scanning - Commonly seen in web challenges
- T1592: Gather Victim Host Information - Commonly seen in pwn challenges
- T1589: Gather Victim Identity Information - Commonly seen in pwn challenges
- T1596: Search Open Technical Databases - Commonly seen in OSINT challenges
- T1593: Search Open Websites/Domains - Commonly seen in OSINT challenges
Resource Development
- T1587: Develop Capabilities
- T1587.001: Develop Capabilities - Malware - Commonly seen in RE/pwn challenges
- 1587.004: Develop Capabilities - Exploits - Commonly seen in RE/pwn challenges
Initial Access
- T1569: Content Injection - Commonly seen in Web/pwn challenges
- T1190: Exploit Public-Facing Application - Commonly seen in Web challenges
- T1078: Valid Accounts - Commonly seen in pwn challenges
Execution
- T1059: Command and Scripting Interpreter - Commonly seen in pwn challenges
- T1053: Scheduled Task/Job - Commonly seen in pwn challenges
- T1203: Exploitation for Client Execution - Commonly seen in pwn challenges
Persistence
- T1098: Account Manipulation - Commonly seen in pwn challenges
- T1136: Create Account - Commonly seen in web/pwn challenges
- T1053: Scheduled Task/Job - Commonly seen in web/pwn challenges
- T1505: Server Software Component - Commonly seen in pwn challenges
Privilege Escalation
- T1548: Abuse Elevation Control Mechanism - Commonly seen in pwn challenges
- T1098: Account Manipulation - Commonly seen in pwn challenges
- T1611: Escape to Host - Commonly seen in pwn challenges
- T1068: Exploitation for Privilege Escalation - Commonly seen in pwn challenges
Defense Evasion
- T1564: Hide Artifacts - Commonly seen in forensics challenges
- T1027: Obfuscated Files or Information - Commonly seen in forensics challenges
- T1055: Process Injection - Commonly seen in pwn challenges
- T1550: Use Alternate Authentication Material - Commonly seen in pwn challenges
- T1622: Debugger Evasion - Commonly seen in RE/pwn challenges
- T1070: Indicator Removal - Commonly seen in forensics challenges
- T1140: Deobfuscate/Decode Files or Information - Commonly seen in crypto challenges
Credential Access
- T1110: Brute Force - Commonly seen in pwn challenges
- T1555: Credentials from Password Stores - Commonly seen in pwn challenges
- T1606: Forge Web Credentials - Commonly seen in web challenges
- T1040: Network Sniffing - Commonly seen in forensics challenges
- T1003: OS Credential Dumping - Commonly seen in pwn challenges
- T1539: Steal Web Session Cookie - Commonly seen in web challenges
- T1552: Unsecured Credentials - Commonly seen in web/pwn challenges
Discovery
- T1083: File and Directory Discovery - Commonly seen in forensics challenges
- T1654: Log Enumeration - Commonly seen in forensics challenges
- T1040: Network Sniffing - Commonly seen in forensics challenges
Lateral Movement
- T1570: Lateral Tool Transfer - Commonly seen in pwn challenges
- T1021: Remote Services - Commonly seen in pwn challenges
Collection
- T1213: Data from Information Repositories - Commonly seen in pwn challenges
- T1005: Data from Local System - Commonly seen in forensics challenges
Command and Control
- T1132: Data Encoding - Commonly seen in forensics challenges
- T1001: Data Obfuscation - Commonly seen in forensics challenges Forensics
- T1095: Non-Application Layer Protocol - Commonly seen in forensics challenges
Exfiltration
- T1041: Exfiltration Over C2 Channel - Commonly seen in pwn challenges
Impact
- T1498: Network Denial of Service - Commonly seen in forensics challenges
- T1486: Data Encrypted for Impact - Commonly seen in crypto challenges
The techniques are highlighted in the corresponding image of an ATT&CK layer.
| COLOR KEY | |
|---|---|
ORANGE = PWN | GREEN - FORENSICS |
YELLOW = RE | PURPLE = WEB |
BLUE - OSINT | RED = CRYPTO |
This Navigator Layer can be downloaded for further viewing or to make your own modifications and adjustments from my Github found here: https://github.com/purplevan/attack_ctf_layer/tree/main.
> Utilizing ATT&CK and CTFs for Learning Cyber
Here are just a few of the reasons why it would be beneficial to learn cybersecurity through CTF challenges within the context of ATT&CK TTPs.
- Relate to real-world cyber-attack TTPs
- Understand how to better communicate the skills and knowledge gained in CTFs
- Better preparation for industry terms and understanding of how to categorize cyber attacks
- Develop a ‘purple team’ mentality by identifying attack and defense measures
There is at least one resource that already maps challenges to ATT&CK TTPs.
Hack The Box Academy is one training site that does a great job of identifying ATT&CK coverage for challenges and training provided. They specify both Techniques and Sub-Techniques, offering even better information than some vendors/DFIR reports out there.
Below is an example of the TTPs found in the Windows Attacks & Defense module. 
AUTHOR: Micah VanFossen
Micah is a SIEM / Data Engineer. He works to defend against threats by identifying, obtaining, and utilizing relevant data to create detections and inform strategic decisions. He holds a Master's degree in Cybersecurity and a list of top industry certifications, but the differentiator in his career has been his passion to learn, create solutions, and educate others. He is a firm believer in resourceful education and the power of curiosity.
CONTRIBUTOR: Chris Haller
Chris, the Season III, US Cyber Team Red vs Blue Coach is certified as GSE #329 and a US Navy Veteran who has a passion for uncovering operating risks for organizations. He has been awarded his Master's in Cybersecurity Management and Policy from UMGC and a Graduate Certificate in Penetration Testing and Ethical Hacking from the SANS Technology Institute. Chris is a passionate CTF player, CTF coach, mentor, and HackTheBox creator. Chris has way too many certifications and will be publishing a book on computer hacking.
