Summiting the Pyramid v2.0.0

Summiting the Pyramid is a research project focused on engineering cyber analytics to make adversary evasion more difficult. This project is created and maintained by the MITRE Center for Threat-Informed Defense in futherance of our mission to advance the state of the art and the state of the practice in threat-informed defense globally.

Important

What’s New In V2:

In version 2.0, we updated and improved the project in the following ways!

• Exploring how detection accuracy and robustness relate to each other to create balanced analytics. See: What is a Robust Detection?

• Introducing Detection Decomposition Diagrams (D3), a new way to visualize and identify observables which are accurate and resistant to adversary evasion. Checkout some D3 examples here.

• New Summiting scoring models! We updated our host-based model to include host-based network events, and created a new network traffic model.

Contents

• Overview
• Introduction
  • Project Goal
  • What is a Robust Detection?
  • Deconstructing the Pyramid
  • Event Observables for Hosts and Networks
  • How Do We Create Robust Detections?
  • Assumptions and Caveats
• Definitions
  • Detection
  • Accuracy
  • Robust Detection
  • Observable
  • Analytic
  • Analytic Robustness Categories
  • Event Robustness Categories
  • Network Traffic Robustness Categories
  • Originator Endpoint
  • Responder Endpoint
• Model Mapping Pages
  • Level 5: Core to Sub-Technique or Technique
  • Level 4: Core to Some Implementations of (Sub-)Technique
  • Level 3: Core to Pre-Existing Tools or Inside Boundary
  • Level 2: Core to Adversary-Brought Tool or Outside Boundary
  • Level 1: Ephemeral Values
  • Column A: Application
  • Column U: User-Mode
  • Column K: Kernel-Mode
  • Column P: Payload Visibility
  • Column P: Header Visibility
  • Observables Quick Search
• Combining Observables
  • Understanding Resistance to Adversary Change Over Time
  • Evaluating Robustness
• Example Mappings
  • T1003.001: LSASS Memory
  • T1053.005 Scheduled Tasks
  • Remote Procedure Call (RPC) Protocol
  • Hypertext Transfer Protocol (HTTP)
  • T1204.001: User Execution: Malicious Link (i.e., Web Distributed Authoring and Versioning [WebDAV])
• How to Score Resistance to Adversary Evasion Over Time
  • Step 1: Scoring the Analytic’s Sensor Data
  • Step 2: Break Down Each of the Observables
  • Step 3: Analyze the Selection or Condition of the Analytic
  • Step 4: Give the Analytic a Final Score
• Analytics Repository
  • Suspicious ADFind
  • Scheduled Task/Job
  • Service Registry Permissions Weakness Check
  • Potential Access Token Abuse
  • Executable (EXE) File Download from a WebDAV Server
  • Link (LNK) File Download Containing a WebDAV UNC Hyperlink
  • Remote Registry Management Using Reg Utility
  • File Creation Date Changed to Another Year
  • Zeek DCE-RPC MITRE BZAR Execution
• Components of a Robust Detection
  • Accurate Detection
  • Accurate vs. Resistance
  • Bringing It All Together Through Robust Detection
• How to Build a Robust Detection
  • Identify All “Spanning Sets” of Observables for Malicious Behavior
  • Select Spanning Set(s) Most Specific to the Malicious Behavior
  • Add Exclusions for False Positive Reduction
  • Incorporate into Fused Analytic Frameworks
• Detection Decomposition Diagram (D3)
  • What Is D3?
  • Our Inspiration: Capability Abstraction
  • T1003.001: OS Credential Dumping LSASS Memory
  • T1053.005: Scheduled Tasks
  • T1110.001: Brute Force: Password Guessing
• Future Work
• Acknowledgements
• Changelog
  • Summiting the Pyramid 2.0

Notice

© 2023, 2024 MITRE Engenuity. Approved for public release. Document number(s) CT0078, CT0128.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®: ATT&CK Terms of Use