⭐ Day 5 – MITRE ATT&CK Framework
Today students learn how attackers work through a system step by step.
MITRE ATT&CK is a knowledge base of real-world attacker behaviour (tactics and techniques), used worldwide by SOC teams as a shared map and vocabulary.
🧠 What is MITRE ATT&CK? (Simple)
MITRE ATT&CK organises attacker behaviour into tactics (the attacker's goal at each stage, e.g. Initial Access) and techniques (how that goal is reached, e.g. Phishing), each with a stable ID such as T1566 for Phishing, so everyone names the same behaviour the same way.
It helps SOC analysts to:
- Detect threats
- Understand attacker behavior
- Create alerts in SIEM
- Do better investigations
- Communicate clearly with teams
🏴☠️ Basic Explanation (With Easy Example)
Imagine a thief breaking into a house:
- Looks around
- Finds a weak door
- Breaks in
- Moves inside
- Steals things
MITRE ATT&CK describes cyber attacks the same way: what the attacker wants at each step (the tactic) and how they get it (the technique).
🔥 The 14 MITRE ATT&CK Tactics (Beginner-Level Explanation)
ATT&CK calls these tactics, not stages. They are listed here in the order the matrix shows them, but a real attack skips, repeats and reorders them; an attacker may never need Privilege Escalation, or may run Discovery several times.
1. Reconnaissance
Attacker collects information about the target before touching it.
Example: Scanning the target's websites, harvesting employee email addresses.
2. Resource Development
Attacker prepares tools and infrastructure.
Example: Building malware, buying look-alike domains, renting servers.
3. Initial Access
Attacker gets a first foothold inside the network.
Example: Phishing, exploiting a vulnerability in a public-facing server.
4. Execution
Attacker-controlled code runs on a victim machine.
Example: User opens a malicious PDF or Office macro, PowerShell downloads and runs a payload.
5. Persistence
Attacker keeps access across reboots, logoffs and password changes.
Example: New local admin user, scheduled task, startup script.
6. Privilege Escalation
Attacker gains higher privileges (local admin, root, SYSTEM, domain admin).
Example: Kernel exploit, abusing a misconfigured service.
7. Defense Evasion
Attacker avoids being noticed by the SOC, the SIEM and antivirus/EDR.
Example: Clearing event logs, disabling AV, renaming tools to look like system binaries.
8. Credential Access
Stealing passwords, password hashes, tokens or keys.
Example: Keylogging, brute force, dumping LSASS memory.
9. Discovery
Learning what is in the environment and where the valuable targets are.
Example: Listing users, servers, shares, domain admins.
10. Lateral Movement
Moving from the first foothold to other systems.
Example: RDP or PsExec to a server using a stolen password.
11. Collection
Gathering the data worth stealing in one place.
Example: Copying documents from file shares, screen capture, zipping them into an archive.
12. Command & Control (C2)
Malware on the victim talks to the attacker's server to receive commands.
Example: Regular "beacons" to an attacker domain over HTTPS, hidden in normal web traffic.
13. Exfiltration
Moving the stolen data out of the network.
Example: Uploading the archive over the C2 channel or to attacker-controlled cloud storage.
14. Impact
Final damage to data, systems or operations.
Example: Ransomware encrypting files, wiping data, stopping services.
🧪 Real-World Example (Tell Students)
Phishing → Ransomware Attack
| Tactic | What Happens | Example technique (ATT&CK ID) | Where the SOC sees it |
|---|---|---|---|
| Initial Access | User clicks a phishing email | T1566 Phishing | Mail gateway logs, user report |
| Execution | Malware runs | T1204 User Execution | EDR / Sysmon process-creation events |
| Persistence | Attacker creates a hidden account | T1136 Create Account | Windows Security event 4720 (user account created) |
| Lateral Movement | Spreads to servers | T1021 Remote Services (e.g. RDP) | 4624 logons with logon type 10, new host-to-host connections |
| Exfiltration | Steals data | T1041 Exfiltration Over C2 Channel (one common route) | Proxy/firewall: unusual outbound volume to one destination |
| Impact | Ransomware triggered | T1486 Data Encrypted for Impact | Mass file renames, ransom notes, services crashing |
Point out that this chain has no Discovery or Credential Access row: the matrix is a menu of behaviours, not a checklist every attack walks through in order.
🔍 Day 5 Mini Hands-On Lab
In Splunk, run the three searches below. Each one is limited to the last 24 hours (earliest=-24h) because index=* with no time range scans every event you have and is slow on real data.
1. Failed logins
index=* earliest=-24h fail*
MITRE Tactic: Credential Access (T1110 Brute Force). Splunk keyword search matches whole terms, so fail* is needed to catch "failed" and "failure" as well as "fail". On Windows Security logs the precise field is EventCode=4625 (an account failed to log on); the signal is many failures for one account from one source in a short window.
2. Events per host
index=* earliest=-24h | stats count by host
MITRE Tactic: Discovery (baseline). This is the analyst's own inventory of the environment, not attacker activity by itself; a host whose count jumps compared with yesterday is a candidate for enumeration commands (net user, whoami) or a tool running out of control.
3. Activity trend
index=* earliest=-24h | timechart count
MITRE Tactic: Execution / Discovery. A sudden spike in the timeline often lines up with a payload running or a burst of enumeration; click into the spike and check which hosts and processes produced it.
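The phishing → ransomware table and the three Splunk searches make the same point: a detection becomes useful to the SOC once it carries an ATT&CK tag. The script below is an added teaching example for this lesson, not code from the original page, from MITRE or from Splunk. It runs the lab's detections offline over a constructed Windows/Sysmon event sample (the event IDs 4625, 4624, 4720, 1102 and Sysmon event 1 are real Windows IDs; the hosts, users, addresses and timestamps are made up), tags every alert with its tactic and technique ID, and prints the chain in the order the attacker reached each tactic, which is the "where are they now" view the trainer script talks about.

```python
"""Tag constructed Windows/Sysmon events with MITRE ATT&CK tactics and rebuild the attack chain.

Added teaching example: the event IDs are real Windows Security / Sysmon IDs,
the log records themselves are constructed for the exercise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The 14 ATT&CK Enterprise tactics, in the order the matrix lists them.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Enumeration commands and the Discovery technique each one maps to.
DISCOVERY_COMMANDS = {
    "whoami": "T1033 System Owner/User Discovery",
    "net user": "T1087.001 Account Discovery: Local Account",
    "net group": "T1087.002 Account Discovery: Domain Account",
    "net view": "T1135 Network Share Discovery",
    "ipconfig": "T1016 System Network Configuration Discovery",
}


def ev(ts, host, event_id, user="", src="", cmd="", logon_type=None):
    """One normalised log record (Security event, or Sysmon event 1 = process creation)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id,
            "user": user, "src": src, "cmd": cmd.lower(), "logon_type": logon_type}


# Constructed sample log (hosts, users, IPs and times are invented): an attacker
# guesses alice's password, enumerates the domain, plants an account, RDPs to a
# file server and wipes its Security log.
SAMPLE_EVENTS = [
    *[ev(f"2024-03-01T09:00:{s:02d}", "WS01", 4625, user="alice", src="10.0.0.5")
      for s in range(0, 60, 5)],                                   # 12 failed logons
    ev("2024-03-01T09:01:10", "WS01", 4624, user="alice", src="10.0.0.5", logon_type=3),
    ev("2024-03-01T09:02:00", "WS01", 1, user="alice", cmd="whoami /all"),
    ev("2024-03-01T09:02:05", "WS01", 1, user="alice", cmd="net user /domain"),
    ev("2024-03-01T09:02:20", "WS01", 1, user="alice", cmd='net group "Domain Admins" /domain'),
    ev("2024-03-01T09:05:00", "WS01", 4720, user="svc_backup"),    # user account created
    ev("2024-03-01T09:10:00", "FS01", 4624, user="alice", src="10.0.0.21", logon_type=10),
    ev("2024-03-01T09:12:00", "FS01", 1, user="alice", cmd="wevtutil cl Security"),
    ev("2024-03-01T09:12:01", "FS01", 1102, user="alice"),         # audit log cleared
]


def alert(ts, host, tactic, technique, detail):
    assert tactic in TACTIC_ORDER, tactic
    return {"ts": ts, "host": host, "tactic": tactic, "technique": technique, "detail": detail}


def detect(events, window=timedelta(minutes=5), fail_threshold=10):
    """Run the lab's detections over a list of events and return ATT&CK-tagged alerts, oldest first."""
    alerts = []
    fails = defaultdict(list)   # (host, user, src) -> timestamps of 4625 events
    disco = defaultdict(list)   # host -> (ts, technique) for enumeration commands
    for e in events:
        if e["event_id"] == 4625:
            fails[(e["host"], e["user"], e["src"])].append(e["ts"])
        elif e["event_id"] == 4720:
            alerts.append(alert(e["ts"], e["host"], "Persistence",
                                "T1136.001 Create Account: Local Account", f"account {e['user']} created"))
        elif e["event_id"] == 4624 and e["logon_type"] == 10:      # type 10 = RemoteInteractive (RDP)
            alerts.append(alert(e["ts"], e["host"], "Lateral Movement",
                                "T1021.001 Remote Desktop Protocol", f"RDP logon {e['user']} from {e['src']}"))
        elif e["event_id"] == 1102 or e["cmd"].startswith("wevtutil cl"):
            alerts.append(alert(e["ts"], e["host"], "Defense Evasion",
                                "T1070.001 Clear Windows Event Logs", e["cmd"] or "event 1102"))
        elif e["event_id"] == 1:
            for prefix, technique in DISCOVERY_COMMANDS.items():
                if e["cmd"].startswith(prefix):
                    disco[e["host"]].append((e["ts"], technique))
    # Credential Access: fail_threshold failed logons for one account/source inside one window.
    for (host, user, src), times in fails.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                alerts.append(alert(times[i], host, "Credential Access", "T1110 Brute Force",
                                    f"{fail_threshold}+ failed logons for {user} from {src}"))
                break
    # Discovery: three or more distinct enumeration techniques on one host inside one window.
    for host, seen in disco.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            techs = {tech for ts, tech in seen[i:] if ts - t0 <= window}
            if len(techs) >= 3:
                alerts.append(alert(t0, host, "Discovery", ", ".join(sorted(techs)), "enumeration burst"))
                break
    return sorted(alerts, key=lambda a: a["ts"])


def attack_chain(alerts):
    """Tactics in the order the attacker first reached them (the 'where are they now' view)."""
    chain = []
    for a in alerts:
        if a["tactic"] not in chain:
            chain.append(a["tactic"])
    return chain


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['host']:<5} {a['tactic']:<18} {a['technique']} ({a['detail']})")
    print("Chain:", " -> ".join(attack_chain(found)))
```

On the sample the chain comes out as Credential Access → Discovery → Persistence → Lateral Movement → Defense Evasion, which is neither the matrix order nor the order in the phishing table: the tactic tags tell you what the attacker was doing, the timestamps tell you where they are now. The thresholds (ten failures in five minutes, three distinct enumeration techniques) are starting points to tune against your own baseline, which is exactly what the stats count by host search is for.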
🎤 Trainer Script
Speak this to make the concept easy:
“MITRE ATT&CK is like Google Maps for cyber attacks.
It tells us exactly where the attacker is in the attack chain, so we know how to respond.”
📝 Homework
Search online:
“MITRE ATT&CK real world attack examples”
Submit:
- Attack name
- The MITRE ATT&CK tactics used, with at least one technique ID (Txxxx) per tactic
- How the SOC can detect each step (which log source, which event or search)