A way to find the adversary in your network devices
Network devices are endpoints too. That's why I mapped the MITRE ATT&CK Enterprise Tactics and Techniques to network devices and their operating systems. I hope the MITRE ATT&CK team incorporates these changes. Additionally, there are simple Sigma rules to aid in detection.
Out of the current 244 Enterprise ATT&CK Techniques, I believe that 64 of them can apply to Network Devices as endpoints to be exploited. They are listed in the MITRE folder, along with a JSON file of the Techniques from ATT&CK Navigator.
In the mitre_attack/README.MD file, each one is listed, with what data source you may need, the example commands, and a brief comment on why it's applicable.
- It's my opinion that "Network Devices" be added as an additional Platform to the Enterprise technology area
- Network Device Logs should be expanded and redefined:
  - Network Device logs - Specifically refers to Syslog from the device
  - Accounting, Authentication, Authorization (AAA) - referring to remote logging from TACACS+/RADIUS
- That the Techniques that are applicable to Network Devices get updated to reflect that
In the rules directory are 12 rules that map back to MITRE ATT&CK Techniques. They are all written in Sigma format to be SIEM agnostic. They all assume that you currently collect, or will collect, AAA logs from your network devices - specifically the "Accounting" logs, which record each command a user ran on the device.
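To show how a Sigma rule over AAA accounting logs actually fires, here is an added example (my own illustration, not one of the 12 rules in this repository and not code from the Sigma project). It builds a few constructed TACACS+ command-accounting lines, parses them into fields, and evaluates a Sigma-shaped rule that flags commands which turn off logging or accounting on the device. The log line layout, the field names (`user`, `priv-lvl`, `service`, `cmd`) and the rule itself are assumptions; real accounting exports differ by vendor and AAA server, and the technique mapping is mine.

```python
"""Minimal Sigma-style matcher run over constructed TACACS+ accounting records."""
import re

# Constructed sample accounting lines (not real captures). Field layout is an
# assumption modelled loosely on shell command accounting from a TACACS+ server.
SAMPLE_ACCOUNTING = [
    "Jan 10 12:00:01 10.0.0.1 tacacs-acct user=netops priv-lvl=15 service=shell cmd=show running-config",
    "Jan 10 12:03:44 10.0.0.1 tacacs-acct user=netops priv-lvl=15 service=shell cmd=configure terminal",
    "Jan 10 12:03:50 10.0.0.1 tacacs-acct user=netops priv-lvl=15 service=shell cmd=no logging host 10.0.0.50",
    "Jan 10 12:04:02 10.0.0.1 tacacs-acct user=netops priv-lvl=15 service=shell cmd=no aaa accounting commands 15 default",
    "Jan 10 12:10:15 10.0.0.2 tacacs-acct user=backup priv-lvl=1 service=shell cmd=show version",
]

# A rule in the shape Sigma uses: logsource, detection with named selections
# and a condition, plus ATT&CK tags. The tactic tag follows Sigma convention;
# which technique this maps to is an assumption for the example.
RULE = {
    "title": "Logging or accounting disabled on a network device",
    "logsource": {"product": "network_device", "service": "aaa_accounting"},
    "detection": {
        "selection": {"cmd|contains": ["no logging", "no aaa accounting"]},
        "condition": "selection",
    },
    "tags": ["attack.defense_evasion"],
}

FIELD_RE = re.compile(r"(\w[\w-]*)=(\S+)")


def parse_record(line):
    """Turn one accounting line into a dict. `cmd` keeps the rest of the line
    because commands contain spaces; the other fields are single tokens."""
    head, sep, cmd = line.partition(" cmd=")
    rec = {key: value for key, value in FIELD_RE.findall(head)}
    if sep:
        rec["cmd"] = cmd.strip()
    parts = line.split()
    rec["timestamp"] = " ".join(parts[:3])
    rec["device"] = parts[3]  # the device IP, by the assumed layout
    return rec


def field_matches(record, field_spec, expected):
    """Evaluate one `field|modifier: value(s)` entry. Sigma ORs the values of a
    list; comparisons are case-insensitive as in most Sigma backends."""
    field, _, modifier = field_spec.partition("|")
    actual = str(record.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for w in (str(v).lower() for v in wanted):
        if modifier == "contains" and w in actual:
            return True
        if modifier == "startswith" and actual.startswith(w):
            return True
        if modifier == "" and actual == w:
            return True
    return False


def selection_matches(record, selection):
    """All fields inside one selection are ANDed, as in Sigma."""
    return all(field_matches(record, spec, val) for spec, val in selection.items())


def run_rule(rule, lines):
    """Return the parsed records that satisfy the rule's condition. Only the
    two condition forms used here are supported: 'selection' and
    'selection and not filter'."""
    det = rule["detection"]
    hits = []
    for line in lines:
        rec = parse_record(line)
        matched = selection_matches(rec, det["selection"])
        if det["condition"] == "selection and not filter":
            matched = matched and not selection_matches(rec, det["filter"])
        if matched:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_ACCOUNTING):
        print(f"[{RULE['title']}] {hit['timestamp']} {hit['device']} "
              f"user={hit['user']} cmd={hit['cmd']}")
```

Run as-is it reports the two lines that remove the logging host and disable command accounting; the `configure terminal` and `show` commands are left alone. The `filter` branch is what you would use to exclude an approved change-management account or a maintenance window, which is usually the first tuning step once such a rule goes live.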
To read more about TACACS and RADIUS see this resource.
- Thanks to Florian and his Sigma project https://github.com/Neo23x0/sigma
- Thanks to the ATT&CK Team at MITRE https://github.com/mitre-attack