Wilson Mar bio photo

Wilson Mar


Calendar YouTube Github


How to to protect IT assets by mitigating attacker TTPs defined in Mitre’s ATT&CK

US (English)   Norsk (Norwegian)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   Napali   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean


Mitre (a non-profit research lab funded by the US government) defined their Mitre ATT&CK to present – for each stage in a typical “kill chain” – the TTPs (Tactics + Techniques + Procedures) adversaries use to attack computer systems. Use it to analyze the kill chain adversaries could possibly use to get in, do damage, and cover their tracks. All to prevent that in the future.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

Mouse over each TTP for a T number referencing the Procedures, Assets, Mitigations, and Detection within each variation of Mitre’s original ATT&ACK framework:

Attack Tactics

  1. Reconnaissance
  2. Resource Development

  3. Initial Access
  4. ML Model Access (not in standard & Dragos)
  5. Execution
  6. Persistence (not in Dragos)
  7. Privilege Escalation
  8. Defense Evasion

  9. Credential Access (not in Dragos)
  10. Discovery
  11. Lateral Movement (not in ML)
  12. Collection
  13. Command and Control or ML Attack Staging or “Inhibit Response Function” in Dragos

  14. Exfiltration (or Impair Process Control in Dragos)
  15. Impact

Alphabetical order


12) Collection
13) Command And Control
 9) Credential Access
 8) Defense Evasion
10) Discovery
 5) Execution
14) Exfiltration
15) Impact
 3) Initial Access
11) Lateral Movement
 6) Persistence
 7) Privilege Escalation
 1) Reconnaissance

SLSA Threats

The SLSA (Supply chain Levels for Software Artifacts) standards and controls (from Googlers) define how to build secure resilient software using a secure supply chain. Its aim is to stop tampering such as this series of threats:


Each threat is addressed by controls defined in my list of actions to secure the software supply chain grouped along three “tracks” (aspects) of threats in the supply chain:

  • Source code threats -> Check Expectations
  • Build threats -> Check Dependencies
  • Dependency threats -> Check SLSA Build level


The NIST AI Risk Management Framework (AI RMF 1.0) and companion Playbook at https://www.nist.gov/itl.ai-risk-management-framework focuses on these requirements:

  • Valid & Reliable
  • Safe
  • Secure & resilient
  • Explainable & Interpretable
  • Privacy-Enhanced
  • Fair: With Harmful Bias managed
  • Accountable & Transparent


The OWASP Top 10 for LLM at https://owasp.org/www-project-top-10-for-large-language-model-applications


  • https://llmtop10.com/
  • https://www.youtube.com/watch?v=cYuesqIKf9A by IBM
  • https://www.youtube.com/watch?v=J1auLaU9SAA OWASP Cincinnati meetup fea. Steve Wilson of Contrast Sec.
  • https://snyk.io/blog/addressing-risks-in-the-owasp-top-10-for-llms/


TODO: Add based on each stage in the kill chain:

  1. Initial Access vector – How did the attacker get in?
  2. How is the adversary accessing the environment?
  3. How did the attacker move laterally? (RDP, SSH, network shares, malware, etc.)
  4. How is the adversary maintaining control persistence? (How are they staying in?)
  5. How is the attacker communicating with the C2 (Command and Control) server?
  6. What is the method of persistence (malware backdoor, webshell, legitimate credentials, remote tools, etc.)?
  7. What is the attacker doing on the system? (What commands are they running?)
  8. Has data been exfiltrated and if so, what kind of data and via what mechanism?


VIDEO: Mark Simos and Ken Malcolmson explain Microsoft’s view of the cyber attack chain:


They show Microsoft’s how product addresses major TTPs.


It’s part of the Microsoft Reference Architecture

John Flores (MicrosoftGuyJFlo) wrote the Entra and Security docs at Microsoft.