End-of-Life (EoL)

ATT&CK Explorer

Prisma Cloud’s monitoring section includes an ATT&CK Explorer dashboard, a framework that helps you contextualize runtime audits, manage them, and generate risk reports.
ATT&CK is a knowledge base of the tactics and techniques that adversaries use to attack applications and infrastructure. It’s a useful framework for threat-informed defense, where a deep understanding of adversary tradecraft helps you protect against attacks.
The ATT&CK framework has two key concepts:
  • Tactics: an adversary’s technical goals.
  • Techniques: how those goals are achieved, or what is achieved.
The relationship between tactics and techniques is presented as a matrix. One tactic in the matrix is called Persistence. After establishing a foothold in your environment, adversaries want to reliably return to it. Adversaries use a number of techniques to achieve persistence, such as Account Manipulation and Event Triggered Execution.

Cloud Native threat matrix

Prisma Cloud protects cloud native applications running in Kubernetes clusters, serverless functions, Containers-as-a-Service offerings, and virtual machines. The Cloud Native threat matrix covers the different techniques that impact cloud native applications across all these environments. It’s composed from ATT&CK for Linux, recent community efforts around ATT&CK for Containers and Kubernetes, and a few techniques from Prisma Labs. The Cloud Native threat matrix is the foundation for the ATT&CK dashboard.

ATT&CK dashboard

The ATT&CK dashboard serves as a portal to the raw events in the Monitor > Events view. All Prisma Cloud audits are mapped to the tactics and techniques in the ATT&CK framework. For example, when Defender detects a crypto miner in your environment, the audit is mapped to the Resource Hijacking technique under the Impact tactic.
The ATT&CK dashboard collates audits, maps them to tactics and techniques, and presents the data visually in the ATT&CK matrix. Each card in the matrix shows a count of events; higher counts represent higher-severity issues. Filters let you slice the data to inspect specific segments of your environment. The dashboard:
  • Presents a real-time view of tactics and techniques being employed by adversaries.
  • Identifies weaknesses in your defenses. Use the counts to prioritize work to fortify defenses for the techniques favored by adversaries.
  • Provides raw data for risk reports for management.
Audits from the following subsystems flow into the ATT&CK dashboard:
  • Container runtime audits.
  • Host runtime audits.
  • Serverless runtime audits.
  • App-Embedded runtime audits.
  • WAAS audits.
  • Kubernetes audits.
  • Admission (OPA) audits.
  • Custom runtime rule audits, for built-in system checks only. Currently, you cannot specify a tactic and technique for user-defined custom runtime rules.
To see the ATT&CK dashboard, open Console and go to Monitor > ATT&CK. The following screenshot highlights the main components in the dashboard:
1. Filter - Filter data in the dashboard by:
  • Impacted technique.
  • Date: View events that occurred in the past 24 hours, 7 days, 30 days, or 3 months.
  • Collection: View data for just some segment of your environment (e.g., a production cluster).
2. Tactics - Tactics are listed across the top row of the matrix. A count shows the sum of all events for all corresponding techniques in the category. Each column lists the techniques that can be used to achieve the tactic.
3. Techniques - Lists of techniques that can be used to achieve a tactic. The color of a card is based on the event count for the technique: if there are one or more events, the card is red; if there are none, the card is gray. All techniques are fully described here.
Clicking on an impacted technique card opens a dialog that shows all relevant audits for the technique.
The following screenshot shows the dialog for the Privileged Container card. The dialogs are organized as follows:
  • Description.
  • Audit source filter (pick from the drop-down list).
  • Table of relevant audits.
Syslog messages contain tactic and technique information for all relevant audits.

Investigating incidents

As you monitor your environment, you’ll see that tactics and techniques are applied consistently across views. Tactics and techniques are shown in Monitor > ATT&CK, Monitor > Events, and Monitor > Runtime > Incident explorer.

Surfacing impacted techniques

When investigating an incident, you’ll want to focus on the segment of your environment that has been impacted. Use the filter box to narrow your view of the data.
One important filter is Impacted techniques. Without the filter, all technique cards are displayed; with the filter, only techniques that have actually been detected are displayed. In the following screenshot, we’ve narrowed the data to:
  • Audits within the past seven days.
  • Containers in the frontend collection, which are exposed to the Internet, and likely where the attack started.
  • Attack techniques used by the adversary.

Mapping audits to techniques

Every audit (runtime, admission, and so on) maps to one or more techniques. The following table shows the mappings.
The Techniques column shows the technique to which an audit is always mapped.
The Possible Additional Techniques column shows the techniques to which an audit can optionally be mapped, depending on information in the audit. For example, for some audits on newly created files, we check whether the process that created the files is a compiler. If so, we also map the audit to the Compile After Delivery technique.
| Category | Audit Type | Audit | Techniques (techniques that the audit is always mapped to) | Possible Additional Techniques (techniques that the audit can optionally be mapped to, depending on information in the audit) |
|---|---|---|---|---|
| Runtime Audits | Cloud | cloudMetadataProbing | Cloud Instance Metadata API | - |
| Runtime Audits | Kubernetes | kubeletAPIAccess | Access Kubelet Main API | - |
| Runtime Audits | Kubernetes | kubeletReadonlyAccess | Query Kubelet Readonly API | - |
| Runtime Audits | Kubernetes | kubectlSpawned | Access the Kubernetes API Server, Software Deployment Tools | Lateral Tool Transfer, Exec Into Container, Create Container, Kubernetes Secrets |
| Runtime Audits | Kubernetes | kubectlDownloaded | Ingress Tool Transfer, Software Deployment Tools | - |
| Runtime Audits | Network | horizontalPortScanning | Network Service Scanning | - |
| Runtime Audits | Network | verticalPortScanning | Network Service Scanning | - |
| Runtime Audits | Network | explicitlyDeniedIP | - | - |
| Runtime Audits | Network | customFeedIP | - | - |
| Runtime Audits | Network | feedIP | Command and Control / General, Resource Hijacking | - |
| Runtime Audits | Network | unexpectedOutboundPort | Exfiltration, Command and Control / General | - |
| Runtime Audits | Network | suspiciousNetworkActivity | - | Man In The Middle, Network Service Scanning |
| Runtime Audits | Network | unexpectedListeningPort | - | - |
| Runtime Audits | Network | explicitlyDeniedListeningPort | - | - |
| Runtime Audits | Network | explicitlyDeniedOutboundPort | - | - |
| Runtime Audits | Network | listeningPortModifiedProcess | Command and Control / General | - |
| Runtime Audits | Network | outboundPortModifiedProcess | Exfiltration, Command and Control / General | - |
| Runtime Audits | DNS | feedDNS | Command and Control / General, Resource Hijacking | - |
| Runtime Audits | DNS | explicitlyDeniedDNS | - | - |
| Runtime Audits | DNS | dnsQuery | - | - |
| Runtime Audits | Processes | unexpectedProcess | Native Binary Execution | - |
| Runtime Audits | Processes | portScanProcess | Network Service Scanning | - |
| Runtime Audits | Processes | explicitlyDeniedProcess | Native Binary Execution | - |
| Runtime Audits | Processes | modifiedProcess | Foreign Binary Execution | - |
| Runtime Audits | Processes | cryptoMinerProcess | Resource Hijacking | - |
| Runtime Audits | Processes | lateralMovementProcess | - | - |
| Runtime Audits | Processes | tmpfsProcess | - | - |
| Runtime Audits | Processes | policyHijacked | Impair Defences | - |
| Runtime Audits | Processes | reverseShell | Native Binary Execution | - |
| Runtime Audits | Processes | SuidBinaries | Abuse Elevation Control Mechanisms | - |
| Runtime Audits | Processes | ProcUnknownOriginBinary | Foreign Binary Execution | - |
| Runtime Audits | Filesystem | administrativeAccount | - | Account Manipulation, Create Account, Abuse Elevation Control Mechanisms |
| Runtime Audits | Filesystem | sshAccess | - | Account Manipulation |
| Runtime Audits | Filesystem | explicitlyDeniedFile | - | - |
| Runtime Audits | Filesystem | malwareFileCustom | - | - |
| Runtime Audits | Filesystem | malwareFileFeed | - | - |
| Runtime Audits | Filesystem | execFileAccess | - | Masquerading, Ingress Tool Transfer, Compile After Delivery |
| Runtime Audits | Filesystem | elfFileAccess | - | Ingress Tool Transfer, Compile After Delivery |
| Runtime Audits | Filesystem | secretFileAccess | - | - |
| Runtime Audits | Filesystem | regFileAccess | - | - |
| Runtime Audits | Filesystem | fileIntegrity | - | - |
| Runtime Audits | Filesystem | alteredBinary | Supply Chain Compromise | - |
| Runtime Audits | Filesystem | malwareDownloaded | Ingress Tool Transfer | - |
| Runtime Audits | Filesystem | suspiciousELFHeader | Obfuscated Files | - |
| Runtime Audits | Filesystem | executionFlowHijackAttempt | Hijack Execution Flow | - |
| Runtime Audits | Filesystem | RuntimeAttackTypeFSEncryptedBinary | Obfuscated Files | - |
| Runtime Audits | Filesystem | WildFireMalware | - | Masquerading, Ingress Tool Transfer, Compile After Delivery |
| Runtime Audits | Filesystem | webShell | Web Shell, Ingress Tool Transfer | - |
| Runtime Audits | Filesystem | FSUnknownOriginBinary | - | Masquerading, Ingress Tool Transfer, Compile After Delivery |
| Runtime Custom Rule | Processes | Running privileged process within container | Software Deployment Tools | - |
| Runtime Custom Rule | Processes | Running cron app | Scheduled Task / Job | - |
| Runtime Custom Rule | Processes | Database app spawned process | Application Exploit (RCE), Exploitation Of Remote Services | - |
| Runtime Custom Rule | Processes | Suspicious networking tool | - | - |
| Runtime Custom Rule | Processes | Suspicious networking scaning tool | Network Service Scanning | - |
| Runtime Custom Rule | Processes | User creation (Container) | Create Account | - |
| Runtime Custom Rule | Processes | User deletion (Container) | Account Access Removal | - |
| Runtime Custom Rule | Processes | User modification (Container) | Account Manipulation | - |
| Runtime Custom Rule | filesystem | Bash shell tampering | Event Triggered Execution | - |
| Runtime Custom Rule | filesystem | Linux user management files | Create Account, Account Manipulation | - |
| Runtime Custom Rule | filesystem | Configuration file changes (Host) | - | - |
| Runtime Custom Rule | filesystem | Configuration file changes (Container) | - | - |
| Runtime Custom Rule | network-outgoing | Common data exfiltration ports | Exfiltration | - |
| Runtime Custom Rule | network-outgoing | Common crypto mining pool ports | Resource Hijacking | - |
| Runtime Custom Rule | network-outgoing | Cloud platform metadata API access (Container) | Cloud Instance Metadata API | - |
| WAAS | - | xss | Exploitation For Privilege Escalation | - |
| WAAS | - | sqli | Exploit Public-Facing Application, Application Exploit (RCE) | - |
| WAAS | - | cmdi | Exploit Public-Facing Application, Application Exploit (RCE) | - |
| WAAS | - | lfi | Exploit Public-Facing Application, Application Exploit (RCE) | - |
| WAAS | - | codeInjection | Exploit Public-Facing Application, Application Exploit (RCE) | - |
| WAAS | - | deniedIP | - | - |
| WAAS | - | deniedCountry | - | - |
| WAAS | - | header | - | - |
| WAAS | - | attackTools | Network Service Scanning | - |
| WAAS | - | shellshock | Exploit Public-Facing Application, Application Exploit (RCE) | - |
| WAAS | - | disallowedFile | - | - |
| WAAS | - | malformedRequest | - | - |
| WAAS | - | informationLeak | Exfiltration | System Credential Dumping, System Account Discovery, File And Directory Discovery, System Unsecured Credentials, Network Configuration Discovery, Software Discovery |
| WAAS | - | unexpectedAPI | - | - |
| WAAS | - | dos | Endpoint Denial-of-Service | - |
| WAAS | - | searchEngineCrawler | - | - |
| WAAS | - | businessAnalyticsBot | - | - |
| WAAS | - | educationalBot | - | - |
| WAAS | - | newsBot | - | - |
| WAAS | - | financialBot | - | - |
| WAAS | - | contentFeedClient | - | - |
| WAAS | - | archivingBot | - | - |
| WAAS | - | careerSearchBot | - | - |
| WAAS | - | mediaSearchBot | - | - |
| WAAS | - | genericBot | - | - |
| WAAS | - | webAutomationTool | - | - |
| WAAS | - | webScraper | - | - |
| WAAS | - | apiLibrary | - | - |
| WAAS | - | httpLibrary | - | - |
| WAAS | - | sessionValidation | - | - |
| WAAS | - | javascriptTimeout | - | - |
| WAAS | - | missingCookie | - | - |
| WAAS | - | browserImpersonation | - | - |
| WAAS | - | requestAnomalies | - | - |
| WAAS | - | userDefinedBot | - | - |
| Kubernetes Audits | - | GKE - pod created in host process namespace | Privileged Container | - |
| Kubernetes Audits | - | GKE - pod created with host file system mount | - | - |
| Kubernetes Audits | - | GKE - pod created without security context | - | - |
| Kubernetes Audits | - | GKE - pod created on host network | Privileged Container | - |
| Kubernetes Audits | - | GKE - privileged pod creation | Privileged Container | - |
| Kubernetes Audits | - | GKE - Forbidden request | - | - |
| Kubernetes Audits | - | GKE - exec or attach to a pod | Exec Into Container | - |
| Kubernetes Audits | - | Twistlock Labs - GKE - Tampering with Twistlock configuration | Impair Defences | - |
| Kubernetes Audits | - | Pod created in host process namespace | Privileged Container | - |
| Kubernetes Audits | - | Pod created with host file system mount | - | - |
| Kubernetes Audits | - | Pod created without security context | - | - |
| Kubernetes Audits | - | Pod created on host network | Privileged Container | - |
| Kubernetes Audits | - | Privileged pod creation | Privileged Container | - |
| Kubernetes Audits | - | Forbidden request | - | - |
| Kubernetes Audits | - | Exec or attach to a pod | Exec Into Container | - |
| Kubernetes Audits | - | Twistlock Labs - Tampering with Twistlock configuration | Impair Defences | - |
| Kubernetes Admission | - | CIS - Privileged pod created | Privileged Container | - |
| Kubernetes Admission | - | CIS - Pod created in host process ID namespace | Privileged Container | - |
| Kubernetes Admission | - | CIS - Pod created on host IPC namespace | Privileged Container | - |
| Kubernetes Admission | - | CIS - Pod created on host network | Privileged Container | - |
| Kubernetes Admission | - | CIS - Privilege escalation pod created | Privileged Container | - |
| Kubernetes Admission | - | Pod created with sensitive host file system mount | Writable Volumes | - |
| Kubernetes Admission | - | Exec or attach to a pod | Exec Into Container | - |
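The following is an added example, not Prisma Cloud code, that applies a small subset of the mapping table above to audit records and then aggregates the results the way the dashboard does: per-technique event counts, the Date and Collection filters, the Impacted techniques filter (cards with one or more events), and the top-row tactic totals. The audit record layout, the `COMPILERS` list used for the Compile After Delivery condition, the fixed reference time, and the sample audits are all assumptions constructed for this example; the technique-to-tactic pairs are limited to the ones the page itself states.

```python
"""Added example, not Prisma Cloud code: map audit records to ATT&CK techniques
using a subset of the page's mapping table, then aggregate counts the way the
ATT&CK dashboard cards and filters do."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Subset of the page's mapping table: techniques an audit is always mapped to.
ALWAYS_MAPPED = {
    "cloudMetadataProbing": ["Cloud Instance Metadata API"],
    "cryptoMinerProcess": ["Resource Hijacking"],
    "reverseShell": ["Native Binary Execution"],
    "webShell": ["Web Shell", "Ingress Tool Transfer"],
    "execFileAccess": [],  # only optional techniques, handled below
    "elfFileAccess": [],
}

# Technique -> tactic, limited to the pairs the page states explicitly.
TACTIC_OF = {
    "Resource Hijacking": "Impact",
    "Account Manipulation": "Persistence",
    "Event Triggered Execution": "Persistence",
}

# Assumed set of compiler process names for the conditional rule below.
COMPILERS = {"gcc", "cc", "g++", "clang", "rustc", "go"}


def additional_techniques(audit):
    """Conditional mappings. The page spells out one condition: for audits on
    newly created files, if the creating process is a compiler, the audit is
    also mapped to Compile After Delivery. The other optional techniques in the
    table depend on audit details the page does not describe, so they are not
    modelled here."""
    extra = []
    if audit["type"] in ("execFileAccess", "elfFileAccess") and audit.get("process") in COMPILERS:
        extra.append("Compile After Delivery")
    return extra


def map_audit(audit):
    """Every technique the audit maps to: always-mapped plus conditional ones."""
    return list(ALWAYS_MAPPED.get(audit["type"], [])) + additional_techniques(audit)


# Fixed reference time so the Date filter is deterministic (assumption).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)


def technique_counts(audits, days=None, collection=None):
    """Apply the dashboard's Date and Collection filters, then count events per technique."""
    counts = Counter()
    for audit in audits:
        if days is not None and audit["time"] < NOW - timedelta(days=days):
            continue
        if collection is not None and audit["collection"] != collection:
            continue
        for technique in map_audit(audit):
            counts[technique] += 1
    return counts


def impacted_techniques(counts):
    """The Impacted techniques filter: only cards with one or more events (the red ones)."""
    return sorted(technique for technique, n in counts.items() if n > 0)


def tactic_counts(counts):
    """Top-row tactic counts: the sum of the technique counts under each tactic."""
    totals = Counter()
    for technique, n in counts.items():
        if technique in TACTIC_OF:
            totals[TACTIC_OF[technique]] += n
    return dict(totals)


# Constructed sample audits (not real Prisma Cloud events).
SAMPLE_AUDITS = [
    {"type": "cryptoMinerProcess", "collection": "frontend", "process": "miner", "time": NOW - timedelta(days=1)},
    {"type": "elfFileAccess", "collection": "frontend", "process": "gcc", "time": NOW - timedelta(days=2)},
    {"type": "elfFileAccess", "collection": "frontend", "process": "curl", "time": NOW - timedelta(days=3)},
    {"type": "webShell", "collection": "backend", "process": "php", "time": NOW - timedelta(days=10)},
    {"type": "cloudMetadataProbing", "collection": "backend", "process": "curl", "time": NOW - timedelta(days=40)},
]

if __name__ == "__main__":
    everything = technique_counts(SAMPLE_AUDITS)
    print("all techniques:", dict(everything))
    print("tactic totals:", tactic_counts(everything))
    narrowed = technique_counts(SAMPLE_AUDITS, days=7, collection="frontend")
    print("impacted, last 7 days, frontend collection:", impacted_techniques(narrowed))
```

Note that the `elfFileAccess` audit whose creating process is `curl` contributes to no card at all, which is exactly why the Impacted techniques filter hides it: an audit with no mapped technique never turns a card red, so investigating from the matrix alone would miss it and the raw Monitor > Events view remains the place to see every audit.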
