You will turn this exercise in as part of Project Part 3.
Section 1 (data for attack and defense trees): Consider OpenEMR a healthcare company. Use the ATT&CK Framework to obtain the data you need to populate the attack/defense trees realistically.
Name five attack groups that target healthcare companies.
For each attack group, identify up to ten techniques used by the attack group.
--------------------------
Table 1
Method 1: Table method
Complete a table with the five attack groups across the top (columns) and techniques in the rows (record unique identifier and name). Put an X in a box if an attack group uses the technique. If more than one attack group uses the same technique, the table will have more than one X for the technique.
OR
Method 2: Navigator method
3. Use the ATT&CK Navigator (from class on 3/4). Document the five attack groups and their color. Indicate on the Navigator the techniques used by each group. Use a different color scheme to indicate when a technique is used by 2, 3, 4, or 5 groups.
Table 1 should be complete with all the techniques used by the attackers. There are no limits (like "up to 10 techniques") for this table.
--------------------
Table 2: Create a table whose rows contain only the techniques (unique identifier and name) that are used by multiple tactics. The columns will be the tactic(s) for the techniques. All other techniques will be assumed to be used by only one tactic and will be visible in the Navigator/table. Note: this table will be blank if you have no techniques used by more than one tactic.
Table 3: Create a table similar to #4, but one that lists the mitigations (found in the ATT&CK framework) for each of the techniques (unique identifier and name) used by the attack groups. The techniques can be the rows and the tactics can be the columns. You can limit yourself to 1-2 mitigations per technique, but you should have approximately 25 mitigations in your table.
Section 2 (Attack and Defense trees): You will now use this data to draw attack/defense trees for OpenEMR. The tactics are the goal (root of the attack tree) and the techniques are the leaves of the attack tree. For each attack tree, create a defense tree. Create a name for the defense to the tactic and put that at the root of a defense tree; the mitigations populate the defense tree.
Using the specific data from the tables, develop an attack tree for up to 10 tactics. In the box indicate how many times attack groups used a technique (This will be a number from 1-5 indicating how many of the 5 attack groups used this technique.)
Using the specific data from the tables, develop up to 10 defense trees for the tactics identified in #5. In the box, indicate how many times a mitigation could be used to defend against the technique used by an attack group.
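The table and tree bookkeeping described above can be checked with a short script. This is an added example, not part of the assignment: the group names are placeholders, the group-to-technique and mitigation mappings are constructed sample data to be replaced with what you record from ATT&CK, and counting a mitigation once per technique it covers within a tactic is an assumed reading of the defense-tree count.

```python
from collections import Counter, defaultdict

# Constructed sample input: group names are placeholders, not real ATT&CK groups.
GROUP_USES = {
    "Group A": {"T1566", "T1078", "T1486"},
    "Group B": {"T1566", "T1078"},
    "Group C": {"T1566"},
}
# Technique ID -> (name, tactics it appears under in ATT&CK Enterprise).
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence",
                                 "privilege-escalation", "initial-access"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}
# Sample mitigation mapping (1-2 per technique); verify against the technique pages.
MITIGATIONS = {
    "T1566": ["M1017 User Training"],
    "T1078": ["M1026 Privileged Account Management", "M1017 User Training"],
    "T1486": ["M1053 Data Backup"],
}

def table1(group_uses):
    """Table 1: technique rows, group columns, 'X' where the group uses it."""
    groups = sorted(group_uses)
    tids = sorted(set().union(*group_uses.values()))
    return {t: ["X" if t in group_uses[g] else "" for g in groups] for t in tids}

def table2(techniques, used):
    """Table 2: only the used techniques that belong to more than one tactic."""
    return {t: techniques[t][1] for t in sorted(used) if len(techniques[t][1]) > 1}

def attack_trees(group_uses, techniques):
    """Tactic (root) -> {technique leaf: number of groups using it}."""
    counts = Counter(t for used in group_uses.values() for t in used)
    trees = defaultdict(dict)
    for tid, n in counts.items():
        for tactic in techniques[tid][1]:
            trees[tactic][tid] = n
    return dict(trees)

def defense_trees(trees, mitigations):
    """Tactic -> {mitigation: number of that tree's techniques it covers}."""
    return {tactic: dict(Counter(m for tid in leaves for m in mitigations[tid]))
            for tactic, leaves in trees.items()}

if __name__ == "__main__":
    for tid, row in table1(GROUP_USES).items():
        print(tid, TECHNIQUES[tid][0], row)
    trees = attack_trees(GROUP_USES, TECHNIQUES)
    print(trees["initial-access"], defense_trees(trees, MITIGATIONS)["initial-access"])
```

A technique that belongs to several tactics, such as T1078 here, appears as a leaf in each of those tactics' trees with the same group count.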