Using ATT&CK to Find Cyber Threats and Bolster Cyber Defense

Page 1:

© 2019 The MITRE Corporation. All rights reserved. health.mitre.org

MITRE is transforming data into insights to improve the health system and reinvent the healthcare experience.

PIONEERING A HEALTHIER FUTURE

Using ATT&CK to Find Cyber Threats and Bolster Cyber Defense

Julie Connolly, Blake Strom

HIMSS19 Cyber Command Center, February 13, 2019

Approved for Public Release. Distribution unlimited. 18-0944-15

Page 2:

© 2018 The MITRE Corporation. All rights reserved. Approved for Public Release - Cases # 17-4500-7, 17-4293-4, 18-0075

Page 3:

Cybersecurity should be threat-informed

Knowledge of my adversary can help me…

Better evaluate new security technologies

Perform gap analysis of current defenses

Prioritize detection/mitigation of heavily used techniques

Track a specific adversary’s set of techniques

Conduct adversary emulation (e.g. red-teaming)


Page 4:

ATT&CK

David Bianco’s Pyramid of Pain

Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations.


Page 5:

Deconstructing the Lifecycle

ATT&CK for Enterprise tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control

Lifecycle phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain

PRE-ATT&CK tactics: Priority Definition (Planning, Direction); Target Selection; Information Gathering (Technical, People, Organizational); Weakness Identification (Technical, People, Organizational); Adversary OpSec; Establish & Maintain Infrastructure; Persona Development; Build Capabilities; Test Capabilities; Stage Capabilities

PRE-ATT&CK | ATT&CK for Enterprise

Page 6:

Spanning Multiple Technology Domains

PRE-ATT&CK: left of exploit behaviors

Enterprise: Windows, Linux, Mac

Mobile: Android, iOS


Page 7:

ATT&CK for Enterprise

Tactics – Adversary’s technical goal

Techniques – How goal is achieved

Procedures – Specific technique implementation

Page 8:

Example Technique: New Service

Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1

Platform: Windows

Permissions required: Administrator, SYSTEM

Effective permissions: SYSTEM

Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation

• …

Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors

• …

Data sources: Windows registry, process monitoring, command-line parameters

Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …

References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.


Page 9:

Example Group: APT28

Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5

Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 1 2 3 4 5 6 7

Techniques:

• Data Obfuscation 1

• Connection Proxy 1 8

• Standard Application Layer Protocol 1

• Remote File Copy 8 9

• Rundll32 8 9

• Indicator Removal on Host 5

• Timestomp 5

• Credential Dumping 10

• Screen Capture 10 11

• Bootkit 7

• and more…

Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6

References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

Page 10:

Example Software: Mivast

Description: Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.1

Aliases: Mivast

Type: Malware

Techniques Used:

• Registry Run Keys / Start Folder: Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia

• Commonly Used Port: Mivast communicates over port 80 for C2.

• Command-Line Interface: Mivast has the capability to open a remote shell and run basic commands.

• Remote File Copy: Mivast has the capability to download and execute .exe files.

• Credential Dumping: Mivast has the capability to gather NTLM password information.

Groups: Deep Panda

References: 1. DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016

2. …

Page 11:

Use Cases

Threat Intelligence and Hunting

processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd
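The hunting pseudo-query above, implemented as an added Python example (this is not code from the MITRE slides). Field names follow the query (hostname, pid, ppid, exe, parent_exe); the process-creation events are constructed to show one true hit, one user-opened prompt that must be ignored, and a pid collision across hosts that the hostname key has to resolve.

```python
"""Added example: the page-11 analytic (reg.exe spawned by a cmd.exe that
was not started from explorer.exe) over constructed Process:Create events.
Not part of the MITRE slides; field names are taken from the slide's query.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    hostname: str
    pid: int
    ppid: int
    exe: str
    parent_exe: str
    command_line: str


def _norm(name: str) -> str:
    # Windows image names are case-insensitive; normalize before comparing
    # so "REG.EXE" or "Cmd.exe" do not slip past the filters.
    return name.lower()


def find_reg_via_cmd(events: List[ProcessCreate]) -> List[Tuple[ProcessCreate, ProcessCreate]]:
    """Return (reg_event, cmd_event) pairs that satisfy the analytic's join."""
    reg = [e for e in events
           if _norm(e.exe) == "reg.exe" and _norm(e.parent_exe) == "cmd.exe"]
    cmd = [e for e in events
           if _norm(e.exe) == "cmd.exe" and _norm(e.parent_exe) != "explorer.exe"]
    # Index the cmd side by (hostname, pid): pids are only unique per host,
    # which is why the slide's join also requires reg.hostname == cmd.hostname.
    cmd_index: Dict[Tuple[str, int], ProcessCreate] = {
        (c.hostname, c.pid): c for c in cmd}
    hits = []
    for r in reg:
        parent = cmd_index.get((r.hostname, r.ppid))
        if parent is not None:
            hits.append((r, parent))
    return hits


# Constructed sample telemetry (not real data).
#   ws1: explorer -> cmd -> reg, a user typing at a prompt; must be ignored.
#   ws2: wscript -> cmd -> reg, a script-spawned shell; must be flagged.
#   ws3: explorer -> cmd (pid 5200, same as ws2's cmd) -> REG.EXE; shows that
#        joining on pid alone would produce a false positive.
SAMPLE_EVENTS = [
    ProcessCreate("ws1", 4100, 900, "cmd.exe", "explorer.exe", "cmd.exe"),
    ProcessCreate("ws1", 4120, 4100, "reg.exe", "cmd.exe", "reg query HKLM\\Software"),
    ProcessCreate("ws2", 5200, 5100, "cmd.exe", "wscript.exe", "cmd.exe /c ..."),
    ProcessCreate("ws2", 5210, 5200, "reg.exe", "cmd.exe", "reg add HKCU\\Software\\... /v x"),
    ProcessCreate("ws3", 5200, 700, "cmd.exe", "explorer.exe", "cmd.exe"),
    ProcessCreate("ws3", 5210, 5200, "REG.EXE", "Cmd.exe", "reg query HKCU"),
]


def alerts(events: List[ProcessCreate] = SAMPLE_EVENTS) -> List[Tuple[str, int, int]]:
    """Compact alert tuples: (hostname, cmd.exe pid, reg.exe pid)."""
    return [(r.hostname, c.pid, r.pid) for r, c in find_reg_via_cmd(events)]


if __name__ == "__main__":
    for host, cmd_pid, reg_pid in alerts():
        print(f"{host}: cmd.exe pid {cmd_pid} (non-explorer parent) spawned reg.exe pid {reg_pid}")
```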

Detection

[ATT&CK for Enterprise matrix figure; tactic columns: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]

Adversary Emulation

Assessment and Engineering

Page 12:

Use Case: Architecture and Engineering

Page 13:

[ATT&CK for Enterprise matrix figure, shaded by technique usage; tactic columns: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]

White-shaded cells have no usage; darker cells have more.

Based on threat intelligence (internal, government-source, open-source).

Threat Intel: what do you need to worry about? (NOTIONAL)

Page 14:

[ATT&CK for Enterprise matrix figure, shaded by detection confidence; tactic columns: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]

Legend: High Confidence, Med Confidence, No Confidence

Measuring Defense: what can you cover? (NOTIONAL)

Page 15:

[ATT&CK for Enterprise matrix figure combining threat-intel priority with detection confidence; tactic columns: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]

Legend: High Confidence of Detection, Moderate Confidence of Detection, Low Confidence of Detection, IOC Coverage, Prioritized Adversary Techniques

Prioritized ATT&CK Coverage Matrix (NOTIONAL)
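An added example (not from the MITRE slides) of the arithmetic behind this slide: the page 13 usage heat map and the page 14 detection-confidence map are combined into one ranked list of coverage gaps. Technique names are taken from the matrices; the usage counts and confidence ratings are constructed.

```python
"""Added example (not part of the MITRE slides): turning the two notional heat
maps from pages 13 and 14 into the prioritized coverage list of page 15.

Inputs are constructed for illustration:
  INTEL_USAGE    - how many threat-intel reports tie a technique to the
                   adversaries you worry about (page 13: darker = more)
  DETECTION_CONF - your confidence of detecting the technique
                   (page 14: high / medium / low / none)
The ranking puts heavily used, poorly detected techniques first, which is
where the next analytic or data source buys the most coverage.
"""
from typing import Dict, List, Tuple

CONF_SCORE = {"high": 3, "medium": 2, "low": 1, "none": 0}
MAX_CONF = max(CONF_SCORE.values())

# Technique names as they appear in the slide matrices; counts are made up.
INTEL_USAGE: Dict[str, int] = {
    "Credential Dumping": 9,
    "Remote File Copy": 8,
    "Registry Run Keys / Start Folder": 7,
    "Rundll32": 6,
    "Scheduled Task": 5,
    "Commonly Used Port": 5,
    "Screen Capture": 3,
    "Timestomp": 2,
    "Bootkit": 1,
}

# Constructed detection-confidence ratings. Bootkit is deliberately missing:
# a technique nobody has assessed must be treated as "none", not skipped.
DETECTION_CONF: Dict[str, str] = {
    "Credential Dumping": "medium",
    "Remote File Copy": "low",
    "Registry Run Keys / Start Folder": "high",
    "Rundll32": "none",
    "Scheduled Task": "high",
    "Commonly Used Port": "low",
    "Screen Capture": "none",
    "Timestomp": "none",
}

Row = Tuple[str, int, str, int]  # technique, usage, confidence, gap score


def gap_score(usage: int, confidence: str) -> int:
    """Usage weighted by how much detection is missing (0 when confidence is high)."""
    if confidence not in CONF_SCORE:
        raise ValueError(f"unknown confidence rating {confidence!r}")
    return usage * (MAX_CONF - CONF_SCORE[confidence])


def prioritize(usage: Dict[str, int], conf: Dict[str, str]) -> List[Row]:
    """Every technique in the intel map, biggest gap first; ties by usage, then name."""
    rows: List[Row] = []
    for tech, n in usage.items():
        c = conf.get(tech, "none")
        rows.append((tech, n, c, gap_score(n, c)))
    rows.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return rows


def top_gaps(k: int = 3, usage: Dict[str, int] = INTEL_USAGE,
             conf: Dict[str, str] = DETECTION_CONF) -> List[str]:
    """The k techniques to build detections for first (gap score > 0 only)."""
    return [tech for tech, _, _, score in prioritize(usage, conf) if score > 0][:k]


def render(rows: List[Row]) -> str:
    """One line per technique, in the same order as prioritize()."""
    width = max(len(r[0]) for r in rows)
    return "\n".join(f"{tech:<{width}}  usage={n}  detection={c:<6}  gap={score}"
                     for tech, n, c, score in rows)


if __name__ == "__main__":
    print(render(prioritize(INTEL_USAGE, DETECTION_CONF)))
    print("Work on first:", ", ".join(top_gaps()))
```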

Page 16:

Use Case: ATT&CK for Threat Intelligence

Page 17:

How ATT&CK Can Help with Threat Intelligence

• Moves to TTPs and behaviors

• Provides a way to structure threat intelligence

• Gives us a common language to communicate across reports and organizations

• Enables simpler comparison:

  • One group to another

  • One malware sample to another

  • A group to your defenses

Page 18:

Comparing groups: APT 28 vs. Deep Panda

[ATT&CK for Enterprise matrix figure with techniques shaded by group; tactic columns: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]

Legend: APT 28 – 50; Deep Panda – 29; Both – 17

Page 19:

Sounds great, but how do I do this?

[Figure labels: Remote Desktop Protocol; Disabling Security Tools; Create Accounts]

Page 20:

Example from industry – Unit 42 Adversary Playbook

Page 21:

Use Case: Detection and Analytics

Page 22:

Analytics vs. Indicators

Analytics: Suspicious behavior; More false positives; Broader; Lower quantity

Indicators: Known malicious behavior; Fewer false positives; More atomic; Higher quantity

Page 23:

How do analytics work?

• Analytics look for observable events and artifacts that indicate adversary behavior

• E.g., if an adversary uses RDP, Windows Event Logs will show a Login with type=RemoteInteractive

• The trick: distinguishing the good from the bad

[Venn diagram: "Almost everything in ATT&CK" overlapping "Evidence"; Our goal: place event in one circle]

Page 24:

Example: Detecting UAC Bypass

index=__your sysmon stuff__ IntegrityLevel=High
| search (
    ParentImage=c:\\windows\\system32\\fodhelper.exe
    OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*"
    OR ...
  )
| eval PossibleTechniques=case(
    like(lower(ParentImage), "c:\\windows\\system32\\fodhelper.exe"), "UACME #33",
    like(lower(CommandLine), "%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34",
    ...
  )

FOR ILLUSTRATIVE PURPOSES ONLY - INCOMPLETE
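The matching logic of the search above, re-expressed as an added Python example (not code from the MITRE slides) so it can be unit-tested against sample events before being turned into an SPL analytic. Only the two patterns the slide shows are included; the Sysmon-style events are constructed, and the case-folding mirrors the slide's like(lower(...)).

```python
"""Added example (not part of the MITRE slides): the page-24 UAC-bypass
search as a small classifier over constructed Sysmon-style process events.

Two things the slide's SPL relies on are made explicit here:
  * the base search keeps only IntegrityLevel=High processes;
  * case() returns the FIRST matching label, and comparisons are done on
    lower()-cased field values so mixed-case image paths still match.
The slide's "..." stands for further patterns that are not reproduced.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# (label, field, wildcard pattern) in evaluation order, like the SPL case().
# Patterns are already lowercase; fnmatch's * plays the role of SQL LIKE's %.
UAC_PATTERNS: List[Tuple[str, str, str]] = [
    ("UACME #33", "ParentImage", "c:\\windows\\system32\\fodhelper.exe"),
    ("UACME #34", "CommandLine", '*.exe"*cleanmgr.exe /autoclean*'),
]


def possible_technique(ev: Event) -> Optional[str]:
    """First matching label, or None when the event is out of scope or clean."""
    if ev.get("IntegrityLevel") != "High":
        return None  # base search: only high-integrity processes are examined
    for label, field, pattern in UAC_PATTERNS:
        if fnmatchcase(ev.get(field, "").lower(), pattern):
            return label
    return None


def classify(events: List[Event]) -> List[Tuple[str, str]]:
    """(ProcessId, label) for every event that matches some pattern."""
    out: List[Tuple[str, str]] = []
    for ev in events:
        label = possible_technique(ev)
        if label is not None:
            out.append((ev["ProcessId"], label))
    return out


# Constructed Sysmon-like events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    # mixed-case parent image: missed without the lower() step
    {"ProcessId": "1001", "IntegrityLevel": "High",
     "ParentImage": "C:\\Windows\\System32\\FodHelper.exe", "CommandLine": "cmd.exe"},
    # medium integrity: dropped by the base search even though the parent matches
    {"ProcessId": "1002", "IntegrityLevel": "Medium",
     "ParentImage": "c:\\windows\\system32\\fodhelper.exe", "CommandLine": "cmd.exe"},
    # quoted image path followed by the cleanmgr.exe /autoclean argument
    {"ProcessId": "1003", "IntegrityLevel": "High",
     "ParentImage": "c:\\windows\\system32\\svchost.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c cleanmgr.exe /autoclean'},
    # ordinary high-integrity process: no pattern applies
    {"ProcessId": "1004", "IntegrityLevel": "High",
     "ParentImage": "c:\\windows\\explorer.exe", "CommandLine": "notepad.exe"},
]


if __name__ == "__main__":
    for pid, label in classify(SAMPLE_EVENTS):
        print(f"pid {pid}: PossibleTechniques={label}")
```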

Page 25:

Developing an Analytic

• Read the ATT&CK page and understand the attack

  • Look at references for who’s using it and how

  • Think from an adversary perspective

  • Try to mentally separate legitimate usage from malicious usage

• Try it

  • Carry out the attacks via your own testing or pre-written scripts

  • What does it look like in the logs?

• Write and iterate

  • Write your first search, narrow down false positives, and iterate

  • Keep testing – make sure you check for a variety of ways it can be used, not just the easiest

Page 26:

ATT&CK Analytics Development: Don’t go it alone!

H-ISAC Working Group: Building out and sharing analytics to cover techniques in the ATT&CK™ matrix

• H-ISAC Working group, led by Bill Barnes/Pfizer

• Healthcare companies

• Security vendors

• Dept. of Health & Human Services (HHS)

• MITRE

Page 27:

Use Case: Adversary Emulation

Page 28: | 1 | Using ATT&CK to Find Cyber Threats and Bolster Cyber Defense€¦ · Deconstructing the Lifecycle Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential

Adversary Emulation

• AKA: Threat-based Red Teaming• Adversary Emulation

• Emulate the techniques of an adversary that’s most likely to target your environment

• Focus on the behaviors of those techniques instead of specific implementations

https://giphy.com/explore/hackerman h5ps://tenor.com/view/hackerman-transforma:on-kung-fury-kung-fury-gif-7263543


Page 29:

Red and Blue Working Together

• Common threat model used by both sides
• Test individual patterns of behavior focusing on defense effectiveness
• Identify whether detection data sources, analytics, and mitigations work
• Identify gaps in visibility, defensive tools, process
• Address gaps with defenders
• Re-test with varied behavior over time

[ATT&CK Enterprise matrix graphic: technique names listed under the tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]


Page 30:

How to start doing adversary emulation?

• Identify an adversary you want to emulate
• Consider the target you’re going up against

• Defense Contractor

• Financial Sector

• Health Care

• E-Commerce

• Etc.

• Adversaries change accordingly

• Country Specific (APT3, APT28, APT29, APT34, ….)

• Financially Motivated (FIN6, FIN7, …)


Page 31:

Adversary Emulation and Plan Development

Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary

Threat Intelligence Acquisition – Analyze Reporting:
- Adversary reports (APTX)
- Reports on adversary’s toolsets (APTX uses A, B, C)
- Aliases (APTX i.e. ThreatGroup ###, adjective-animal)
- Toolset aliases (A i.e. Trojan.malwareName)
- Associated campaigns (OperationZ)
- Keep time of reports in mind

Extract Actionable Techniques and Analyze M.O.:
- Look for adversary behaviors
- Look for tool functionality
- Establish the adversary’s goal
- Think about the what, why, and how
- In ATT&CK: Technique, Tactic, Procedure

Develop Tools – Capabilities:
- What are the COTS / open source tools available?
- Can you exhibit the right behaviors with these tools?
  - Can you extend them?
  - Can you modify them?
- Do you need to develop something specific?
  - Delivery mechanisms
  - Command & Control

Set up Infrastructure:
- Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
- Create payloads “inspired by” the adversary’s tradecraft
  - Modify IoCs and behaviors if possible
  - Obfuscate with purpose, NOT all the things

Emulate Adversary:
- Follow the M.O. of your target adversary
- “Domain Admin” most likely isn’t your goal
- Keep the ‘speed of the adversary’ in mind
  - Low and slow vs smash and grab


Page 32:

Adversary Emulation with ATT&CK: A starting point for Red/Blue Teams

Prototype APT3 emulation plan on attack.mitre.org

• To kickstart the process for Red/Blue teams everywhere, MITRE is providing a prototype APT3 emulation plan.
• All based on open-source intelligence
• Breakdowns of APT tools and capabilities mapped to ATT&CK
• Descriptions of how these techniques are implemented
• Potential operator flows during emulations
• Cheat sheets of commands across
  o Live off the Land binaries/scripts
  o Open source tools
  o Commercial toolkits


Page 33:


Bringing it all together…

Page 34:

Future Vision: Threat-Informed Defense (but for real)

• CTI in ATT&CK
• Realistic Threat Model
• Intelligence-Driven Adversary Emulation
• An ever-improving and well-validated defense

Page 35:


Join us to advance the nation's progress toward an integrated health system with improved access and quality at a sustainable cost.

attack.mitre.org

[email protected]
@MITREattack

[email protected]
