TRANSCRIPT
© 2019 The MITRE Corporation. All rights reserved.health.mitre.org
MITRE is transforming data into insights to improve the
health system and reinvent the healthcare experience.
PIONEERING A HEALTHIER FUTURE
Using ATT&CK to Find Cyber Threats and Bolster Cyber Defense
Julie Connolly, Blake Strom
HIMSS19 Cyber Command Center, February 13, 2019
Approved for Public Release. Distribution unlimited. 18-0944-15
© 2018 The MITRE Corporation. All rights reserved. Approved for Public Release - Cases # 17-4500-7, 17-4293-4, 18-0075
Cybersecurity should be threat-informed
Knowledge of my adversary can help me…
Better evaluate new security technologies
Perform gap analysis of current defenses
Prioritize detection/mitigation of heavily used techniques
Track a specific adversary’s set of techniques
Conduct adversary emulation (e.g. red-teaming)
ATT&CK
David Bianco's Pyramid of Pain
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries' operations.
Deconstructing the Lifecycle
Lifecycle phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
PRE-ATT&CK: Priority Definition (Planning, Direction), Target Selection, Information Gathering (Technical, People, Organizational), Weakness Identification (Technical, People, Organizational), Adversary OpSec, Establish & Maintain Infrastructure, Persona Development, Build Capabilities, Test Capabilities, Stage Capabilities
ATT&CK for Enterprise: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control
Spanning Multiple Technology Domains
PRE-ATT&CK: left of exploit behaviors
Enterprise: Windows, Linux, Mac
Mobile: Android, iOS
ATT&CK for Enterprise
Tactics – Adversary's technical goal
Techniques – How goal is achieved
Procedures – Specific technique implementation
Example Technique: New Service
Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection:
• Monitor service creation through changes in the Registry and common utilities using command-line invocation
• …
Mitigation:
• Limit privileges of user accounts and remediate Privilege Escalation vectors
• …
Data sources: Windows registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
Example Group: APT28
Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 1 2 3 4 5 6 7
Techniques:
• Data Obfuscation 1
• Connection Proxy 1 8
• Standard Application Layer Protocol 1
• Remote File Copy 8 9
• Rundll32 8 9
• Indicator Removal on Host 5
• Timestomp 5
• Credential Dumping 10
• Screen Capture 10 11
• Bootkit 7
• and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
…
Example Software: Mivast
Description: Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.1
Aliases: Mivast
Type: Malware
Techniques Used:
• Registry Run Keys / Start Folder: Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia
• Commonly Used Port: Mivast communicates over port 80 for C2.
• Command-Line Interface: Mivast has the capability to open a remote shell and run basic commands.
• Remote File Copy: Mivast has the capability to download and execute .exe files.
• Credential Dumping: Mivast has the capability to gather NTLM password information.
Groups: Deep Panda
References: 1. DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
2. …
Use Cases
Threat Intelligence and Hunting
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd
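The hunting pseudocode above, implemented as an added Python example (not code from the slides or from MITRE) over constructed process-creation events. Field names follow the pseudocode; the sample events, hostnames and pids are made up for this example, and the last two show why the join must match on hostname as well as pid.

```python
"""Join-based hunting analytic from the slide, re-expressed in Python.

Flags reg.exe launched by cmd.exe when that cmd.exe was itself not started from
explorer.exe (i.e. a registry edit that did not come from an interactive shell).
Field names follow the pseudocode; the sample events are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    hostname: str
    pid: int
    ppid: int
    exe: str
    parent_exe: str
    command_line: str


# Constructed sample telemetry (Process:Create events from two hosts).
SAMPLE_EVENTS = [
    # host1: explorer.exe -> cmd.exe -> reg.exe (interactive user; benign)
    ProcessCreate("host1", 4100, 1200, "cmd.exe", "explorer.exe", "cmd.exe"),
    ProcessCreate("host1", 4120, 4100, "reg.exe", "cmd.exe",
                  "reg.exe query HKCU\\Software"),
    # host2: svchost.exe -> cmd.exe -> reg.exe (no interactive parent; suspicious)
    ProcessCreate("host2", 5200, 900, "cmd.exe", "svchost.exe", "cmd.exe /c"),
    ProcessCreate("host2", 5210, 5200, "reg.exe", "cmd.exe",
                  "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                  "/v Updater /t REG_SZ /d C:\\Users\\Public\\updater.exe"),
    # host1: a reg.exe whose ppid happens to equal host2's suspicious cmd.exe pid;
    # the hostname condition in the join must keep these apart
    ProcessCreate("host1", 4130, 5200, "reg.exe", "cmd.exe", "reg.exe query HKLM"),
    # host2: reg.exe launched by powershell.exe, outside this analytic's scope
    ProcessCreate("host2", 5400, 5390, "reg.exe", "powershell.exe", "reg.exe query HKLM"),
]


def reg_from_non_interactive_cmd(events):
    """Return the reg.exe events matching the analytic, in input order.

    The two list comprehensions are the two filters from the pseudocode; the
    dictionary lookup is the join on (reg.ppid == cmd.pid and reg.hostname == cmd.hostname).
    """
    reg = [e for e in events
           if e.exe.lower() == "reg.exe" and e.parent_exe.lower() == "cmd.exe"]
    cmd = [e for e in events
           if e.exe.lower() == "cmd.exe" and e.parent_exe.lower() != "explorer.exe"]
    # Index the candidate cmd.exe processes by (hostname, pid): pids are only
    # unique per host, so the join must honour both conditions.
    cmd_by_host_pid = {(c.hostname, c.pid): c for c in cmd}
    return [r for r in reg if (r.hostname, r.ppid) in cmd_by_host_pid]


if __name__ == "__main__":
    for hit in reg_from_non_interactive_cmd(SAMPLE_EVENTS):
        print(f"{hit.hostname} pid={hit.pid} ppid={hit.ppid}: {hit.command_line}")
```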
Detection
[Figure: ATT&CK for Enterprise matrix with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]
Adversary Emulation
Assessment and Engineering
Use Case: Architecture and Engineering
Threat Intel: what do you need to worry about? (NOTIONAL)
[Figure: ATT&CK for Enterprise matrix (tactic columns Persistence through Command and Control) shaded by observed technique usage]
White-shaded cells have no usage; darker cells have more.
Based on threat intelligence (internal, government-source, open-source).
Measuring Defense: what can you cover? (NOTIONAL)
[Figure: ATT&CK for Enterprise matrix (tactic columns Persistence through Command and Control) shaded by detection confidence]
Legend: High Confidence, Med Confidence, No Confidence
Prioritized ATT&CK Coverage Matrix (NOTIONAL)
[Figure: ATT&CK for Enterprise matrix (tactic columns Persistence through Command and Control) combining threat-intelligence priority with detection coverage]
Legend: High Confidence of Detection, Moderate Confidence of Detection, Low Confidence of Detection, IOC Coverage, Prioritized Adversary Techniques
Use Case: ATT&CK for Threat Intelligence
How ATT&CK Can Help with Threat Intelligence
• Moves to TTPs and behaviors
• Provides a way to structure threat intelligence
• Gives us a common language to communicate across reports and organizations
• Enables simpler comparison:
  • One group to another
  • One malware sample to another
  • A group to your defenses
Comparing groups: APT 28 vs. Deep Panda
[Figure: ATT&CK for Enterprise matrix (tactic columns Persistence through Command and Control) with each group's techniques highlighted]
Legend: APT 28 (50), Deep Panda (29), Both (17)
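The group comparison above and the notional threat-intel heatmap and prioritized coverage matrix from the Architecture and Engineering slides, worked as one added Python example (not code from the slides or from MITRE). The technique lists come from the deck's own APT28 and Mivast (Deep Panda) slides; the detection-confidence table is constructed for this example and is not a MITRE assessment.

```python
"""Prioritizing ATT&CK coverage: threat-intel usage counts combined with detection confidence.

Technique lists per group are taken from the deck's APT28 and Mivast (Deep Panda) slides;
the detection-confidence table is constructed for this example, not a MITRE assessment.
"""
from collections import Counter

GROUP_TECHNIQUES = {
    "APT28": {"Data Obfuscation", "Connection Proxy", "Standard Application Layer Protocol",
              "Remote File Copy", "Rundll32", "Indicator Removal on Host", "Timestomp",
              "Credential Dumping", "Screen Capture", "Bootkit"},
    "Deep Panda": {"Registry Run Keys / Start Folder", "Commonly Used Port",
                   "Command-Line Interface", "Remote File Copy", "Credential Dumping"},
}

# Constructed detection confidence per technique; techniques absent here have no coverage.
DETECTION_CONFIDENCE = {
    "Credential Dumping": "High",
    "Registry Run Keys / Start Folder": "High",
    "Rundll32": "Moderate",
    "Remote File Copy": "Low",
    "Commonly Used Port": "Low",
    "Screen Capture": "Low",
}
CONFIDENCE_RANK = {"High": 3, "Moderate": 2, "Low": 1, None: 0}


def technique_usage(group_techniques):
    """How many tracked groups use each technique (the shading of the threat-intel heatmap)."""
    return Counter(t for techs in group_techniques.values() for t in techs)


def compare_groups(group_techniques, a, b):
    """Split two groups' techniques into (only a, only b, both), as on the comparison slide."""
    ta, tb = group_techniques[a], group_techniques[b]
    return sorted(ta - tb), sorted(tb - ta), sorted(ta & tb)


def prioritized_gaps(group_techniques, confidence):
    """Rank techniques by (most groups using it, weakest detection) to pick what to fix first.

    Each row is (technique, number of groups, confidence label or None for no coverage).
    """
    usage = technique_usage(group_techniques)
    rows = [(t, n, confidence.get(t)) for t, n in usage.items()]
    rows.sort(key=lambda r: (-r[1], CONFIDENCE_RANK[r[2]], r[0]))
    return rows


if __name__ == "__main__":
    only_apt28, only_deep_panda, both = compare_groups(GROUP_TECHNIQUES, "APT28", "Deep Panda")
    print("Used by both groups:", both)
    for technique, n, conf in prioritized_gaps(GROUP_TECHNIQUES, DETECTION_CONFIDENCE):
        print(f"{n} group(s)  {conf or 'no coverage':<12} {technique}")
```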
Sounds great, but how do I do this?
[Figure: threat report excerpt annotated with ATT&CK techniques: Remote Desktop Protocol, Disabling Security Tools, Create Accounts]
Example from industry – Unit 42 Adversary Playbook
Use Case: Detection and Analytics
Analytics vs. Indicators
Indicators: known malicious behavior; fewer false positives; more atomic; higher quantity.
Analytics: suspicious behavior; more false positives; broader; lower quantity.
How do analytics work?
• Analytics look for observable events and artifacts that indicate adversary behavior
• E.g., if an adversary uses RDP, Windows Event Logs will show a Login with type=RemoteInteractive
• The trick: distinguishing the good from the bad
[Venn diagram: "Almost everything in ATT&CK" overlapping "Evidence"; our goal: place event in one circle]
Example: Detecting UAC Bypass
index=__your sysmon stuff__ IntegrityLevel=High |
search (
    ParentImage=c:\\windows\\system32\\fodhelper.exe
    OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*"
    OR ...
) |
eval PossibleTechniques=case(
    like(lower(ParentImage), "c:\\windows\\system32\\fodhelper.exe"), "UACME #33",
    like(lower(CommandLine), "%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34",
    ...
)
FOR ILLUSTRATIVE PURPOSES ONLY - INCOMPLETE
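The same search re-expressed as an added Python classifier (not code from the slides or from MITRE) over constructed Sysmon process-creation records. Only the two patterns the slide names are implemented, the `IntegrityLevel=High` prefilter is kept, and the SPL `like()` wildcards are translated to shell-style globs; the fourth constructed record shows a legitimate scheduled cleanup that the pattern deliberately does not match.

```python
"""UAC-bypass classification from the slide, as a Python function over Sysmon-style records.

Field names mirror Sysmon Event ID 1 (IntegrityLevel, ParentImage, CommandLine). The
records below are constructed for this example; only the two rules on the slide exist here.
"""
import fnmatch

# Each rule: (label from the slide, field to test, case-insensitive glob pattern).
# The SPL like() wildcard '%' becomes the glob '*'; an exact path stays exact.
UAC_BYPASS_RULES = [
    ("UACME #33", "ParentImage", "c:\\windows\\system32\\fodhelper.exe"),
    ("UACME #34", "CommandLine", '*.exe"*cleanmgr.exe /autoclean*'),
]

# Constructed sample records.
SAMPLE_EVENTS = [
    {"EventID": 1, "IntegrityLevel": "High",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "CommandLine": "cmd.exe"},                                # matches UACME #33
    {"EventID": 1, "IntegrityLevel": "High",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c cleanmgr.exe /autoclean /d C:'},
    {"EventID": 1, "IntegrityLevel": "Medium",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe",
     "CommandLine": "cmd.exe"},                                # dropped by the prefilter
    {"EventID": 1, "IntegrityLevel": "High",
     "Image": "C:\\Windows\\System32\\cleanmgr.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "cleanmgr.exe /autoclean /d C:"},           # scheduled cleanup: no match
]


def possible_techniques(event):
    """Return the UACME labels whose pattern matches one High-integrity process event.

    Mirrors the search: IntegrityLevel=High is applied first, then each rule is
    evaluated case-insensitively, like lower() in the SPL. Unlike case(), which
    returns only the first match, every matching label is returned.
    """
    if event.get("IntegrityLevel") != "High":
        return []
    labels = []
    for label, field, pattern in UAC_BYPASS_RULES:
        value = event.get(field, "").lower()
        if fnmatch.fnmatchcase(value, pattern.lower()):
            labels.append(label)
    return labels


def classify(events):
    """Pair each matching event with its labels; non-matching events are omitted."""
    return [(e, possible_techniques(e)) for e in events if possible_techniques(e)]


if __name__ == "__main__":
    for event, labels in classify(SAMPLE_EVENTS):
        print(labels, event["ParentImage"], "->", event["CommandLine"])
```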
Developing an Analytic
• Read the ATT&CK page and understand the attack
  • Look at references for who's using it and how
  • Think from an adversary perspective
  • Try to mentally separate legitimate usage from malicious usage
• Try it
  • Carry out the attacks via your own testing or pre-written scripts
  • What does it look like in the logs?
• Write and iterate
  • Write your first search, narrow down false positives, and iterate
  • Keep testing – make sure you check for a variety of ways it can be used, not just the easiest
ATT&CK Analytics Development: Don't go it alone!
H-ISAC Working Group: Building out and sharing analytics to cover techniques in the ATT&CK™ matrix
• H-ISAC Working group, led by Bill Barnes/Pfizer
• Healthcare companies
• Security vendors
• Dept. of Health & Human Services (HHS)
• MITRE
Use Case: Adversary Emulation
Adversary Emulation
• AKA: Threat-based Red Teaming
• Adversary Emulation
  • Emulate the techniques of an adversary that's most likely to target your environment
  • Focus on the behaviors of those techniques instead of specific implementations
Red and Blue Working Together
• Common threat model used by both sides
• Test individual patterns of behavior, focusing on defense effectiveness
  • Identify whether detection data sources, analytics, and mitigations work
  • Identify gaps in visibility, defensive tools, and process
  • Address gaps with defenders
  • Re-test with varied behavior over time
[Figure: ATT&CK for Enterprise matrix with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]
How to start doing adversary emulation?
• Identify an adversary you want to emulate
• Consider the target you're going up against
  • Defense Contractor
  • Financial Sector
  • Health Care
  • E-Commerce
  • Etc.
• Adversaries change accordingly
  • Country Specific (APT3, APT28, APT29, APT34, …)
  • Financially Motivated (FIN6, FIN7, …)
Adversary Emulation and Plan Development
Threat Intelligence Acquisition
- Analyze reporting: adversary reports (APTX); reports on the adversary's toolsets (APTX uses A, B, C); aliases (APTX, i.e. ThreatGroup ###, adjective-animal); toolset aliases (A, i.e. Trojan.malwareName); associated campaigns (OperationZ)
- Keep the time of the reports in mind
Extract Actionable Techniques and Analyze M.O.
- Look for adversary behaviors
- Look for tool functionality
- Establish the adversary's goal
- Think about the what, why, and how
- In ATT&CK: Technique, Tactic, Procedure
Develop Tools
- What are the COTS / open source tools available?
- Can you exhibit the right behaviors with these tools? Can you extend them? Can you modify them?
- Do you need to develop something specific? Delivery mechanisms; Command & Control capabilities
Set up Infrastructure
- Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
- Create payloads "inspired by" the adversary's tradecraft: modify IoCs and behaviors if possible; obfuscate with purpose, NOT all the things
Emulate Adversary
- Follow the M.O. of your target adversary
- "Domain Admin" most likely isn't your goal
- Keep the 'speed of the adversary' in mind: low and slow vs. smash and grab
Adversary Emulation with ATT&CK: A starting point for Red/Blue Teams
Prototype APT3 emulation plan on attack.mitre.org
§ To kickstart the process for Red/Blue teams everywhere, MITRE is providing a prototype APT3 emulation plan.
• All based on open-source intelligence
• Breakdowns of APT tools and capabilities mapped to ATT&CK
• Descriptions of how these techniques are implemented
• Potential operator flows during emulations
• Cheat sheets of commands across
  o Live off the Land binaries/scripts
  o Open source tools
  o Commercial toolkits
Bringing it all together…
Future Vision: Threat-Informed Defense (but for real)
[Diagram: CTI in ATT&CK; Realistic Threat Model; Intelligence-Driven Adversary Emulation; An ever-improving and well-validated defense]
Join us to advance the nation's progress toward an integrated health system with improved access and quality at a sustainable cost.
attack.mitre.org
[email protected]
@MITREattack