Post on 25-Feb-2022

13.12.2020 CMA Project PSOW # 20081214

Solution Review Document: Examples of DLP rules for MITRE techniques detection

Version: 001 draft

Customer: Generic

Prepared by: Steen Pedersen, Principal Architect, CISSP - McAfee

Cover Page

Notices

Trademarks

This document may make reference to other software and hardware products by name. In most if not all cases, the companies that manufacture these other products claim these product names as trademarks. It is not the intention of McAfee to claim these names or trademarks as its own.

Disclaimer

The information contained in this document is subject to change without notice.

McAfee MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. McAfee shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

McAfee reserves the right to add, subtract or modify features or functionality, or modify the product, at its sole discretion, without notice.

McAfee makes no commitment, implied or otherwise, to support any functionality or technology discussed or referenced in this document.

Examples of DLP rules for MITRE techniques detection

Table of Contents:

1 Overview (p. 1)
1.1 Main objectives (p. 1)
1.2 Reference to additional DLP recommendations (p. 1)
1.3 Notes (p. 1)
2 DLP Policy (p. 2)
3 Classifications (p. 2)
4 Definitions (p. 9)
4.1.1 File Information (p. 9)
4.1.2 Application Template (p. 9)
4.1.3 Network Share (p. 10)
4.1.4 Network addresses (p. 10)
5 DLP Detection policy (p. 10)
5.1 The individual rules (p. 12)
6 DLP Protection policy (p. 22)
7 Acronyms and Terms (p. 24)


Change History Log:

Version No   Release Date   Updated by       Summary of Changes   Accepted by
001          20201211       Steen Pedersen   Draft version 001

1 Overview

This document provides examples and inspiration for Data Loss Prevention for Endpoint (DLPE) policies and rules that can be used to detect, and in some cases prevent, a number of MITRE ATT&CK techniques on the endpoints.

It describes the DLP classifications and rules that can be implemented in McAfee DLP for endpoints. The rules do not cover all MITRE techniques and should be used together with McAfee Endpoint Security, Adaptive Threat Protection and Endpoint Detection and Response (ENS, ATP and EDR).

DLP coverage can be extended further with MVISION Cloud, and with McAfee Client Proxy redirecting traffic through McAfee Web Gateway.

1.1 Main objectives

The main objectives of the examples are:

- Provide DLP classifications for sensitive data
- Detection policy – non-intrusive, silent monitoring
  o Example DLP policies containing DLP rules that use the classifications to detect the MITRE techniques
- Prevention policy – Block
  o Contains the same DLP rules as the detection policy, with Block as the reaction

1.2 Reference to additional DLP recommendations

The McAfee Expert Center – DLP section:

https://community.mcafee.com/t5/EC-Data-Loss-Prevention-DLP/bd-p/data-loss-prevention-expert-center


1.3 Notes

The classification and rules have been created in DLPE version 11.6 and can also be created in 11.4 and 11.5.

Generic – Examples of DLP rules for MITRE techniques detection Page 2 of 25

2 DLP Policy

There are two DLP policies: one for detection and one for prevention. The two policies contain the same rules, with a few exceptions.

IMPORTANT

Do not import the DLP policy backup before you have made a backup of your current DLP policy. The DLP policy import overwrites every DLP classification, definition and rule on the ePO server it is imported into. It is recommended to import the policy on a test ePO server first to verify the DLP configuration.

Procedure for DLP policy import:

- ePO menu - DLP Settings
  o Backup & Restore
  o Restore from file

3 Classifications

Classifications are what make the DLP rules trigger on the right data. They identify the sensitive data as well as the data that should be excluded; the exceptions are just as important as the matches. This section lists the classifications used in the example DLP rules.

List of the Classifications:

Classification / Description

_Any Office and PDF file
    True File Type classification of Office and PDF documents. The file type is detected from the content, not from the file extension.

_Any True Type file
    Any file identified with True File Type; all True File Types are selected.

_Any executable
    Detects executable files using True File Type.

_Certificate files based on extension
    Detection of common extensions for certificate files, using the File Extensions definition.

_Compressed
    True File Type classification of compressed files. The file type is detected from the content, not from the file extension.

_Encrypted
    Detects unsupported encrypted or password-protected files.

_Exclude windows assembly
    Used for exclusion of some executable files.

_From_Share
    Location content fingerprinting, which can be used to track "Any" files from sensitive file shares. It is important to list the servers to monitor in the Network Share definition "Servers to monitor".

_Location_fingerprint
    Test for identification of local shares (location content fingerprinting).

_Originated_from_Outlook
    Identifies any file arriving via Outlook, using application content fingerprinting.

_Other documents TXT
    Uses True File Type to identify text files.

_PEM file
    Classifies files that contain certificate sections, such as .PEM and .CER files.

_PEM file (keywords)
    Uses keywords to identify certificate files; a different method than the proximity match used in the "_PEM file" classification.

_Procdump
    Specifically identifies the procdump file.

_XML file
    Classifies XML from its content using True File Type.

_invoke-mini
    Classifies the invoke-mini.ps1 file, which can be used in attacks.

_machine.config
    Identifies the machine.config file used by PowerShell; used for exceptions in DLP rules.

_pstools
    Classification of the PsTools from Microsoft/Sysinternals, which are often used in information gathering and can be an indicator of malicious activity.
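The distinction the table draws between True File Type (content) checks, extension checks, and the two PEM methods (proximity of BEGIN/END markers versus plain keywords) is easiest to see on a few files. The script below is an added example and not McAfee code or part of the policy export: the label strings reuse the classification names from the table, but the byte signatures, the keyword list, the proximity window and the sample files are assumptions constructed for this illustration. A renamed executable is still classified as executable, a .docx (a ZIP container) is Office rather than compressed, and a password-protected archive picks up _Encrypted on top of _Compressed.

```python
"""Content-based classification in the style of the table above.

Added example, not McAfee code.  The label strings reuse the document's
classification names; the byte signatures, the keyword list and the
proximity window are assumptions made for this illustration.
"""
import os
import re
import struct

# Leading-byte signatures for the "True File Type" style checks (assumed subset).
SIGNATURES = [
    (b"MZ", "_Any executable"),
    (b"PK\x03\x04", "_Compressed"),                                     # ZIP family
    (b"Rar!\x1a\x07", "_Compressed"),
    (b"7z\xbc\xaf\x27\x1c", "_Compressed"),
    (b"%PDF-", "_Any Office and PDF file"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "_Any Office and PDF file"),  # OLE2 .doc/.xls
]
CERT_EXTENSIONS = {".pem", ".cer", ".crt", ".der", ".key", ".pfx", ".p12"}
PEM_KEYWORDS = (b"BEGIN CERTIFICATE", b"BEGIN PRIVATE KEY", b"BEGIN RSA PRIVATE KEY")
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
PROXIMITY_WINDOW = 8192                         # bytes allowed between BEGIN and END (assumed)
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # PKZIP local file header, 30 bytes


def zip_entries(data):
    """Walk the local file headers of a ZIP and yield (name, general purpose flags)."""
    off = 0
    while data[off:off + 4] == b"PK\x03\x04":
        _, _, flags, _, _, _, _, csize, _, nlen, elen = LOCAL_HEADER.unpack_from(data, off)
        yield data[off + 30:off + 30 + nlen].decode("utf-8", "replace"), flags
        off += 30 + nlen + elen + csize


def pem_proximity(data):
    """_PEM file: a BEGIN block whose matching END marker follows within the window."""
    for m in PEM_BEGIN.finditer(data):
        end_marker = b"-----END " + m.group(1) + b"-----"
        if data.find(end_marker, m.end(), m.end() + PROXIMITY_WINDOW) != -1:
            return True
    return False


def classify(filename, data):
    """Return the set of classification names that match this file."""
    labels = set()
    if os.path.splitext(filename)[1].lower() in CERT_EXTENSIONS:
        labels.add("_Certificate files based on extension")   # extension only, no content check
    for signature, label in SIGNATURES:
        if data.startswith(signature):
            labels.add(label)
    if data.startswith(b"PK\x03\x04"):
        entries = list(zip_entries(data))
        if any(name == "[Content_Types].xml" for name, _ in entries):
            labels.discard("_Compressed")                       # OOXML: Office, not an archive
            labels.add("_Any Office and PDF file")
        if any(flags & 0x1 for _, flags in entries):
            labels.add("_Encrypted")                            # PKZIP encryption flag set
    if pem_proximity(data):
        labels.add("_PEM file")
    if any(keyword in data for keyword in PEM_KEYWORDS):
        labels.add("_PEM file (keywords)")
    return labels


def _stored_zip(member, payload, encrypted=False):
    """Build a one-member stored ZIP in memory; optionally set the encryption flag bit."""
    import io
    import zipfile
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x1          # bit 0 of the first local header's general purpose flags
    return bytes(raw)


# Constructed sample files, not real artefacts.
SAMPLES = {
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,                       # executable renamed to .txt
    "report.docx": _stored_zip("[Content_Types].xml", b"<Types/>"),
    "dump.zip": _stored_zip("lsass.dmp", b"MDMP", encrypted=True),
    "server.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "readme.txt": b"paste the text after the BEGIN CERTIFICATE line into the form",
    "client.cer": b"just a label, no certificate data here",
}


def classify_samples():
    """Classify every sample; returns {filename: sorted list of classification names}."""
    return {name: sorted(classify(name, data)) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in classify_samples().items():
        print(f"{name:12s} -> {', '.join(labels) or '(none)'}")
```

Note how readme.txt hits only the keyword classification while server.pem hits both; that is why the keyword variant is the noisier of the two and the proximity variant is the one to put in the higher-severity rules.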

4 Definitions

The classifications use the definitions listed below; which definition each classification uses is given in the classification section.

4.1.1 File Information

MITRE exclude .ni.dll.aux
MITRE exclude Sysmain.sdb
MITRE invoke-mini.ps1
MITRE machine.config
MITRE procdump
MITRE psexec.exe
MITRE psexesvc.exe
MITRE pstools.zip

4.1.2 Application Template

.McAfee ENS Path
.MITRE extraction tools
.MITRE Outlook
.MITRE PowerShell
Any application
BT file transfer application
Encryption A
ENS – VSE

4.1.3 Network Share

Servers to monitor
Local folder

4.1.4 Network addresses

Common Private Ranges
LAB range Example

5 DLP Detection policy

There are two DLP policies, one for detection and one for prevention, containing the same rules with a few exceptions.

The rules are mainly created to detect background activity not initiated by the end user, so no email or web protection rules are included.

DLPE can match a single event against several rules; the rule with the highest severity and the most restrictive reaction determines the outcome.

Note on naming: several rules share a numeric prefix (804 and 830 each appear more than once), so the full rule name is the identifier. The ATT&CK IDs in the rule names are labels chosen for this rule set and should be kept as they are so they match the exported policy; when mapping incidents back to ATT&CK, be aware that T1021.003 is Remote Services: Distributed Component Object Model (SMB/Windows Admin Shares is T1021.002), that T1055 is Process Injection, and that T1086 (PowerShell) has been deprecated in favour of T1059.001.

The example rule set has been created as: 802 MITRE PT2020.12

State     Rule
          Severity | Data (classifications) | Users | Protection

Disabled  801 Monitor ALL Network Shares and ALL files
          Info | any data | any user | Network Share Protection

Disabled  803 Monitor PowerShell file access (AD User)
          Info | _Compressed, _Encrypted, _Any True Type file, _Any Office and PDF file, _Originated_from_Outlook | any user | Application File Access Protection

Enabled   804 Monitor PowerShell file access (Local user)
          Info | _Compressed, _Encrypted, _Any True Type file, _Any Office and PDF file, _Any executable, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension | any local user | Application File Access Protection

Enabled   804 Monitor PowerShell file access to PII (Local user)
          Warning | PCI, US PII | any local user | Application File Access Protection

Enabled   807 Monitor Office access to files from Outlook
          Warning | _Any Office and PDF file, _Originated_from_Outlook, _Other documents TXT | any local user | Application File Access Protection

Enabled   820 Monitor Screen capture
          Info | _Compressed, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Certificate files based on extension | any user | Screen Capture Protection

Enabled   830 Monitor any port in LAN in and out
          Info | _Compressed, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Exclude windows assembly, _Originated_from_Outlook | any user | Network Communication Protection

Enabled   830 Monitor any port in LAN out
          Info | PCI, US PII, Top Secret, _Compressed, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Exclude windows assembly, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension | any user | Network Communication Protection

Enabled   830 Monitor any port in LAN out PII and PCI
          Warning | PCI, US PII | any user | Network Communication Protection

Enabled   T1021.002 Remote Services SMB/Windows Admin Share - Cloud storage
          Warning | _Compressed, _Encrypted, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension | any user | Cloud Protection

Enabled   T1021.002 Remote Services SMB/Windows Admin Share (802)
          Warning | _Compressed, _From_Share, _Encrypted, _Location_fingerprint, _Any Office and PDF file, _Any executable, _Originated_from_Outlook | any user | Network Share Protection

Enabled   T1021.003 Remote Services SMB/Windows Admin Share (802)
          Major | PCI, US PII, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension | any user | Network Share Protection

Enabled   T1027 Obfuscated Files or Information
          Major | _Compressed, _Encrypted | any user | Application File Access Protection

Enabled   T1055 Defense evasion - Monitor Unknown application access to files (806)
          Major | PCI, US PII, _Compressed, _From_Share, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension | any user | Application File Access Protection

Enabled   T1074 Data Staged - Monitor file access (803)
          Warning | _Compressed, _Encrypted, _Any Office and PDF file, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Certificate files based on extension | any user | Application File Access Protection

Disabled  T1082 System Information Discovery - Monitor PowerShell file access (803)
          Major | _machine.config | any user | Application File Access Protection

Enabled   T1086 Data Staged - Monitor PowerShell file access (803)
          Major | _Compressed, _Encrypted, _PEM file, _PEM file (keywords), _Certificate files based on extension | any user | Application File Access Protection

Enabled   T1086 T1003 Data Staged and Credential Dumping by PowerShell file access (803)
          Critical | _Procdump, _pstools, _invoke-mini | any user | Application File Access Protection
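Because several of these rules overlap (the same PowerShell file access can match 804, T1027 and the T1086/T1003 rule at once), the precedence rule stated above, highest severity first and then the most restrictive reaction, decides what the incident looks like. The evaluator below is an added example, not part of the McAfee document or its policy export: the rule names, severities, protection types and classification lists are copied from the table, but the event format, the process lists behind the application templates, the user scopes, the exception lists and the sample events are assumptions constructed for this illustration. It replays the same events under the detection policy (every reaction is Report incident) and under the protection policy of section 6 (Block, or Request justification for the network communication rules).

```python
"""Rule precedence replayed over constructed endpoint events.

Added example, not from the McAfee document or its policy export.  Rule
names, severities, protection types and classifications come from the table
above; the event format, application lists, user scopes and exception lists
are assumptions made for this illustration.
"""
from dataclasses import dataclass

SEVERITY = {"Info": 0, "Warning": 1, "Major": 2, "Critical": 3}
REACTION = {"Report incident": 0, "Request justification": 1, "Block": 2}

AFA = "Application File Access Protection"
NSP = "Network Share Protection"
NCP = "Network Communication Protection"

POWERSHELL = frozenset({"powershell.exe", "pwsh.exe"})            # assumed ".MITRE PowerShell"
EXTRACTION_TOOLS = frozenset({"7z.exe", "winrar.exe", "tar.exe"})  # assumed ".MITRE extraction tools"
KNOWN_APPS = POWERSHELL | EXTRACTION_TOOLS | {"winword.exe", "excel.exe", "outlook.exe", "explorer.exe"}


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    protection: str
    data: frozenset                       # fires when the file carries any of these
    users: str = "any user"               # "any user" | "any local user" | "domain users only"
    applications: frozenset = None        # None: any application
    unknown_app_only: bool = False        # fires only for processes outside KNOWN_APPS
    exceptions: frozenset = frozenset()   # classifications that suppress the rule


@dataclass(frozen=True)
class Event:
    application: str
    user_is_local: bool
    classifications: frozenset
    protection: str                       # which DLP protection type observed it


RULES = [
    Rule("804 Monitor PowerShell file access (Local user)", "Info", AFA,
         frozenset({"_Compressed", "_Encrypted", "_Any True Type file", "_Any executable",
                    "_PEM file", "_Procdump", "_pstools", "_invoke-mini"}),
         users="any local user", applications=POWERSHELL),
    Rule("T1027 Obfuscated Files or Information", "Major", AFA,
         frozenset({"_Compressed", "_Encrypted"}), users="domain users only",
         applications=POWERSHELL | EXTRACTION_TOOLS,
         exceptions=frozenset({"_Any executable", "_Exclude windows assembly"})),
    Rule("T1055 Defense evasion - Monitor Unknown application access to files (806)", "Major", AFA,
         frozenset({"PCI", "US PII", "_Compressed", "_Encrypted", "_Any True Type file",
                    "_Any Office and PDF file", "_PEM file", "_Procdump"}), unknown_app_only=True),
    Rule("T1086 T1003 Data Staged and Credential Dumping by PowerShell file access (803)",
         "Critical", AFA, frozenset({"_Procdump", "_pstools", "_invoke-mini"}),
         applications=POWERSHELL),
    Rule("T1021.002 Remote Services SMB/Windows Admin Share (802)", "Warning", NSP,
         frozenset({"_Compressed", "_From_Share", "_Encrypted", "_Any Office and PDF file",
                    "_Any executable", "_Originated_from_Outlook"})),
    Rule("T1021.003 Remote Services SMB/Windows Admin Share (802)", "Major", NSP,
         frozenset({"PCI", "US PII", "_PEM file", "_Procdump", "_pstools", "_invoke-mini"})),
    Rule("830 Monitor any port in LAN out", "Info", NCP,
         frozenset({"PCI", "US PII", "_Compressed", "_Encrypted", "_Any executable", "_PEM file"})),
]


def matches(rule, event):
    """True when the rule's scope (protection type, application, user) and data conditions hold."""
    app = event.application.lower()
    if rule.protection != event.protection:
        return False
    if rule.applications is not None and app not in rule.applications:
        return False
    if rule.unknown_app_only and app in KNOWN_APPS:
        return False
    if rule.users == "any local user" and not event.user_is_local:
        return False
    if rule.users == "domain users only" and event.user_is_local:
        return False
    if event.classifications & rule.exceptions:
        return False
    return bool(event.classifications & rule.data)


def reaction_for(rule, policy):
    """Detection policy only reports; the protection policy blocks where Block exists and
    falls back to Request justification for network communication rules (section 6)."""
    if policy == "detection":
        return "Report incident"
    return "Request justification" if rule.protection == NCP else "Block"


def evaluate(event, policy="detection"):
    """Return (rule name, severity, reaction) of the winning rule, or None if nothing fires."""
    fired = [rule for rule in RULES if matches(rule, event)]
    if not fired:
        return None
    winner = max(fired, key=lambda r: (SEVERITY[r.severity], REACTION[reaction_for(r, policy)]))
    return winner.name, winner.severity, reaction_for(winner, policy)


# Constructed events, not real telemetry.
EVENTS = {
    "ps_reads_procdump": Event("powershell.exe", True, frozenset({"_Any True Type file", "_Procdump"}), AFA),
    "seven_zip_domain": Event("7z.exe", False, frozenset({"_Compressed"}), AFA),
    "ps_compressed_exe": Event("powershell.exe", False, frozenset({"_Compressed", "_Any executable"}), AFA),
    "unknown_app_pdf": Event("svc_upd.exe", True, frozenset({"_Any Office and PDF file"}), AFA),
    "explorer_to_share": Event("explorer.exe", False, frozenset({"_Any Office and PDF file", "US PII"}), NSP),
    "ps_lan_out": Event("powershell.exe", False, frozenset({"_Compressed"}), NCP),
}


def run_examples(policy="detection"):
    """Evaluate every constructed event under the given policy."""
    return {name: evaluate(event, policy) for name, event in EVENTS.items()}
```

The ps_compressed_exe event is the one to look at when tuning: a compressed file that is also a True File Type executable is suppressed by the T1027 exception list, so it produces nothing even though _Compressed is in the rule's data set. Exceptions are evaluated before the data match, which is why the document stresses that the exclusion classifications matter as much as the detection ones.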

5.1 The individual rules

801 Monitor ALL Network Shares and ALL files
    This is a "flight recorder" rule, used only to capture information about all files copied to network shares. Disabled by default.
    Exceptions: none
    Reaction: Report Incident

803 Monitor PowerShell file access (AD User)
    This is a "flight recorder" rule, used only to capture information about all files accessed by PowerShell. Disabled by default.
    Exceptions: executables and Windows assembly files are not tracked; local users are excluded
    Reaction: Report Incident

804 Monitor PowerShell file access (Local user)
    This is a "flight recorder" rule, used to capture information about all files accessed by PowerShell running as a local user.
    Exceptions: none listed
    Reaction: Report Incident

804 Monitor PowerShell file access to PII (Local user)
    Detects PowerShell accessing sensitive information. In this example PCI and US PII classified material is monitored; the rule can be extended to other sensitive information.
    Exceptions: none listed
    Reaction: Report Incident

807 Monitor Office access to files from Outlook
    This is a "flight recorder" rule, used to capture information about all files accessed by Office applications running as a local user, including whether the files originated from Outlook.
    Exceptions: none enabled
    Reaction: Report Incident

820 Monitor Screen capture
    This is a "flight recorder" rule, used to monitor screen captures being performed.
    Exceptions: none enabled
    Reaction: Report Incident

830 Monitor any port in LAN in and out
    This is a "flight recorder" rule, used to capture information about all files transmitted over the network within the common private ranges.
    Exceptions: none enabled
    Reaction: Report Incident

830 Monitor any port in LAN out
    This is a "flight recorder" rule, used to capture information about all files transmitted outbound in the lab environment. It also covers PCI and US PII classified files.
    Exceptions: none enabled
    Reaction: Report Incident

830 Monitor any port in LAN out PII and PCI
    This is a "flight recorder" rule, used to capture information about files transmitted outbound in the lab environment. It covers only PCI and US PII classified files.
    Exceptions: none enabled
    Reaction: Report Incident

T1021.002 Remote Services SMB/Windows Admin Share - Cloud storage
    This is a "flight recorder" rule that monitors potentially sensitive files, and encrypted or compressed files, placed in cloud storage synchronization folders.
    Exceptions: none enabled
    Reaction: Report Incident

T1021.002 Remote Services SMB/Windows Admin Share (802)
    This is a "flight recorder" rule that monitors fingerprinted, encrypted or compressed files copied to any network share.
    Exceptions: none enabled
    Reaction: Report Incident

T1021.003 Remote Services SMB/Windows Admin Share (802)
    This is a "flight recorder" rule that monitors potentially sensitive files (PCI, PII) copied to any network share. Any other relevant classification can be added, and the severity is raised to Major.
    Exceptions: none enabled
    Reaction: Report Incident

T1027 Obfuscated Files or Information
    Monitors the listed extraction tools (.MITRE extraction tools) or PowerShell accessing compressed or encrypted files.
    Exclusions: executables and Windows assembly files; local (non-domain) users
    Reaction: Report Incident

T1055 Defense evasion - Monitor Unknown application access to files (806)
    This rule can provide valuable information when unknown applications touch any files, and identifies whether those files contain sensitive information (PCI and PII).
    Exceptions: none enabled
    Reaction: Report Incident

T1074 Data Staged - Monitor file access (803)
    Monitors the listed extraction tools (.MITRE extraction tools) or PowerShell accessing sensitive, compressed or encrypted files.
    Exclusions: executables and Windows assembly files; local (non-domain) users
    Reaction: Report Incident

T1082 System Information Discovery - Monitor PowerShell file access (803)
    Monitors PowerShell accessing the machine.config file.
    Exclusions: executables and Windows assembly files; local (non-domain) users
    Reaction: Report Incident

T1086 Data Staged - Monitor PowerShell file access (803)
    Monitors PowerShell accessing sensitive, compressed or encrypted files.
    Exclusions: executables and Windows assembly files; local (non-domain) users
    Reaction: Report Incident

T1086 T1003 Data Staged and Credential Dumping by PowerShell file access (803)
    Monitors sensitive tools being accessed by PowerShell and generates an incident with Critical severity.
    Exceptions: none enabled
    Reaction: Report Incident

6 DLP Protection policy

This policy is very much like the detection policy. The rule set has been duplicated and the reaction changed to Block, or to Request justification for the network protection rules, where the Block reaction is not available. The rules are not listed here as they are all covered in the DLP Detection policy section.

IMPORTANT

Enabling blocking rules can cause issues in an environment. The rules must run in detection/monitor mode for some days and be tuned before the Protection DLP policy is enabled.

Examples of DLP rules for of MITRE techniques detection

Generic – Examples of DLP rules for of MITRE techniques detection Page 24 of 25

7 Acronyms and Terms

Acronyms and Terms v2012

Acronym Description

Admin ePO administrator or network administrator (previously Global Admin)

Agent McAfee software used to manage point products on endpoint machines

AH Agent Handler: Component of ePO used to communicate with agents installed on endpoints

AR Active Response

ASCI Agent-server communication interval

ASSC Agent-to-server secure communication

ATD Advanced Threat Defense

ATP Adaptive Threat Protection

CEE Complete Protection Enterprise Suite

DAC Dynamic Application Containment

DLPE Data Loss Prevention for Endpoints (previously known as HDLP)

DR Disaster Recovery

DXL Data Exchange Layer (used by TIE and AR)

EDR Endpoint Detection and Response

EEDK ePO Endpoint Deployment Kit

EEFF McAfee Endpoint Encryption for Files and Folders (now named FRP)

EEPC Endpoint Encryption for PC (now named MDE)

EERM Endpoint Encryption for Removable Media (now named FRP)

ENS Endpoint Security

ePO ePolicy Orchestrator

EPP Endpoint Protection

ESM Enterprise Security Management (SIEM)

FIM File Integrity Monitor (Solidcore)

FRP McAfee File and Removable Media Protection (previously known as EEFF)

GTI Global Threat Intelligence

GUID Globally Unique Identifier; random 64-bit value used specifically by ePO

HA High Availability

HDLP Host Data Loss Prevention (now named DLPE)

HIPS Host Intrusion Prevention

MA McAfee Agent

MAC McAfee Application Control (Solidcore)

MCC McAfee Change Control (Solidcore)

MDE McAfee Device Encryption (previously known as EEPC)

MOVE Management for Optimized Virtual Environments


MVM McAfee Vulnerability Manager

NDLP Network Data Loss Prevention

NSP Network Security Platform

NTBA Network Threat Behavior Analysis

PA Policy Auditor

Policy Settings and configurations applied to point-products on endpoint machines

RA Risk Advisor

Repository Collection of the software used to deploy and update point-products on endpoint machines

RP Real Protect

RSD/Sensor Rogue System Detection Sensor

SA McAfee SuperAgent

SAR McAfee SuperAgent Repository

SAE SiteAdvisor Enterprise

SIEM Security Information and Event Management – McAfee ESM

TIE Threat Intelligence Exchange

VSE McAfee VirusScan Enterprise

VSES McAfee VirusScan Enterprise for Storage