13.12.2020 CMA Project PSOW # 20081214
Solution Review Document:
Examples of DLP rules for
MITRE techniques detection
Version:
001 draft
Customer:
Generic
Prepared by: Steen Pedersen, Principal Architect, CISSP - McAfee
Cover Page
Notices
Trademarks
This document may make reference to other software and hardware products by name. In most if
not all cases, the companies that manufacture these other products claim these product names as
trademarks. It is not the intention of McAfee to claim these names or trademarks as its own.
Disclaimer
The information contained in this document is subject to change without notice.
McAfee MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. McAfee shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance,
or use of this material.
McAfee reserves the right to add, subtract or modify features or functionality, or modify the
product, at its sole discretion, without notice.
McAfee makes no commitment, implied or otherwise, to support any functionality or technology
discussed or referenced in this document.
Examples of DLP rules for of MITRE techniques detection
Table of Contents:
1 Overview 1
1.1 Main objectives 1
1.2 Reference to additional DLP recommendations 1
1.3 Notes 1
2 DLP Policy 2
3 Classifications 2
4 Definitions 9
4.1.1 File Information 9
4.1.2 Application Template 9
4.1.3 Network Share 10
4.1.4 Network addresses 10
5 DLP Detection policy 10
5.1 The individual rules 12
6 DLP Protection policy 22
7 Acronyms and Terms 24
Change History Log:
V No   Release Date   Updated by       Summary of Changes   Accepted by
001    20201211       Steen Pedersen   Draft version 001
1 Overview
This document provides examples and inspiration for Data Loss Prevention for Endpoint (DLPE) policies and rules that can be used to detect, and possibly prevent, some of the MITRE techniques on endpoints.
It describes the DLP classifications and rules that can be implemented in McAfee DLP for endpoints. The rules do not cover all of the MITRE techniques and should be used in conjunction with McAfee Endpoint Security, Adaptive Threat Prevention and Endpoint Detection and Remediation (ENS, ATP and EDR).
DLP coverage can be extended further by using MVISION Cloud and McAfee Client Proxy to redirect traffic through McAfee Web Gateway.
1.1 Main objectives
The main objectives of the examples are:
- Provide DLP classifications for sensitive data
- Detection Policy – non-intrusive silent monitoring
  o Provide example DLP policies containing DLP rules that use the classifications to detect the MITRE techniques
- Prevention Policy – Block
  o Contains the same DLP rules as the Detection policy, with Block as the reaction
1.2 Reference to additional DLP recommendations
The McAfee Expert Center – DLP section:
https://community.mcafee.com/t5/EC-Data-Loss-Prevention-DLP/bd-p/data-loss-prevention-expert-center
1.3 Notes
The classification and rules have been created in DLPE version 11.6 and can also be created in 11.4 and 11.5.
Generic – Examples of DLP rules for of MITRE techniques detection Page 2 of 25
2 DLP Policy
There are two DLP Policies, one for detection and one for prevention. The two policies have the same rules with a few exceptions.
IMPORTANT
Do not import the DLP policy backup before you have made a backup of your current DLP policy! The DLP policy import will overwrite every DLP classification, definition and rule on the ePO server where it is imported. It is recommended that the policy is imported on a test ePO server first to verify the DLP configuration.
Procedure for DLP Policy import:
- ePO menu - DLP Settings
  o Backup & Restore
  o Restore from file
3 Classifications
Classifications are important for DLP rules to trigger on the right data. The classifications identify the sensitive data as well as the data that should be excluded; the exceptions are just as important. This section contains the list of classifications used in these example DLP rules.
List of the Classifications:
Classification: Description
_Any Office and PDF file: True File Type classification of Office and PDF documents. This detects the file type based on the content and not the file extension.
_Any True Type file: Any file identified with True File Type – all True File Types selected.
_Any executable: Detects executable files using True File Type.
_Certificate files based on extension: Detection of common extensions for certificate files, using the definition for File Extensions.
_Compressed: True File Type classification of compressed files. This detects the file type based on the content and not the file extension.
_Encrypted: Detects unsupported encrypted or password-protected files.
_Exclude windows assembly: Used for exclusion of some executable files.
_From_Share: Location content fingerprinting which can be used to track “Any” files from sensitive file shares. It is important to list the servers to monitor in the Network Share definition – “Servers to monitor”.
_Location_fingerprint: Test for identification of local shares using Location content fingerprinting.
_Originated_from_Outlook: Identifies any files arriving by Outlook using Application content fingerprinting.
_Other documents TXT: Uses True Type to identify text files.
_PEM file: Classifies files which contain certificate sections, like .PEM and .CER.
_PEM file (keywords): Uses Keywords to identify the certificate files – a different method than the Proximity used in the “_PEM file” classification.
_Procdump: Specifically identifies the procdump file.
_XML file: Classifies XML based on the content using True Type.
_invoke-mini: Classifies the invoke-mini.ps1 file, which can be used in attacks.
_machine.config: Identifies the machine.config used by PowerShell; used for exceptions in DLP rules.
_pstools: Classification of PS Tools from Microsoft/SysInternals, often used in information gathering activities which can be an indicator of malicious activity.
4 Definitions
The classifications use the definitions listed below; the definition each classification relies on is named in the classification section.
4.1.1 File Information
File Information
MITRE exclude .ni.dll.aux
MITRE exclude Sysmain.sdb
MITRE invoke-mini.ps1
MITRE machine.config
MITRE procdump
MITRE psexec.exe
MITRE psexesvc.exe
MITRE pstools.zip
4.1.2 Application Template
Application Template
.McAfee ENS Path
.MITRE extraction tools
.MITRE Outlook
.MITRE PowerShell
Any application
BT file transfer application
Encryption A
ENS – VSE
4.1.3 Network Share
Network Share
Servers to monitor
Local folder
4.1.4 Network addresses
Common Private Ranges
LAB range Example
5 DLP Detection policy
There are two DLP Policies, one for detection and one for prevention. The two policies have the same rules with a few exceptions.
Note that the rules are mainly created to detect background activity not initiated by the end-user, so no email or web protection rules are included.
DLPE can generate detections from multiple rules at once; in that case the rule with the highest severity and the most restrictive reaction is the one that is applied.
The example Rule Set has been created as: 802 MITRE PT2020.12
Rules in the set (State, Rule, Severity, Data, Users, Protection type):
Rule: 801 Monitor ALL Network Shares and ALL files
  State: Disabled; Severity: Info; Data: any data; Users: any user; Protection: Network Share Protection
Rule: 803 Monitor PowerShell file access (AD User)
  State: Disabled; Severity: Info; Data: _Compressed, _Encrypted, _Any True Type file, _Any Office and PDF file, _Originated_from_Outlook; Users: any user; Protection: Application File Access Protection
Rule: 804 Monitor PowerShell file access (Local user)
  State: Enabled; Severity: Info; Data: _Compressed, _Encrypted, _Any True Type file, _Any Office and PDF file, _Any executable, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension; Users: any local user; Protection: Application File Access Protection
Rule: 804 Monitor PowerShell file access to PII (Local user)
  State: Enabled; Severity: Warning; Data: PCI, US PII; Users: any local user; Protection: Application File Access Protection
Rule: 807 Monitor Office access to files from Outlook
  State: Enabled; Severity: Warning; Data: _Any Office and PDF file, _Originated_from_Outlook, _Other documents TXT; Users: any local user; Protection: Application File Access Protection
Rule: 820 Monitor Screen capture
  State: Enabled; Severity: Info; Data: _Compressed, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Certificate files based on extension; Users: any user; Protection: Screen Capture Protection
Rule: 830 Monitor any port in LAN in and out
  State: Enabled; Severity: Info; Data: _Compressed, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Exclude windows assembly, _Originated_from_Outlook; Users: any user; Protection: Network Communication Protection
Rule: 830 Monitor any port in LAN out
  State: Enabled; Severity: Info; Data: PCI, US PII, Top Secret, _Compressed, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Exclude windows assembly, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension; Users: any user; Protection: Network Communication Protection
Rule: 830 Monitor any port in LAN out PII and PCI
  State: Enabled; Severity: Warning; Data: PCI, US PII; Users: any user; Protection: Network Communication Protection
Rule: T1021.002 Remote Services SMB/Windows Admin Share - Cloud storage
  State: Enabled; Severity: Warning; Data: _Compressed, _Encrypted, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension; Users: any user; Protection: Cloud Protection
Rule: T1021.002 Remote Services SMB/Windows Admin Share (802)
  State: Enabled; Severity: Warning; Data: _Compressed, _From_Share, _Encrypted, _Location_fingerprint, _Any Office and PDF file, _Any executable, _Originated_from_Outlook; Users: any user; Protection: Network Share Protection
Rule: T1021.003 Remote Services SMB/Windows Admin Share (802)
  State: Enabled; Severity: Major; Data: PCI, US PII, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension; Users: any user; Protection: Network Share Protection
Rule: T1027 Obfuscated Files or Information
  State: Enabled; Severity: Major; Data: _Compressed, _Encrypted; Users: any user; Protection: Application File Access Protection
Rule: T1055 Defense evasion - Monitor Unknown application access to files (806)
  State: Enabled; Severity: Major; Data: PCI, US PII, _Compressed, _From_Share, _Encrypted, _Location_fingerprint, _Any True Type file, _Any Office and PDF file, _Any executable, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Procdump, _pstools, _invoke-mini, _Certificate files based on extension; Users: any user; Protection: Application File Access Protection
Rule: T1074 Data Staged - Monitor file access (803)
  State: Enabled; Severity: Warning; Data: _Compressed, _Encrypted, _Any Office and PDF file, _Originated_from_Outlook, _PEM file, _PEM file (keywords), _Certificate files based on extension; Users: any user; Protection: Application File Access Protection
Rule: T1082 System Information Discovery - Monitor PowerShell file access (803)
  State: Disabled; Severity: Major; Data: _machine.config; Users: any user; Protection: Application File Access Protection
Rule: T1086 Data Staged - Monitor PowerShell file access (803)
  State: Enabled; Severity: Major; Data: _Compressed, _Encrypted, _PEM file, _PEM file (keywords), _Certificate files based on extension; Users: any user; Protection: Application File Access Protection
Rule: T1086 T1003 Data Staged and Credential Dumping by PowerShell file access (803)
  State: Enabled; Severity: Critical; Data: _Procdump, _pstools, _invoke-mini; Users: any user; Protection: Application File Access Protection
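The following is an added illustration, not part of the McAfee document or the DLPE product, of how the content-based classifications of section 3 and the "highest severity, most restrictive reaction wins" resolution of section 5 fit together. Rule names, severities and classification names are taken from the tables above; the magic-byte checks, the BEGIN/END marker test, the certificate extension list and the application template names ("powershell", "unknown") are assumptions standing in for the DLPE definitions.

```python
import io
import zipfile

SEVERITY = {"Info": 0, "Warning": 1, "Major": 2, "Critical": 3}   # higher wins
REACTION = {"Report Incident": 0, "Block": 1}   # Block is the Protection policy reaction (section 6)
CERT_EXTENSIONS = {"pem", "cer", "crt", "pfx", "p12", "key"}      # assumed extension list
PSTOOLS_NAMES = {"psexec.exe", "psexesvc.exe", "pstools.zip"}     # from section 4.1.1

def classify(name: str, data: bytes) -> set:
    """Return the section 3 classification names matching one file. Magic bytes stand
    in for True File Type; the BEGIN/END marker test stands in for the _PEM file proximity rule."""
    tags = set()
    lname = name.lower()
    if data.startswith((b"%PDF-", b"\xd0\xcf\x11\xe0")):  # PDF or legacy Office container
        tags.add("_Any Office and PDF file")
    if data.startswith(b"PK\x03\x04"):  # ZIP container
        tags.add("_Compressed")
        try:  # OOXML documents are ZIPs that carry [Content_Types].xml
            if "[Content_Types].xml" in zipfile.ZipFile(io.BytesIO(data)).namelist():
                tags.add("_Any Office and PDF file")
        except zipfile.BadZipFile:
            pass
    if data.startswith(b"MZ"):
        tags.add("_Any executable")
    if b"-----BEGIN " in data and b"-----END " in data:
        tags.add("_PEM file")
    if "." in lname and lname.rsplit(".", 1)[1] in CERT_EXTENSIONS:
        tags.add("_Certificate files based on extension")
    if lname == "invoke-mini.ps1":
        tags.add("_invoke-mini")
    if "procdump" in lname:
        tags.add("_Procdump")
    if lname in PSTOOLS_NAMES:
        tags.add("_pstools")
    return tags

# Subset of the Detection rule set: (name, application templates or None for any,
# classifications, severity, reaction). Reactions are those of the Detection policy.
RULES = [
    ("804 Monitor PowerShell file access (Local user)", {"powershell"},
     {"_Compressed", "_Any executable", "_PEM file", "_Procdump", "_pstools",
      "_invoke-mini", "_Certificate files based on extension"}, "Info", "Report Incident"),
    ("T1086 Data Staged - Monitor PowerShell file access (803)", {"powershell"},
     {"_Compressed", "_PEM file", "_Certificate files based on extension"}, "Major", "Report Incident"),
    ("T1086 T1003 Data Staged and Credential Dumping by PowerShell file access (803)",
     {"powershell"}, {"_Procdump", "_pstools", "_invoke-mini"}, "Critical", "Report Incident"),
    ("T1055 Defense evasion - Monitor Unknown application access to files (806)", {"unknown"},
     {"_Compressed", "_Any Office and PDF file", "_Any executable", "_PEM file", "_Procdump",
      "_pstools", "_invoke-mini"}, "Major", "Report Incident"),
]

def effective_rule(app: str, name: str, data: bytes, rules=RULES):
    """Resolve overlapping hits as section 5 states: highest severity wins, then the
    most restrictive reaction. Returns the winning rule name, or None if nothing matched."""
    tags = classify(name, data)
    hits = [r for r in rules if (r[1] is None or app in r[1]) and tags & r[2]]
    if not hits:
        return None
    return max(hits, key=lambda r: (SEVERITY[r[3]], REACTION[r[4]]))[0]

def make_ooxml_sample() -> bytes:
    """Constructed stand-in for a .docx: a ZIP holding the OOXML marker part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()
```

Passing a rule list that adds a Major rule with the Block reaction to effective_rule shows the reaction tiebreaker in action: it outranks a Major rule whose reaction is Report Incident.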
5.1 The individual rules
801 Monitor ALL Network Shares and ALL files
This is a “flight recorder rule” which is only to be used to capture information about all files being copied to network shares. Disabled by default.
Exceptions: None
Reaction: Report Incident is selected
803 Monitor PowerShell file access (AD User)
This is a “flight recorder rule” which is only to be used to capture information about all files being accessed by PowerShell. Disabled by default.
Exceptions: Do not track executables and Windows assembly files. Exclude local users.
Reaction: Report Incident is selected
804 Monitor PowerShell file access (Local user)
This is a “flight recorder rule” which is used to capture information about all files being accessed by PowerShell running as a local user.
Exceptions:
Reaction: Report Incident is selected
804 Monitor PowerShell file access to PII (Local user)
Detects whether PowerShell is accessing any sensitive information. In this example it is PCI and US PII classified material which is monitored. This can be extended to monitor other sensitive information.
Exceptions:
Reaction: Report Incident is selected
807 Monitor Office access to files from Outlook
This is a “flight recorder rule” which is used to capture information about all files being accessed by Office applications running as a local user, and includes information about whether these files originate from Outlook.
Exceptions: None enabled
Reaction: Report Incident is selected
820 Monitor Screen capture
This is a “flight recorder rule” which is used to monitor screen captures being performed.
Exceptions: None enabled
Reaction: Report Incident is selected
830 Monitor any port in LAN in and out
This is a “flight recorder rule” which is used to capture information about all files being transmitted over the network in the common private ranges.
Exceptions: None enabled
Reaction: Report Incident is selected
830 Monitor any port in LAN out
This is a “flight recorder rule” which is used to capture information about all files being transmitted outbound in the lab environment. This also covers PCI and US PII classified files.
Exceptions: None enabled
Reaction: Report Incident is selected
830 Monitor any port in LAN out PII and PCI
This is a “flight recorder rule” which is used to capture information about all files being transmitted outbound in the lab environment. This only covers PCI and US PII classified files.
Exceptions: None enabled
Reaction: Report Incident is selected
T1021.002 Remote Services SMB/Windows Admin Share - Cloud storage
This is a “flight recorder rule” which monitors potentially sensitive files, and encrypted or compressed files, placed in the cloud storage synchronization folders.
Exceptions: None enabled
Reaction: Report Incident is selected
T1021.002 Remote Services SMB/Windows Admin Share (802)
This is a “flight recorder rule” which monitors fingerprinted, encrypted or compressed files copied to any network share.
Exceptions: None enabled
Reaction: Report Incident is selected
T1021.003 Remote Services SMB/Windows Admin Share (802)
This is a “flight recorder rule” which monitors potentially sensitive files (PCI and PII classified files) copied to any network share. Any other relevant classifications can be added for monitoring, and the severity is increased to Major.
Exceptions: None enabled
Reaction: Report Incident is selected
T1027 Obfuscated Files or Information
Monitors the list of extraction tools (.MITRE extraction tools) or PowerShell accessing compressed or encrypted files.
Exclusions: Executables and Windows assembly files, plus local non-domain users
Reaction: Report Incident is selected
T1055 Defense evasion - Monitor Unknown application access to files (806)
This rule can provide valuable information if unknown applications are touching any files, and identifies whether these files contain sensitive information (PCI and PII).
Exceptions: None enabled
Reaction: Report Incident is selected
T1074 Data Staged - Monitor file access (803)
Monitors the list of extraction tools (.MITRE extraction tools) or PowerShell accessing sensitive, compressed or encrypted files.
Exclusions: Executables and Windows assembly files, plus local non-domain users
Reaction: Report Incident is selected
T1082 System Information Discovery - Monitor PowerShell file access (803)
Monitors when PowerShell accesses the machine.config file.
Exclusions: Executables and Windows assembly files, plus local non-domain users
Reaction: Report Incident is selected
T1086 Data Staged - Monitor PowerShell file access (803)
Monitors PowerShell accessing sensitive, compressed or encrypted files.
Exclusions: Executables and Windows assembly files, plus local non-domain users
Reaction: Report Incident is selected
T1086 T1003 Data Staged and Credential Dumping by PowerShell file access (803)
Monitors sensitive tools being accessed by PowerShell and generates an incident with Critical severity.
Exceptions: None enabled
Reaction: Report Incident is selected
6 DLP Protection policy
This policy is very much like the Detection Policy. The rule set has been duplicated and the reaction has been changed to Block, or to Require Justification (for the Network Protection rules) where the Block reaction is not available. The rules are not listed here as they are all covered in the DLP Detection policy section.
IMPORTANT
Enabling the blocking rules can cause issues in an environment. The policy must run in Detection/Monitor mode for some days, and tuning of the rules must be performed before enabling the Protection DLP Policy.
7 Acronyms and Terms
Acronyms and Terms v2012
Acronym Description
Admin ePO administrator or network administrator (previously Global Admin)
Agent McAfee software used to manage point products on endpoint machines
AH Agent Handler: Component of ePO used to communicate with agents installed on endpoints
AR Active Response
ASCI Agent-server communication interval
ASSC Agent-to-server secure communication
ATD Advanced Threat Defense
ATP Adaptive Threat Protection
CEE Complete Protection Enterprise Suite
DAC Dynamic Application Containment
DLPE Data Loss Prevention for Endpoints (previously known as HDLP)
DR Disaster Recovery
DXL Data Exchange Layer (used by TIE and AR)
EDR Endpoint Detection and Remediation
EEDK ePO Endpoint Deployment Kit
EEFF McAfee Endpoint Encryption for Files and Folders (now named FRP)
EEPC Endpoint Encryption for PC (now named MDE)
EERM Endpoint Encryption for Removable Media (now named FRP)
ENS Endpoint Security
ePO ePolicy Orchestrator
EPP Endpoint Protection
ESM Enterprise Security Management (SIEM)
FIM File Integrity Monitor (Solidcore)
FRP McAfee File and Removable Media Protection (previously known as EEFF)
GTI Global Threat Intelligence
GUID Globally Unique Identifier; random 64-bit value used specifically by ePO
HA High Availability
HDLP Host Data Loss Prevention (now named DLPE)
HIPS Host Intrusion Prevention
MA McAfee Agent
MAC McAfee Application Control (Solidcore)
MCC McAfee Change Control (Solidcore)
MDE McAfee Device Encryption (previously known as EEPC)
MOVE Management for Optimized Virtual Environments
MVM McAfee Vulnerability Manager
NDLP Network Data Loss Prevention
NSP Network Security Platform
NTBA Network Threat Behavior Analysis
PA Policy Auditor
Policy Settings and configurations applied to point-products on endpoint machines
RA Risk Advisor
Repository Collection of the software used to deploy and update point-products on endpoint machines
RP Real Protect
RSD/Sensor Rogue System Detection Sensor
SA McAfee SuperAgent
SAR McAfee SuperAgent Repository
SAE Site Advisor Enterprise
SIEM Security Information and Event Management – McAfee ESM
TIE Threat Intelligence Exchange
VSE McAfee VirusScan Enterprise
VSES McAfee VirusScan Enterprise for Storage