Professional Documents
Culture Documents
Threat Informed Defense With ATTCK
Threat Informed Defense With ATTCK
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|2|
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|3|
-Theodore Roosevelt
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|4|
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|5|
What is
?
A knowledge base of
adversary behavior
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|6|
Mobile
ATT&CK
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|8|
Initial Access ecution Persistence Privilege scalation Defense vasion Credential Access Discovery ateral ovement Collection Command And filtration Impact
Control
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
|9|
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 10 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 11 |
▪ Anastasios Pingios ▪ Eric Kuehn, Secure Ideas ▪ McAfee ▪ Romain Dumont, ESET
▪ Andrew Smith, @jakx_ ▪ Erye Hernandez, Palo Alto Networks ▪ Michael Cox ▪ Ryan Becwar
▪ Barry Shteiman, Exabeam ▪ Felipe Espósito, @Pr0teus ▪ Mike Kemmerer ▪ Ryan Benson, Exabeam
▪ Bartosz Jerzman ▪ FS-ISAC ▪ Milos Stojadinovic ▪ Scott Lundgren, @5twenty9, Carbon Black
▪ Carlos Borges, CIP ▪ Itamar Mizrahi ▪ Nick Carr, FireEye ▪ Sudhanshu Chauhan, @Sudhanshu_C
▪ Casey Smith ▪ Itzik Kotler, SafeBreach ▪ Nik Seetharaman, Palantir ▪ Sunny Neo
▪ Christiaan Beek, @ChristiaanBeek ▪ Jacob Wilkin, Trustwave, SpiderLabs ▪ Nishan Maharjan, @loki248 ▪ Sylvain Gil, Exabeam
▪ Cody Thomas, SpecterOps ▪ Jan Miller, CrowdStrike ▪ Oddvar Moe, @oddvarmoe ▪ Teodor Cimpoesu
▪ Daniel Oakley ▪ Jeremy Galloway ▪ Patrick Campbell, @pjcampbe11 ▪ Tom Ueltschi @c_APT_ure
▪ Darren Spruell ▪ John Lambert, Microsoft Threat Intelligence Center ▪ Paul Speulstra, AECOM Global Security Operations ▪ Tony Lambert, Red Canary
Center
▪ Dave Westgard ▪ John Strand ▪ Travis Smith, Tripwire
▪ Pedro Harrison
▪ David Ferguson, CyberSponse ▪ Josh Abraham ▪ Tristan Bennett, Seamless Intelligence
▪ Praetorian
▪ David Lu, Tripwire ▪ Justin Warner, ICEBRG ▪ Valerii Marchuk, Cybersecurity Help s.r.o.
▪ Rahmat Nurfauzi, @infosecn1nja, PT Xynexis
▪ David Routin ▪ Leo Loobeek, @leoloobeek International ▪ Veeral Patel
▪ Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT ▪ Mark Wee ▪ Ricardo Dias ▪ Ye Yint Min Thu Htut, Offensive Security Team, DBS
Centre Bank
▪ Matt Graeber, @mattifestation, SpecterOps ▪ Richard Gold, Digital Shadows
▪ Elia Florio, Microsoft ▪ Yonatan Gotlib, Deep Instinct
▪ Matt Kelly, @breakersall ▪ Richie Cyrus, SpecterOps
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 12 |
Application Deployment
Accessibility Features Accessibility Features Binary Padding Brute Force Account Discovery Command-Line Automated Collection Automated Exfiltration Commonly Used Port
Software
Bypass User Account Application Window Exploitation of Communication Through
AppInit DLLs AppInit DLLs Credential Dumping Execution through API Clipboard Data Data Compressed
Control Discovery Vulnerability Removable Media
Bypass User Account File and Directory Custom Command and
Basic Input/Output System Code Signing Credential Manipulation Logon Scripts Graphical User Interface Data Staged Data Encrypted
Control Discovery Control Protocol
Local Network Custom Cryptographic
Bootkit DLL Injection Component Firmware Credentials in Files Pass the Hash PowerShell Data from Local System Data Transfer Size Limits
Configuration Discovery Protocol
Change Default File Exploitation of Local Network Connections Data from Network Shared Exfiltration Over
DLL Search Order Hijacking DLL Injection Pass the Ticket Process Hollowing Data Obfuscation
Handlers Vulnerability Discovery Drive Alternative Protocol
Exploitation of Data from Removable Exfiltration Over Command
Component Firmware DLL Search Order Hijacking Input Capture Network Service Scanning Remote Desktop Protocol Rundll32 Fallback Channels
Vulnerability Media and Control Channel
Peripheral Device Exfiltration Over Other
DLL Search Order Hijacking Legitimate Credentials DLL Side-Loading Network Sniffing Remote File Copy Scheduled Task Email Collection Multi-Stage Channels
Discovery Network Medium
Two-Factor Authentication Permission Groups Exfiltration Over Physical
Hypervisor Local Port Monitor Disabling Security Tools Remote Services Service Execution Input Capture Multiband Communication
Interception Discovery Medium
Exploitation of Replication Through
Legitimate Credentials New Service Process Discovery Third-party Software Screen Capture Scheduled Transfer Multilayer Encryption
Vulnerability Removable Media
Windows Management
Local Port Monitor Path Interception File Deletion Query Registry Shared Webroot Peer Connections
Instrumentation
Windows Remote
Logon Scripts Scheduled Task File System Logical Offsets Remote System Discovery Taint Shared Content Remote File Copy
Management
Service File Permissions Security Software Standard Application Layer
Modify Existing Service Indicator Blocking on Host Windows Admin Shares
Weakness Discovery Protocol
Service Registry Indicator Removal from System Information Windows Remote Standard Cryptographic
New Service
Permissions Weakness Tools Discovery Management Protocol
System Owner/User Standard Non-Application
Path Interception Web Shell Indicator Removal on Host
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. Discovery Layer Protocol
Redundant Access Legitimate Credentials System Service Discovery Uncommonly Used Port
– Detection
– Assessment and Engineering
– Threat Intelligence
– Adversary Emulation
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 14 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 15 |
Detection
▪ ook at others’ behavioral analytics and choose a few to implement
▪ Adapt them to your environment (tuning needed!)
▪ Check out these repositories to get started:
– Cyber Analytics Repository: https://car.mitre.org/
– Endgame EQL Analytics Library:
https://eqllib.readthedocs.io/en/latest/analytics.html
– Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-
Playbook
– Sigma: https://github.com/Neo23x0/sigma
– Atomic Threat Coverage: https://github.com/krakow2600/atomic-threat-
coverage
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 16 |
https://car.mitre.org/analytics/CAR-2013-03-001
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 17 |
Detection
▪ ook at what techniques you may be able to detect based on data you’re
already collecting
▪ Host-based data is useful, but consider network data too (e.g. Bro/Zeek)
▪ Example data sources associated with ATT&CK techniques:
– Windows registry
– Process monitoring
– Command-line parameters
– Network intrusion detection system
– and more…
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 18 |
Detection
▪ Choose one data source and write your own analytics
▪ Use our script help you pull the data sources from ATT&CK:
https://github.com/mitre-attack/attack-scripts/tree/master/scripts
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 19 |
Detection
▪ Assess your detection coverage across ATT&CK
– Consider starting with one tactic and expanding from there
– “ ” :
▪ 1-5 based on quality or number of detections
▪ Low, Medium, High based on confidence you would detect that behavior
▪ Remember you’ll never get to 100% or “perfect” coverage!
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 20 |
Detection
Initial Access ecution Persistence Privilege scalation Defense vasion Credential Access Discovery ateral ovement Collection Command And filtration Impact
Control
ATT&CK Navigator
https://github.com/mitre-attack/attack-navigator
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 21 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 22 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 23 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 24 |
Spearphishing Attachment?
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 25 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 26 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 27 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 28 |
Threat Intelligence
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 29 |
Threat Intelligence
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 30 |
Threat Intelligence
▪ Map your threat intelligence to ATT&CK
– Start with one group or software sample
– Use an incident write-up or an intelligence report
▪ Consider how you can store the intel
– Excel, Threat Intelligence Platform, other?
▪ Start at the tactic level
▪ Use existing website examples
▪ Take it as a learning experience
▪ Work as a team
▪ Use it to make detection and mitigation recommendations to defenders
– Based on adversaries that have targeted you
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 31 |
Scripting (T1064)
Registry Run Keys / Startup Folder (T1060)
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 32 |
Threat Intelligence
▪ Map more of your own threat intelligence to ATT&CK
– Incident response data
– Threat intel subscriptions
– Real-time alerts
– Historic reporting
▪ Prioritize frequently used techniques
– Remember any ATT&CK-mapped data has biases:
https://www.slideshare.net/KatieNickels/first-cti-symposium-turning-intelligence-into-action-with-mitre-attck
APT28 Techniques*
Initial Privilege Defense Credential Lateral Command
Execution Persistence Escalation Evasion Access
Discovery
Movement
Collection Exfiltration
and Control
Access
Initial Access ecution Persistence Privilege scalation Defense vasion Credential Access Discovery ateral ovement Collection filtration Command And Control
APT29 Techniques
Initial Privilege Defense Credential Lateral Command
Execution Persistence Escalation Evasion Access
Discovery
Movement
Collection Exfiltration
and Control
Access
Initial Access ecution Persistence Privilege scalation Defense vasion Credential Access Discovery ateral ovement Collection filtration Command And Control
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 35 |
APT28
APT29
Both groups Prioritize!
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 36 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 39 |
Adversary Emulation
▪ No red team? No problem!
▪ Defenders can try out red teaming tools to get your feet wet
– CALDERA: https://github.com/mitre/caldera
– Red Team Automation: https://github.com/endgameinc/RTA
– Metta: https://github.com/uber-common/metta
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 40 |
Adversary Emulation
Red Canary’s Atomic Red Team (https://atomicredteam.io/)
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 41 |
Adversary Emulation
▪ Use ATT&CK to mature what your red team is doing
– Have your team choose a different ATT&CK technique each week
– ’
– Bring in your threat intel analysts to talk about how adversaries are using it
– Communicate with your blue team in a common language
▪ Have your red team start emulating ATT&CK techniques themselves
– APT3 Adversary Emulation Plan:
https://attack.mitre.org/resources/adversary-emulation-plans/
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 42 |
Adversary Emulation
APT3 Adversary Emulation Field Manual
Category Built-in Windows Cobalt Strike Metasploit Description
Discovery
T1082 ver shell ver Get the Windows OS version that's
T1082 set get_env.rb
shell set Print all of the environment variables
Get current user information, SID,
T1033 whoami /all /fo list shell whoami /all /fo list getuid domain, groups the user belongs to,
net config workstation shell net config Get computer name, username, OS
T1082 net config server workstation software version, domain information,
ipconfig Get information about the domain,
T1016 ipconfig /all shell ipconfig post/windows/gather/en network adapters, DNS / WSUS
systeminfo [/s COMPNAME] systemprofiler tool if no Displays detailed configuration
[/u DOMAIN\user] [/p access yet (victim sysinfo, run winenum, information about a computer and its
T1082 password] browses to website) get_env.rb operating system, including
reg query shell reg query reg queryval -k
"HKEY_LOCAL_MACHINE\SY "HKEY_LOCAL_MACHIN "HKEY_LOCAL_MACH Check for the current registry value
STEM\CurrentControlSet\Contr E\SYSTEM\CurrentContro INE\SYSTEM\CurrentC for terminal services, if it's 0, then
ol\Terminal Server" /v lSet\Control\Terminal ontrolSet\Control\Termi terminal services are enabled. If it's
T1012 fDenyTSConnections Server" /v nal Server" -v 1, then they're disabled
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 43 |
Adversary Emulation
▪ Develop your own adversary emulation plan
▪ Choose an adversary that is important to you
▪ Use ATT&CK to communicate findings and drive defenders to improve
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 45 |
Takeaways
▪ ATT&CK can help you create a threat-informed defense,
no matter if you’re or
▪ Do what you can, with what you have, where you are:
– Detection
– Assessment and Engineering
– Threat Intelligence
– Adversary Emulation
▪ Choose a starting point that works for your team
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 46 |
https://attack.mitre.org
attack@mitre.org
@MITREattack
Michael Long
@michaellongii
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.