samenvattingH4ThreatIntelligence
2 Threat intelligence
Actionable threat intelligence
o threat intelligence that can be readily used: proper support of visibility and context,
useful indicators for prioritizing, integrated with the security solutions used by the
organization, and with a clear path to remediation
5 Bianco’s pyramid of pain and indicators of compromise
Indicators of compromise
o are old fashioned threat intelligence if they are only low level
o pyramid of pain extends this to higher levels (up to TTPs)
Bianco’s pyramid of pain
o Hash values
SHA1, MD5 or other similar hashes that correspond to specific suspicious or
malicious files
o IP addresses
It's, um, an IP address. Or maybe a netblock
o Domain names
This could be either a domain name itself (e.g., "evil.net") or maybe even a
sub- or sub-sub-domain (e.g., "this.is.sooooo.evil.net")
o Network artifacts
Observables caused by adversary activities on your network
o Host artifacts
Observables caused by adversary activities on one or more of your hosts
o Tools
Software used by the adversary to accomplish their mission
o Tactics, techniques and procedures (TTPs)
How the adversary goes about accomplishing their mission, from
reconnaissance all the way through data exfiltration and at every step in
between
The pyramid defines the pain it will cause the adversary when you are able to deny those
indicators to them
indicator-led threat intelligence
o The most common indicators of compromise are still low level technical (signature
type) indicators that most people feel should not be labelled “intelligence” or should
be labelled “technical threat intelligence”
6 Cyber kill chain
Lockheed Martin kill chain
o important model, and it also helps you to describe the goal of the attack and how the
attacker got in
o look at an incident from an attacker’s perspective
o helps to identify the threats and risks, and the COA (Courses of Action) matrix helps
to decide on technical measures based on this model
COA matrix is part of the defence perspective
For each phase of the kill chain
o white diamond indicates relevant, but passive, detections were in place at the
time of that month’s intrusion attempt
o a black diamond indicates relevant mitigations were in place
o empty cell indicates no relevant capabilities were available
Diamond Model’s atomic element event
o an event describes the four core features present in every malicious event: for every
intrusion event there exists an adversary taking a step towards an intended goal by
using a capability over infrastructure against a victim, producing a result
o the core features
adversary, infrastructure, capability and victim
o every core feature connected with every other core feature
except for adversary and victim that have no direct relationship
o Infrastructure
infrastructure used by the adversary to attack the victim, not the
infrastructure under attack
o relationship/vertices between features are based on analytic pivoting
Diamond expanded by 2 additional meta-features
o the technology meta-feature and the social-political meta-feature
technology meta-feature
o connects the infrastructure and capability and describes the technology enabling the
infrastructure and capabilities to interact effectively
social-political meta-feature
o describes the always existing, and sometimes enduring, relationship between
adversary and victim
Concept further extended into the centered approaches
o six approaches, from the four core features of the Diamond plus the technological
and social-political meta-features, enumerate all of the potential methods to discover
cyber threats
11 Activity thread
Once activity is discovered and events have been characterized and analysed, they are
ordered by the phases of malicious activity and linked by their causal relationship into
threads
Attack trees = attack graphs
Activity-attack graph
o Taking into account intelligence of adversary operations during planning not only to
deduce existing operations paths, but also to potentially predict future paths based
on adversary preference
Activity groups
o Groups of common/similar malicious events, adversary processes, and threads
o Further organized into activity group families
Horizontal correlation
o The analytic process of causally linking events between vertical threads across
adversary-victim pairs, identifying common knowledge gaps between threads, and
using knowledge from one thread to fill knowledge gaps in another
Vertical correlation
o The analytic process of identifying knowledge gaps, filling those gaps with new
knowledge, and establishing causal relationships (and associated arc labels) within a
single vertical adversary-victim activity thread
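As an added example (not part of the course notes), the Diamond Model's core features, a vertical activity thread, analytic pivoting along a diamond edge, and horizontal correlation with knowledge-gap filling, in Python over constructed events; the kill-chain phase names used for ordering the thread are an assumption:

```python
from dataclasses import dataclass
# Phase order used to sort a thread (assumption: the Lockheed Martin kill-chain phases)
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
CORE = ("adversary", "infrastructure", "capability", "victim")

@dataclass(frozen=True)
class Event:  # adversary uses capability over infrastructure against victim -> result
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    phase: str
    result: str

# Constructed sample events, not real indicators; "?" marks an adversary knowledge gap
EVENTS = [
    Event("ADV-1", "198.51.100.7", "implant-v2", "victim-A", "command_and_control", "success"),
    Event("ADV-1", "198.51.100.7", "dropper-A", "victim-A", "delivery", "success"),
    Event("ADV-1", "203.0.113.9", "implant-v2", "victim-B", "command_and_control", "failure"),
    Event("?", "198.51.100.7", "phish-kit", "victim-C", "delivery", "success"),
]

def activity_thread(events, adversary, victim):
    """Vertical view: events of one adversary-victim pair, ordered by kill-chain phase."""
    thread = [e for e in events if e.adversary == adversary and e.victim == victim]
    return sorted(thread, key=lambda e: PHASES.index(e.phase))

def pivot(events, feature, value):
    """Analytic pivoting: the other core features revealed by events sharing one value."""
    revealed = {f: set() for f in CORE if f != feature}
    for e in events:
        if getattr(e, feature) == value:
            for f in revealed:
                revealed[f].add(getattr(e, f))
    return revealed

def horizontal_correlation(events):
    """Threads of different adversary-victim pairs linked by shared infrastructure/capability."""
    per_pair = {}
    for e in events:
        per_pair.setdefault((e.adversary, e.victim), set()).update(
            {("infrastructure", e.infrastructure), ("capability", e.capability)})
    pairs = sorted(per_pair)
    return {(a, b): per_pair[a] & per_pair[b] for i, a in enumerate(pairs)
            for b in pairs[i + 1:] if per_pair[a] & per_pair[b]}

def fill_adversary_gap(events, gap_event):
    """Candidate adversaries for a "?" event: those sharing its infrastructure or capability."""
    return {e.adversary for e in events if e.adversary != "?" and
            (e.infrastructure == gap_event.infrastructure
             or e.capability == gap_event.capability)}
```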
Cyberwarfare context: C3 = command, control and communications
More offensive acronym C4ISR
o Command, Control, Communications, Computers, Intelligence, Surveillance and
Reconnaissance
TARA
o method combining threat modelling and risk assessment
o uses a catalogue that contains data from CAPEC, CVE and ATT&CK
o from MITRE
MAEC
o Does malware characterization
o Used during incident analysis
o helps to identify specific software using e.g., hashes, but also describing behaviour
and capabilities of malware
o a vocabulary to describe malware
The most important information consists of the attack patterns collected in CAPEC
and the TTPs collected in ATT&CK
Tactics in ATT&CK
o high level categories (e.g., lateral movement)
Techniques in ATT&CK
o detailed techniques that fit into a category, e.g., stealing credentials in a specific way
Procedures
o are the actual implementation of a technique, but these are not described in ATT&CK
PRE-ATT&CK
o preparation phases of the attack
o TTPs are less detailed and are also not platform specific
o making your organization prepared for all of this, so it is typically threat hunting
o CAR
a repository of analytics
o SIGMA
standard format for SIEM detection rules, which traces back to CAR and ATT&CK
Other formats
o YARA: analysing files
o Snort/Suricata/Zeek: analysing network traffic
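An added example, not a rule from the Sigma project or from the course: a minimal Sigma-style rule for the ATT&CK technique "Remote System Discovery" (net view), evaluated over constructed process-creation events. The evaluator supports only a subset of Sigma (the contains/startswith/endswith modifiers, value lists as OR, and conditions of the form "A and not B"); the inventory-agent filter and the event data are hypothetical.

```python
import re
# Constructed Sigma-style rule (illustrative, not one of the Sigma project's rules) for
# "Remote System Discovery" via net view; the filter excludes a hypothetical inventory agent
RULE = {
    "title": "Remote system discovery via net view (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["\\net.exe", "\\net1.exe"],
                      "CommandLine|contains": " view"},
        "filter": {"ParentImage|endswith": "\\inventory-agent.exe"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.discovery", "attack.t1018"],
}

def _value_matches(actual, modifier, expected):
    """Sigma string matching is case-insensitive; the common modifiers are supported."""
    a, x = str(actual).lower(), str(expected).lower()
    return {"contains": x in a, "startswith": a.startswith(x),
            "endswith": a.endswith(x), "": a == x}[modifier]

def _selection_matches(selection, event):
    """Every field of a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event.get(field, ""), modifier, v) for v in values):
            return False
    return True

def rule_matches(rule, event):
    """Evaluates conditions of the form 'A' or 'A and not B' (a subset of Sigma's grammar)."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"])
    hit = _selection_matches(det[m.group(1)], event)
    return hit and not (m.group(2) and _selection_matches(det[m.group(2)], event))

def alerts(rule, events):
    """Command lines of the events that trigger the rule, with the rule's ATT&CK tags."""
    return [(e["CommandLine"], rule["tags"]) for e in events if rule_matches(rule, e)]

# Constructed process-creation events (Sysmon-style field names); only the first should alert
EVENTS = [
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net view /domain",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\net1.exe", "CommandLine": "net view \\\\fs01",
     "ParentImage": "C:\\ProgramData\\Inventory-Agent.exe"},
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use Z: \\\\fs01\\share",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]
```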
Caldera: a tool for adversary emulation where the attack scenarios are linked to ATT&CK
Atomic Red Team
o Library (managed by Red Canary) of simple tests that execute one ATT&CK technique
with the purpose of checking your detection capabilities
Cascade
o a tool (not a database) for automated threat hunting
MISP
o Threat sharing platform
o Tool
FIRST
o groups several incident response sources and also provides a MISP instance
Unfetter
o is a threat reporting and analytics tool linked to CAR, STIX, ATT&CK and others
Engage
o considers the active defence activities that can be done against the ATT&CK TTPs
Atlas
o is the result of applying the ATT&CK model to the specific context of machine
learning-based AI systems
D3FEND
o lists the (passive defence) countermeasures and links them to ATT&CK TTPs and CAR
STIX and TAXII
o standards for the specification of the details related to the information mentioned
here (typically the yellow boxes), and for the standardized interchange of them
CybOX (today called SCO)
o concentrates on the observables
SCAP
o Security Content Automation Protocol
16 MITRE ATT&CK matrix
Reconnaissance
o consists of techniques that involve adversaries actively or passively gathering
information that can be used to support targeting
Resource Development
o consists of techniques that involve adversaries creating, purchasing, or
compromising/stealing resources that can be used to support targeting
Initial access
o consists of techniques that use various entry vectors to gain their initial foothold
within a network
Execution
o consists of techniques that result in adversary-controlled code running on a local or
remote system
Persistence
o consists of techniques that adversaries use to keep access to systems across restarts,
changed credentials, and other interruptions that could cut off their access
Privilege escalation
o consists of techniques that adversaries use to gain higher-level permissions on a
system or network
Defence evasion
o consists of techniques that adversaries use to avoid detection throughout their
compromise
Credential access
o consists of techniques for stealing credentials like account names and passwords
Discovery
o consists of techniques an adversary may use to gain knowledge about the system and
internal network
Lateral movement
o consists of techniques that adversaries use to enter and control remote systems on a
network
Collection
o consists of techniques adversaries may use to gather information and the sources
information is collected from that are relevant to following through on the
adversary's objectives
Command and control
o consists of techniques that adversaries may use to communicate with systems under
their control within a victim network
Exfiltration
o consists of techniques that adversaries may use to steal data from your network
Impact
o consists of techniques that adversaries use to disrupt availability or compromise
integrity by manipulating business and operational processes
the ATT&CK tactics (and also the techniques of course) are part of the final stages of the
cyber kill chain
17 Defence based on ATT&CK top 8
The point is that even without sector-specific intelligence, you come up with other defence
mechanisms than you would decide on in a traditional way
20 MITRE PRE-ATT&CK
PRE-ATT&CK and ATT&CK have several fundamental differences
o ATT&CK is tightly coupled to a specific enterprise network (e.g., Microsoft Windows,
Linux, or mobility environment) and therefore provides detailed technical
information relative to the adversary actions and defender mitigations for each
technique
o PRE-ATT&CK is agnostic to these differences since the adversary can operate across
any of these environments for their pre-compromise preparation activities
o The mitigations in ATT&CK can be very specific and effective
o PRE-ATT&CK mitigations are under development and will encompass technical and
policy-based mitigations
o While many of the ATT&CK mitigations required increased endpoint monitoring,
PRE-ATT&CK largely requires additional data sources to obtain information about
adversarial objectives and activities
21 Engage
Take as an example the ATT&CK technique “Remote System Discovery”
o when adversaries interact with the environment for this technique, they are
vulnerable: the defender can collect, observe or manipulate system artifacts, which may
cause the adversary to reveal behaviours
o The adversary engagement activity “Decoy artifacts and systems” satisfies this need
Engage complements the ATT&CK viewpoint with a defender perspective
Adversary Engagement
o is a combination of cyber denial and deception activities to interact with cyber
adversaries to achieve the defender’s goals
o Planting decoy credentials and monitoring for their use is an example
Cyber denial
o is the ability to prevent or otherwise impair the adversary’s ability to conduct their
operations
Cyber Deception
o intentionally reveals deceptive facts and fictions to mislead the adversary, while
concealing critical facts and fictions to prevent the adversary from forming correct
estimations or taking appropriate actions
Engagement goals
o Prepare, Expose, Affect, Elicit, Understand
o expose adversaries by using deceptive activities to provide high fidelity alerts
Engagement approaches
o plan, collect, detect, prevent, direct, disrupt, reassure, motivate, analyse
Pocket litter
o artifacts are placed on a system to reinforce the legitimacy of the system and/or user
Lures
o are systems and artifacts intended to serve as decoys, breadcrumbs, or bait to elicit a
specific response from the adversary
22 Atlas
ATLAS, a specific knowledge base of attacker behaviour related to attacking machine
learning based systems, was created; ATLAS stands for Adversarial Threat Landscape for
Artificial-Intelligence Systems
Adversarial examples
o are crafted for the replicated model, that are then transferred to the production
model
23 ATT&CK vs CAPEC
CAPEC
o Focus on application security
o Enumerates exploits against vulnerable systems
o Includes social engineering / supply chain
o Associated with Common Weakness Enumeration (CWE)
ATT&CK
o Focus on network defence
o Based on threat intelligence and red team research
o Provides contextual understanding of malicious behaviour throughout the adversary
campaign
o Supports testing and analysis of defence options
Comparing ATT&CK, Diamond, Lockheed Martin and CAPEC
o The Lockheed Martin Cyber Kill Chain and other kill chains seek to track adversary
movement, the Diamond Model seeks to correlate threat data into cohesive events,
the MITRE ATT&CK model seeks to define and predict specific behaviours, and CAPEC
focuses on exploitation of weaknesses. The kill chain phases are similar to ATT&CK
tactics, but ATT&CK does not prescribe the sequencing of the techniques
ENGAGE
o lists techniques that are not just meant to defend in general, but that are purposely
meant as the set of techniques that can be used to win against these adversaries
D3FEND
o lists the more typical passive defence countermeasures
CAR
o is related to ways of detecting the adversary executing the technique
24 ICS and ATT&CK
Some tactics are specific for ICS. The threat motivations are also different
Adversary motivations are different in ICS context
Operator evasion is combined with defence evasion as one tactic
25 D3FEND
deals with the problem of linking countermeasures and ATT&CK techniques
27 CAPEC example
A similar (but rare) link exists between some CAPEC entries and some ATT&CK entries
28 STIX2.1 architecture
Structured Threat Information Expression (STIX™)
o is a language and serialization format used to exchange cyber threat intelligence (CTI)
31 CVSS scoring system
CVSS is used to quantify the severity of a particular vulnerability (CVE)
It captures the principal technical characteristics of software, hardware and firmware
vulnerabilities
Its outputs include numerical scores indicating the severity of a vulnerability relative to other
vulnerabilities
three metric groups
o Base
o Temporal
o Environmental
Base metric group
o represents the intrinsic characteristics of a vulnerability that are constant over time
and across user environments
o Exploitability metrics
reflect the ease and technical means by which the vulnerability can be
exploited
o Impact metrics
reflect the direct consequence of a successful exploit and represent the
consequence to the thing that suffers the impact, which we refer to formally
as the impacted component
Temporal metric group
o reflects the characteristics of a vulnerability that may change over time but not
across user environments
Environmental metric group
o represents the characteristics of a vulnerability that are relevant and unique to a
particular user’s environment
32 VERIS
VERIS is used to organize incident data and to identify trends
33 OWASP
Open Web Application Security Project
is limited to web applications but provides important details in this area and is considered an
authoritative source to check when deploying your web application
Insecure design
o Insecure design is a broad category representing different weaknesses, expressed as
“missing or ineffective control design.”
Security misconfiguration
o most commonly seen issue
o This is commonly a result of insecure default configurations, incomplete or ad hoc
configurations, open cloud storage, misconfigured HTTP headers, and verbose error
messages containing sensitive information
Vulnerable and outdated components
o Components, such as libraries, frameworks, and other software modules, run with
the same privileges as the application
Identification and authentication failures
o Application functions related to authentication and session management are often
implemented incorrectly, allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other users’
identities temporarily or permanently
Software and data integrity failures
o This focuses on making assumptions related to software updates, critical data, and
CI/CD pipelines without verifying integrity
Security logging and monitoring failures
o Insufficient logging and monitoring, coupled with missing or ineffective integration
with incident response, allows attackers to further attack systems, maintain
persistence, pivot to more systems, and tamper, extract, or destroy data
Server-side request forgery (SSRF)
o SSRF flaws occur whenever a web application is fetching a remote resource without
validating the user-supplied URL
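As an added example (not code from the notes or from OWASP), the SSRF point above in code: a fetch that takes the user's URL unchecked next to a validated version that enforces the scheme, a host allowlist, the port, and a public resolved address that the caller pins for the connection. ALLOWED_HOSTS, the injectable resolver and the address values are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only external hosts this application is meant to fetch from
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}

def fetch_target_vulnerable(user_url):
    """Before: the user-supplied URL is used as-is, so the server can be pointed at any
    scheme, host or port reachable from its own network position."""
    return urlparse(user_url).netloc

def fetch_target_validated(user_url, resolve=socket.gethostbyname):
    """After: only http(s), an allowlisted host, default ports and a public address.
    Returns (host, pinned_ip); the caller must connect to pinned_ip with a Host header
    so a later DNS answer (rebinding) cannot change the destination. `resolve` is
    injectable so the check can be unit-tested offline."""
    parsed = urlparse(user_url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parsed.scheme)
    host = parsed.hostname  # lowercased, userinfo stripped, brackets removed
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist: %r" % host)
    if parsed.port not in (None, 80, 443):
        raise ValueError("port not allowed: %r" % parsed.port)
    addr = ipaddress.ip_address(resolve(host))
    # is_global rejects loopback, RFC 1918, link-local (cloud metadata), multicast, reserved
    if not addr.is_global:
        raise ValueError("host resolves to a non-public address: %s" % addr)
    return host, str(addr)

def is_allowed(user_url, resolve=socket.gethostbyname):
    """Boolean wrapper for use in request handlers and tests."""
    try:
        fetch_target_validated(user_url, resolve)
        return True
    except ValueError:
        return False
```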
35 Adversary emulation
Caldera
o can be used to test endpoint security solutions and assess a network’s security
posture against the common post-compromise adversarial techniques contained in
the ATT&CK model
Micro emulation plans
o are smaller, more specific combinations of techniques rather than modelling full-
scope breach scenarios
The goal of adversary emulation is different from pentesting
o Pentesting tests prevention capabilities and not so much detection
o Adversary emulation primarily tests detection capabilities
37 AMITT (Adversarial Misinformation and Influence Tactics and Techniques) framework
aims to describe disinformation incidents