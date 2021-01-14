
State of the ATT&CK - ATT&CKcon Power Hour

Presentation summarizing the ATT&CKcon Power Hour and discussing ATT&CK in 2020 and 2021.


1. State of the ATT&CK®. Adam Pennington, ATT&CK Lead, @_whatshisface
2. MITRE ATT&CK Remains Strong
   • Backed by 39 MITRE staff and a growing community
   • Workstreams: Enterprise, Cloud, Network Devices, ICS, Mobile, CAR, Infrastructure, Threat Intel, Outreach
3. + =
4. ATT&CKcon Power Hour by the Numbers
   • CFP open three weeks in August
   • 46% of submissions on the last day, 73% in the last four
   • 28% acceptance rate, judged blind by a 6-person PC
   • 4 90-minute sessions over 4 months
   • 20 talks
5. ATT&CKcon Power Hour Themes: Cloud, Mobile, Threats, ATT&CK (meme by @savvyspoon; likethecoins)
6. ATT&CKcon 2021
7. Looking Back on 2020 (image: http://gunshowcomic.com/648)
8. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
   [Image: Enterprise ATT&CK matrix as of May 2019 (© 2019 The MITRE Corporation), showing the pre-sub-technique layout; the Collection, Command and Control, Exfiltration and Impact columns are visible, e.g. Impact: Data Destruction, Data Encrypted for Impact, Defacement, Disk Content Wipe, Disk Structure Wipe, Endpoint Denial of Service, Firmware Corruption, Inhibit System Recovery, Network Denial of Service, Resource Hijacking, Runtime Data Manipulation, Service Stop, Stored Data Manipulation, Transmitted Data Manipulation.]
9. [Image: Enterprise ATT&CK as of January 2021, 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.]
10. Why Sub-Techniques?
   • Abstraction imbalance across the knowledge base: some techniques broad (Masquerading), some narrow (Rundll32). Most common complaint over the past couple of years
   • Techniques have a lot of depth to them: some don't read beyond the name, and an analytic per technique may not make coverage "green"
   • Technique overload: "Too many techniques!" "The matrix is too big!"
11. Sub-Technique Example. Credential Access: Brute Force, Forced Authentication, Input Capture, OS Credential Dumping, Unsecured Credentials, … OS Credential Dumping sub-techniques: Security Accounts Manager, LSA Secrets, Cached Domain Credentials, Proc Filesystem, …
12. New Technique Page
13. New Sub-Technique
14. Sub-Techniques are Here!
   • Released March 31st in beta
   • Became ATT&CK on July 8th
   • Website, STIX/TAXII, ATT&CK Navigator
   • Crosswalks from pre sub-techniques to sub-techniques
   • Design & Philosophy paper
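Slides 10 to 14 describe what the sub-technique release changed in the data: the STIX/TAXII feed gained a sub-technique flag and "subtechnique-of" relationships, retired technique IDs were crosswalked to their replacements, and the Navigator had to show coverage per sub-technique so that one analytic per technique no longer reads as "green". The following is an added example, not MITRE's code: it walks a constructed excerpt shaped like the enterprise-attack STIX 2.0 bundle, builds the parent/sub-technique tree, translates a retired ID through a "revoked-by" relationship (T1086 PowerShell to T1059.001), rolls coverage up to the parent as the fraction of covered sub-techniques, and emits a Navigator layer. The STIX object ids, the Navigator layer format version and the analytic list are assumptions; the ATT&CK ids and names are the published ones.

```python
"""Sub-technique roll-up over an ATT&CK STIX 2.0 bundle (added example, not MITRE code).

BUNDLE is a constructed excerpt in the shape of the enterprise-attack bundle
served from GitHub/TAXII; STIX object ids are placeholders. A real run would use
json.load(open("enterprise-attack.json")) instead.
"""
import json
from collections import defaultdict


def attack_pattern(stix_id, attack_id, name, sub=False, revoked=False):
    """Minimal attack-pattern object in the shape ATT&CK publishes."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--{stix_id}",
        "name": name,
        "revoked": revoked,
        "x_mitre_is_subtechnique": sub,
        "external_references": [{
            "source_name": "mitre-attack",
            "external_id": attack_id,
            "url": "https://attack.mitre.org/techniques/" + attack_id.replace(".", "/"),
        }],
    }


def relationship(kind, source, target):
    """subtechnique-of (sub -> parent) or revoked-by (old id -> replacement)."""
    return {"type": "relationship", "relationship_type": kind,
            "source_ref": f"attack-pattern--{source}",
            "target_ref": f"attack-pattern--{target}"}


BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    attack_pattern("t1003", "T1003", "OS Credential Dumping"),
    attack_pattern("t1003-002", "T1003.002", "Security Account Manager", sub=True),
    attack_pattern("t1003-004", "T1003.004", "LSA Secrets", sub=True),
    attack_pattern("t1003-005", "T1003.005", "Cached Domain Credentials", sub=True),
    attack_pattern("t1003-007", "T1003.007", "Proc Filesystem", sub=True),
    attack_pattern("t1059", "T1059", "Command and Scripting Interpreter"),
    attack_pattern("t1059-001", "T1059.001", "PowerShell", sub=True),
    attack_pattern("t1086", "T1086", "PowerShell", revoked=True),  # pre-July-2020 id
    relationship("subtechnique-of", "t1003-002", "t1003"),
    relationship("subtechnique-of", "t1003-004", "t1003"),
    relationship("subtechnique-of", "t1003-005", "t1003"),
    relationship("subtechnique-of", "t1003-007", "t1003"),
    relationship("subtechnique-of", "t1059-001", "t1059"),
    relationship("revoked-by", "t1086", "t1059-001"),  # the crosswalk entry
]}


def attack_id(obj):
    """ATT&CK id (Txxxx or Txxxx.yyy) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def split_bundle(bundle):
    patterns = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return patterns, rels


def subtechnique_tree(bundle):
    """Parent ATT&CK id -> sorted sub-technique ids; revoked objects are dropped."""
    patterns, rels = split_bundle(bundle)
    tree = defaultdict(list)
    for rel in rels:
        if rel["relationship_type"] != "subtechnique-of":
            continue
        sub, parent = patterns[rel["source_ref"]], patterns[rel["target_ref"]]
        if sub.get("revoked") or parent.get("revoked"):
            continue
        if not sub.get("x_mitre_is_subtechnique"):
            raise ValueError(f"{attack_id(sub)} is a subtechnique-of source but not flagged")
        tree[attack_id(parent)].append(attack_id(sub))
    for obj in patterns.values():  # techniques without sub-techniques still get an entry
        if not obj.get("x_mitre_is_subtechnique") and not obj.get("revoked"):
            tree.setdefault(attack_id(obj), [])
    return {parent: sorted(subs) for parent, subs in tree.items()}


def crosswalk(bundle):
    """Retired id -> replacement id, from revoked-by relationships."""
    patterns, rels = split_bundle(bundle)
    return {attack_id(patterns[r["source_ref"]]): attack_id(patterns[r["target_ref"]])
            for r in rels if r["relationship_type"] == "revoked-by"}


def coverage(tree, walk, analytic_ids):
    """Score 0..1 per id. A parent with sub-techniques scores by the fraction of its
    sub-techniques that have an analytic; citing the bare parent id alone does not
    turn it green, which is the slide-10 complaint."""
    covered = {walk.get(i, i) for i in analytic_ids}
    scores = {}
    for parent, subs in tree.items():
        if not subs:
            scores[parent] = 1.0 if parent in covered else 0.0
            continue
        for sub in subs:
            scores[sub] = 1.0 if sub in covered else 0.0
        scores[parent] = sum(scores[s] for s in subs) / len(subs)
    return scores


def navigator_layer(scores, name="sub-technique coverage"):
    """ATT&CK Navigator layer (layer format 4.1 assumed) coloured by score."""
    def colour(score):
        return "#8ec843" if score == 1.0 else ("#ffe766" if score > 0 else "#ff6666")
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "8", "navigator": "4.2", "layer": "4.1"},
            "techniques": [{"techniqueID": tid, "score": round(score * 100),
                            "color": colour(score), "comment": ""}
                           for tid, score in sorted(scores.items())]}


if __name__ == "__main__":
    tree = subtechnique_tree(BUNDLE)
    # An analytic list written before July 2020 still cites T1086; the crosswalk fixes it.
    scores = coverage(tree, crosswalk(BUNDLE), {"T1086", "T1003.002", "T1003.004"})
    print(json.dumps(navigator_layer(scores), indent=2))
```

With the three analytics above, T1059 scores 1.0 only because its single sub-technique is covered via the crosswalk, while T1003 scores 0.5 (two of four sub-techniques) and shows amber rather than green in the layer. Revoked objects stay in the published bundle, so any tooling that counts techniques or builds the tree has to filter on the revoked flag as this does.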
16. The PRE Merge
   • Deprecated PRE-ATT&CK matrix for PRE Enterprise platform
   • 2 new Tactics
   • Criteria for inclusion: 1. Technical; 2. Visible to some defenders; 3. Evidence of adversary use
17. Reconnaissance
   • Actively or passively gathering information that can be used to support targeting
   • 10 Techniques & 31 Sub-techniques
   • Split into what & how
18. Resource Development
   • Building, buying, or compromising resources that can be used during targeting: Infrastructure, Accounts, Capabilities
   • 6 Techniques & 26 Sub-techniques
19. PRE ATT&CK Merge: check out Mike and Jamie's presentation from November's ATT&CKcon Power Hour, https://youtu.be/M_uG_hlmTcA
20. ATT&CK for Network Devices
   • New platform in Enterprise
   • Techniques against network infrastructure devices
   • 13 techniques and 15 sub-techniques added or modified
21. ATT&CK for ICS: Unique Adversary Goals, Technology Differences, Different Defenses
22. ICS Matrix, released in Jan 2020
23. ATT&CK for ICS: check out Otis's presentation from December's ATT&CKcon Power Hour, https://youtu.be/_GZwY-9QyFk
24. What's Coming in 2021? (Photo by Adam Pennington)
25. ATT&CK for Enterprise (Windows, Mac, Linux, Cloud, PRE, Network Devices)
   • A period of stability
   • No changes as big as PRE or subs on our roadmap
   • Major releases currently planned in April and October
26. ATT&CK for Enterprise (v8.2)
   • Several new/updated techniques in reporting around the SolarWinds supply chain injection/UNC2452
   • Preview of techniques we've spotted, will add in v8.2: http://bit.ly/ATTACKPRVW
   • Repo listing related reports with behaviors: http://bit.ly/ATTACKRPTS
   • Both resources are being regularly updated
27. ATT&CK for Enterprise (Mac/Linux)
   • Ongoing effort to improve and expand coverage
   • Much less focus historically than Windows techniques
   • macOS updates targeted for April release
   • Linux updates targeted for October release
28. ATT&CK for Enterprise (Data Sources)
   • Currently a list of text strings
   • No details beyond the name
   • No descriptions behind them
29. Adding metadata to ATT&CK data sources
   Data Source | Data Component | Relationships | Event Logs
   Process | Process Creation | Process created Process; User created Process | Sysmon 1 Process Creation; Security 4688 Process Created
   Process | Network Connection | Process connected to Ip; User connected to Ip | Sysmon 3 Network Connection; Security 5156 Connection Permitted
   Process | Process Modification | Process wrote to Process | Sysmon 8 Create Remote Thread
   Process | Process Access | Process opened Process | Sysmon 10 Process Access
30. ATT&CK for Enterprise (Data Sources): for a deeper dive on data sources, check out Jose's Data Sources posts on our blog, https://medium.com/mitre-attack
31. Data Sources as an Object
   • Slated for Enterprise in April ATT&CK release
   • Should flow to other parts of ATT&CK over time
   • Will dramatically improve ATT&CK data sources
32. ATT&CK for Enterprise (Cloud)
   Current: SaaS, IaaS
   Future: SaaS, IaaS, additional SaaS platforms….
33. Cloud Example
   Data Source: Instance
   Data Components: Instance Creation, Instance Modification, Instance Deletion, Instance Metadata, Instance Enumeration, Instance Start, Instance Stop
   Events (API): AWS ListInstances, ModifyInstanceAttribute, TerminateInstances, DescribeInstances, RunInstances, StartInstances, StopInstances
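Slide 29's table and slide 33's Instance example both make the same point: a data source is only useful to a detection engineer once it names the components and the concrete events (Sysmon ids, Security ids, cloud API calls) that produce them. The following added example (not MITRE's code) normalises constructed Windows and AWS CloudTrail records into the "Data Source: Data Component" labels that technique pages use, attaches the relationships listed on slide 29, sends telemetry no component describes to an "unmapped" bucket, and reports which of a technique's required components the collected telemetry cannot supply. The pairing of CloudTrail eventName values with Instance components, the provider names, the sample records and the REQUIRED list are assumptions made for the example.

```python
"""Normalise host and cloud telemetry to ATT&CK data components (added example, not MITRE code).

The COMPONENTS table follows the data source metadata on slide 29 and the Instance
example on slide 33; the CloudTrail pairings and every record below are constructed.
"""
from collections import Counter

# (provider, event id or API name) -> (data source, data component, relationships)
COMPONENTS = {
    ("Microsoft-Windows-Sysmon", 1): ("Process", "Process Creation",
                                     ["Process created Process", "User created Process"]),
    ("Microsoft-Windows-Sysmon", 3): ("Process", "Network Connection",
                                     ["Process connected to Ip", "User connected to Ip"]),
    ("Microsoft-Windows-Sysmon", 8): ("Process", "Process Modification",
                                     ["Process wrote to Process"]),
    ("Microsoft-Windows-Sysmon", 10): ("Process", "Process Access",
                                      ["Process opened Process"]),
    ("Microsoft-Windows-Security-Auditing", 4688): ("Process", "Process Creation",
                                                   ["Process created Process", "User created Process"]),
    ("Microsoft-Windows-Security-Auditing", 5156): ("Process", "Network Connection",
                                                   ["Process connected to Ip"]),
    # Assumed eventName pairings for the Instance data source on slide 33.
    ("CloudTrail", "RunInstances"): ("Instance", "Instance Creation", []),
    ("CloudTrail", "ModifyInstanceAttribute"): ("Instance", "Instance Modification", []),
    ("CloudTrail", "TerminateInstances"): ("Instance", "Instance Deletion", []),
    ("CloudTrail", "DescribeInstances"): ("Instance", "Instance Enumeration", []),
    ("CloudTrail", "StartInstances"): ("Instance", "Instance Start", []),
    ("CloudTrail", "StopInstances"): ("Instance", "Instance Stop", []),
}


def event_key(record):
    """Lookup key for a CloudTrail record or a Windows event (XML-to-dict shape assumed)."""
    if "eventName" in record:
        return ("CloudTrail", record["eventName"])
    if "Provider" in record and "EventID" in record:
        return (record["Provider"], int(record["EventID"]))
    return None


def classify(record):
    """Data source metadata for one record, or None when no component covers it."""
    key = event_key(record)
    if key not in COMPONENTS:
        return None
    source, component, relationships = COMPONENTS[key]
    return {"data_source": source, "data_component": component,
            "relationships": relationships}


def inventory(records):
    """Count 'Data Source: Data Component' labels, plus an 'unmapped' bucket."""
    counts = Counter()
    for record in records:
        meta = classify(record)
        counts[f"{meta['data_source']}: {meta['data_component']}" if meta else "unmapped"] += 1
    return counts


def missing_components(records, required):
    """Required data components for which no telemetry was observed."""
    seen = set(inventory(records))
    return sorted(component for component in required if component not in seen)


SAMPLE = [  # constructed records, not from a real host or account
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 1, "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 10, "SourceImage": "C:\\Temp\\dump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 11, "TargetFilename": "C:\\Temp\\x.dll"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

# Assumed requirement list for the example; real lists live on each technique page.
REQUIRED = ["Process: Process Creation", "Process: Process Access",
            "Process: OS API Execution", "Instance: Instance Creation"]

if __name__ == "__main__":
    for label, count in sorted(inventory(SAMPLE).items()):
        print(f"{count:3d}  {label}")
    print("missing:", missing_components(SAMPLE, REQUIRED))
```

The Sysmon 11 file-create record lands in "unmapped", which is the useful signal: it is telemetry the Process data source does not describe, so either another data source (File) covers it or the mapping table is incomplete. Keying the table on provider plus event id rather than on a free-text name is what makes the same code serve both Sysmon and the Security log for the same component.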
34. ATT&CK for Enterprise (Cloud): check out Jen's presentation from October's ATT&CKcon Power Hour, https://youtu.be/a-xs5VqlcKI
35. ATT&CK for Enterprise (Containers): Microsoft's ATT&CK-like "Threat Matrix for Kubernetes"
36. ATT&CK for Enterprise (Containers): check out Jen's ATT&CK for Containers post on https://medium.com/mitre-engenuity
   • Investigating adversary behaviors in containers
   • May be added to ATT&CK if enough intel exists
   • Please contribute!
37. ATT&CK Workbench
   • Tool allowing users to explore, create, annotate and share extensions of ATT&CK
   • Planned to become ATT&CK team's content creation tool
   • Slated for release later in 2021
38. ATT&CK for Mobile & ICS (Mobile ATT&CK, Enterprise ATT&CK, ICS ATT&CK: It's just)
   • Working towards feature equity with Enterprise
   • ICS: Otis Alexander's talk, https://youtu.be/_GZwY-9QyFk
   • Mobile: watch for upcoming blog posts
39. Thank you
40. attack@mitre.org, @MITREattack, Adam Pennington @_whatshisface

