ATT&CKing with Threat Intelligence

1. © 2018 The MITRE Corporation. All rights reserved. | 1 | Christopher Korban Cody Thomas HOPE - July 2018 ATT&CKing with Threat Intelligence Approved for public release. Distribution unlimited 18-0944-10

2. | 2 | © 2018 The MITRE Corporation. All rights reserved. ATT&CK T1033 – User Discovery  Christopher Korban – Lead Cyber Security Engineer – ATT&CKing for the past 5+ years – Creates Adversary Emulation Plans – @ckorban  Cody Thomas – Senior Cyber Security Engineer – Created Mac/Linux ATT&CK – Red Teamer and Tool Developer – @its_a_feature_ Approved for public release. Distribution unlimited 18-0944-10

3. | 3 | © 2018 The MITRE Corporation. All rights reserved. Traditional Offensive Testing Workflow Intel Gathering Vulnerability Assessment Target Acquisition Exploitation Privilege Escalation Lateral Movement Persistence Exfiltration Report Findings Collect Protect Detect Triage Investigate Coordinate Remediate  Typical Red vs Blue event flow Approved for public release. Distribution unlimited 18-0944-10

4. | 4 | © 2018 The MITRE Corporation. All rights reserved. Traditional Outcomes  Red – Creates report of offensive techniques and IoCs for what they did – Wants to make sure they ‘win’ again next time – Leaves for a year  Blue – Deciphers Red’s report – Continues to deal with daily incident reports – Creates static detections for Red’s tools and IoCs – Might try to characterize malicious behavior  Typically has small sample size  No good way to keep testing https://aconsciouslifenow.com/wp-content/uploads/2017/07/Health-Wealth-Purpose-and-Love-thru-Releasing-the-Adversary.jpg Approved for public release. Distribution unlimited 18-0944-10

5. | 5 | © 2018 The MITRE Corporation. All rights reserved. How do these outcomes progress?  Blue signatures Red tool (MD5=4de587ac29…) – Red changes tool slightly (new hash)  Blue signatures Red tool (string=“mimikatz”) – Red changes tool slightly (string=“mimidogz”)  Blue stops single red instantiation (psexec) – Red modifies implementation (psexec manually)  …  This isn’t really helping blue or red Approved for public release. Distribution unlimited 18-0944-10

7. | 7 | © 2018 The MITRE Corporation. All rights reserved. Need Common Language for TTPs  What do we need from this common language? – Communicate and articulate what happened in a test, and results – Do so at a level that’s specific enough that it’s repeatable – Enable us to create metrics that make sense  What do we use for this? – MITRE’s Adversarial Tactics, Techniques, and Common Knowledge Approved for public release. Distribution unlimited 18-0944-10

8. | 8 | ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior. ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations. attack.mitre.org Approved for public release. Distribution unlimited 18-0944-10

9. | 9 | © 2018 The MITRE Corporation. All rights reserved. ATT&CK Matrix Format Tactic: Adversary’s technical goal, the “Why” Technique: Adversary’s action to achieves the goal, the “What” Approved for public release. Distribution unlimited 18-0944-10

10. | 10 | © 2018 The MITRE Corporation. All rights reserved. Example of Technique: New Service  Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.  Platform: Windows  Permissions required: Administrator, SYSTEM  Effective permissions: SYSTEM  Detection: – Monitor service creation through changes in the Registry and common utilities using command- line invocation – Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence – Monitor processes and command-line arguments for actions that could create services  Mitigation: – Limit privileges of user accounts and remediate Privilege Escalation vectors – Identify and block unnecessary system utilities or potentially malicious software that may be used to create services  Data Sources: Windows Registry, process monitoring, command-line parameters  Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, … Approved for public release. Distribution unlimited 18-0944-10

11. | 11 | © 2018 The MITRE Corporation. All rights reserved. ATT&CK Spans Multiple Tech Domains PRE-ATT&CK: left of exploit behaviors Enterprise: Windows, Linux, Mac Mobile: Android, iOS Approved for public release. Distribution unlimited 18-0944-10

12. | 12 | © 2018 The MITRE Corporation. All rights reserved. Key ATT&CK use cases:  Guide threat hunting campaigns  Leverage threat intelligence to prioritize technique detection  Remediate gaps by mapping solutions back to ATT&CK techniques  Emulate adversaries to measure defenses against relevant threats Approved for public release. Distribution unlimited 18-0944-10

13. | 13 | © 2018 The MITRE Corporation. All rights reserved. Adversary Emulation  AKA: Threat-based Red Teaming  Adversary Emulation – Emulate the techniques of an adversary that’s most likely to target your environment – Focus on the behaviors of those techniques instead of specific implementations https://giphy.com/explore/hackerman https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543 Approved for public release. Distribution unlimited 18-0944-10

14. | 14 | © 2018 The MITRE Corporation. All rights reserved. Adversary Emulation with ATT&CK Prototype APT3 emulation plan on attack.mitre.org Approved for public release. Distribution unlimited 18-0944-10

15. | 15 | © 2018 The MITRE Corporation. All rights reserved. How to start doing adversary emulation?  Identify an adversary you want to emulate – Consider the target you’re going up against  Defense Contractor  Financial Sector  Health Care  E-Commerce  Etc. – Adversaries change accordingly  Country Specific (APT3, APT28, APT29, APT34, ….)  Financially Motivated (FIN6, FIN7, …) Approved for public release. Distribution unlimited 18-0944-10

16. | 16 | © 2018 The MITRE Corporation. All rights reserved. How to start doing adversary emulation? 1. Threat Intelligence Acquisition – Analyze Reporting:  Adversary Reports (APTX)  Reports on Adversary’s toolsets (APTX uses A,B,C)  Aliases (APTX i.e. ThreatGroup ###, adjective-animal)  Toolset aliases (A i.e. Trojan.malwareName)  Associated Campaigns (OperationZ)  Keep time of reports in mind Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Set up Infrastructure Emulate Adversary Approved for public release. Distribution unlimited 18-0944-10

17. | 17 | © 2018 The MITRE Corporation. All rights reserved. Threat Intel - Follow the Leads https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong Aliases, Aliases, Aliases everywhere! Approved for public release. Distribution unlimited 18-0944-10

18. | 18 | © 2018 The MITRE Corporation. All rights reserved. How to start doing adversary emulation? 2. Extract Actionable Techniques and M.O. – Look for adversary behaviors – Look for tool functionality – Establish the adversary’s goal – Think about the what, why, and how  In ATT&CK - Technique, Tactic, Procedure Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Set up Infrastructure Emulate Adversary Approved for public release. Distribution unlimited 18-0944-10

19. | 19 | © 2018 The MITRE Corporation. All rights reserved. Threat Intel - What does it really say? https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html T1068 - Exploitation for Privilege Escalation T1059 - Command-Line Interface T1033 - System Owner/User Discovery T1053 - Scheduled Task T1065 - Uncommonly Used Port T1094 - Custom Command and Control Protocol Approved for public release. Distribution unlimited 18-0944-10

20. | 20 | © 2018 The MITRE Corporation. All rights reserved. Threat Intel - Into the Binary Strings https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017- evolution_of_pirpi.pdf T1069 - Permission Groups Discovery T1049 - System Network Connections Discovery T1059 - Command-Line Interface T1018 - Remote System Discovery T1107 - File Deletion T1057 - Process Discovery T1034 - Path Interception? Approved for public release. Distribution unlimited 18-0944-10

21. | 21 | © 2018 The MITRE Corporation. All rights reserved. Threat Intel - Into the Binaries T1056 - Input Capture T1027 - Obfuscated Files or Information T1016 - System Network Configuration Discovery T1077 - Windows Admin Shares T1035 - Service Execution T1003 - Credential Dumping T1055 - Process Injection https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong Approved for public release. Distribution unlimited 18-0944-10

22. | 22 | © 2018 The MITRE Corporation. All rights reserved. Threat Intel - Adversary M.O. https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11- identified-in-targeted-attacks.html They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/ The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack. Approved for public release. Distribution unlimited 18-0944-10

23. | 23 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan  This is the hardest part of the puzzle  No plan will be perfect, so approximate where needed  This isn’t a replay of an incident - variation is OK Approved for public release. Distribution unlimited 18-0944-10

24. | 24 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Set up Infrastructure Emulate Adversary 3. Develop Tools if needed to emulate behaviors – What are the COTS / Open Source tools available? – Can you exhibit the right behaviors with these tools?  Can you extend them?  Can you modify them? – Do you need to develop something specific?  Delivery mechanisms  Command and Control  Capabilities Approved for public release. Distribution unlimited 18-0944-10

25. | 25 | © 2018 The MITRE Corporation. All rights reserved. What is behavior emulation for TTPs?  Performing adversary techniques with variations – Adversary created “C:aos.exe” for Priv Esc via path interception  You intercept any service path that runs under higher privileges – Adversary used “PSExec” for Lateral Movement  You do it manually with “sc.exe” or via PowerShell – Adversary runs “whoami” for Discovery  You do it with environment variables “%USERDOMAIN%%USERNAME%”  Thinking about what you’re trying to accomplish – Technique in ATT&CK – And Why you’re trying to accomplish it  Tactic in ATT&CK Approved for public release. Distribution unlimited 18-0944-10

26. | 26 | © 2018 The MITRE Corporation. All rights reserved. Defining Your Toolset  Don’t limit yourself to a single environment or tool – Python, PowerShell, Command-Line, Custom Binary, etc  Do stay within the behavior boundaries Approved for public release. Distribution unlimited 18-0944-10

27. | 27 | © 2018 The MITRE Corporation. All rights reserved. Create an Adversary Emulation Field Manual Discovery T1069 - Permission Groups Discovery net localgroup net group /domain dsquery group T1087 - Account Discovery net user /domain wmic user dsquery user  Provides multiple implementations across toolsets  Provides offensive command-line examples  Create this as you go, and use for reference later Approved for public release. Distribution unlimited 18-0944-10

28. | 28 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Set up Infrastructure Emulate Adversary 4. Set up offensive infrastructure – Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks – Create Payloads ”inspired by” the adversary’s tradecraft  Modify IoCs and behaviors if possible  Obfuscate with purpose, NOT all the things – Over obfuscation is itself suspicious Approved for public release. Distribution unlimited 18-0944-10

29. | 29 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan 5. Emulate the Adversary – Follow the M.O. of your target adversary – “Domain Admin” most likely isn’t your goal – Keep the ‘speed of the adversary’ in mind  Low and slow vs smash and grab Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Set up Infrastructure Emulate Adversary https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2017/12/03221736/Automated- Adversary-Emulation-System-CALDERA.jpg Approved for public release. Distribution unlimited 18-0944-10

30. | 30 | © 2018 The MITRE Corporation. All rights reserved. Providing a Starting Point for Red/Blue  To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes  APT3 and APT29 – All based on open-source intelligence – Breakdowns of APT tools and capabilities mapped to ATT&CK – Descriptions of how these techniques are implemented – Potential operator flows during emulations – Cheat Sheets of commands across  Live off the Land binaries/scripts  Open source tools  Commercial toolkits  APT3 is on attack.mitre.org now  APT29 is Coming Soon™ Approved for public release. Distribution unlimited 18-0944-10

31. | 31 | © 2018 The MITRE Corporation. All rights reserved. Contact Us  Chris - @ckorban, ckorban@mitre.org  Cody - @its_a_feature_, cbthomas@mitre.org  ATT&CK – https://attack.mitre.org – @MITREattack  ATT&CK Navigator – https://github.com/mitre/attack-navigator – https://mitre.github.io/attack-navigator/enterprise/  Adversary Emulation Plans – https://attack.mitre.org/wiki/Adversary_Emulation_Plans  CALDERA: Automated Adversary Emulation – https://github.com/mitre/caldera Approved for public release. Distribution unlimited 18-0944-10

32. | 32 | © 2018 The MITRE Corporation. All rights reserved. MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions. Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org

ATT&CKing with Threat Intelligence

You are reading a preview.

ATT&CKing with Threat Intelligence

Editor's Notes

Editor's Notes

More Related Content

Slideshows for you

Similar to ATT&CKing with Threat Intelligence

Featured

Related Books

Related Audiobooks

ATT&CKing with Threat Intelligence

You are reading a preview.

ATT&CKing with Threat Intelligence

Editor's Notes

Editor's Notes

More Related Content

Slideshows for you

Similar to ATT&CKing with Threat Intelligence

Featured

Related Books

Related Audiobooks

Just for you: FREE 60-day trial to the world’s largest digital library.