
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

Talk about the evolution of security posture assessments, solving red team problems with ATT&CK-based Adversary Emulation Plans.

Conference: Art into Science - A Conference on Defense 2018

  1. Frank Duff, Christopher Korban, 1/31/2018. Evolution of Security Posture Assessments. Approved for Public Release; Distribution Unlimited. Case Number 18-0179. ©2018 The MITRE Corporation. All Rights Reserved.
  2. Endpoint Detect and Respond Case Study
     • Convergence of cyber endpoint technologies offering varying combos of protect / detect / respond / contain / alert
       – Malware Detection, Behavioral Detection, Incident Response, DLP Technology, App Isolation Technologies, Deception for Detection
     • Capitalize on ATT&CK and post-exploit detection expertise to declutter the space for MITRE’s sponsors
       – To evaluate cyber defense, emulate cyber offense.
     Diagram, three boxes:
       Adversary Behavior: • Cyber threat analysis • Research • Industry reports
       ATT&CK: • Adversary model (APT3, APT29, etc.) • Post-compromise techniques
       FMX: • Data sources • Analytics • Prioritization
  3. Traditional Offensive Testing Workflow
     Red team flow: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
     Blue team flow: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
     • Typical Red vs Blue event flow
  4. Improved Offensive Testing Workflow
     Each step of the traditional Red Team flow is followed by a Protect/Defend step from the traditional Blue Team: Intel Gathering → Protect/Defend → Vulnerability Assessment → Protect/Defend → Target Acquisition → Protect/Defend → Exploitation → Protect/Defend → Privilege Escalation → Protect/Defend → Lateral Movement → Protect/Defend → Persistence → Protect/Defend → Exfiltration → Protect/Defend
     • After a traditional Red vs Blue event, start blended retesting.
     Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm
  5. Need Common Criteria
     • Articulate – to vendors and US government customers
     • Repeat – to verify results and retest
     • Measure – gauge improvement
     attack.mitre.org
  6. Bianco’s Pyramid of Pain
     Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  7. Adversary Emulation Using ATT&CK
     • Create Emulation plans using ATT&CK
     • Helps focus testing on individual patterns of behavior
       – Identify if existing detection mechanisms, analytics, mitigations work
       – Gaps in visibility, data, tools, process, hardening discovered
       – Address gaps within defenses by improving system
       – Re-test regularly using varied behavior and objectives
     ATT&CK matrix shown on the slide, techniques listed by tactic column:
     Persistence: Accessibility Features; AppInit DLLs; Basic Input/Output System; Bootkit; Change Default File Handlers; Component Firmware; DLL Search Order Hijacking; Hypervisor; Legitimate Credentials; Local Port Monitor; Logon Scripts; Modify Existing Service; New Service; Path Interception; Redundant Access; Registry Run Keys / Start Folder; Scheduled Task; Security Support Provider; Service File Permissions Weakness; Service Registry Permissions Weakness; Shortcut Modification; Web Shell; Windows Management Instrumentation Event Subscription; Winlogon Helper DLL
     Privilege Escalation: Accessibility Features; AppInit DLLs; Bypass User Account Control; DLL Injection; DLL Search Order Hijacking; Exploitation of Vulnerability; Legitimate Credentials; Local Port Monitor; New Service; Path Interception; Scheduled Task; Service File Permissions Weakness; Service Registry Permissions Weakness; Web Shell
     Defense Evasion: Binary Padding; Bypass User Account Control; Code Signing; Component Firmware; DLL Injection; DLL Search Order Hijacking; DLL Side-Loading; Disabling Security Tools; Exploitation of Vulnerability; File Deletion; File System Logical Offsets; Indicator Blocking on Host; Indicator Removal from Tools; Indicator Removal on Host; Legitimate Credentials; Masquerading; Modify Registry; NTFS Extended Attributes; Obfuscated Files or Information; Process Hollowing; Redundant Access; Rootkit; Rundll32; Scripting; Software Packing; Timestomp
     Credential Access: Brute Force; Credential Dumping; Credential Manipulation; Credentials in Files; Exploitation of Vulnerability; Input Capture; Network Sniffing; Two-Factor Authentication Interception
     Discovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Local Network Configuration Discovery; Local Network Connections Discovery; Network Service Scanning; Peripheral Device Discovery; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; Security Software Discovery; System Information Discovery; System Owner/User Discovery; System Service Discovery
     Lateral Movement: Application Deployment Software; Exploitation of Vulnerability; Logon Scripts; Pass the Hash; Pass the Ticket; Remote Desktop Protocol; Remote File Copy; Remote Services; Replication Through Removable Media; Shared Webroot; Taint Shared Content; Windows Admin Shares; Windows Remote Management
     Execution: Command-Line; Execution through API; Graphical User Interface; PowerShell; Process Hollowing; Rundll32; Scheduled Task; Service Execution; Third-party Software; Windows Management Instrumentation; Windows Remote Management
     Collection: Automated Collection; Clipboard Data; Data Staged; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Email Collection; Input Capture; Screen Capture
     Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium; Exfiltration Over Physical Medium; Scheduled Transfer
     Command and Control: Commonly Used Port; Communication Through Removable Media; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Obfuscation; Fallback Channels; Multi-Stage Channels; Multiband Communication; Multilayer Encryption; Peer Connections; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol; Uncommonly Used Port; Web Service
  8. Successful Adversary Emulation
     • Make it real: Use the same techniques, tools, methods and goals of an attacker
     • End-to-End: Don’t just look for holes or perform small attacks. Start from the initial compromise and go until objectives are accomplished
     • Repeatable: Be repeatable, so that your detection and prevention improvement (or degradation) can be measured over time
  9. Adversary Emulation Process:
     – Threat Intelligence Acquisition
     – Extract Actionable Techniques
     – Develop Tools and Analyze Adversary Modus Operandi
     – Setup Infrastructure and Emulate Adversary
     Constraining the Test: Intel, Technical Capability, Time
     ATT&CK Techniques in Scope (Partial Matrix – APT3)
  10. APT Emulation Plan – Plan Phases
  11. Actionable Emulation Plan
  12. A Common Scorecard
     Grey – APT3 techniques not tested
     Green – tested and detected
     Yellow – tested and not detected, but could have been
     Red – sensor gaps
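One way to produce the scorecard this slide describes and, following slide 8's "Repeatable" point, to diff two emulation runs so that improvement or degradation over time is visible per technique. This is an added Python example, not code from the talk or from MITRE. Tactic and technique names are taken from the ATT&CK matrix on slide 7; the two result sets, the `sensor_data` flag (meaning "some sensor captured telemetry for the activity, whether or not an alert fired") and the helper names are constructed assumptions for illustration.

```python
# Added example (not from the talk or from MITRE): grade each technique of an
# emulation run with the slide's four colours and diff two runs.
# Tactic/technique names come from the ATT&CK matrix on slide 7; every result
# below is constructed sample data, and "sensor_data" is an assumed field
# meaning "some sensor captured telemetry for the activity".
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

COLOURS = ("Grey", "Red", "Yellow", "Green")
RANK = {"Red": 0, "Yellow": 1, "Green": 2}  # Grey means "not tested" and is not ranked


@dataclass(frozen=True)
class TechniqueResult:
    tactic: str
    technique: str
    tested: bool = False
    detected: bool = False
    sensor_data: bool = False  # assumed field: telemetry existed even if no alert fired


def grade(r: TechniqueResult) -> str:
    """Slide 12 legend: Grey = not tested, Green = detected, Yellow = missed but
    detectable from the data that was collected, Red = missed with a sensor gap."""
    if not r.tested:
        return "Grey"
    if r.detected:
        return "Green"
    return "Yellow" if r.sensor_data else "Red"


def scorecard(results: Iterable[TechniqueResult]) -> Dict[str, str]:
    """Map technique name -> colour for one emulation run."""
    return {r.technique: grade(r) for r in results}


def tally(card: Dict[str, str]) -> Dict[str, int]:
    """Count techniques per colour, always reporting all four colours."""
    counts = Counter(card.values())
    return {c: counts.get(c, 0) for c in COLOURS}


def detection_rate(card: Dict[str, str]) -> float:
    """Share of *tested* techniques that were detected (Grey is excluded)."""
    tested = [c for c in card.values() if c != "Grey"]
    return sum(c == "Green" for c in tested) / len(tested) if tested else 0.0


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two scorecards: a colour moving up RANK is an improvement, down is a
    regression; techniques tested for the first time are reported separately."""
    improved, regressed, newly_tested = [], [], []
    for technique, new in after.items():
        old = before.get(technique, "Grey")
        if new == "Grey":
            continue  # not tested this run: nothing to compare against
        if old == "Grey":
            newly_tested.append(technique)
        elif RANK[new] > RANK[old]:
            improved.append(technique)
        elif RANK[new] < RANK[old]:
            regressed.append(technique)
    return {"improved": sorted(improved),
            "regressed": sorted(regressed),
            "newly_tested": sorted(newly_tested)}


# Constructed sample data: a first run, then a re-test after adding an analytic
# for credential dumping and rolling out logon telemetry (assumed scenario).
RUN_1 = [
    TechniqueResult("Credential Access", "Credential Dumping", tested=True, detected=False, sensor_data=True),
    TechniqueResult("Discovery", "Process Discovery", tested=True, detected=True, sensor_data=True),
    TechniqueResult("Execution", "PowerShell", tested=True, detected=True, sensor_data=True),
    TechniqueResult("Lateral Movement", "Pass the Hash", tested=True, detected=False, sensor_data=False),
    TechniqueResult("Persistence", "Registry Run Keys / Start Folder", tested=True, detected=True, sensor_data=True),
    TechniqueResult("Defense Evasion", "Timestomp"),  # not tested in run 1 -> Grey
    TechniqueResult("Exfiltration", "Data Compressed", tested=True, detected=False, sensor_data=True),
]
RUN_2 = [
    TechniqueResult("Credential Access", "Credential Dumping", tested=True, detected=True, sensor_data=True),
    TechniqueResult("Discovery", "Process Discovery", tested=True, detected=False, sensor_data=True),  # regression
    TechniqueResult("Execution", "PowerShell", tested=True, detected=True, sensor_data=True),
    TechniqueResult("Lateral Movement", "Pass the Hash", tested=True, detected=False, sensor_data=True),
    TechniqueResult("Persistence", "Registry Run Keys / Start Folder", tested=True, detected=True, sensor_data=True),
    TechniqueResult("Defense Evasion", "Timestomp", tested=True, detected=False, sensor_data=False),
    TechniqueResult("Exfiltration", "Data Compressed", tested=True, detected=False, sensor_data=True),
]

if __name__ == "__main__":
    card_1, card_2 = scorecard(RUN_1), scorecard(RUN_2)
    for name, card in (("run 1", card_1), ("run 2", card_2)):
        print(name, tally(card), f"detection rate {detection_rate(card):.0%}")
    print(compare(card_1, card_2))
```

The ranking treats Red → Yellow as an improvement even though nothing was detected in either run, because closing a sensor gap is the prerequisite for writing the analytic; the diff separates newly tested techniques from real movement so that widening the plan's scope is not mistaken for progress or regression.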
  13. Frequency of Offensive Testing
     Chart (axis: Time): Atomic Testing, Adversary Emulation, Red Teaming, Knowledge Base
  14. Automating where possible
     • Takes care of the simple to allow you to focus on the difficult.
     • Several options to actuate your plans:
       – Custom, roll-your-own methods
       – Automated Breach Simulation vendors: AttackIQ, SafeBreach, Verodin, etc.
       – MITRE CALDERA
  15. MITRE Adversary Emulation Resources
     • ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge, a knowledge base and adversary behavioral model for describing how adversaries operate across their lifecycle
     • Adversary Emulation Playbooks – Open source threat intel and ATT&CK-based adversary group profiles that describe how to emulate a specific group
     • CALDERA – An automated adversary emulation system built on ATT&CK that is useful for emulating pre-programmed sets of behavior
       – Open source: https://github.com/mitre/caldera
       – Closed source research version available to sponsors
     LETS@MITRE.ORG – ATTACK@MITRE.ORG
  16. Reasons to Release and Focus on Adversary Emulation Plans
     • Helps smaller shops run APT-style red teams but, more importantly, paves the way for real-world, data-driven red teams
     • Highlights the type of intel we can use, e.g., move IR reports away from Indicators of Compromise and toward behaviors.
       – The intel would be immediately useful
     • Provides a good “sellable” back-story, especially if in an affected industry
     • Enables apples-to-apples comparisons
     • Lowers the bar to “offensive testing,” empowering blue teams with the ability to run checks themselves
     • Creating emulation plans identifies what is unavoidable when performing a certain TTP and what is not.
       – For what is avoidable, run the gamut of the different permutations and actuations of a TTP
       – For what is not avoidable, defenders should focus on the “pinch point” to quell all possibilities to the right, sometimes hamstringing the TTP category as a whole.