Upgrade your attack model: finding and stopping fileless attacks with MITRE ATT&CK
1. Upgrade Your Attack Model: Finding and Stopping Fileless Attacks with MITRE ATT&CK
Presenter: Patrick Tierney
Date: June 24, 2020
2. About Me
Patrick Tierney
Principal Solutions Architect
patrick.tierney@elastic.co
▪ 20 years in the security industry in IT operations and sales
▪ Internet Security Systems/IBM (1998) and Endgame/Elastic (2010)
▪ Nerd credentials: I have 1500 comic books next to my desk right now
4. Attack Models capture information used to think like an attacker: threat modeling, abuse case development and refinement, data classification, and technology-specific attack patterns.
Building Security In Maturity Model (BSIMM)
https://www.bsimm.com/about.html
6. Diamond Model (of Intrusion Analysis)
● Looks simplistic (four vertices: adversary, infrastructure, capability, victim), but can still be used to define complex attacks
● Includes the motivational factor of the attacker
● Fully defined in a whitepaper here: https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
8. Cyber Attack Lifecycle
● Developed by Mandiant
● Defines the cycle an attacker works through during dwell time
● Defines a completed mission, but I don’t think an attacker thinks that way
10. Cyber Kill Chain™
● Developed by Lockheed Martin
● Defines 7 steps of an attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives
● Probably the most common attack definition
11. NIST Cybersecurity Framework
● 5 functions (Identify, Protect, Detect, Respond, Recover), drawn as columns, or as a ring of Simon buttons in the newer version
● Created in response to a 2013 Obama executive order (EO 13636)
● Really more of a risk management guideline than an attack model
● The only model here that identifies a recovery step
13. MITRE ATT&CK
A More Complete Model for Today’s Threats
● Adversarial Tactics, Techniques & Common Knowledge
● Maintained by MITRE, a federally funded, not-for-profit organization
● Openly available, community-contributed knowledge base
● Over 300 attacker techniques identified
● Covers multiple operating systems (Windows, macOS, Linux)
● Malware is only part of the story: ATT&CK describes attacker behaviour, not just the tools, so fileless tradecraft is covered too
● Runs ATT&CK Evaluations that test enterprise security solutions against emulated adversaries
● Evaluate the raw test data for yourself: https://www.elastic.co/blog/visualizing-mitre-round-2-evaluation-results-Kibana
15. If You Don’t Know What You’re Looking For, How Will You Ever Find It?
18. ATT&CK mapping: techniques used in the APT32 attack
T1193 Spearphishing Attachment: phishing message with a malicious document delivered through email
T1036 Masquerading: masquerading as a legitimate Windows process
T1053 Scheduled Task: persistence via a scheduled task
T1064 Scripting: malicious script execution from the scheduled task
T1055 Process Injection: process injection to gain code execution
T1094 Custom Command and Control: command and control using Cobalt Strike
(These are the technique IDs in use when the talk was given, June 2020. ATT&CK v7, released the following month, replaced T1193 with T1566.001 Phishing: Spearphishing Attachment, folded T1064 into T1059 Command and Scripting Interpreter, and deprecated T1094.)
19. Technique ID T1193 Spearphishing Attachment
Phishing message with a malicious document delivered through email.
20. Technique ID T1193 Spearphishing Attachment
The attacker is counting on the end user to enable content (macros) for the document. And they often do.
21. Technique ID T1036 Masquerading
The first stage of the attack drops some files in C:\ProgramData. But ying.exe is actually a renamed copy of wscript.exe, the Windows Script Host.
23. Technique ID T1064 Scripting from a scheduled task
ying.exe (the renamed wscript.exe) loads in-memory .NET binaries, loader.dll and scrobj.dll.
24. Technique ID T1055 Process Injection
The ying.exe process injects code into its own process (which is really wscript.exe) to insert the instructions for contacting the command and control server.
25. Technique ID T1094 Custom Command and Control
Now that it has its instructions, ying.exe reaches out to its control server, in this case to download a Cobalt Strike payload.
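The slides above describe the chain; what they do not show is what "knowing what to look for" means in telemetry. The Python below is an added example (it is neither from the talk nor from Elastic's rule set) that runs ATT&CK-tagged detection logic over constructed Sysmon-style events for exactly this chain: a renamed wscript.exe launched by the Task Scheduler, the .NET runtime loaded into the script host, then an outbound connection. The field names (Image, OriginalFileName, CommandLine, ParentProcessGuid, ImageLoaded, DestinationIp) follow Sysmon Event IDs 1, 7 and 3; the event records, the ProcessGuid values, the C2 address (TEST-NET-3 documentation space) and the scheduled-task parent heuristic are all assumptions made for the example.

```python
"""
ATT&CK-tagged detection over Sysmon-style events for the APT32-style chain
described in the slides: a renamed wscript.exe (ying.exe) started by a
scheduled task, .NET loaded into the script host, then a C2 connection.
All events below are constructed for this example, not real telemetry.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from ntpath import basename  # parses Windows paths on any host OS

# Script hosts are matched on PE OriginalFileName, which survives a rename on
# disk. T1036 Masquerading works precisely because defenders match the disk name.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
DOTNET_RUNTIME = {"clr.dll", "mscoree.dll", "mscorlib.dll", "clrjit.dll"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Technique IDs and names as used in the talk (pre-sub-technique ATT&CK).
TECHNIQUES = {"T1036": "Masquerading", "T1053": "Scheduled Task",
              "T1064": "Scripting", "T1094": "Custom Command and Control"}

EVENTS = [  # constructed sample events (assumed ProcessGuids, paths, addresses)
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "ParentProcessGuid": "{00}", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\ProgramData\\ying.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": "C:\\ProgramData\\ying.exe C:\\ProgramData\\run.vbs",
     "ParentProcessGuid": "{A1}", "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\ProgramData\\ying.exe",
     "ImageLoaded": "C:\\Windows\\System32\\scrobj.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\ProgramData\\ying.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\ProgramData\\ying.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign control: the real wscript.exe run by explorer.exe, no loads, no network.
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\wscript.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": "wscript.exe logon.vbs",
     "ParentProcessGuid": "{D4}", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def spawned_by_task_scheduler(parent):
    """Heuristic (assumption for this example): the parent is the Task Scheduler
    service host (svchost.exe -s Schedule on Windows 10) or legacy taskeng.exe."""
    if parent is None:
        return False
    name = basename(parent["Image"]).lower()
    return name == "taskeng.exe" or (
        name == "svchost.exe" and "schedule" in parent["CommandLine"].lower())


def detect(events):
    """Return {ProcessGuid: set of technique IDs} for every process that matched.
    Load and network events are judged by the process's OriginalFileName from its
    creation event, never by the file name the attacker chose on disk."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = defaultdict(set)
    for e in events:
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue  # no creation event seen: activity cannot be attributed
        guid, true_name = e["ProcessGuid"], proc["OriginalFileName"].lower()
        if e["EventID"] == 1:
            # T1036: name on disk differs from the PE's own name (ying.exe vs wscript.exe)
            if basename(proc["Image"]).lower() != true_name:
                hits[guid].add("T1036")
            # T1053 / T1064: a script host started by the Task Scheduler
            if spawned_by_task_scheduler(procs.get(e["ParentProcessGuid"])):
                hits[guid].add("T1053")
                if true_name in SCRIPT_HOSTS:
                    hits[guid].add("T1064")
        elif e["EventID"] == 7 and true_name in SCRIPT_HOSTS:
            # Script host pulling in the .NET runtime, or a DLL from a user-writable
            # directory: the in-memory .NET loader stage from slide 23.
            dll = e["ImageLoaded"].lower()
            if basename(dll) in DOTNET_RUNTIME or dll.startswith(USER_WRITABLE):
                hits[guid].add("T1064")
        elif e["EventID"] == 3 and true_name in SCRIPT_HOSTS:
            # Script host talking to a non-internal address: the C2 stage from slide 25.
            dst = ip_address(e["DestinationIp"])
            if not any(dst in net for net in INTERNAL_NETS):
                hits[guid].add("T1094")
    return dict(hits)


if __name__ == "__main__":
    images = {e["ProcessGuid"]: e["Image"] for e in EVENTS if e["EventID"] == 1}
    for guid, ids in detect(EVENTS).items():
        tags = ", ".join(f"{t} {TECHNIQUES[t]}" for t in sorted(ids))
        print(f"{images[guid]}: {tags}")
```

Two caveats a practitioner will want. OriginalFileName comes from the PE version resource, so an attacker who strips or forges it defeats the masquerading check; pair it with the file hash or Authenticode signer. And the self-injection step on slide 24 (T1055) produces no process, load or network event, which is why the example does not claim it: catching it needs API or memory telemetry that this sample does not contain.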
31. Security how it should be: open
Elastic Security integrates endpoint security and SIEM to give you prevention, collection, detection, and response capabilities for unified protection across your infrastructure.
ELASTIC SECURITY