
MITRE ATT&CK framework: it is time you took notice (v1.0)

Mitre ATT&CK is for all of us, and it is time to pay attention to it.
LOG-MD.com
LOG-MD
MalwareArchaeology.com
Malware Archaeology


  1. Mitre ATT&CK is for all of us, and it is time to pay attention to it
     Michael Gough – Co-Founder, IMFSecurity.com, LOG-MD.com

  2. Whoami
     • Blue Team Defender Ninja, Incident Responder, Logaholic
     • Creator of all those “Windows Logging Cheat Sheets” and the Malware Management Framework
       – Including LOG-MD and Windows Logging ATT&CK cheat sheets
     • Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
     • Co-Host – “Brakeing Down Incident Response”

  3. HOMEWORK

  4. There is more than this talk
     • But we only have 50 minutes
     • Brakeing Down Incident Response Podcast – Episode 007, BDIRPodcast.com
       – https://www.imfsecurity.com/podcasts/2018/9/16/bdir-podcast-episode-007
     • SANS Threat Hunting and Incident Response Summit, New Orleans 2018
       – My talk and many others covered ATT&CK; find the PDFs and videos as SANS releases them
     • MITRE ATT&CKcon is this week!!!
       – I was invited, but I am here educating my peeps

  5. Why do we care?
     • People ask me all the time
     • “How do you know what to look for?”
       – Experience
       – Because Hacker Hurricane said so ;-)
       – The Malware Management Framework
     • Reports that show what the bad guys actually did
     • So how or what do we map our defenses to?
       – PCI?
       – OWASP?
       – Compliance XYZ?
       – Because InfoSec or WebAppSec says so?

  6. Why do we care?
     • If you can identify your gaps
     • Whether a consultant or an employee
     • You can define potential budget needs
     • You may have to admit a tool is not mapping well, so an opportunity to recommend a replacement that has better coverage
     • Budget re-allocation is always a bonus
     • The goal is to IMPROVE your security posture

  7. Why do we care?
     • ATT&CK is your new baseline
     • You heard me
     • We FINALLY have a goal of what to achieve
     • Map to ATT&CK and you WILL pass or exceed any and all compliance requirements if you are doing them!
     • Forget the Cyber Kill Chain
       – https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
     • ATT&CK is more detailed at what you should detect… along the Cyber Kill Chain

  8. What is ATT&CK?

  9. MITRE ATT&CK
     • MITRE’s Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.
     • ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying defenses work as expected.

  10. ATT&CK Tactics and Techniques
     • 11 Tactics
     • 283 Techniques
     • Covers the following Operating Systems
       – Windows
       – macOS
       – Linux

  11. Why care about ATT&CK
     • It is HUGE… extensive information on what the adversaries actually do to YOUR systems

  12. ATT&CK requires some ‘Back to Basics’ to achieve “Totality”

  13. Achieve Totality
     Coverage – Asset Management
     • Can you see every host?
     • Do you have ghost assets?
     • Remote systems (Road Warriors)
     • Powered-down VMs/systems
     • IP scan all devices and identify the OS
     Completeness – Deployment
     • Are your agent(s) installed and running properly?
     Configuration – System Settings
     • Are the systems configured correctly?
     • Enable all that you want and expect

  14. 80/20 rule
     • A VERY important point: we need to ignore, or not worry about, the 20% that you don’t or can’t cover.
     • Don’t get hung up on the 20% or you will continue to flounder
     • Worry about the 80% you CAN or COULD do
     • You have to learn to walk before you worry about trying to be, or cover, 100% (run)
     • Being good at 80% should be a goal
     • You will improve over time as you get better
     • It’s really more 74%–26%
       – You must accept more false positives to reach 80% or higher (Devon Kerr, Endgame)

  15. Let’s Look at an Example

  16. Credential Access
     • Tactic – Credential Access
       – Guessing
       – Cred Dump
       – Keystroke logging
       – Off the wire

  17. Technique – Brute Force
     • Technique ID – T1110
     • Tactic – Credential Access
     • Lists Platforms
     • Shows Data Sources

  18. Examples – More Data
     • Groups that used it
     • Tools or kits
     • Good for background information
     • Read the reports (aka Malware Management) on the actors’ campaign(s)

  19. ATT&CK Provides Guidance
     • Mitigation examples
     • Detection examples
     • References
     • You must translate them into the Processes, Procedures and Products you have

  20. What about APPSEC? How does this apply to us?

  21. Map your capabilities to ATT&CK
     • Map the tools you have to the ATT&CK Matrix
     • This will give you a place to start and a way to track and rate your activities

  22. Sample of ATT&CK and Applications

  23. Mitre ATT&CK
     • This is a good place to start and map all your detection, prevention, and hunt activities to
     • Not enough details as to how
       – You will need to map them
       – Or find someone that has, maybe a product(s)
     • Add your Web Proxy
     • Add your WAF
     • Add your IPS
     • Add Network tools
     • Add code scanners
     • Fill any other gaps
     • Of course… ADD YOUR LOGGING!!!

  24. Mitre ATT&CK – Logging
     Let’s look at Windows Logging, my personal favorite
     • Most Techniques can be mapped to logging
     • Add Log Management
     • Add some Sysmon or WLS to the logs for more details
     • Add LOG-MD-Pro, and other tools or script(s)
     • Add a solution to query the OS (I love BigFix)
     • Add Network tools
     • Fill other gaps
     • See the previous slide for application stuff

  25. Map your capabilities to ATT&CK
     • The Windows ATT&CK Logging Cheat Sheet
     • 11 Tactics and 187 Techniques mapped to Windows Event IDs

  26. Map your capabilities to ATT&CK
     • The Windows LOG-MD ATT&CK Cheat Sheet
     • 11 Tactics and 187 Techniques mapped to Windows Event IDs, LOG-MD, and Sysmon

  27. Find your Gaps, and Strengths
     • By filling out the ATT&CK matrix to YOUR capabilities, you begin to understand what you CAN and CAN NOT do against the actual tactics and techniques the bad guys use against you
     • I was shocked, I mean SHOCKED, at how much I do in Windows logging mapped to actual tactics and techniques
     • But then again I have been practicing Malware Management since I created it over 6 years ago

  28. Example Suspicious PowerShell Hunt

  29. How do I Hunt for PS?
     • Without Log Management?
     • Or with it; we consume LOG-MD-Pro logs into Log Management too

  30. TOOLS

  31. What is available to you
     • MITRE ATT&CK Navigator
     • You select items you have, select colors and export it

  32. ATT&CK Navigator
     • ATT&CK Navigator
       – https://mitre.github.io/attack-navigator/enterprise/
     • Mobile too
       – https://mitre.github.io/attack-navigator/mobile/
     • Pre-ATT&CK
       – https://attack.mitre.org/pre-attack/index.php/Main_Page

  33. SOCPrime

  34. SOCPrime
     • TDM – Threat Detection Marketplace
     • SIGMA Rules – Generic Signature Format for SIEM Systems
     • ATT&CK mappings
     • Lots of log solution options
     • Convert from one platform to another
     • SIGMA rule converter
     • Subscription service to gain access
     • Some free SIGMA-based rules

  35. Tools
     • Unfetter
       – https://nsacyber.github.io/unfetter/
       – https://mitre.github.io/unfetter/getting-started/
     • Tanium
       – https://www.tanium.com/blog/getting-started-with-the-mitre-attack-framework-improving-detection-capabilities/
     • SIGMA
       – https://github.com/Neo23x0/sigma
       – https://github.com/Neo23x0/sigma/wiki/Specification

  36. API
     • MITRE has an API for ATT&CK
       – https://attack.mitre.org/wiki/Using_the_API
     • Cyb3rWarD0g – Invoke-ATTACKAPI
       – https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI
     • Mitre Pre-ATT&CK Mappings
       – https://github.com/annamcabee/Mitre-Attack-API
     • https://github.com/rmusser01/Infosec_Reference/tree/master/Draft/ATT%26CK-Stuff
     • Blog on Brute Force example with ATT&CK
       – https://thehackerwhorolls.blogspot.com/2018/10/home-lab-att-use-case.html

  37. RECOMMENDATIONS

  38. HUNT!
     • Some say create a hypothesis
     • I say start by eliminating things you CAN hunt for and know you do NOT have
     • Then build more hypotheses
     • Map your capabilities to ATT&CK
     • For Windows logging and LOG-MD there are 2 Cheat Sheets mapped to ATT&CK
       – MalwareArchaeology.com/cheat-sheets

  39. Conclusion
     • MITRE ATT&CK is GREAT stuff
     • It gives you a way to measure what you have and can detect, based on what your adversaries ACTUALLY do, not what compliance, an auditor or a consultant says
     • You don’t have to get very detailed at first
     • Use simple coloring at first
       – Green (good), Yellow (needs work), Red (poor), no color (we got nuttin)
     • Expand it once you map it
     • Then expand as you rate your capabilities
     • But get to know this framework!

  40. Additional Reading
     • This Is the Fastest Way to Hunt Windows Endpoints
       – https://www.slideshare.net/Hackerhurricane/mwarch-fastestwaytohuntonwindowsv101
       – SANS will post the video at some point
     • SANS THIR 2018 PDFs and videos
       – Most of the talks had ATT&CK involved
     • Quantify your hunt, not your parents’ red teaming – Devon Kerr
       – https://www.youtube.com/watch?v=w_kByDwB6J0
     • Quantify Your Hunt: Not Your Parents' Red Team – Devon and Roberto
       – https://www.sans.org/summit-archives/file/summit-archive-1536351477.pdf
     • Finding Related ATT&CK Techniques
       – https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6

  41. Questions
     • You can find us on the Twitters
       – @HackerHurricane
     • LOG-MD.com
     • MalwareArchaeology.com
     • Preso will be on SlideShare and linked on MalwareArchaeology.com
     • Listen to the PodCast to hear the rest of this topic
       – BDIRPodcast.com
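Slides 31, 32 and 39 describe picking the techniques you have coverage for in the ATT&CK Navigator, coloring them Green/Yellow/Red and exporting the result. The following Python is an added example (not the presenter's or MITRE's tooling) that builds such a layer from a constructed capability inventory for the Credential Access techniques on slides 16-17. The technique IDs other than T1110, the listed data sources and the Navigator layer keys are assumptions, and the layer keys should be checked against the Navigator's own layer-format documentation.

```python
import json

# Colors for the rating scheme on the conclusion slide.
COLORS = {"green": "#8ec843", "yellow": "#ffe766", "red": "#ff6666"}

# Constructed inventory for the Credential Access examples on slides 16-17.
# Only T1110 appears on the page; T1003, T1056 and T1040 are the ATT&CK IDs
# for "Cred Dump", "Keystroke logging" and "Off the wire". Each entry lists
# the data sources collected and whether a detection exists and was tested.
INVENTORY = {
    "T1110": {"sources": ["Windows Event ID 4625", "Windows Event ID 4776"],
              "detection": True, "validated": True},
    "T1003": {"sources": ["Sysmon Event ID 10"], "detection": True, "validated": False},
    "T1056": {"sources": [], "detection": False, "validated": False},
    "T1040": None,  # not assessed yet -> left uncolored in the layer
}

def rate(entry):
    """A tested detection is green, collected data or an untested detection
    is yellow, nothing at all is red; an unassessed technique returns None."""
    if entry is None:
        return None
    if entry["detection"] and entry["validated"]:
        return "green"
    if entry["detection"] or entry["sources"]:
        return "yellow"
    return "red"

def build_layer(inventory, name="Credential Access coverage"):
    """Return a Navigator layer dict. Unrated techniques keep a comment so
    the gap stays visible when the layer is opened."""
    techniques = []
    for tid, entry in sorted(inventory.items()):
        rating = rate(entry)
        comment = "not assessed" if rating is None else (
            ", ".join(entry["sources"]) or "no data source")
        tech = {"techniqueID": tid, "comment": comment}
        if rating is not None:
            tech["color"] = COLORS[rating]
            tech["score"] = {"green": 3, "yellow": 2, "red": 1}[rating]
        techniques.append(tech)
    # Layer keys (techniqueID, color, score, legendItems, domain, version)
    # are assumed from the Navigator layer format; verify against its docs.
    return {"name": name, "version": "2.1", "domain": "mitre-enterprise",
            "techniques": techniques,
            "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()]}

def layer_json(inventory):
    return json.dumps(build_layer(inventory), indent=2)
```

Rerunning the script after each change to the inventory gives a fresh layer to load into the Navigator, which is the "expand as you rate your capabilities" loop the conclusion slide recommends.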
