
MITRE ATT&CK framework: it is time you took notice (v1.0)


Mitre ATT&CK is for all of us, and it is time to pay attention to it.
Malware Archaeology

Published in: Technology


  1. Mitre ATT&CK is for all of us, and it is time to pay attention to it – Michael Gough, Co-Founder
  2. Whoami • Blue Team Defender Ninja, Incident Responder, Logaholic • Creator of all those “Windows Logging Cheat Sheets” and the Malware Management Framework • Including LOG-MD and Windows Logging ATT&CK cheat sheets • Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool • Co-Host – “Brakeing Down Incident Response”
  3. HOMEWORK
  4. There is more than this talk • But we only have 50 minutes • Brakeing Down Incident Response Podcast – Episode 007 – ir-podcast-episode-007 • SANS Threat Hunting and Incident Response Summit New Orleans 2018 – My talk and many others covered ATT&CK; find the PDFs and videos as SANS releases them • MITRE ATT&CKcon is this week!!! – I was invited, but I am here educating my peeps
  5. Why do we care? • People ask me all the time • “How do you know what to look for?” – Experience – Because Hacker Hurricane said so ;-) – The Malware Management Framework • Reports that show what the bad guys actually did • So how or what do we map our defenses to? – PCI? – OWASP? – Compliance XYZ? – Because InfoSec or WebAppSec says so?
  6. Why do we care? • If you can identify your gaps • Whether a consultant or an employee • You can define potential budget needs • You may have to admit a tool is not mapping well, so it is an opportunity to recommend a replacement that has better coverage • Budget re-allocation is always a bonus • The goal is to IMPROVE your security posture
  7. Why do we care? • ATT&CK is your new baseline • You heard me • We FINALLY have a goal of what to achieve • Map to ATT&CK and you WILL pass or exceed any and all compliance requirements if you are doing them! • Forget the Cyber Kill Chain – us/capabilities/cyber/cyber-kill-chain.html • ATT&CK is more detailed about what you should detect… along the Cyber Kill Chain
  8. What is ATT&CK?
  9. MITRE ATT&CK • MITRE’s Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. • ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.
  10. ATT&CK Tactics and Techniques • 11 Tactics • 283 Techniques • Covers the following operating systems – Windows – macOS – Linux
  11. Why care about ATT&CK • It is HUGE… extensive information on what the adversaries actually do to YOUR systems
  12. ATT&CK requires some ‘Back to Basics’ to achieve “Totality”
  13. Achieve Totality • Coverage – Asset Management – Can you see every host? – Do you have ghost assets? – Remote systems (road warriors) – Powered-down VMs/systems – IP scan all devices and identify the OS • Completeness – Deployment – Are your agent(s) installed and running properly? • Configuration – System Settings – Are the systems configured correctly? – Enable all that you want and expect
  14. 80/20 rule • A VERY important point: we need to ignore, or not worry about, the 20% that you don’t or can’t cover • Don’t get hung up on the 20% or you will continue to flounder • Worry about the 80% you CAN or COULD do • You have to learn to walk before you worry about trying to be, or cover, 100% (run) • Being good at 80% should be a goal • You will improve over time as you get better • It’s really more 74%/26% – You must accept more false positives to reach 80% or higher (Devon Kerr, Endgame)
  15. Let’s Look at an Example
  16. Credential Access • Tactic – Credential Access – Guessing – Cred Dump – Keystroke logging – Off the wire
  17. Technique – Brute Force • Technique ID – T1110 • Tactic – Credential Access • Lists Platforms • Shows Data Sources
  18. Examples – More Data • Groups that used it • Tools or kits • Good for background information • Read the reports (aka Malware Management) on the actors and their campaign(s)
  19. ATT&CK Provides Guidance • Mitigation examples • Detection examples • References • You must translate them into the Processes, Procedures, and Products you have
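A worked version of the Brute Force (T1110) example from slides 15 to 19, added here and not code from the talk or from LOG-MD: it parses constructed Windows Security log lines (failed logon Event ID 4625 is a real Windows event; the key=value line format is a simplification I made up, not a real export format), counts failures per source inside a sliding window, and tags each finding with the ATT&CK technique and tactic so the detection can be rated on the matrix.

```python
"""Windows failed logons (Event ID 4625) mapped to ATT&CK T1110 Brute Force.
Added example, not from the talk or LOG-MD; the key=value line format is a
constructed simplification of the Security log, not a real export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spraying five accounts, one user mistyping once.
SAMPLE_LOG = """\
2018-10-23T09:00:01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.50 LogonType=3
2018-10-23T09:00:02 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.50 LogonType=3
2018-10-23T09:00:03 EventID=4625 TargetUserName=backup IpAddress=10.0.0.50 LogonType=3
2018-10-23T09:00:04 EventID=4625 TargetUserName=svc_sql IpAddress=10.0.0.50 LogonType=3
2018-10-23T09:00:05 EventID=4625 TargetUserName=guest IpAddress=10.0.0.50 LogonType=3
2018-10-23T09:15:00 EventID=4625 TargetUserName=mgough IpAddress=10.0.0.77 LogonType=2
2018-10-23T09:15:09 EventID=4624 TargetUserName=mgough IpAddress=10.0.0.77 LogonType=2
"""

def parse(text):
    """Turn the constructed lines into dicts keyed by field name plus a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *pairs = line.split()
            ev = dict(p.split("=", 1) for p in pairs)
            ev["time"] = datetime.fromisoformat(ts)
            events.append(ev)
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag any source IP with >= threshold 4625 events in a sliding time window.
    Each finding carries the ATT&CK technique and tactic so it can be rated on the matrix."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625":
            by_ip[ev["IpAddress"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"technique": "T1110", "tactic": "Credential Access",
                                 "source_ip": ip, "failed_logons": end - start + 1,
                                 "accounts": sorted(e["TargetUserName"] for e in evs[start:end + 1])})
                break  # one finding per source keeps the hunt list short
    return findings
```

The single mistyped password from 10.0.0.77 stays below the threshold, which is the false-positive trade-off the 80/20 slide talks about: lower the threshold or widen the window and you catch slower guessing at the cost of more noise.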
  20. What about AppSec? How does this apply to us?
  21. Map your capabilities to ATT&CK • Map the tools you have to the ATT&CK Matrix • This will give you a place to start and a way to track and rate your activities
  22. Sample of ATT&CK and Applications
  23. Mitre ATT&CK • This is a good place to start and map all your detection, prevention, and hunt activities to • Not enough details as to how – You will need to map them – Or find someone that has, maybe a product(s) • Add your Web Proxy • Add your WAF • Add your IPS • Add Network tools • Add code scanners • Fill any other gaps • Of course… ADD YOUR LOGGING!!!
  24. Mitre ATT&CK – Logging • Let’s look at Windows Logging, my personal favorite • Most Techniques can be mapped to logging • Add Log Management • Add some Sysmon or WLS to the logs for more details • Add LOG-MD-Pro, and other tools or script(s) • Add a solution to query the OS (I love BigFix) • Add Network tools • Fill other gaps • See the previous slide for application stuff
  25. Map your capabilities to ATT&CK • The Windows ATT&CK Logging Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs
  26. Map your capabilities to ATT&CK • The Windows LOG-MD ATT&CK Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs, LOG-MD, and Sysmon
  27. Find your Gaps and Strengths • By filling out the ATT&CK matrix with YOUR capabilities, you begin to understand what you CAN and CAN NOT do against the actual tactics and techniques the bad guys use against you • I was shocked, I mean SHOCKED, at how much I do in Windows logging mapped to actual tactics and techniques • But then again I have been practicing Malware Management since I created it over 6 years ago
  28. Example Suspicious PowerShell Hunt
  29. How do I Hunt for PS? • Without Log Management? • Or with it – we consume LOG-MD-Pro logs into Log Management too
  30. TOOLS
  31. What is available to you • MITRE ATT&CK Navigator • You select the items you have, select colors, and export it
  32. ATT&CK Navigator • ATT&CK Navigator – Https:// • Mobile too – • Pre-ATT&CK –
  33. SOCPrime
  34. SOCPrime • TDM – Threat Detection Marketplace • SIGMA Rules – Generic Signature Format for SIEM Systems • ATT&CK mappings • Lots of log solution options • Convert from one platform to another • SIGMA rule converter • Subscription service to gain access • Some free SIGMA-based rules
  35. Tools • Unfetter – – • Tanium – the-mitre-attack-framework-improving-detection-capabilities/ • SIGMA – –
  36. API • MITRE has an API for ATT&CK – • Cyb3rWarD0g – Invoke-ATTACKAPI – • Mitre Pre-ATT&CK Mappings • ft/ATT%26CK-Stuff • Blog on Brute Force example with ATT&CK – case.html
  38. HUNT! • Some say create a hypothesis • I say start by eliminating things you CAN hunt for and know you do NOT have • Then build more hypotheses • Map your capabilities to ATT&CK • For Windows logging and LOG-MD there are 2 Cheat Sheets mapped to ATT&CK –
  39. Conclusion • MITRE ATT&CK is GREAT stuff • It gives you a way to measure what you have and can detect, based on what your adversaries ACTUALLY do, not what compliance, an auditor, or a consultant says • You don’t have to get very detailed at first • Use simple coloring at first – Green (good), Yellow (needs work), Red (poor), no color (we got nuttin) • Expand it once you map it • Then expand as you rate your capabilities • But get to know this framework!
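The Navigator colouring scheme from slides 31 and 39 as an added example, not code from the talk or from MITRE: it turns a constructed set of capability ratings into a Navigator layer and computes per-tactic coverage to surface gaps and strengths. The layer field names (techniqueID, tactic, color, comment, legendItems, domain) are assumed from the Navigator layer format and should be checked against the Navigator version you run; the technique IDs and the notes are constructed sample ratings, not the author's actual mapping.

```python
"""Build an ATT&CK Navigator layer from the talk's simple rating scheme.
Added example, not from the talk or MITRE; the layer field names are assumed
from the Navigator layer format and should be checked against your Navigator."""
import json

# Rating -> colour, following slide 39: Green good, Yellow needs work, Red poor.
COLORS = {"green": "#00ff00", "yellow": "#ffff00", "red": "#ff0000"}

# Constructed sample ratings: technique ID -> (tactic short name, rating, note).
# "none" means we got nuttin, so the cell is left uncoloured on the matrix.
RATINGS = {
    "T1110": ("credential-access", "green", "4625 counts per source in SIEM"),
    "T1003": ("credential-access", "yellow", "Sysmon data collected, no alert yet"),
    "T1086": ("execution", "green", "PowerShell script block logging"),
    "T1053": ("execution", "red", "scheduled task events collected, no rule"),
    "T1055": ("defense-evasion", "none", ""),
}

def build_layer(ratings, name="Capability map"):
    """Return a Navigator layer dict; unrated techniques get no colour."""
    techniques = []
    for tid, (tactic, rating, note) in ratings.items():
        entry = {"techniqueID": tid, "tactic": tactic, "comment": note}
        if rating in COLORS:
            entry["color"] = COLORS[rating]
        techniques.append(entry)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Green good, Yellow needs work, Red poor, blank = nothing",
        "techniques": techniques,
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()],
    }

def coverage_by_tactic(ratings):
    """Share of techniques per tactic rated green, to find gaps and strengths."""
    totals, good = {}, {}
    for tactic, rating, _ in ratings.values():
        totals[tactic] = totals.get(tactic, 0) + 1
        good[tactic] = good.get(tactic, 0) + (rating == "green")
    return {t: good[t] / totals[t] for t in totals}

if __name__ == "__main__":
    print(json.dumps(build_layer(RATINGS), indent=2))
    print(coverage_by_tactic(RATINGS))
```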
  40. Additional Reading • This Is the Fastest Way to Hunt Windows Endpoints – fastestwaytohuntonwindowsv101 – SANS will post the video at some point • SANS THIR 2018 PDFs and videos – Most of the talks had ATT&CK involved • Quantify Your Hunt: Not Your Parents' Red Team – Devon Kerr and Roberto – 1536351477.pdf • Finding Related ATT&CK Techniques – f1a4e8dfe2b6
  41. Questions • You can find us on the Twitters – @HackerHurricane • Preso will be on SlideShare and linked on • Listen to the podcast to hear the rest of this topic –