
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo


Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.


  1. ©2018 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18-1528-15.
     ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK™
     Katie Nickels, John Wunder
     August 7, 2018
  2. The Plan for Today
     ▪ Define the challenges we’re facing
     ▪ Explain what ATT&CK is
     ▪ Show how to use it for:
       – Threat intelligence
       – Detection and analytics
     ▪ Tell you what’s next for ATT&CK
     ▪ Chat as a community
  3. Tough Questions for Defenders
     ▪ How effective are my defenses?
     ▪ Do I have a chance at detecting APT28?
     ▪ Is the data I’m collecting useful?
     ▪ Do I have overlapping tool coverage?
     ▪ Will this *shiny new* product from vendor XYZ help my organization’s defenses?
  4. The Difficult Task of Detecting TTPs
     [Figure: David Bianco’s Pyramid of Pain. Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html]
  5. What is ATT&CK?
     A knowledge base of adversary behavior
     ➢ Based on real-world observations
     ➢ Free, open, and globally accessible
     ➢ A common language
     ➢ Community-driven
  6. Zooming in on the Adversary Lifecycle
     Lifecycle phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
     Pre-compromise categories: Priority Definition (Planning, Direction); Target Selection; Information Gathering (Technical, People, Organizational); Weakness Identification (Technical, People, Organizational); Adversary OpSec; Establish & Maintain Infrastructure; Persona Development; Build Capabilities; Test Capabilities; Stage Capabilities
     Enterprise tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control
  7. Spanning Multiple Technology Domains
     Enterprise: Windows, Linux, macOS
     Mobile: Android, iOS
  8. What is ATT&CK, really?
     [Figure: the ATT&CK Enterprise matrix, one column per tactic (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control), listing the techniques under each tactic]
     Tactics: the adversary’s technical goals
     Techniques: how the goals are achieved
     Procedures: specific technique implementation
  9. Example Technique: New Service
     Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. [1]
     Platform: Windows
     Permissions required: Administrator, SYSTEM
     Effective permissions: SYSTEM
     Detection:
       • Monitor service creation through changes in the Registry and common utilities using command-line invocation
       • …
     Mitigation:
       • Limit privileges of user accounts and remediate Privilege Escalation vectors
       • …
     Data sources: Windows registry, process monitoring, command-line parameters
     Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
     References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
  10. Example Group: APT28
     Description: APT28 is a threat group that has been attributed to the Russian government. [1][2][3][4] This group reportedly compromised the Democratic National Committee in April 2016. [5]
     Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 [1][2][3][4][5][6][7]
     Techniques:
       • Data Obfuscation [1]
       • Connection Proxy [1][8]
       • Standard Application Layer Protocol [1]
       • Remote File Copy [8][9]
       • Rundll32 [8][9]
       • Indicator Removal on Host [5]
       • Timestomp [5]
       • Credential Dumping [10]
       • Screen Capture [10][11]
       • Bootkit [7]
       • and more…
     Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil [1][3][6]
     References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. …
  11. Example Software: CHOPSTICK
     Description: CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. [1][2][3]
     Aliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp
     Techniques:
       • Input Capture – CHOPSTICK is capable of performing keylogging. [5][2]
       • Command-Line Interface – CHOPSTICK is capable of performing remote command execution. [5]
       • Fallback Channels – CHOPSTICK can switch to a new C2 channel if the current one is broken. [2]
       • Connection Proxy – CHOPSTICK used a proxy server between victims and the C2 server. [2]
       • and more…
     Groups: APT28
     References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. …
  12. How can I actually *use* it?
     Threat Intelligence
     Detection (example analytic, in the pseudo-language used by the Cyber Analytic Repository):
         processes = search Process:Create
         reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
         cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
         reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
         output reg_and_cmd
     [Figure: ATT&CK matrix heatmap with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control]
     Adversary Emulation
     Assessment and Engineering
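The pseudo-analytic on slide 12, as an added example that is not from the talk or the Cyber Analytic Repository, implemented in Python over constructed Process:Create events. The event fields (hostname, pid, ppid, exe, parent_exe) are the ones the slide uses; the sample telemetry is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    """One Process:Create event, with the fields the slide's analytic uses."""
    hostname: str
    pid: int
    ppid: int
    exe: str
    parent_exe: str
    command_line: str


def reg_via_non_interactive_cmd(
    events: Iterable[ProcessCreate],
) -> List[Tuple[ProcessCreate, ProcessCreate]]:
    """Return (reg, cmd) pairs where reg.exe was launched by a cmd.exe that
    explorer.exe did not start, i.e. the shell is not an interactive user
    session (a script, a scheduled task, a document macro, ...)."""
    processes = list(events)  # processes = search Process:Create

    # reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
    reg = [p for p in processes
           if p.exe.lower() == "reg.exe" and p.parent_exe.lower() == "cmd.exe"]

    # cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
    # Keyed on (hostname, pid): pids repeat across hosts, so the join needs both.
    cmd = {(p.hostname, p.pid): p for p in processes
           if p.exe.lower() == "cmd.exe" and p.parent_exe.lower() != "explorer.exe"}

    # reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
    reg_and_cmd = []
    for r in reg:
        parent = cmd.get((r.hostname, r.ppid))
        if parent is not None:
            reg_and_cmd.append((r, parent))
    return reg_and_cmd  # output reg_and_cmd


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # ws-a: a user opens a prompt from the desktop and queries the registry -> interactive, not a hit
    ProcessCreate("ws-a", 200, 100, "cmd.exe", "explorer.exe", "cmd.exe"),
    ProcessCreate("ws-a", 300, 200, "reg.exe", "cmd.exe", "reg query HKCU\\Software"),
    # ws-a: a document spawns cmd.exe, which runs reg.exe -> hit
    ProcessCreate("ws-a", 500, 400, "cmd.exe", "winword.exe", "cmd.exe /c ... (constructed)"),
    ProcessCreate("ws-a", 600, 500, "reg.exe", "cmd.exe", "reg add ... (constructed)"),
    # ws-b: pid 500 here is an interactive shell; the hostname key keeps it apart from ws-a's pid 500
    ProcessCreate("ws-b", 500, 120, "cmd.exe", "explorer.exe", "cmd.exe"),
    ProcessCreate("ws-b", 700, 500, "reg.exe", "cmd.exe", "reg query HKLM\\Software"),
]


def sample_hits() -> List[Tuple[str, int, int]]:
    """(hostname, reg.exe pid, cmd.exe pid) for each hit on the constructed sample."""
    return [(r.hostname, r.pid, c.pid) for r, c in reg_via_non_interactive_cmd(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for host, reg_pid, cmd_pid in sample_hits():
        print(f"{host}: reg.exe pid {reg_pid} spawned by non-interactive cmd.exe pid {cmd_pid}")
```

Without the hostname term in the join, ws-b's reg.exe would be wrongly paired with ws-a's flagged cmd.exe, which is why the slide's analytic joins on both fields.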
  13. All the ATT&CK Things!
     Public ATT&CK Knowledge Base: attack.mitre.org
     ATT&CK Navigator: mitre.github.io/attack-navigator
     Structured Content: github.com/mitre/cti, cti-taxii.mitre.org
     Adversary Emulation Plans: attack.mitre.org/wiki/Adversary_Emulation_Plans
     Cyber Analytic Repository: car.mitre.org
  14. ATT&CK for Threat Intelligence
  15. The Status Quo in Threat Intelligence
     Reliance on indicators
     So. Many. Reports!
     Tough to apply intel to defense
  16. So what can we do? Structure threat intelligence using ATT&CK! Here’s how…
  17. “Extracting” ATT&CK techniques from a threat report
     Report: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
     T1068 – Exploitation for Privilege Escalation
     T1059 – Command-Line Interface
     T1033 – System Owner/User Discovery
     T1053 – Scheduled Task
     T1065 – Uncommonly Used Port
     T1095 – Standard Non-Application Layer Protocol
     T1104 – Multi-Stage Channels
  18. APT28 techniques*
     [Figure: ATT&CK matrix heatmap with tactic columns Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control]
     *from open source reporting we’ve mapped
  19. APT29 techniques
     [Figure: ATT&CK matrix heatmap, same tactic columns as slide 18]
  20. Comparing APT28 and APT29
     [Figure: ATT&CK matrix heatmap, same tactic columns as slide 18; legend: APT28, APT29, Both groups]
     Overlay known gaps
  21. Example from industry – Unit 42 Adversary Playbook
     https://pan-unit42.github.io/playbook_viewer/
  22. Implementation Tips
     ▪ Tailor your existing threat intel repository
       – Threat Intelligence Platforms are starting to support ATT&CK (MISP, ThreatQ, others)
     ▪ Have the threat intel originator do it
     ▪ Start at the tactic level
     ▪ Use existing website examples
     ▪ Work as a team
     ▪ Remember it’s still human analysis
  23. So what does this get us?
     Status Quo → ATT&CKing threat intel
     So. Many. Reports! → Structures threat intel so it’s easier to consume a lot of it
     Tough to apply intel to defenses → Provides a way to directly compare intel to defenses
     Reliance on indicators → Moves to TTPs and behaviors
     ▪ Plus!
       – Gives us a common language to communicate
       – Allows us to compare groups
  24. Detection and Analytics
  25. Analytics vs. Indicators
     Indicators: known malicious behavior; fewer false positives; more atomic; higher quantity
     Analytics: suspicious behavior; more false positives; broader; lower quantity
  26. How do analytics work?
     ▪ Analytics look for observable events and artifacts that indicate adversary behavior
       – E.g., if an adversary uses RDP, Windows Event Logs will show a Login with type=RemoteInteractive
     ▪ The trick: distinguishing the good from the bad
     [Figure: overlapping Good and Bad circles, labelled “Almost everything in ATT&CK”; an arrow labelled “Evidence” leading to separate Good and Bad circles, labelled “Our goal: place event in one circle”]
  27. Example: Detecting UAC Bypass
         index=__your sysmon stuff__ IntegrityLevel=High
         | search (
             ParentImage=c:\windows\system32\fodhelper.exe
             OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*"
             OR ... )
         | eval PossibleTechniques=case(
             like(lower(ParentImage), "c:\windows\system32\fodhelper.exe"), "UACME #33",
             like(lower(CommandLine), "%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34",
             ... )
     FOR ILLUSTRATIVE PURPOSES ONLY – INCOMPLETE
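The slide-27 search expressed as a small Python analytic over constructed Sysmon-style process events, as an added example that is not from the talk. The rule table mirrors the slide's case() mapping and, like the slide, is illustrative and incomplete; the UACME method numbers are the ones the slide cites.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# (field, case-insensitive glob, label): the slide's case() branches as data.
# Same caveat as the slide: for illustrative purposes only, incomplete.
UAC_BYPASS_RULES: List[Tuple[str, str, str]] = [
    ("ParentImage", r"c:\windows\system32\fodhelper.exe", "UACME #33"),
    ("CommandLine", r'*.exe"*cleanmgr.exe /autoclean*', "UACME #34"),
]


def possible_technique(event: Event) -> Optional[str]:
    """Label an event with the bypass method it may correspond to, or None."""
    # IntegrityLevel=High: only children that actually ended up elevated matter;
    # that is what separates a successful bypass from ordinary use of these binaries.
    if event.get("IntegrityLevel") != "High":
        return None
    for field, pattern, label in UAC_BYPASS_RULES:
        # lower() on both sides mirrors like(lower(field), pattern) in the search
        if fnmatchcase(event.get(field, "").lower(), pattern.lower()):
            return label
    return None


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """(Image, label) for every event that matched a rule."""
    hits = []
    for e in events:
        label = possible_technique(e)
        if label:
            hits.append((e.get("Image", "?"), label))
    return hits


# Constructed Sysmon-style process events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # elevated child of fodhelper.exe -> UACME #33
    {"IntegrityLevel": "High", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "CommandLine": "cmd.exe"},
    # a foreign .exe ahead of the cleanmgr /autoclean command line -> UACME #34
    {"IntegrityLevel": "High", "Image": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\x.exe" C:\Windows\System32\cleanmgr.exe /autoclean /d C:'},
    # same parent but the child never became elevated -> no hit
    {"IntegrityLevel": "Medium", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "CommandLine": "cmd.exe"},
    # elevated, but via an ordinary consent prompt from explorer.exe -> no hit
    {"IntegrityLevel": "High", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mmc.exe"},
]


if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {image}")
```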
  28. Developing an Analytic
     ▪ Read the ATT&CK page and understand the attack
       – Think from an adversary perspective
       – Try to mentally separate legitimate usage from malicious usage
     ▪ Try it
       – Carry out the attacks via your own testing or pre-written scripts
       – What does it look like in the logs?
     ▪ Write and iterate
       – Write your first search, narrow down false positives, and iterate
       – Keep testing – make sure you check for a variety of ways it can be used, not just the easiest
  29. Measuring Defense: what can you cover?
     [Figure: ATT&CK matrix with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control, listing the techniques under each]
  30. Prioritizing techniques
     [Figure: the same matrix as slide 29 with techniques shaded by the legend below]
     Legend: Low Confidence of Detection; Moderate Confidence of Detection; High Confidence of Detection; IOC Coverage; Prioritized Adversary Techniques
     Define your threat model → Assess your coverage → Identify gaps → Fill gaps
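The group comparison of slide 20 and the define-threat-model / assess-coverage / identify-gaps loop of slide 30, as an added example that is not from the talk. APT28's techniques are the ones listed on slide 10; the APT29 set and the coverage assessment are constructed placeholders, not mappings from reporting.

```python
from typing import Dict, List, Set, Tuple

# APT28: technique names from slide 10. APT29: constructed for illustration only.
GROUP_TECHNIQUES: Dict[str, Set[str]] = {
    "APT28": {"Data Obfuscation", "Connection Proxy", "Standard Application Layer Protocol",
              "Remote File Copy", "Rundll32", "Indicator Removal on Host", "Timestomp",
              "Credential Dumping", "Screen Capture", "Bootkit"},
    "APT29": {"Remote File Copy", "Rundll32", "Credential Dumping", "PowerShell",
              "Web Service", "Standard Application Layer Protocol"},  # constructed
}

# Confidence levels from the slide-30 legend, weakest first; "ioc" is IOC-only coverage.
CONFIDENCE = ["none", "ioc", "low", "moderate", "high"]

# Constructed coverage assessment; any technique not listed is uncovered ("none").
COVERAGE: Dict[str, str] = {
    "Credential Dumping": "high",
    "Rundll32": "moderate",
    "PowerShell": "moderate",
    "Remote File Copy": "low",
    "Standard Application Layer Protocol": "ioc",
    "Bootkit": "none",
}


def compare_groups(a: str, b: str, groups: Dict[str, Set[str]] = GROUP_TECHNIQUES) -> Dict[str, Set[str]]:
    """The three layers of the slide-20 overlay: used by both, only by a, only by b."""
    ta, tb = groups[a], groups[b]
    return {"both": ta & tb, f"only {a}": ta - tb, f"only {b}": tb - ta}


def prioritize_gaps(
    groups: Dict[str, Set[str]],
    coverage: Dict[str, str],
    min_confidence: str = "moderate",
) -> List[Tuple[str, int, str]]:
    """Define the threat model (every technique any tracked group uses), assess
    coverage against it, and return the gaps as (technique, group_count, confidence),
    ordered by how many groups use the technique and then by how weak detection is."""
    threshold = CONFIDENCE.index(min_confidence)
    usage: Dict[str, int] = {}
    for techniques in groups.values():
        for t in techniques:
            usage[t] = usage.get(t, 0) + 1
    gaps = []
    for t, n in usage.items():
        conf = coverage.get(t, "none")
        if CONFIDENCE.index(conf) < threshold:
            gaps.append((t, n, conf))
    gaps.sort(key=lambda g: (-g[1], CONFIDENCE.index(g[2]), g[0]))
    return gaps


if __name__ == "__main__":
    for layer, techniques in compare_groups("APT28", "APT29").items():
        print(f"{layer}: {sorted(techniques)}")
    for technique, n, conf in prioritize_gaps(GROUP_TECHNIQUES, COVERAGE):
        print(f"gap: {technique} (used by {n} group(s), detection confidence: {conf})")
```

Techniques shared by both groups and covered only by indicators surface first, which is the overlay of "known gaps" on the group comparison that slide 20 describes.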
  31. Working together
     Filling the gaps is hard, time-consuming, and expensive.
       • There are a lot of prevalent techniques
       • Adversary practices are always evolving
       • Techniques have a wide set of procedures
       • We all have limited resources
       • Requires in-depth expertise of system internals
     But you’re not alone.
       • Work with your red team
       • Work with others in your industry
       • Talk on Twitter or Slack
       • Contribute to open source
       • Read blogs and blog yourself!
  32. Challenge area: being realistic about coverage
     ▪ ATT&CK coverage heatmaps are great
       – Easy to understand
       – From a defender perspective “ ” straightforward
     ▪ BUT: Understanding coverage this way is often deceiving and doesn’t align with how attacks are actually detected
       1. ATT&CK techniques can be executed and detected in many ways
       2. Detecting single ATT&CK techniques is usually not the right level of abstraction
  33. Challenge area: handling false positives
     ▪ We think we need to develop comprehensive coverage, but is it realistic with current FP rates and current approaches to detection?
       – Analytics are noisy, and more coverage means more false positives
       – Waste of analyst time, alert fatigue, etc.
     Novel Approaches: detecting event graphs; machine learning; tighten the feedback loop; target detections
  34. Challenge area: getting and searching data
     ▪ Analytics require increasing amounts of data
       – , “ ” markers become less useful
       – Data often needs to come from endpoint + network + infrastructure
     Collection
     ▪ Can collection be targeted?
     ▪ Can collection be agile?
     ▪ Can collection be decentralized?
     Search
     ▪ How can graph-based search scale?
     ▪ How can you make effective use of your resources?
  35. Getting started on your own
     ▪ Take a look at Detection Lab
       – https://github.com/clong/DetectionLab
       – https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
     ▪ Be bad!
       – Atomic Red Team has a lot of commands to try: https://atomicredteam.io/
     ▪ See what bad looks like, write some detections.
       – https://github.com/Cyb3rWard0g/ThreatHunter-Playbook is a good place for inspiration
     ▪ Share!
  36. Bringing it all together…
  37. Threat-informed defense, but for real
     [Figure: a cycle of Structured Threat Intel → Intel-Driven Adversary Emulation → An ever-improving & validated defense]
  38. What’s next for ATT&CK?
     Create a new website and infrastructure that makes ATT&CK easier to use
     Continue to expand the ATT&CK community
     Open up the development and governance of ATT&CK
     Improve and add to ATT&CK content:
       • Sub-techniques
       • Impacts
       • New technology domains
  39. Let’s Chat!
     ▪ Any questions for us?
     ▪ How have you tackled the challenges we discussed?
     ▪ If this is new to you…
       – How do you think you could use ATT&CK?
       – What could we do to help you start?
     ▪ If you’re already familiar with ATT&CK…
       – How are you using it?
       – What could we do to help you do that better?
     ▪ What is missing from ATT&CK?
  40. Contact
     Katie Nickels – @likethecoins
     John Wunder – @jwunder
     attack.mitre.org | attack@mitre.org | @MITREattack
