©2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK™
Katie Nickels
Cody Thomas
SANS Threat Hunting & Incident Response Summit
September 6, 2018
How we define threat hunting
“Human act of looking for badness that is not yet detected successfully.”
-Sergio Caltagirone
Problem: I need a threat to hunt for!
Solution: Create one by emulating real adversaries.
Tough questions for defenders
▪ How do I organize threat hunting?
▪ How do I know that my hunting techniques will work?
▪ Do I have a chance at detecting APT28?
▪ Is the data I’m collecting useful?
▪ Do I have overlapping tool coverage?
▪ Will this *shiny new* product from vendor XYZ help my organization’s defenses?
The difficult task of detecting TTPs
[Figure: David Bianco’s Pyramid of Pain. Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html]
Also applies to red teamers!
What is ATT&CK?
A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven
Zooming in on the Adversary Lifecycle
[Figure: adversary lifecycle Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain, with the scope of Enterprise ATT&CK and Mobile ATT&CK marked against it]
What is ATT&CK, really?
[Figure: the ATT&CK Enterprise matrix, one column per tactic: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control; each column lists that tactic’s techniques]
Tactics: the adversary’s technical goals
Techniques: how the goals are achieved
Procedures: specific technique implementation
Example Technique: New Service
Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. [1]
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection:
• Monitor service creation through changes in the Registry and common utilities using command-line invocation
• …
Mitigation:
• Limit privileges of user accounts and remediate Privilege Escalation vectors
• …
Data sources: Windows registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
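The technique entry above names two data sources, the Windows registry and process/command-line monitoring, and tells defenders to watch both. The following script is an added example (not from the MITRE deck or from ATT&CK itself) of what that detection looks like when both sources are checked and then correlated: a service name seen in an `sc create` or `New-Service` command line and an `ImagePath` value written under the `Services` key for the same host within a short window is graded higher than either signal alone. The event tuple shape is Sysmon-like but constructed, as are all hosts, timestamps and service names.

```python
"""Flag new-service creation from the two data sources the technique page names.

Added example, not from the MITRE deck: the New Service entry lists 'Windows
registry' and 'process monitoring / command-line parameters' as data sources and
says to monitor Registry changes and command-line service creation. This script
applies both checks to constructed, Sysmon-style events and raises severity
when registry and command-line evidence agree for the same service on the same
host within a short window. Event shape and all sample values are constructed.
"""
import re
from datetime import datetime, timedelta

# A new service is registered under this key; ImagePath being written is the
# strongest single registry indicator that a service is being created (a
# 'Start' value change on an existing service is deliberately not matched).
SERVICES_IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<name>[^\\]+)\\ImagePath$", re.I
)

# Command-line creators: sc.exe (optionally against a remote host) and the
# PowerShell New-Service cmdlet (service name may be quoted).
SC_CREATE_RE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+(?P<name>\S+)", re.I
)
NEW_SERVICE_RE = re.compile(
    r"\bNew-Service\b.*?-Name\s+(?:'(?P<q1>[^']+)'|\"(?P<q2>[^\"]+)\"|(?P<bare>\S+))", re.I
)

# Constructed sample events: (ISO timestamp, host, event type, payload).
# 'process' payloads are command lines; 'registry' payloads are target objects.
SAMPLE_EVENTS = [
    ("2018-09-06T10:00:01", "WS01", "process", "svchost.exe -k netsvcs"),
    ("2018-09-06T10:02:10", "WS01", "process",
     'sc create UpdaterSvc binPath= "C:\\Users\\Public\\u.exe" start= auto'),
    ("2018-09-06T10:02:11", "WS01", "registry",
     r"HKLM\System\CurrentControlSet\Services\UpdaterSvc\ImagePath"),
    ("2018-09-06T10:15:00", "SRV02", "registry",
     r"HKLM\System\CurrentControlSet\Services\Spooler\Start"),  # existing service
    ("2018-09-06T10:20:00", "SRV02", "process", "sc query Spooler"),  # benign sc use
    ("2018-09-06T11:00:00", "WS03", "process",
     "powershell.exe New-Service -Name 'Backup Agent' -BinaryPathName C:\\tmp\\b.exe"),
]


def service_from_cmdline(cmdline):
    """Return the service name a command line creates, or None."""
    m = SC_CREATE_RE.search(cmdline)
    if m:
        return m.group("name")
    m = NEW_SERVICE_RE.search(cmdline)
    if m:
        return m.group("q1") or m.group("q2") or m.group("bare")
    return None


def service_from_registry(target):
    """Return the service name whose ImagePath was written, or None."""
    m = SERVICES_IMAGEPATH_RE.match(target)
    return m.group("name") if m else None


def detect_new_services(events, window_seconds=60):
    """Group service-creation evidence per (host, service) and grade it.

    Returns alerts sorted by first sighting. Severity is 'high' when both data
    sources report the same service within window_seconds, else 'medium'.
    """
    alerts = {}
    for ts, host, kind, payload in events:
        if kind == "process":
            name = service_from_cmdline(payload)
        elif kind == "registry":
            name = service_from_registry(payload)
        else:
            name = None
        if not name:
            continue
        when = datetime.fromisoformat(ts)
        alert = alerts.setdefault((host, name.lower()), {
            "host": host, "service": name, "sources": set(),
            "first_seen": when, "last_seen": when,
        })
        alert["sources"].add(kind)
        alert["first_seen"] = min(alert["first_seen"], when)
        alert["last_seen"] = max(alert["last_seen"], when)

    for alert in alerts.values():
        corroborated = (len(alert["sources"]) == 2 and
                        alert["last_seen"] - alert["first_seen"]
                        <= timedelta(seconds=window_seconds))
        alert["severity"] = "high" if corroborated else "medium"
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect_new_services(SAMPLE_EVENTS):
        print(f"{a['severity']:6} {a['host']} {a['service']!r} via {sorted(a['sources'])}")
```

Running it on the sample yields a high-severity alert for `UpdaterSvc` on WS01 (both sources agree within a second) and a medium one for `Backup Agent` on WS03 (command line only); the Spooler `Start` change and `sc query` produce nothing, which is the false-positive behaviour you want from a rule keyed on creation rather than any touch of the Services key.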
Example Group: APT28
Description: APT28 is a threat group that has been attributed to the Russian government. [1][2][3][4] This group reportedly compromised the Democratic National Committee in April 2016. [5]
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 [1][2][3][4][5][6][7]
Techniques:
• Data Obfuscation [1]
• Connection Proxy [1][8]
• Standard Application Layer Protocol [1]
• Remote File Copy [8][9]
• Rundll32 [8][9]
• Indicator Removal on Host [5]
• Timestomp [5]
• Credential Dumping [10]
• Screen Capture [10][11]
• Bootkit [7]
• and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil [1][3][6]
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
…
How to use it: threat-informed defense, but for real
[Figure: Threat Intel, Detection, Adversary Emulation and Hunting shown as connected activities]
What is adversary emulation?
• AKA: Threat-based red teaming
• Adversary emulation
– Emulate the techniques of an adversary that’s most likely to target your environment
– Focus on the behaviors of those techniques instead of specific implementations
Step 1: Choose an adversary and gather threat intel
▪ Identify the adversary you want to emulate
– Consider who’s targeting you and gaps you’re trying to assess
▪ Gather data about that adversary
– Look for post-exploit information
– Consider their tools, aliases, and campaigns
– Think about the time frame
[Process: Gather threat intel → Extract techniques → Analyze & organize → Develop tools → Emulate the adversary]
Choosing an adversary based on gaps
[Figure: ATT&CK Enterprise matrix (Initial Access through Command and Control) with notional gaps in defenses highlighted]
Choosing an adversary based on gaps
[Figure: the same matrix with APT29 techniques highlighted (based only on open source reporting)]
Choosing an adversary based on gaps
[Figure: the same matrix with both overlays; purple = APT29 techniques that can test our gaps]
Step 2: Extract ATT&CK techniques from reports
▪ Look for behaviors
▪ Store the info in a structured way
▪ Have the threat intel originator do it
▪ Start at the tactic level
▪ Use ATT&CK website examples
▪ Work as a team
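The three “Choosing an adversary based on gaps” slides overlay two sets on the matrix (our notional gaps and the adversary’s reported techniques) and colour the intersection purple, and Step 2 asks for extracted techniques to be stored in a structured way. The script below is an added example (not MITRE’s code) that does both: it computes the overlay as set arithmetic and writes the result out as an ATT&CK Navigator layer, the structured form the deck’s own link list points at. Both technique sets are constructed; the adversary set reuses the IDs shown on the extraction slides purely as illustration and is not an APT29 profile. The `techniqueID`/`color`/`comment` keys follow the Navigator layer format; the `version` and `domain` values are an assumption about the layer schema current for this deck.

```python
"""Overlay adversary techniques on defensive gaps and emit a Navigator layer.

Added example, not from the deck. NOTIONAL_GAPS and ADVERSARY_TECHNIQUES are
constructed sets; the adversary IDs come from the deck's extraction slides and
are illustrative only (not an APT29 profile). Layer keys techniqueID, color and
comment follow the ATT&CK Navigator layer format; the schema version string and
domain value are assumptions.
"""
import json

# Constructed: techniques the defender believes are poorly covered.
NOTIONAL_GAPS = {"T1053", "T1059", "T1069", "T1033", "T1018", "T1049", "T1003"}

# Constructed: techniques extracted from open-source reporting on the chosen
# adversary (IDs taken from the deck's extraction slides, used illustratively).
ADVERSARY_TECHNIQUES = {
    "T1068", "T1059", "T1033", "T1053", "T1065", "T1095", "T1104",
    "T1069", "T1049", "T1018", "T1107", "T1057", "T1034",
}

PURPLE, RED, BLUE = "#a020f0", "#ff6666", "#66b3ff"


def plan_overlay(gaps, adversary):
    """Split techniques into: testable gaps, gaps this adversary would not
    exercise, and adversary techniques whose coverage is believed adequate."""
    testable = gaps & adversary          # purple on the slide: emulate these
    gaps_only = gaps - adversary         # still need another emulation or control
    adversary_only = adversary - gaps    # reported behaviour, coverage believed OK
    return testable, gaps_only, adversary_only


def gap_test_coverage(gaps, adversary):
    """Fraction of our gaps that emulating this adversary would exercise."""
    if not gaps:
        return 0.0
    return len(gaps & adversary) / len(gaps)


def navigator_layer(name, gaps, adversary):
    """Build a Navigator layer dict colouring each technique by overlay class."""
    testable, gaps_only, _ = plan_overlay(gaps, adversary)
    techniques = []
    for tid in sorted(gaps | adversary):
        if tid in testable:
            color, comment = PURPLE, "gap AND reported adversary technique: emulate to test"
        elif tid in gaps_only:
            color, comment = RED, "gap; not reported for this adversary"
        else:
            color, comment = BLUE, "reported adversary technique; coverage believed adequate"
        techniques.append({"techniqueID": tid, "color": color,
                           "comment": comment, "enabled": True})
    return {
        "name": name,
        "version": "2.2",               # assumed layer-format version
        "domain": "mitre-enterprise",   # assumed domain identifier
        "description": "Constructed overlay of notional gaps vs. adversary techniques",
        "techniques": techniques,
    }


def count_by_color(layer):
    """Summarise a layer as {color: number of techniques}."""
    counts = {}
    for t in layer["techniques"]:
        counts[t["color"]] = counts.get(t["color"], 0) + 1
    return counts


if __name__ == "__main__":
    layer = navigator_layer("Emulation candidate overlay",
                            NOTIONAL_GAPS, ADVERSARY_TECHNIQUES)
    print(json.dumps(layer, indent=2))
    print("gap coverage:", round(gap_test_coverage(NOTIONAL_GAPS, ADVERSARY_TECHNIQUES), 2))
```

The `gap_test_coverage` ratio is the number a practitioner compares across candidate adversaries: an adversary whose reported techniques exercise six of seven gaps is a better emulation choice, for the purpose the slides describe, than one that exercises two, regardless of how many techniques it has in total.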
How to extract ATT&CK techniques
Source report: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Techniques extracted:
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1095 - Standard Non-Application Layer Protocol
T1104 - Multi-Stage Channels
How to extract ATT&CK techniques
Source report: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
Techniques extracted:
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception
Step 3: Analyze and organize techniques and intel
▪ Establish the adversary’s goal
▪ Consider adversary M.O.
▪ Think about the why, what, and how
– In ATT&CK: Tactic, Technique, Procedure
Analyze intel for adversary M.O.
“They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure”
Source: https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
“Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents”
Source: https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
“The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.”
Source: https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
Organize intel into technique flow
▪ Provide order to techniques
– Not going to be perfect
– Techniques have their own required ordering
– Feeds the emulation plan
Organize technique flow into plan phases
▪ This is the hardest part of the puzzle
▪ No plan will be perfect, so approximate where needed
▪ This isn’t a replay of an incident - variation is OK
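The two slides above say that techniques carry their own required ordering and that the resulting plan only needs to be approximate. One mechanical way to get from an unordered set of extracted techniques to plan phases, offered here as an added example (not the deck’s or MITRE’s method), is to record the prerequisite each technique needs and then run a level-by-level topological sort: every technique in phase N depends only on techniques in earlier phases, and anything left over signals a cycle the analyst has to break by hand. The technique IDs and names are the ones on the extraction slides; the prerequisite edges are constructed analyst judgements, not ATT&CK data.

```python
"""Turn an unordered set of extracted techniques into ordered plan phases.

Added example, not from the deck. Each extracted technique carries the
techniques an analyst judged must come first; a level-by-level topological sort
(Kahn's algorithm) yields phases in which everything in phase N depends only on
earlier phases. Technique IDs and names are from the deck's extraction slides;
the prerequisite edges are constructed analyst judgements, not ATT&CK data.
"""
from collections import deque

# technique ID -> (tactic, name, prerequisite technique IDs)   [constructed]
TECHNIQUE_FLOW = {
    "T1059": ("Execution", "Command-Line Interface", []),
    "T1033": ("Discovery", "System Owner/User Discovery", ["T1059"]),
    "T1057": ("Discovery", "Process Discovery", ["T1059"]),
    "T1069": ("Discovery", "Permission Groups Discovery", ["T1059"]),
    "T1049": ("Discovery", "System Network Connections Discovery", ["T1059"]),
    "T1018": ("Discovery", "Remote System Discovery", ["T1049"]),
    "T1068": ("Privilege Escalation", "Exploitation for Privilege Escalation", ["T1033"]),
    "T1034": ("Privilege Escalation", "Path Interception", ["T1033", "T1057"]),
    "T1053": ("Persistence", "Scheduled Task", ["T1068"]),
    "T1107": ("Defense Evasion", "File Deletion", ["T1053"]),
}


def plan_phases(flow):
    """Return a list of phases; each phase is a sorted list of technique IDs.

    Raises ValueError if prerequisites form a cycle or name an unknown
    technique, since such a plan cannot be executed in order.
    """
    unknown = {p for _, _, prereqs in flow.values() for p in prereqs} - set(flow)
    if unknown:
        raise ValueError(f"unknown prerequisite(s): {sorted(unknown)}")

    indegree = {tid: len(prereqs) for tid, (_, _, prereqs) in flow.items()}
    dependents = {tid: [] for tid in flow}
    for tid, (_, _, prereqs) in flow.items():
        for p in prereqs:
            dependents[p].append(tid)

    # Phase 1 is everything with no prerequisites; each later phase is whatever
    # became unblocked once the previous phase was "done".
    ready = deque(sorted(t for t, d in indegree.items() if d == 0))
    phases, placed = [], 0
    while ready:
        phase = sorted(ready)
        ready.clear()
        for tid in phase:
            placed += 1
            for child in dependents[tid]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
        phases.append(phase)
    if placed != len(flow):
        raise ValueError("prerequisite cycle: plan cannot be ordered")
    return phases


def is_orderable(flow):
    """True if plan_phases would succeed (no cycles, no unknown prerequisites)."""
    try:
        plan_phases(flow)
        return True
    except ValueError:
        return False


def describe(flow, phases):
    """Render phases as 'Phase N: T1xxx name (tactic)' lines."""
    lines = []
    for n, phase in enumerate(phases, start=1):
        for tid in phase:
            tactic, name, _ = flow[tid]
            lines.append(f"Phase {n}: {tid} {name} ({tactic})")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(TECHNIQUE_FLOW, plan_phases(TECHNIQUE_FLOW))))
```

Techniques that land in the same phase (the four discovery techniques in phase 2, for instance) have no ordering constraint between them, which is exactly where the slides’ “approximate where needed” and “variation is OK” apply: the emulation team picks an order inside the phase without breaking any dependency.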
Step 4: Develop tools to emulate behaviors
▪ What are the COTS / Open Source tools available?
– Can you exhibit the right behaviors with these tools?
– Can you extend or modify them?
▪ Do you need to develop something specific?
– Delivery mechanisms, Command and Control, Capabilities
▪ Create payloads “inspired by” the adversary’s tradecraft
– Modify IoCs and behaviors if possible
– Obfuscate with purpose, NOT all the things – “over-obfuscation” is itself suspicious!
What is behavioral emulation for TTPs?
▪ Performing adversary techniques with variations
– Adversary created “C:aos.exe” for Priv Esc via path interception
▪ You intercept any service path that runs under higher privileges
– Adversary used “PSExec” for Lateral Movement
▪ You do it manually with “sc.exe” or via PowerShell
– Adversary runs “whoami” for Discovery
▪ You do it with environment variables “%USERDOMAIN%\%USERNAME%”
Defining your toolset
▪ Don’t limit yourself to a single environment or tool
– Python, PowerShell, Command-Line, Custom Binary, etc.
▪ Do stay within the behavior boundaries
Create an Adversary Emulation Field Manual
▪ Provides multiple implementations across toolsets
▪ Provides offensive command-line examples
▪ Create this as you go, and use for reference later
Example entry: T1069 - Permission Groups Discovery: net localgroup; net group /domain; wmic group; [and more…]
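The field manual entry above lists several implementations of one technique, and the behavioral-emulation slide earlier swaps `whoami` for the `%USERDOMAIN%` and `%USERNAME%` environment variables. The defender’s side of that idea is a detection written at the behaviour level, so that it fires on every implementation rather than on one tool string. The script below is an added example (not from the deck) that classifies constructed command lines against behaviour-level rules for T1069 and T1033 and compares the hit count with a tool-specific signature set; the rule regexes and sample command lines are constructed, and the `$env:USERNAME` variant is my addition rather than one the slides list.

```python
"""Map command lines to ATT&CK techniques by behaviour, not by one tool.

Added example, not from the deck. BEHAVIOUR_RULES covers the implementations
the field-manual slide lists for T1069 (net localgroup, net group /domain,
wmic group) and the whoami / environment-variable variants of T1033 from the
behavioural-emulation slide; the $env:USERNAME rule is my addition. Regexes and
sample command lines are constructed.
"""
import re
from collections import Counter

TECHNIQUE_NAMES = {
    "T1069": "Permission Groups Discovery",
    "T1033": "System Owner/User Discovery",
}

# Behaviour-level rules: one technique, several implementations.
BEHAVIOUR_RULES = {
    "T1069": [
        r"\bnet1?(?:\.exe)?\s+localgroup\b",
        r"\bnet1?(?:\.exe)?\s+group\b.*?/domain\b",
        r"\bwmic(?:\.exe)?\s+group\b",
    ],
    "T1033": [
        r"\bwhoami(?:\.exe)?\b",
        r"%USERDOMAIN%\\?%USERNAME%",   # env-var variant from the slide
        r"\$env:USERNAME\b",            # PowerShell variant (my addition)
    ],
}

# Tool-specific signatures a team might have written first: one string each.
TOOL_SIGNATURES = {
    "T1069": [r"\bnet\s+localgroup\b"],
    "T1033": [r"\bwhoami\b"],
}

# Constructed sample process command lines (five discovery, two benign).
SAMPLE_CMDLINES = [
    "net localgroup administrators",
    'net group "Domain Admins" /domain',
    "wmic group get name,sid",
    "whoami /all",
    r"cmd.exe /c echo %USERDOMAIN%\%USERNAME%",
    r"net use \\fs01\share",
    "notepad.exe report.docx",
]


def classify(cmdline, rules):
    """Return the sorted list of technique IDs whose rules match cmdline."""
    return sorted(
        tid for tid, patterns in rules.items()
        if any(re.search(p, cmdline, re.I) for p in patterns)
    )


def coverage(cmdlines, rules):
    """Count, per technique, how many command lines a rule set attributes to it."""
    counts = Counter()
    for line in cmdlines:
        for tid in classify(line, rules):
            counts[tid] += 1
    return dict(counts)


def missed_by_tool_signatures(cmdlines):
    """Command lines the behaviour rules classify but the tool signatures miss."""
    return [line for line in cmdlines
            if classify(line, BEHAVIOUR_RULES) and not classify(line, TOOL_SIGNATURES)]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hits = [f"{t} {TECHNIQUE_NAMES[t]}" for t in classify(line, BEHAVIOUR_RULES)]
        print(f"{line!r:50} -> {hits or ['-']}")
    print("behaviour rules :", coverage(SAMPLE_CMDLINES, BEHAVIOUR_RULES))
    print("tool signatures :", coverage(SAMPLE_CMDLINES, TOOL_SIGNATURES))
    print("missed by tool signatures:", missed_by_tool_signatures(SAMPLE_CMDLINES))
```

On the sample, the behaviour rules attribute three command lines to T1069 and two to T1033, while the tool signatures catch one of each; the three misses are exactly the implementation swaps the emulation slides describe, which is the Pyramid of Pain point from the start of the deck made concrete.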
Step 5: Emulate the adversary
▪ Set up infrastructure and test
– Set up C2 servers & redirector, buy domains, test, install
▪ Emulate the adversary!
– Follow the adversary M.O.
– “Domain Admin” most likely isn’t your goal
– Keep the “speed of the adversary” in mind
▪ Low and slow vs smash and grab
In summary…
▪ Test your hunting capabilities with adversary emulation
▪ Use threat intelligence to drive your emulation
▪ Move toward a threat-based defense
Links
▪ ATT&CK
– https://attack.mitre.org
– github.com/mitre/cti
– cti-taxii.mitre.org
▪ ATT&CK Navigator
– https://github.com/mitre/attack-navigator
– https://mitre.github.io/attack-navigator/enterprise/
▪ Adversary Emulation Plans
– https://attack.mitre.org/wiki/Adversary_Emulation_Plans
▪ CALDERA: Automated Adversary Emulation
– https://github.com/mitre/caldera
▪ Cyber Analytic Repository (CAR)
– https://car.mitre.org
| 30 |
@likethecoins
attack.mitre.org
attack@mitre.org
@MITREattack
Katie Nickels Cody Thomas
@its_a_feature_
© 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
Threat-Based Adversary Emulation with MITRE ATT&CK

  • 1. ©2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19. ATT&CKing the Status Quo: Threat- Based Adversary Emulation with MITRE ATT&CK™ Katie Nickels Cody Thomas SANS Threat Hunting & Incident Response Summit September 6, 2018 | 1 |
  • 2. How we define threat hunting | 2 | “Human act of looking for badness that is not yet detected successfully.” -Sergio Caltagirone Problem: I need a threat to hunt for! Solution: Create one by emulating real adversaries. © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 3. Tough questions for defenders ▪ How do I organize threat hunting? ▪ How do I know that my hunting techniques will work? ▪ Do I have a chance at detecting APT28? ▪ Is the data I’m collecting useful? ▪ Do I have overlapping tool coverage? ▪ Will this *shiny new* product from vendor XYZ help my organization’s defenses? | 3 | © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 4. The difficult task of detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain | 4 | Also applies to red teamers! © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 5. | 5 | What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 6. Zooming in on the Adversary Lifecycle | 6 | Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise Mobile ATT&CK © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 7. Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark Discovery Exploitation of Remote Services Data from Information Repositories Exfiltration Over Physical Medium Remote Access Tools Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for Credential Access Port Knocking Supply Chain Compromise Local Job Scheduling Access Token Manipulation Network Share Discovery Distributed Component Object Model Video Capture Exfiltration Over Command and Control Channel Multi-hop Proxy Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting Spearphishing Attachment Launchctl Process Injection Hooking Peripheral Device Discovery Remote File Copy Automated Collection Data Encoding Signed Binary Proxy Execution Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy Exploit Public-Facing Application Plist Modification LLMNR/NBT-NS Poisoning File and Directory Discovery Replication Through Removable Media Email Collection Automated Exfiltration Multi-Stage Channels User Execution Valid Accounts Screen Capture Exfiltration Over Other Network Medium Web Service Replication Through Removable Media Exploitation for Client Execution DLL Search Order Hijacking Private Keys Permission Groups Discovery Windows Admin Shares Data Staged Standard Non-Application Layer Protocol AppCert DLLs Signed Script Proxy Execution Keychain Pass the Hash Input Capture Exfiltration Over Alternative Protocol Spearphishing via Service CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network Connections Discovery Shared Webroot Data Transfer Size Limits Connection Proxy Spearphishing Link Mshta Launch Daemon Port Knocking Two-Factor Authentication Interception Logon Scripts Data from Local System Multilayer Encryption Drive-by Compromise 
AppleScript Dylib Hijacking Indirect Command Execution System Owner/User Discovery Windows Remote Management Man in the Browser Data Compressed Standard Application Layer ProtocolValid Accounts Source Application Shimming Data from Removable Media Scheduled Transfer Space after Filename AppInit DLLs BITS Jobs Replication Through Removable Media System Network Configuration Discovery Application Deployment Software Commonly Used Port Execution through Module Load Web Shell Control Panel Items Standard Cryptographic Protocol Service Registry Permissions Weakness CMSTP Input Capture Application Window Discovery SSH Hijacking AppleScript Custom Cryptographic Protocol Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy Discovery Taint Shared Content Regsvr32 Path Interception Hidden Files and Directories Kerberoasting Remote Desktop Protocol Data Obfuscation Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services Rundll32 Kernel Modules and Extensions Sudo Caching LC_MAIN Hijacking Account Manipulation System Information Discovery Communication Through Removable Media Third-party Software SID-History Injection HISTCONTROL Credentials in Files Scripting Port Knocking Sudo Hidden Users Security Software DiscoveryGraphical User Interface SIP and Trust Provider Hijacking Setuid and Setgid Clear Command History Multiband Communication Command-Line Interface Exploitation for Privilege Escalation Gatekeeper Bypass Network Service ScanningScreensaver Hidden Window Fallback Channels Service Execution Browser Extensions Deobfuscate/Decode Files or Information Remote System Discovery Uncommonly Used Port Windows Remote Management Re-opened Applications Rc.common Trusted Developer Query Registry | 7 | Initial Access Execution 
Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command & Control What is ATT&CK, really? Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures – Specific technique implementation © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 8. Example Technique: New Service | 8 | Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1 Platform: Windows Permissions required: Administrator, SYSTEM Effective permissions: SYSTEM Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation • … Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors • … Data sources: Windows registry, process monitoring, command-line parameters Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, … References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016. © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 9. Example Group: APT28 | 9 | Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5 Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group- 4127, TG-4127 1 2 3 4 5 6 7 Techniques: • Data Obfuscation 1 • Connection Proxy 1 8 • Standard Application Layer Protocol 1 • Remote File Copy 8 9 • Rundll32 8 9 • Indicator Removal on Host 5 • Timestomp5 • Credential Dumping 10 • Screen Capture 10 11 • Bootkit 7 and more… Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6 References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. … © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.
  • 10. How to use it: threat-informed defense, but for real
▪ Threat Intel
▪ Detection
▪ Adversary Emulation
▪ Hunting
  • 11. What is adversary emulation?
• AKA: Threat-based red teaming
• Adversary emulation
– Emulate the techniques of an adversary that’s most likely to target your environment
– Focus on the behaviors of those techniques instead of specific implementations
Image sources: https://giphy.com/explore/hackerman, https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543
  • 12. Step 1: Choose an adversary and gather threat intel
▪ Identify the adversary you want to emulate
– Consider who’s targeting you and gaps you’re trying to assess
▪ Gather data about that adversary
– Look for post-exploit information
– Consider their tools, aliases, and campaigns
– Think about the time frame
Process steps: Gather threat intel, Extract techniques, Analyze & organize, Develop tools, Emulate the adversary
  • 13. Choosing an adversary based on gaps | 13 |
[ATT&CK Enterprise matrix figure; tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command And Control]
Notional gaps in defenses
  • 14. Choosing an adversary based on gaps | 14 |
[ATT&CK Enterprise matrix figure; same tactic columns as slide 13]
APT29 techniques (based only on open source reporting)
  • 15. Choosing an adversary based on gaps | 15 |
[ATT&CK Enterprise matrix figure; same tactic columns as slide 13]
Purple = APT29 techniques that can test our gaps
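The gap overlay of slides 13–15 as code: intersect a set of notional coverage gaps with an adversary's reported techniques and emit the result as an ATT&CK Navigator layer, so the "purple" cells become the emulation priority list. This is an added example, not MITRE's code; the gap and adversary sets are constructed from technique IDs that appear elsewhere in this deck (they are not real APT29 coverage data), and the Navigator layer field names and version string are assumptions to check against the Navigator you run.

```python
"""Gap-driven adversary selection (slides 13-15) as an ATT&CK Navigator layer.

Added example, not from the MITRE deck. The "gap" and "adversary" sets are
CONSTRUCTED for illustration (IDs borrowed from the deck's extraction slides);
the layer format (name, version, domain, techniques[].techniqueID/color/comment)
is as I know it; the version string in particular is an assumption.
"""
import json

# Constructed: techniques where our detection coverage is notionally weak.
NOTIONAL_GAPS = {
    "T1053": "Scheduled Task",
    "T1059": "Command-Line Interface",
    "T1069": "Permission Groups Discovery",
    "T1107": "File Deletion",
    "T1034": "Path Interception",
}

# Constructed: techniques attributed to the emulated adversary in open reporting
# (the shape slide 16 asks for: structured, ID-keyed; NOT an authoritative profile).
ADVERSARY_TECHNIQUES = {
    "T1068": "Exploitation for Privilege Escalation",
    "T1059": "Command-Line Interface",
    "T1033": "System Owner/User Discovery",
    "T1053": "Scheduled Task",
    "T1069": "Permission Groups Discovery",
    "T1049": "System Network Connections Discovery",
    "T1018": "Remote System Discovery",
    "T1057": "Process Discovery",
}

GAP_COLOR = "#ff6666"        # red: a gap this adversary is not reported to exercise
ADVERSARY_COLOR = "#6666ff"  # blue: adversary technique we already cover
OVERLAP_COLOR = "#a020f0"    # purple: adversary technique that tests a gap


def overlay(gaps, adversary):
    """Return {technique_id: 'gap' | 'adversary' | 'overlap'}."""
    result = {}
    for tid in gaps.keys() | adversary.keys():
        if tid in gaps and tid in adversary:
            result[tid] = "overlap"
        elif tid in gaps:
            result[tid] = "gap"
        else:
            result[tid] = "adversary"
    return result


def priority_techniques(gaps, adversary):
    """Sorted technique IDs the emulation plan should exercise first (purple cells)."""
    return sorted(t for t, c in overlay(gaps, adversary).items() if c == "overlap")


def navigator_layer(gaps, adversary, name="Emulation candidates"):
    """Build a Navigator layer dict colouring gap / adversary / overlap cells."""
    colors = {"gap": GAP_COLOR, "adversary": ADVERSARY_COLOR, "overlap": OVERLAP_COLOR}
    names = {**gaps, **adversary}
    techniques = [
        {"techniqueID": tid, "color": colors[cat], "comment": f"{names[tid]} ({cat})"}
        for tid, cat in sorted(overlay(gaps, adversary).items())
    ]
    return {
        "name": name,
        "version": "2.2",  # assumption: Navigator layer format version current in 2018
        "domain": "mitre-enterprise",
        "description": "Purple = adversary techniques that can test our gaps",
        "techniques": techniques,
    }


if __name__ == "__main__":
    print("Emulate first:", priority_techniques(NOTIONAL_GAPS, ADVERSARY_TECHNIQUES))
    print(json.dumps(navigator_layer(NOTIONAL_GAPS, ADVERSARY_TECHNIQUES), indent=2))
```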
  • 16. Step 2: Extract ATT&CK techniques from reports
▪ Look for behaviors
▪ Store the info in a structured way
▪ Have the threat intel originator do it
▪ Start at the tactic level
▪ Use ATT&CK website examples
▪ Work as a team
Process steps: Gather threat intel, Extract techniques, Analyze & organize, Develop tools, Emulate the adversary
  • 17. How to extract ATT&CK techniques
Source: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1095 - Standard Non-Application Layer Protocol
T1104 - Multi-Stage Channels
  • 18. How to extract ATT&CK techniques
Source: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception
  • 19. Step 3: Analyze and organize techniques and intel
▪ Establish the adversary’s goal
▪ Consider adversary M.O.
▪ Think about the why, what, and how
– In ATT&CK: Tactic, Technique, Procedure
Process steps: Gather threat intel, Extract techniques, Analyze & organize, Develop tools, Emulate the adversary
  • 20. Analyze intel for adversary M.O.
“They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure” – https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
“Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents” – https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
“The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.” – https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
  • 21. Organize intel into technique flow | 21 |
▪ Provide order to techniques
– Not going to be perfect
– Techniques have their own required ordering
– Feeds the emulation plan
  • 22. Organize technique flow into plan phases
▪ This is the hardest part of the puzzle
▪ No plan will be perfect, so approximate where needed
▪ This isn’t a replay of an incident - variation is OK
  • 23. Step 4: Develop tools to emulate behaviors
▪ What are the COTS / Open Source tools available?
– Can you exhibit the right behaviors with these tools?
– Can you extend or modify them?
▪ Do you need to develop something specific?
– Delivery mechanisms, Command and Control, Capabilities
▪ Create payloads “inspired by” the adversary’s tradecraft
– Modify IoCs and behaviors if possible
– Obfuscate with purpose, NOT all the things – “over-obfuscation” is itself suspicious!
Process steps: Gather threat intel, Extract techniques, Analyze & organize, Develop tools, Emulate the adversary
  • 24. What is behavioral emulation for TTPs?
▪ Performing adversary techniques with variations
– Adversary created “C:aos.exe” for Priv Esc via path interception
▪ You intercept any service path that runs under higher privileges
– Adversary used “PSExec” for Lateral Movement
▪ You do it manually with “sc.exe” or via PowerShell
– Adversary runs “whoami” for Discovery
▪ You do it with environment variables “%USERDOMAIN%\%USERNAME%”
  • 25. Defining your toolset
▪ Don’t limit yourself to a single environment or tool
– Python, PowerShell, Command-Line, Custom Binary, etc.
▪ Do stay within the behavior boundaries
  • 26. Create an Adversary Emulation Field Manual
▪ Provides multiple implementations across toolsets
▪ Provides offensive command-line examples
▪ Create this as you go, and use for reference later
T1069 - Permission Groups Discovery
  net localgroup
  net group /domain
  wmic group
  [and more…]
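The defender's side of slides 24 and 26: if the red team varies the procedure (whoami vs. environment variables, PsExec vs. sc.exe, the three T1069 commands in the field manual), a hunt analytic keyed to the behaviour should fire on every variant while a literal string match does not. This is an added example, not MITRE's code; the process-creation events are constructed, and the regexes are my own approximation tuned to the procedures named on the slides, not a vetted production rule set.

```python
"""Behaviour-level hunt analytics for the emulation variants on slides 24 and 26.

Added example, not from the MITRE deck. EVENTS are CONSTRUCTED process-creation
records (image path + command line); the regexes are my own and cover only the
procedures named on the slides.
"""
import re

# Each rule: (behaviour label, regex run over "<image> <cmdline>", case-insensitive)
RULES = [
    # Slide 24: "whoami" vs. echoing %USERDOMAIN%\%USERNAME% - same behaviour
    ("T1033 System Owner/User Discovery",
     re.compile(r"(?:^|\\)whoami(?:\.exe)?\b|%USERDOMAIN%|%USERNAME%", re.I)),
    # Slide 26 field manual: three implementations of T1069 (net.exe hands off to net1.exe)
    ("T1069 Permission Groups Discovery",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:localgroup\b|group\b.*/domain)"
                r"|\bwmic(?:\.exe)?\s+group\b", re.I)),
    # Slide 24: PsExec vs. creating the remote service by hand with sc.exe
    ("Service Execution (remote service creation)",
     re.compile(r"\bsc(?:\.exe)?\s+\\\\\S+\s+create\b|psexe(?:c|svc)", re.I)),
]

# Constructed sample events: adversary procedure and red-team variant side by side
EVENTS = [
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c echo %USERDOMAIN%\%USERNAME%"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators"},
    {"image": r"C:\Windows\System32\net1.exe", "cmdline": 'net1 group "Domain Admins" /domain'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic group get name,sid"},
    {"image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\WS02 -s cmd.exe"},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": r"sc.exe \\WS02 create updsvc binPath= C:\Temp\svc.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},  # benign
]


def classify(event):
    """Return the behaviour labels an event matches (empty list = no hit)."""
    text = f"{event['image']} {event['cmdline']}"
    return [label for label, rx in RULES if rx.search(text)]


def hunt(events):
    """Group matching command lines by behaviour so variants appear side by side."""
    hits = {label: [] for label, _ in RULES}
    for ev in events:
        for label in classify(ev):
            hits[label].append(ev["cmdline"])
    return hits


def literal_whoami_hits(events):
    """The naive string-match rule, for contrast: misses the env-var variant."""
    return [ev["cmdline"] for ev in events if "whoami" in ev["cmdline"].lower()]


if __name__ == "__main__":
    for label, cmds in hunt(EVENTS).items():
        print(f"{label}: {cmds}")
    print("Literal 'whoami' rule sees only:", literal_whoami_hits(EVENTS))
```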
  • 27. Step 5: Emulate the adversary
▪ Set up infrastructure and test
– Set up C2 servers & redirector, buy domains, test, install
▪ Emulate the adversary!
– Follow the adversary M.O.
– “Domain Admin” most likely isn’t your goal
– Keep the “speed of the adversary” in mind
▪ Low and slow vs smash and grab
Process steps: Gather threat intel, Extract techniques, Analyze & organize, Develop tools, Emulate the adversary
  • 28. In summary… | 28 |
▪ Test your hunting capabilities with adversary emulation
▪ Use threat intelligence to drive your emulation
▪ Move toward a threat-based defense
  • 29. Links
▪ ATT&CK
– https://attack.mitre.org
– github.com/mitre/cti
– cti-taxii.mitre.org
▪ ATT&CK Navigator
– https://github.com/mitre/attack-navigator
– https://mitre.github.io/attack-navigator/enterprise/
▪ Adversary Emulation Plans
– https://attack.mitre.org/wiki/Adversary_Emulation_Plans
▪ CALDERA: Automated Adversary Emulation
– https://github.com/mitre/caldera
▪ Cyber Analytic Repository (CAR)
– https://car.mitre.org
  • 30. | 30 |
Katie Nickels – @likethecoins
Cody Thomas – @its_a_feature_
attack.mitre.org
attack@mitre.org
@MITREattack