SlideShare a Scribd company logo

ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bolster Defenses

M
MITRE ATT&CK

From ATT&CKcon 4.0 By Sajal Thomas and Vishnu Raju, Crowdstrike

Technology
1 of 30
Download to read offline
Sajal Thomas Vishnu Raju ATT&CK is the Best Defense Emulating Sophisticated Adversary Malware to Bolster Defenses
Sajal Thomas ▪ Adversary Tradecraft Research @ CrowdStrike ▪ Former red team operator turned researcher ▪ Connoisseur of the finest adversary tradecraft Introductions VishnuRaju ▪ Adversary Emulation@ CrowdStrike ▪ Ex-red teamoperator, Ex-threat hunter ▪ Livingthe security spectrum- Red, Blue, Purple ©2023CROWDSTRIKE, INC. ALL RIGHTSRESERVED.
Adversary Emulation is an intelligence-driven approach to research and execute tactics, techniques and procedures (TTPs) used by a real-world adversary known to target an organization. ▪ Killchains contain very specific tradecraft ▪ No hypothetical scenario like Adversary Simulation ▪ Validates defences against a specific adversary What is Adversary Emulation? ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
▪ Assessed with high confidence to be attributable to the Federal Security Service (FSB) of the Russian Federation ▪ Operating for nearly 2 decades ▪ Targets gov institutes that handle diplomatic efforts, interior, foreign services, etc ▪ Novel and sophisticated tradecraft Venomous Bear aka Turla ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
▪ LightNeuron is a backdoor installed on Exchange Servers ▪ Supports command-and-control entirely via incoming and outgoing emails ▪ Can intercept, block or modify emails going through the infected Exchange Server ▪ Can execute commands sent by emails in attachments that use steganography ▪ Difficult to remediate and remove LightNeuron/BLUEPRINT ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Our Approach to Emulation Gather intelligence Extract techniques Analyze & organize Develop tooling 2 Emulate 3 4 5 1 Research phase Improve Falcon 6 Fun part ! Address gaps ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Components: ▪ PowerShell script for installation ▪ Mail Transport Agent (DLL written in .NET) ▪ Companion DLL (DLL written in C++) ▪ Encrypted config file masquerading ▪ Rules file in XML Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Components: ▪ PowerShell script for installation Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Components: ▪ Mail Transport Agent Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Components: ▪ Companion DLL Tradecraft ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Components: ▪ Config file Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Components: ▪ Rules file in XML Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
ATT&CK Techniques Based on Public & Private Reports ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
MITRE’s ATT&CK Techniques ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Enter - Micro Emulation Plans ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Installation: ▪ Exchange Management Shell ▪ Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn ▪ Exchange Server PowerShell through WinRM ▪ Manually modifying agents.config Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
First generation Mail Transport Agent: ▪ read XML rules file from disk ▪ parsed the email ▪ if subject contained “alert”, subject changed to “external” Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
First generation companion DLL: ▪ used open-source AES library - crypto++ ▪ hardcoded AES key and IV ▪ accepted encrypted text as argument ▪ only performed decryption Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Second generation Mail Transport Agent: ▪ referenced the companion DLL export function ▪ read plain text attachment received via email ▪ passed it on to Companion DLL Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Second generation companion DLL: ▪ parsed attachment ▪ decrypted encrypted payload ▪ checked for prefix ▪ command execution via C++ “system” ▪ command execution via CreateProcess Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Third generation companion DLL: ▪ zipped sensitive files ▪ added base64 encoded zip to EML ▪ staged under Pickup folder ▪ exfiltration Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Emulation in Action ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Emulation in Action ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Emulation in Action ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
▪ Identify modifications to agents.config file ▪ Observe anomalous process behaviour and relationships: ▪ EdgeTransport.exe spawning cmd.exe/powershell.exe ▪ Automate sandbox submission for ‘interesting’ files dropped in ‘interesting’ file paths ▪ Examine all unsigned DLLs loaded by Exchange Server (EdgeTransport.exe) ▪ Supplement XDR with Email logs to create a timeline of events: ▪ Email arrives -> EdgeTransport spawns cmd.exe -> evil happens Detection and Response Strategy ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
▪ Highly sophisticated adversary ▪ Custom and complex malware toolkit ▪ Public intel reporting for Venomous Bear is malware-specific ▪ Few details on actual tradecraft used in intrusions ▪ Not easy to automate Challenges Faced ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Challenges Faced ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Questions? ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
Thank You ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

Recommended

MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
 
.LNK Tears of the Kingdom
.LNK Tears of the Kingdom.LNK Tears of the Kingdom
.LNK Tears of the KingdomMITRE ATT&CK
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...MITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...MITRE ATT&CK
 
Updates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseUpdates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseMITRE ATT&CK
 
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 

Recommended

MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
 
.LNK Tears of the Kingdom
.LNK Tears of the Kingdom.LNK Tears of the Kingdom
.LNK Tears of the KingdomMITRE ATT&CK
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...MITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...MITRE ATT&CK
 
Updates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseUpdates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseMITRE ATT&CK
 
Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
 
CISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesCISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon IntroMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKGrow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKMITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxMITRE ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 

More Related Content

What's hot

One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
 
CISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesCISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKGrow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKMITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxMITRE ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 

What's hot (20)

One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
 
CISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesCISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity Advisories
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKGrow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/Linux
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
 

Similar to ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bolster Defenses

ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Insert coin to continue - Ransomware in the gaming industry.pdf
Insert coin to continue - Ransomware in the gaming industry.pdfInsert coin to continue - Ransomware in the gaming industry.pdf
Insert coin to continue - Ransomware in the gaming industry.pdfStefano Maccaglia
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Overcoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the CloudOvercoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the CloudZscaler
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerZscaler
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...Cristian Garcia G.
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsAngelo Agatino Nicolosi
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMMark Secretario
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalImperva
 
Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!nettitude_labs
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Containers At-Risk: A Review of 21,000 Cloud Environments
Containers At-Risk: A Review of 21,000 Cloud EnvironmentsContainers At-Risk: A Review of 21,000 Cloud Environments
Containers At-Risk: A Review of 21,000 Cloud EnvironmentsLacework
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 

Similar to ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bolster Defenses (20)

ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Insert coin to continue - Ransomware in the gaming industry.pdf
Insert coin to continue - Ransomware in the gaming industry.pdfInsert coin to continue - Ransomware in the gaming industry.pdf
Insert coin to continue - Ransomware in the gaming industry.pdf
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Overcoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the CloudOvercoming the Challenges of Architecting for the Cloud
Overcoming the Challenges of Architecting for the Cloud
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscaler
 
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
CLÍNICA DE RESPUESTAS A INCIDENTES Y THREAT HUNTING - WORKSHOP DAY TÉCNICO DE...
 
A Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial InstitutionsA Blueprint for Cloud-Native Financial Institutions
A Blueprint for Cloud-Native Financial Institutions
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
Containers At-Risk: A Review of 21,000 Cloud Environments
Containers At-Risk: A Review of 21,000 Cloud EnvironmentsContainers At-Risk: A Review of 21,000 Cloud Environments
Containers At-Risk: A Review of 21,000 Cloud Environments
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 

More from MITRE ATT&CK

Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailMITRE ATT&CK
 
Automating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureAutomating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureMITRE ATT&CK
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
 
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)MITRE ATT&CK
 
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...MITRE ATT&CK
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataMITRE ATT&CK
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...MITRE ATT&CK
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK
 
The case for quishing
The case for quishingThe case for quishing
The case for quishingMITRE ATT&CK
 
Discussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataDiscussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataMITRE ATT&CK
 
The art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOThe art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOMITRE ATT&CK
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK
 
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsOr Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsMITRE ATT&CK
 
Adjectives for ATT&CK
Adjectives for ATT&CKAdjectives for ATT&CK
Adjectives for ATT&CKMITRE ATT&CK
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 

More from MITRE ATT&CK (18)

Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
 
Automating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureAutomating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard Architecture
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CK
 
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
 
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the Cloud
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real data
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICS
 
The case for quishing
The case for quishingThe case for quishing
The case for quishing
 
Discussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataDiscussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber Data
 
The art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOThe art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFO
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: Software
 
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsOr Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
 
Adjectives for ATT&CK
Adjectives for ATT&CKAdjectives for ATT&CK
Adjectives for ATT&CK
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 

Recently uploaded

JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingWSO2
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Recently uploaded (20)

JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Quantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation ComputingQuantum Leap in Next-Generation Computing
Quantum Leap in Next-Generation Computing
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bolster Defenses

  • 1. Sajal Thomas Vishnu Raju ATT&CK is the Best Defense Emulating Sophisticated Adversary Malware to Bolster Defenses
  • 2. Sajal Thomas ▪ Adversary Tradecraft Research @ CrowdStrike ▪ Former red team operator turned researcher ▪ Connoisseur of the finest adversary tradecraft Introductions VishnuRaju ▪ Adversary Emulation@ CrowdStrike ▪ Ex-red teamoperator, Ex-threat hunter ▪ Livingthe security spectrum- Red, Blue, Purple ©2023CROWDSTRIKE, INC. ALL RIGHTSRESERVED.
  • 3. Adversary Emulation is an intelligence-driven approach to research and execute tactics, techniques and procedures (TTPs) used by a real-world adversary known to target an organization. ▪ Killchains contain very specific tradecraft ▪ No hypothetical scenario like Adversary Simulation ▪ Validates defences against a specific adversary What is Adversary Emulation? ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 4. ▪ Assessed with high confidence to be attributable to the Federal Security Service (FSB) of the Russian Federation ▪ Operating for nearly 2 decades ▪ Targets gov institutes that handle diplomatic efforts, interior, foreign services, etc ▪ Novel and sophisticated tradecraft Venomous Bear aka Turla ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 5. ▪ LightNeuron is a backdoor installed on Exchange Servers ▪ Supports command-and-control entirely via incoming and outgoing emails ▪ Can intercept, block or modify emails going through the infected Exchange Server ▪ Can execute commands sent by emails in attachments that use steganography ▪ Difficult to remediate and remove LightNeuron/BLUEPRINT ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 6. Our Approach to Emulation Gather intelligence Extract techniques Analyze & organize Develop tooling 2 Emulate 3 4 5 1 Research phase Improve Falcon 6 Fun part ! Address gaps ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 7. Components: ▪ PowerShell script for installation ▪ Mail Transport Agent (DLL written in .NET) ▪ Companion DLL (DLL written in C++) ▪ Encrypted config file masquerading ▪ Rules file in XML Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 8. Components: ▪ PowerShell script for installation Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 9. Components: ▪ Mail Transport Agent Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 10. Components: ▪ Companion DLL Tradecraft ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 12. Components: ▪ Rules file in XML Tradecraft https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 13. ATT&CK Techniques Based on Public & Private Reports ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 14. MITRE’s ATT&CK Techniques ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 15. Enter - Micro Emulation Plans ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 16. Installation: ▪ Exchange Management Shell ▪ Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn ▪ Exchange Server PowerShell through WinRM ▪ Manually modifying agents.config Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 17. Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 18. First generation Mail Transport Agent: ▪ read XML rules file from disk ▪ parsed the email ▪ if subject contained “alert”, subject changed to “external” Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 19. First generation companion DLL: ▪ used open-source AES library - crypto++ ▪ hardcoded AES key and IV ▪ accepted encrypted text as argument ▪ only performed decryption Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 20. Second generation Mail Transport Agent: ▪ referenced the companion DLL export function ▪ read plain text attachment received via email ▪ passed it on to Companion DLL Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 21. Second generation companion DLL: ▪ parsed attachment ▪ decrypted encrypted payload ▪ checked for prefix ▪ command execution via C++ “system” ▪ command execution via CreateProcess Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 22. Third generation companion DLL: ▪ zipped sensitive files ▪ added base64 encoded zip to EML ▪ staged under Pickup folder ▪ exfiltration Emulation ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 23. Emulation in Action ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 24. Emulation in Action ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 25. Emulation in Action ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 26. ▪ Identify modifications to agents.config file ▪ Observe anomalous process behaviour and relationships: ▪ EdgeTransport.exe spawning cmd.exe/powershell.exe ▪ Automate sandbox submission for ‘interesting’ files dropped in ‘interesting’ file paths ▪ Examine all unsigned DLLs loaded by Exchange Server (EdgeTransport.exe) ▪ Supplement XDR with Email logs to create a timeline of events: ▪ Email arrives -> EdgeTransport spawns cmd.exe -> evil happens Detection and Response Strategy ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 27. ▪ Highly sophisticated adversary ▪ Custom and complex malware toolkit ▪ Public intel reporting for Venomous Bear is malware-specific ▪ Few details on actual tradecraft used in intrusions ▪ Not easy to automate Challenges Faced ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 28. Challenges Faced ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 29. Questions? ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  • 30. Thank You ©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.