From ATT&CKcon 4.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how the linux-malware repo came to take shape and how we've used it to inform our view on adversarial behaviour over the last couple of years. Since the original reason for starting this project was to look at Linux coverage in ATT&CK, we'll play back some of the interesting points and reflect on how they've affected ATT&CK itself.
3. The ATT&CK framework has undoubtedly been a huge success
• For MITRE
  • Anecdotally, one of their most successful projects
• For the community
  • Something to be studied, learnt from and often mimicked
  • Just look at the people, companies, projects and communities represented here today
• For someone like me
  • Many projects have built on it
  • Threat-crank – extracts threat profiles from ATT&CK
  • Ftd-attack-mapper – maps Cisco Firepower log events to ATT&CK
  • Linux-malware – tracks advances in Linux offensive and defensive capability
4. Some reflections on the nature of that success
• What other technologies could be considered?
  • Collaboration?
  • Applications?
    • End user applications
    • Enterprise applications
  • Mainframes and enterprise UNIX?
• What about other non-ATT&CK matrices?
  • What do more theoretical frameworks like FiGHT and ATLAS offer?
  • How might the incorporation of new matrices impact users?
• How are other verticals best represented?
  • We already have matrices such as FiGHT and ATT&CK ICS, but what about others such as Finance?
  • What are the "golden" protocols?
• How could we map dependencies?
  • Technique Command and Scripting Interpreter begets Setuid and Setgid
• Are there better ways to think about detection?
  • Techniques > Data sources > Procedures > (…) > Indicators
• Should attacker motivation and business impact be considered?
  • Beyond the scope of ATT&CK based matrices?
  • Verizon’s DBIR might hold some clues
5. Why these questions are interesting
• Just as others here have done, I wanted to bring my passion and knowledge to ATT&CK
• The threat landscape is changing
• FastCash – 31st December 2018
• UNC1945 – 2nd November 2020
• LightBasin/UNC1945 – 19th October 2021
• BPFDoor – 8th May 2022
• Symbiote – 9th June 2022
• CiscoTools – 13th May 2022
• Syslogk – 13th June 2022
• ProcessTreeSpoofingBindMountProc – 2nd May 2023
• FreeDownloadManager – 12th September 2023
6. A brief summary of the threat landscape
1. Botnets and bitcoins... Mostly target exposed IoT
2. Access brokers... Your Linux-based VPN provides a foothold into the org
3. Ransomware... Wherever they can get to in the enterprise, on Linux, likely to target compute, especially commercial hypervisors
4. Cloud/supply chain enthusiasts... Often but not always linked to 1 but taking a path of deployment artefact compromise to reach their goal. Haven't really seen them do this for 2, 3, 5 yet
5. Specialists... Likely to target specific protocols for commercial/political value through collection (e.g. packets), these folks will probably only be interested in you if you run a "golden" protocol e.g. payments, communications or industrial control
7. The origins of the linux-malware repository
• May 2020 – ATT&CK Community 5: All of the threats - Intelligence, modelling, simulation and hunting through an ATT&CKers lens
• July 2021 – https://github.com/timb-machine/linux-malware
• October 2021 – ATT&CK Community 8: The UNIX malware landscape - Reviewing the goods at MALWAREbazaar
• Mar. 2022 – ATT&CKcon 3.0 Threat Modelling - It's not just for developers
• June 2022 – ATT&CK Community 9: Auditd for the newly threatened
8. 3 working hypotheses
• H1: Attackers are using our tools to target UNIX environments
• H2: Attackers are using techniques from ATT&CK to target UNIX environments
• H3: ATT&CK is not representative of the TTPs that we find success with
9. How it started…
• Gonna build me a honey pot, gonna catch me some malware
  • VPS instances
  • Pcap all the things
  • Containerised popular services
  • Added default accounts
  • Customised auditd policies
    • Generic rules
    • Bespoke rule generator
    • Auditd based canaries
• Leverage MALWAREbazaar
  • Free to use*
  • Run your own hunts
    • You can add Yara rules that fire on new uploads
    • You can build hunting rules based on existing analytics
    • You can browse, search for and download samples
  • Exposes APIs and statistics
    • wget
    • Python
    • https://github.com/cocaman/malware-bazaar
    • Roll your own
* abuse.ch is a non-profit and benefits from donations and those who pay for the API-based push functionality (vs email)
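The "auditd based canaries" and "bespoke rule generator" bullets above describe the honeypot's instrumentation only in outline. The following is an added example, not code from the linux-malware repository: it generates auditd watch rules for a set of canary files (paths are constructed) and then pulls the canary hits back out of raw audit records (the record below is constructed in the shape of an `audit.log` SYSCALL line). The `-w PATH -p rwa -k KEY` syntax is standard auditctl; everything else is an assumption of this example.

```python
"""Generate auditd canary rules and extract canary hits from audit records.

Added example, not from the linux-malware repo. Canary paths and the
sample audit record are constructed for illustration.
"""
import re

# Constructed canary paths: files no legitimate process has a reason to touch.
# Any read, write or attribute change on them is suspicious by construction.
CANARY_PATHS = [
    "/root/.ssh/id_rsa_backup",       # constructed
    "/etc/backup/db_credentials",     # constructed
    "/home/svc/.bash_history_old",    # constructed
]


def build_canary_rules(paths, key="canary"):
    """Return one auditctl watch rule per canary path.

    -w  watch the path
    -p rwa  log reads, writes and attribute changes (execution is irrelevant
            for a decoy data file)
    -k  tag every resulting record so `ausearch -k canary` finds them
    """
    return [f"-w {path} -p rwa -k {key}" for path in paths]


# Constructed record in the shape of a raw audit.log SYSCALL line
# (syscall 257 is openat on x86-64; values are made up).
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=55d0c8a2b2a0 a2=0 a3=0 items=1 ppid=2211 '
    'pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 '
    'egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" '
    'key="canary"'
)

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def canary_hits(lines, key="canary"):
    """Return (pid, exe, comm, auid) for every record tagged with the canary key.

    auid (the login uid) survives su/sudo, so it names the session that
    touched the decoy even if the process runs as another user.
    """
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("key") == key:
            hits.append((int(rec["pid"]), rec["exe"], rec["comm"], int(rec["auid"])))
    return hits


if __name__ == "__main__":
    for rule in build_canary_rules(CANARY_PATHS):
        print(rule)
    print(canary_hits([SAMPLE_RECORD]))
```

The generated rules are meant to be appended to a file under `/etc/audit/rules.d/` alongside the generic policy; keeping canaries under their own key keeps their (ideally near-zero) hit rate separable from the noisy generic rules when hunting.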
10. What I really want is UNIX malware (tag:elf et al)
• Most is common garden IOT malware
• It would be super nice to grab just the unclassified stuff
• Not something I’ve got around to
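The slide says that pulling out only the unclassified ELF samples is something the author has not got around to. As an added example (not the repository's code and not abuse.ch's), here is one way that filter could look when run over a MalwareBazaar query result: it keeps ELF entries that carry no family signature and no common IoT family tag. The response is constructed in the shape of the bazaar's JSON API output; the field names `query_status`, `data`, `sha256_hash`, `file_type`, `signature` and `tags` are assumed here, and the family list is constructed.

```python
"""Filter a MalwareBazaar-style query result down to unclassified ELF samples.

Added example, not from the linux-malware repo or abuse.ch. The response
below is constructed; field names are assumptions about the API's JSON.
"""
import json

# Constructed response: two common IoT botnet samples and one unattributed ELF.
SAMPLE_RESPONSE = json.dumps({
    "query_status": "ok",
    "data": [
        {"sha256_hash": "00" * 32, "file_type": "elf", "signature": "Mirai",
         "tags": ["elf", "mirai"], "first_seen": "2023-09-01 10:00:00"},
        {"sha256_hash": "11" * 32, "file_type": "elf", "signature": None,
         "tags": ["elf", "x86-64"], "first_seen": "2023-09-02 11:00:00"},
        {"sha256_hash": "22" * 32, "file_type": "elf", "signature": "Gafgyt",
         "tags": ["elf", "Gafgyt", "arm"], "first_seen": "2023-09-03 12:00:00"},
        {"sha256_hash": "33" * 32, "file_type": "exe", "signature": None,
         "tags": ["exe"], "first_seen": "2023-09-03 13:00:00"},
    ],
})

# "Common garden" IoT families to skip (constructed list, lower-cased).
IOT_FAMILIES = {"mirai", "gafgyt", "tsunami", "xorddos"}


def unclassified_elf(response_text, skip_families=IOT_FAMILIES):
    """Return (sha256, tags) for ELF samples with no signature and no IoT tag.

    Raises ValueError if the query did not succeed, so a failed lookup is
    never mistaken for "no samples".
    """
    resp = json.loads(response_text)
    if resp.get("query_status") != "ok":
        raise ValueError(f"query failed: {resp.get('query_status')}")

    keep = []
    for entry in resp.get("data", []):
        if entry.get("file_type") != "elf":
            continue
        # A signature of any kind means the bazaar already attributed it.
        if entry.get("signature"):
            continue
        tags = [t.lower() for t in entry.get("tags") or []]
        if any(t in skip_families for t in tags):
            continue
        keep.append((entry["sha256_hash"], tags))
    return keep


if __name__ == "__main__":
    for sha, tags in unclassified_elf(SAMPLE_RESPONSE):
        print(sha, tags)
```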
11. H2: Attackers are using techniques from ATT&CK to target UNIX environments
• Lazarus Group/HIDDEN COBRA: Probably the second best public UNIX breach report I’ve read
  • https://github.com/fboldewin/FastCashMalwareDissected/
  • https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash
  • Attacked AIX systems running payment software (SmartVista, which is used for processing ATM transactions)
• UNC1945/LightBasin: A more recent example and my new favourite public UNIX breach report
  • https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/
  • Attacked Solaris and Linux systems running mobile telco functions
• Unknown (high-end) adversary currently being investigated by Mandiant, Yoroi, CrowdStrike
  • Binaries recently shared on VX Underground
  • Targeting Solaris this time
  • https://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945
  • https://twitter.com/timb_machine/status/1450595881732947968:
    • The adversary is using a tool almost identical to an open source code from ~2001
    • Had anyone spotted this?
    • Perfect for a retro hunt
  • This one is still being mapped… so many tools!
13. Mapping reports with analytics (think TRAM)…
• Score reports’ word frequency
  • Title
  • Content
  • Industry references
• Compare reports’ word usage to ATT&CK TTPs
  • If report word matches ATT&CK TTP word
  • Add word frequency score to label score
• Label reports
  • If label score > threshold
  • Propose label
• Identify artefacts documented but missed in same or other report
  • Known artefacts
  • Similar scoring approach
  • Different thresholds
  • Again propose label
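The pipeline on this slide (score word frequency over title, content and industry references; add the frequency of every word that matches a technique's vocabulary to that technique's label score; propose the label above a threshold; then do the same for known artefacts with a separate threshold) is small enough to run end to end. What follows is an added example and not the author's pipeline or TRAM's code: the per-technique keyword sets, the thresholds, the report excerpt and the known-artefact table are all constructed. The technique IDs are real ATT&CK identifiers; the words associated with them here are an assumption of this example.

```python
"""TRAM-style word-frequency labelling of a threat report against ATT&CK.

Added example, not the author's pipeline or TRAM. Keyword sets, thresholds,
the report excerpt and the known-artefact table are constructed.
"""
import re
from collections import Counter

# Constructed vocabulary per technique. Real pipelines derive this from the
# ATT&CK technique descriptions; these lists are hand-picked for the demo.
TECHNIQUE_KEYWORDS = {
    "T1059 Command and Scripting Interpreter": {"bash", "shell", "script", "python", "perl"},
    "T1548.001 Setuid and Setgid": {"setuid", "setgid", "suid", "sgid"},
    "T1205 Traffic Signaling": {"bpf", "filter", "magic", "packet", "knock"},
    "T1014 Rootkit": {"rootkit", "ld_preload", "module", "hooks"},
}

# Constructed report: the three scored fields from the slide.
REPORT = {
    "title": "Constructed example: BPF-based backdoor on Linux",
    "content": (
        "The implant installs a BPF packet filter and waits for a magic packet. "
        "On activation it spawns a bash shell. A setuid helper binary is dropped "
        "alongside. Sample sha256: " + "ab" * 32
    ),
    "industry_references": ["(constructed) vendor writeup on BPF backdoors"],
}

# Constructed artefact table: sha256 -> label used in earlier reports.
KNOWN_ARTEFACTS = {"ab" * 32: "constructed-sample-1"}

WORD_RE = re.compile(r"[a-z0-9_]+")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def report_text(report):
    """Concatenate the scored fields, lower-cased."""
    parts = [report["title"], report["content"], *report["industry_references"]]
    return " ".join(parts).lower()


def word_frequency(report):
    return Counter(WORD_RE.findall(report_text(report)))


def score_techniques(freq):
    """Label score = summed frequency of every report word in the technique's vocabulary."""
    return {tech: sum(freq[w] for w in words) for tech, words in TECHNIQUE_KEYWORDS.items()}


def propose_labels(report, technique_threshold=2, artefact_threshold=1):
    """Return (proposed technique labels, matched known artefacts).

    Artefacts reuse the scoring idea (count of occurrences) with their own,
    normally lower, threshold: one sighting of a known hash is already telling.
    """
    scores = score_techniques(word_frequency(report))
    techniques = sorted(t for t, s in scores.items() if s >= technique_threshold)

    hash_counts = Counter(SHA256_RE.findall(report_text(report)))
    artefacts = sorted(
        KNOWN_ARTEFACTS[h] for h, n in hash_counts.items()
        if h in KNOWN_ARTEFACTS and n >= artefact_threshold
    )
    return techniques, artefacts


if __name__ == "__main__":
    print(score_techniques(word_frequency(REPORT)))
    print(propose_labels(REPORT))
```

With the constructed input, Traffic Signaling scores 7 and Command and Scripting Interpreter scores 2, so both are proposed at the default threshold, while Setuid and Setgid scores 1 and is not; raising the technique threshold drops the weaker label while the artefact match is unaffected, which is the point of keeping the two thresholds separate.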
15. Could a similar approach be applied to other aspects of ATT&CK?
Does it appeal to MITRE and the wider community?
16. We’d love to see more contributions to ATT&CK for Linux
• Join the community
  • Slack
• Contribute to linux-malware?
  • Help create and update technique ideas
  • We can take hypotheses where MITRE can’t
  • Have we missed things?
  • Ideas
• Help us build the pipeline?
  • Integrate with the wider OSS security community?
  • Develop ATT&CK aligned SOC/DFIR training for Linux?
• If you’re working for an intel or response team?
  • Ensure your reporting is retrievable
  • Ensure you annotate your reporting with ATT&CK
  • Include your hashes
  • Open a ticket?
17. Thanks! Too many to list them all
• @r3c0nst
• MITRE ATT&CK crew,
@coolestcatiknow and
@jamieantisocial
• @abuse_ch, @vxunderground,
@virustotal
• @mandiant, @yoroisecurity
• @intezerlabs
• @_darrenmartyn
• @unixfreakjp and
@malwaremustd1e
• @crowdstrike
• @craighrowland
• Cisco Talos and CX APT crews