MITRE ATT&CKcon Power Hour - November

1. Welcome Follow the conversation on Slack @MITREattack attack.mitre.org

2. Allie Mellen Security Strategist, Office of the CSO Cybereason

3. Confidential Mapping the EventBot Mobile Banking Trojan with MITRE ATT&CK for Mobile Allie Mellen, Security Strategist, Office of the CSO

4. WHO AM I? ALLIE MELLEN Security Strategist Office of the CSO, Cybereason

5. ● Why MITRE ATT&CK? ● Cybereason Nocturnus Mobile Malware Research ● Aligning to MITRE ATT&CK For Mobile ● How This Drives Future Alignment AGENDA

6. ● Classification ● Purple Teaming ● Knowledge Sharing ○ Community ○ Internally ○ Partners ○ Customers ○ Business WHY MAP TO MITRE ATT&CK?

7. ● Innovative Approach ● Important Target ● Clarity ● Communicate Value WHY MAP TO MITRE ATT&CK FOR MOBILE?

8. THREAT TYPE Banking Trojan NOCTURNUS RESEARCH: EVENTBOT TARGET INDUSTRY Financial ATTACK GOAL User Data IMPACTED GEO USA & Europe

9. EVENTBOT TARGETS: RECOGNIZE ANY OF THESE?

10. INITIAL ACCESS PERSISTENCE DEFENSE EVASION CREDENTIAL ACCESS DISCOVERY COLLECTION EXFILTRATION C2 T1476: Deliver Malicious App via Other Means T1402: App Auto- Start at Device Boot T1444: Masquerade as Legitimate Application T1412: Capture SMS Messages T1418: Application Discovery T1056: Input Capture T1532: Data Encrypted T1521: Standard Cryptographic Protocol T1461: Lockscreen Bypass T1508: Suppress Application Icon T1417: Input Capture T1426: System Information Discovery T1413: Access Sensitive Data in Device Logs T1437: Standard Application Layer Protocol T1407: Download New Code at Runtime T1409: Access Stored Application Data T1516: Input Injection MITRE ATT&CK FOR MOBILE TECHNIQUES

11. NOCTURNUS RESEARCH: EVENTBOT Unsuspecting User Downloads Application Masquerading as Legitimate INITIAL ACCESS CONTROL Gets Control of Accessibility Features, Begins to Run in the Background Collects Reconnaissance Information Like Device Info and the Names of Android Packages DISCOVERY COLLECTION Tracks the Device PIN and Collects Financial Information, Personal Data, Keystrokes, and Passwords Exfiltrates Collected Data to its C2 Server EXFILTRATION BYPASS Steals SMS Messages to Bypass 2FA

12. WHAT DOES THE FUTURE LOOK LIKE?

13. THANK YOU. QUESTIONS? allie@cybereason.com @hackerxbella

14. Q&A Jamie Williams Lead Cyber Adversarial Engineer MITRE

15. Anthony Randazzo Global Response Lead Expel

17. © 2020 Expel, Inc. GetCallerIdentity ~ 1.5 years leading response @ Expel ▪ 12+ years of SecOps ▫ iSIGHT/FireEye ▫ Fortune 25 Detection & Response ▪ Disclaimer: not a cloud expert but frequent AWS D&R blog contributor ▪ Kids, LEGO, whiskey expel.io/blog

23. © 2020 Expel, Inc. We have to protect this control plane, right? ▪ Informs our detection strategy for this cloud attack surface ▪ What do we detect? Where do we even start? ▪ How many AWS APIs are available in this control plane? Almost 10,000, you say?

28. © 2020 Expel, Inc. More examples of hopping between matrices! ▪ AWS CLI access from multiple compromised keys > SSH access into EC2 ▪ boto3 SDK access of AWS SSM > sudo linux access (red team) ▪ SSRF exploitation > EC2 instance credential access to control plane ▪ RDS database ransom > used CloudTrail to identify when weak password change occured

30. © 2020 Expel, Inc. Takeaways ▪ With lots of attack surface in the cloud, understanding both cloud and enterprise ATT&CK will help. ▪ We need more information sharing! We don’t know nearly as much about attacks in the cloud than in an enterprise [Windows] environment. ▪ Cloud control planes are a target for automated attacks. This is the trend we’re observing today.

32. Matt Snyder Senior Threat Analytics Engineer VMWare

33. What’s a MITRE With Your Security? VMware’s Use of MITRE ATT&CK Matt Snyder November 2020

34. Sr. Threat Analytics Engineer • 15+ Years in IT/Security. • In 2013, I was on the Incident Response team during one the 1st major Credit Card breaches. • I’ve built many SecOps programs over the last 10 years. • I’ve been at VMware for 3+ years, and it’s a great place to work! Matt Snyder Speaker Introduction

35. Agenda Leveraging MITRE ATT&CK •What logs do you need for security monitoring? •How do you build balanced alerting? •Evaluating New Security Tools

36. Fundamental Flaw in Operationalizing Security Stuck in Survivor Bias mode… o Most companies’ security planning is done around breaches/incidents they or their peers in the industry have had. o This leads to target fixation and wasting resources. o Prevents proactive detection of new threats.

37. What logs do you need for Security Monitoring?

38. Log All The Things!!

39. Log All The Things!!

40. Now You Are Logging with Focus… By mapping our logging requirements with MITRE and CIS, we can articulate what we need, why we need it, and how to enable the proper level of logging. - Reduce the guess work - Minimize the impact on the service owners, no more back and forth or asking for more logs - Reduce gaps in logs that would allow and incident to go undetected - Help educate service owners to the threats out there

41. Typical Security Monitoring…

42. Building a Balanced Portfolio

43. Alerts with Meaning Allows you to see a clearer picture of what’s happening in your environment. - What tactics and techniques are being discovered - Able to better understand your risk profile and where compensating controls are needed - Test areas that no detections are being found - Gives you the freedom to do things like risk- based alerting, where you can take lower fidelity events and chain them together to see a much clearer picture of an attack.

44. Tracking Maturity and Growth Starting Out - Aligning with ATT&CK gives us targets to track against - Helps us set what is a priority and ensure that those priorities make sense - Allows you to see in one place where gaps exist.

45. Tracking Maturity and Growth Future Check-In - Over time, you can see your growth and evaluate how that matches your needs. - Help reduce scope creep in your alerting (ATT&CK are things that exist in the wild and not hypothetical) - Help track the work being done and ensure you aren’t stacking alerts in certain areas

46. Evaluating New SecurityTools As seen on tv…. - With ATT&CK, we can focus on specific deliverables that are measurable and based on real world attacks - Helps to identify those 1 hit wonder vendors that don’t offer a well-rounded portfolio

47. Questions? Thank you!

49. Jamie Williams Mike Hartley MITRE

50. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Mike Hartley @thecookiewanter PUTTING THE INTO ATT&CK Jamie Williams @jamieantisocial @MITREattack

51. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact Active Scanning Acquire Infrastructure Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other Network Medium Data Destruction Gather Victim Host Information Compromise Accounts Replication Through Removable Media Windows Management Instrumentation Valid Accounts Network Sniffing Software Deployment Tools Data from Removable Media Fallback Channels Data Encrypted for Impact Gather Victim Identity Information Compromise Infrastructure Hijack Execution Flow OS Credential Dumping Application Window Discovery Application Layer Protocol Scheduled Transfer Service Stop Gather Victim Network Information Develop Capabilities Trusted Relationship Software Deployment Tools Boot or Logon Initialization Scripts Direct Volume Access Input Capture Replication Through Removable Media Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery Gather Victim Org Information Establish Accounts Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network Configuration Discovery Data Staged Communication Through Removable Media Exfiltration Over C2 Channel Defacement Phishing for Information Obtain Capabilities Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or Information Two-Factor Authentication Interception Internal Spearphishing Screen Capture Firmware Corruption Search Closed Sources Exploit Public-Facing Application User Execution Boot or Logon Autostart Execution System Owner/User Discovery Use Alternate Authentication Material Email Collection Web Service Exfiltration Over Physical Medium Resource Hijacking Search Open Technical Databases Exploitation for Client Execution Account Manipulation Process Injection Exploitation for Credential Access Clipboard Data Multi-Stage Channels Network Denial of Service Search Open Websites/Domains Phishing External Remote Services Access Token Manipulation System Network Connections Discovery Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over Web Service Endpoint Denial of Service Search Victim-Owned Websites External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot Drive-by Compromise Command and Scripting Interpreter Create Account Abuse Elevation Control Mechanism Unsecured Credentials Permission Groups Discovery Exploitation of Remote Services Video Capture Traffic Signaling Automated Exfiltration Account Access Removal Browser Extensions Exploitation for Privilege Escalation Indicator Removal on Host Credentials from Password Stores Man in the Browser Remote Access Software Exfiltration Over Alternative Protocol Disk Wipe Native API Traffic Signaling Modify Registry File and Directory Discovery Remote Service Session Hijacking Data from Information Repositories Dynamic Resolution Data Manipulation Inter-Process Communication BITS Jobs Trusted Developer Utilities Proxy Execution Steal or Forge Kerberos Tickets Non-Standard Port Transfer Data to Cloud AccountServer Software Component Peripheral Device Discovery Man-in-the-Middle Protocol Tunneling Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel Pre-OS Boot Signed Script Proxy Execution Steal Application Access Token Network Share Discovery Data from Network Shared Drive Non-Application Layer ProtocolCompromise Client Software Binary Password Policy Discovery Rogue Domain Controller Man-in-the-Middle Browser Bookmark Discovery Data from Cloud Storage ObjectImplant Container Image Indirect Command Execution Virtualization/Sandbox EvasionBITS Jobs XSL Script Processing Cloud Service Dashboard Template Injection Software Discovery File and Directory Permissions Modification Query Registry Remote System Discovery Virtualization/Sandbox Evasion Network Service Scanning Process Discovery Unused/Unsupported Cloud Regions System Information Discovery Use Alternate Authentication Material Account Discovery System Time Discovery Impair Defenses Domain Trust Discovery Hide Artifacts Cloud Service Discovery Masquerading Cloud Infrastructure Discovery Deobfuscate/Decode Files or Information Signed Binary Proxy Execution Exploitation for Defense Evasion Execution Guardrails Modify Cloud Compute Infrastructure Pre-OS Boot Subvert Trust Controls Source: http://gph.is/1cEuQWX

53. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. History of PRE-ATT&CK • Initially released in 2017 • Separate matrix w/ 17 Tactics • Adversary behaviors leading to compromise • Example use cases: • Are there signs that an adversary might be targeting you? • Prioritize open-source intelligence gathering / sharing

54. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. The Long Con • In 2018 (v2) the Launch and Compromise Tactics were refactored into Initial Access

55. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Final Merge • Deprecated PRE-ATT&CK matrix for PRE Enterprise platform • 2 new Tactics • Criteria for inclusion: 1. Technical 2. Visible to some defenders 3. Evidence of adversary use

56. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Reconnaissance • Actively or passively gathering information that can be used to support targeting. • 10 Techniques & 31 Sub-techniques • Split into what & how

57. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Resource Development • Building, buying, or compromising resources that can be used during targeting • Infrastructure • Accounts • Capabilities • 6 Techniques & 26 Sub-techniques

58. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Technique Metadata • New PRE platform • New Pre-compromise Mitigation • ex: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on... • Data sources and Detections relevant to potential Enterprise artifacts Source: https://i.pinimg.com/originals/71/6a/5b/716a5b5b8847470b77dde4a4b67f2a2b.gif

59. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Why? • Promote more adoption and contributions • More integration across spectrum of adversary behaviors Source: https://gph.is/g/Z5K7bQE

60. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Gone But Not Forgotten Previous versions (< v8) will retain the full matrix as well as individual techniques

61. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. How Can You Help? • Feedback and contributions! • New techniques + scoping of existing techniques • Documentation of potential detections and mitigations • Reported instances of adversary procedure examples Source: http://gph.is/2colVQl

63. Join our next session on December 11 Register now! https://na.eventscloud.com/ATTACKcon-november

MITRE ATT&CKcon Power Hour - November

You are reading a preview.

Check these out next

MITRE ATT&CKcon Power Hour - November

More Related Content

Slideshows for you (20)

Similar to MITRE ATT&CKcon Power Hour - November (20)

More from MITRE - ATT&CKcon (19)

Recently uploaded (20)