Attacking the Red vs Blue Divide
MITRE ATT&CKcon 3.0
March 30, 2022
Copyright © 2021 Threatology, Inc
#whoami
Fred Frey
CTO/Co-founder - SnapAttack
20+ years of red team + threat hunt
ffrey@snapattack.com
@fryguy2600
Jonathan Mulholland
AI Director - SnapAttack
15 years experience in data analysis and scientific research
jmulholland@snapattack.com
Agenda
Talk Topics
• Our approach: red and blue
• Threat & analytics library
• What is measured, gets improved!
• Curating analytics
• Better ATT&CK coverage estimates
• Analytic robustness measures
• SnapAttack Community Release
Goals and Motivations
Support community threat research efforts by:
• Combining multiple red and blue community efforts together
• Measuring and identifying community detection gaps
• Empowering searching and filtering of attacks/analytics in a purpose-built platform
Community Threat Research
[Diagram: Red Team Communities and Blue Team Communities, with community content sources such as Security Content, Analytics, Sentinel Use Cases and Sigma]
… wouldn't it be cool if we could combine and independently validate these efforts?
Red ↔ Blue: Particle Collider
Particle Collider
Propels charged particles at high speeds that smash against other particles.
By studying these collisions, physicists are able to probe the world of the infinitely small.
Red ↔ Blue: Particle Collider
[Diagram: Atomic Red attacks for T1059, T1218, T1047, T1003, T1105 and T1055 are propelled from one side and Sigma analytics for the same techniques from the other; they collide in the logs: EDR, syslogs, application logs, PCAP / Zeek]
SnapAttack
Propels malicious attacks at high speeds that smash against behavioral detection analytics.
By studying these collisions, threat researchers are able to probe the world of the hackers.
Empowering Threat Research
What can we measure with red and blue data?
1. False Positives – Throw out overly false positive analytics and/or improve filtering
2. True Positives Validation – Ensure it detects what you expect it to
3. MITRE ATT&CK Coverage – Detect across the board, validate community labels
4. Analytic Similarities – Find duplicate analytics, pick the best
Into the Platform
Threat and Analytic Library
[Screenshot of a threat page: video of attack, attack description, analytic hit details, analytic timeline]
Memorialize attacks – share with the community
Threat and Analytic Library
Validate "All the Things"
RED TEAM: Emulates / captures threat to validate
BLUE TEAM: Creates analytics to detect
Outcome: CONFIDENTLY DEPLOY
Signature Metadata (Analytic Library)
• Title / description / notes
• MITRE ATT&CK mapping
• Validation status
• Confidence ranking
• Exclusion filters
• Link to true positive logs
Threat Metadata (Threat Library)
• Title / description / notes
• MITRE ATT&CK mapping
• Security event logs
• Threat intel report link
• Labeled threats (ATT&CK + timestamp)
[Diagram: untested signatures from the Analytic Library are run against undetected attack logs from the Threat Library; validated true positives are the ones to deploy]
Label Data
• FALSE POSITIVE (Noise)
• TRUE POSITIVE (Validated hit)
• FALSE NEGATIVE (Undetected hit)
Validation Criteria
Blue and red marker must match either:
• The same event log, or
• +/- 5 seconds with the same ATT&CK technique or process ID
[Screenshot: attack timeline with overlaid detection hits]
Curating Analytics: False Positive Reduction
Curating Analytics
Finding Quality Community Detections
Sigma Community Analytics
• 1,840 Sigma queries
• 322 distinct ATT&CK tags
Atomic Red Scripts
• 847 Atomic Red scripts
• 379 attacks emulated in our lab (Atomic sessions)
• 182 distinct ATT&CK tags
ATT&CK Techniques
• Techniques: 188
• Sub-techniques: 379
[Graph: Atomic sessions on one side, Sigma queries on the other]
Curating Analytics
• Filter out noise
• Identify the events of interest
• This experiment is environment sensitive
Our Particle Traces: Collision!
[Graph: Atomic sessions and Sigma queries, an edge for every query hit]
False Positives Removed
Noise Filters
• Analytic must have 1 - 20 connections on the graph
• Analytics that miss are discarded
Notes
• Results can't be obtained manually
• Analytics that miss form a red team backlog (need to create a true positive attack example)
[Graph: Atomic sessions and Sigma queries after the noise filter, an edge for every query hit]
Reducing False Positives
Example: Change PowerShell Policies to an Unsecure Level
• Hits every single Atomic Red session
• Author's level and false positive entries are unreliable
• Behavior is environment dependent, manual curation is impossible
False Positive Log Hit:
CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\Program Files\Amazon\Ec2ConfigService\Scripts\DiscoverConsolePort.ps1
Unanticipated query behavior:
detection:
  option:
    CommandLine|contains: '-executionpolicy'
  level:
    CommandLine|contains:
      - 'Unrestricted'
      - 'bypass'
      - 'RemoteSigned'
  condition: option and level
falsepositives:
  - Administrator script
level: high
Criticality vs. Analytic Quality
[Chart: distribution of analytic quality for each criticality level (CRITICAL, HIGH, MEDIUM, LOW); x-axis is quality score from 0.0 to 1.0]
Quality Score
• The fraction of hits by a Sigma query that are validated (1.0 means all hits from an analytic were validated)
• Chart callout: coin flip whether the analytic is reliable
Sigma Author's Assessment
Criticality Level Can't Be Trusted!
• Is not based on your data
• Author expertise is unknown
Conclusion
• Risk = Probability x Severity
• Sigma level field does not include probability
• Probability can be obtained from real data or estimated using community data
Curating Analytics: Analytic Validation
Analytic Validation
Analytic Filters
• False positive reduction
• Analytic must have a validated hit (true positive)
Winners!
[Graph: Atomic sessions and Sigma queries that survive both filters, an edge for every query hit]
Validation Criteria
• Analytic hit and attack marker match the exact same event log, or
• Analytic hit must be near (+/- 5 seconds) an attack marker and share a MITRE ATT&CK tag or process ID
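The validation criteria, the 1 - 20 connection noise filter and the quality score, as an added Python example that is not code from the talk or from SnapAttack; the Hit/Marker fields, analytic names and session values are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional
WINDOW_SECONDS = 5.0   # validation criteria: +/- 5 seconds around an attack marker
MAX_CONNECTIONS = 20   # noise filter: an analytic may touch 1 - 20 sessions

@dataclass(frozen=True)
class Hit:
    """One Sigma analytic hit on a red-team (Atomic) session log."""
    analytic: str
    session: str
    event_id: str
    ts: float                 # seconds since session start
    technique: Optional[str]  # ATT&CK tag carried by the analytic
    pid: Optional[int]        # process ID from the matched event

@dataclass(frozen=True)
class Marker:  # one red-team label: this event in this session is technique X
    session: str
    event_id: str
    ts: float
    technique: str
    pid: Optional[int]

def is_validated(hit: Hit, markers: list) -> bool:
    """True positive if a marker in the same session shares the event log, or
    lies within the window and shares the ATT&CK tag or the process ID."""
    for m in markers:
        if m.session != hit.session:
            continue
        if m.event_id == hit.event_id:
            return True
        same_tag = hit.technique is not None and m.technique == hit.technique
        same_pid = hit.pid is not None and m.pid == hit.pid
        if abs(m.ts - hit.ts) <= WINDOW_SECONDS and (same_tag or same_pid):
            return True
    return False

def quality_score(analytic: str, hits: list, markers: list) -> float:
    """Fraction of the analytic's hits that validate (1.0 = every hit validated)."""
    mine = [h for h in hits if h.analytic == analytic]
    return sum(is_validated(h, markers) for h in mine) / len(mine) if mine else 0.0

def passes_noise_filter(analytic: str, hits: list) -> bool:
    sessions = {h.session for h in hits if h.analytic == analytic}
    return 1 <= len(sessions) <= MAX_CONNECTIONS

def curate(hits: list, markers: list) -> dict:
    """Analytics that pass the noise filter and have a validated hit, with score."""
    scored = {a: quality_score(a, hits, markers) for a in {h.analytic for h in hits}}
    return {a: q for a, q in scored.items() if q > 0 and passes_noise_filter(a, hits)}

# Constructed sample data (assumption, not the talk's data): 25 Atomic sessions.
SESSIONS = [f"atomic-{i:03d}" for i in range(25)]
MARKERS = [Marker("atomic-000", "evt-10", 12.0, "T1003.001", 4120),
           Marker("atomic-001", "evt-77", 30.0, "T1003.001", 5580)]
HITS = (
    # the policy-bypass rule fires on the test harness in every session, never near a marker
    [Hit("Change PowerShell Policies", s, "evt-01", 0.5, "T1059.001", 900) for s in SESSIONS]
    + [Hit("LSASS Memory Dump", "atomic-000", "evt-10", 12.0, "T1003.001", 4120),  # same event log
       Hit("LSASS Memory Dump", "atomic-001", "evt-80", 33.0, "T1003.001", 5581),  # +3 s, same tag
       Hit("Procdump Usage", "atomic-000", "evt-20", 21.0, "T1003.001", 4120)])    # +9 s: too far
```

Running curate(HITS, MARKERS) keeps only the LSASS analytic: the bypass rule fails the noise filter (25 connections, no validated hit) and the Procdump rule has no validated hit, so it lands in the red team backlog.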
Validated Analytics
T1003.001: OS Credential Dumping: LSASS Memory
Atomic Sessions
• Dump LSASS.exe Memory using ProcDump
• Dump LSASS.exe Memory using comsvcs.dll
• Dump LSASS.exe Memory using direct system calls and API unhooking
• Create Mini Dump of LSASS.exe using ProcDump
• Dump LSASS.exe Memory using Out-Minidump.ps1
Sigma Queries
• Cred Dump Tools Dropped Files
• LSASS Memory Dump File Creation
• LSASS Memory Dumping
• Procdump Usage
• Suspicious Use of Procdump
• LSASS Memory Dump
• Suspicious Use of Procdump on LSASS
• Lsass Memory Dump via Comsvcs DLL
• Dumpert Process Dumper
• LSASS Process Memory Dump Files
• Dumpert Process Dumper
• Process Dump via Comsvcs DLL
• Credentials Dumping Tools Accessing LSASS Memory
• Generic Password Dumper Activity on LSASS
• Accessing WinAPI in PowerShell for Credentials Dumping
[Graph: the five Atomic sessions connected to the Sigma queries that hit them]
MITRE ATT&CK Coverage Estimate
Query / Session Counts
• Unfiltered: 1,840 Sigma queries, 379 Atomic sessions
• False positives filter: 221 Sigma queries, 214 Atomic sessions
• Validation filter: 129 Sigma queries, 127 Atomic sessions
ATT&CK Technique Coverage (567 ATT&CK techniques)
• Unfiltered: 322 techniques covered by Sigma
• False positives filter: 130 techniques covered by Sigma
• Validation filter: 115 techniques covered by Sigma
Realistic ATT&CK Coverage
Analytic Similarity
• Nerds: Projection of the bipartite network onto a single mode using hyperbolic weighting
• Everyone Else: Finding similar/duplicate analytics
Applications of Similarity Calculation
• Deduplication
• Auto labeling
• Defense-in-depth
Leveraging Graph Data
• Use unvalidated data to calculate correlations
• Disjoint sets of the most correlated analytics
• Projection showing Sigma query connectivity based on similar Atomic Red hits
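The single-mode projection with hyperbolic weighting and the disjoint sets of most correlated analytics, as an added Python example that is not code from the talk or from SnapAttack; the hit table and analytic names are constructed assumptions, and it generalizes the talk's Mavinject and Rundll32 pairs to any analytic-to-session hit table:

```python
from collections import defaultdict
from itertools import combinations

def project_analytics(hits: dict) -> dict:
    """One-mode projection of the analytic/session bipartite graph with hyperbolic
    weighting: an edge between two analytics sums 1/(deg(session) - 1) over the
    sessions both hit, so a session that many analytics hit contributes little."""
    by_session = defaultdict(set)
    for analytic, sessions in hits.items():
        for s in sessions:
            by_session[s].add(analytic)
    weights = defaultdict(float)
    for analytics in by_session.values():
        if len(analytics) < 2:
            continue                       # a session with one hit links nothing
        share = 1.0 / (len(analytics) - 1)
        for a, b in combinations(sorted(analytics), 2):
            weights[frozenset((a, b))] += share
    return dict(weights)

def similarity(proj: dict, a: str, b: str) -> float:
    return proj.get(frozenset((a, b)), 0.0)

def best_match(proj: dict, analytic: str):
    """Analytic with the strongest projected edge to this one (None if isolated)."""
    best, best_w = None, 0.0
    for edge, w in proj.items():
        if analytic in edge and w > best_w:
            best, best_w = next(iter(edge - {analytic})), w
    return best

def correlated_sets(hits: dict) -> set:
    """Disjoint sets: union-find joining each analytic to its best match."""
    proj = project_analytics(hits)
    parent = {a: a for a in hits}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a in hits:
        b = best_match(proj, a)
        if b is not None:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for a in hits:
        groups[find(a)].add(a)
    return {frozenset(g) for g in groups.values()}

# Constructed sample (assumption, not the talk's data): analytic -> Atomic sessions it hit.
# "busy" fires many analytics, so sharing it is weak evidence of similarity.
HITS = {
    "Mavinject Inject DLL Into Running Process": {"mav-1", "mav-2", "busy"},
    "Mavinject Process Injection":               {"mav-1", "mav-2", "busy"},
    "Suspicious Rundll32 Script in CommandLine": {"rundll-1", "busy"},
    "Rundll32 Internet Connection":              {"rundll-1", "rundll-2"},
    "LSASS Memory Dump":                         {"lsass-1", "busy"},
    "Procdump Usage":                            {"lsass-1", "busy"},
}
```

With this data the two Mavinject rules score 2.25 (two private sessions plus a 0.25 share of the busy one) while any pair linked only through "busy" scores 0.25, and correlated_sets(HITS) returns the three pairs as merge or defense-in-depth candidates.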
Analytic Similarity
Example #1 – Result: Merge to improve
• Nearly identical analytic
• ATT&CK tag error
Mavinject Inject DLL Into Running Process
T1055.001 Process Injection: Dynamic-link Library Execution
T1056.004 Input Capture: Credential Hooking
detection:
  selection:
    CommandLine|contains|all:
      - ' /INJECTRUNNING'
      - '.dll'
    OriginalFileName|contains: mavinject
  condition: selection
Mavinject Process Injection
T1055.001 Process Injection: Dynamic-link Library Execution
T1218. Signed Binary Proxy Execution
detection:
  selection:
    CommandLine|contains: ' /INJECTRUNNING '
  condition: selection
Analytic Similarity
Example #2 – Result: Keep Both for robustness
• Similar analytic and same tag
• Defense-in-depth
• Process logs
• Network logs
• Auto-labeling potential
Suspicious Rundll32 Script in CommandLine
T1218.011 Signed Binary Proxy Execution: Rundll32
detection:
  selection_run:
    CommandLine|contains|all:
      - rundll32
      - 'mshtml,RunHTMLApplication'
  selection_script:
    CommandLine|contains:
      - 'javascript:'
      - 'vbscript:'
  condition: all of selection_*
logsource:
  category: process_creation
  product: windows
Rundll32 Internet Connection
T1218.011 Signed Binary Proxy Execution: Rundll32
detection:
  selection:
    Image|endswith: 'rundll32.exe'
    Initiated: 'true'
  filter:
    - DestinationIp|startswith:
        - '10.'
        - '192.168.'
        - '172.16.'
    ...
  filter_microsoft:
    DestinationIp|startswith:
      - '51.124.'
  condition: selection and not 1 of filter*
logsource:
  category: network_connection
  product: windows
Research Wrap-up
[Diagram: untested signatures from the Analytic Library are run against undetected attack logs from the Threat Library; validated true positives are confidently deployed]
Collision Experiments Results
• Curated set of validated analytics
• Backlog of undetected Atomic Red sessions
• Realistic MITRE ATT&CK coverage
• Graph theory analytic similarity
Released Today in SnapAttack Community Platform
[Coverage graphic: 115 validated Sigma analytics against 567 ATT&CK techniques]
SnapAttack – Community Platform
• Forever free and open to the community
• Access to all community content (including all Sigma analytics and Atomic Red attacks mentioned today)
• Request contributor beta access (general availability in the next ~3-4 months)
• Analytic IDE for creating and testing detections
• Capture and share your own attacks
Register Today or Request Contributor Beta Access
https://www.snapattack.com/community
We are launching our community edition today
