© 2018 The MITRE Corporation. All rights reserved.
| 1 |
Christopher Korban
Cody Thomas
HOPE - July 2018
ATT&CKing with Threat
Intelligence
Approved for public release. Distribution unlimited 18-0944-10
| 2 |
ATT&CK T1033 – System Owner/User Discovery
 Christopher Korban
– Lead Cyber Security Engineer
– ATT&CKing for the past 5+ years
– Creates Adversary Emulation Plans
– @ckorban
 Cody Thomas
– Senior Cyber Security Engineer
– Created Mac/Linux ATT&CK
– Red Teamer and Tool Developer
– @its_a_feature_
| 3 |
Traditional Offensive Testing Workflow
Red: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
Blue: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
 Typical Red vs Blue event flow
| 4 |
Traditional Outcomes
 Red
– Creates report of offensive techniques and IoCs for what they did
– Wants to make sure they ‘win’ again next time
– Leaves for a year
 Blue
– Deciphers Red’s report
– Continues to deal with daily incident reports
– Creates static detections for Red’s tools and IoCs
– Might try to characterize malicious behavior
 Typically has small sample size
 No good way to keep testing
https://aconsciouslifenow.com/wp-content/uploads/2017/07/Health-Wealth-Purpose-and-Love-thru-Releasing-the-Adversary.jpg
| 5 |
How do these outcomes progress?
 Blue signatures Red tool (MD5=4de587ac29…)
– Red changes tool slightly (new hash)
 Blue signatures Red tool (string=“mimikatz”)
– Red changes tool slightly (string=“mimidogz”)
 Blue stops single red instantiation (psexec)
– Red modifies implementation (psexec manually)
 …
 This isn’t really helping blue or red
| 6 |
Change the game, even for Red
David Bianco’s Pyramid of Pain
| 7 |
Need Common Language for TTPs
 What do we need from this common language?
– Communicate and articulate what happened in a test, and results
– Do so at a level that’s specific enough that it’s repeatable
– Enable us to create metrics that make sense
 What do we use for this?
– MITRE’s Adversarial Tactics, Techniques, and Common Knowledge
| 8 |
ATT&CK™ is increasingly
being used by the community
as a common way to describe
adversary behavior.
ATT&CK™ is a globally-accessible
knowledge base of adversary tactics
and techniques, developed by
MITRE based on real-world
observations of adversaries’
operations.
attack.mitre.org
| 9 |
ATT&CK Matrix Format
Tactic: Adversary’s technical goal, the “Why”
Technique: Adversary’s action to achieve the goal, the “What”
| 10 |
Example of Technique: New Service
 Description: When operating systems boot up, they can start programs or applications called
services that perform background system functions. … Adversaries may install a new service
which will be executed at startup by directly modifying the registry or by using tools.
 Platform: Windows
 Permissions required: Administrator, SYSTEM
 Effective permissions: SYSTEM
 Detection:
– Monitor service creation through changes in the Registry and common utilities using command-
line invocation
– Tools such as Sysinternals Autoruns may be used to detect system changes that could be
attempts at persistence
– Monitor processes and command-line arguments for actions that could create services
 Mitigation:
– Limit privileges of user accounts and remediate Privilege Escalation vectors
– Identify and block unnecessary system utilities or potentially malicious software that may be used
to create services
 Data Sources: Windows Registry, process monitoring, command-line parameters
 Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
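The progression on slide 5 (hash, then string, then tool, then behaviour) and the detection guidance for New Service above can be run side by side. The block below is an added example, not code from the deck: it constructs four process records (three iterations of one lateral-movement tool plus routine host activity) and applies one detection rule per tier of the Pyramid of Pain. The file bytes, service records, and the allow-list of expected service binaries are all constructed stand-ins, not real executables or a real baseline.

```python
"""Detection tiers from the Pyramid of Pain applied to three iterations of one
red-team lateral-movement tool.  Every event below is constructed for this example;
the file bytes are stand-ins, not real executables."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    image: str                          # process image (process-creation sensor)
    command_line: str                   # full command line
    file_bytes: bytes                   # bytes of the executable on disk (constructed)
    service_name: Optional[str] = None  # set when a service was installed (7045-style record)
    service_path: Optional[str] = None  # binary path the new service points at


# Iteration 1: stock PsExec.  Iteration 2: the same tool rebuilt and renamed, so the
# hash and the tell-tale string change but the default service name does not.
# Iteration 3: no tool at all; the service is created by hand with sc.exe.
# The last event is routine host activity that installs nothing.
EVENTS: Dict[str, Event] = {
    "red_v1": Event(r"C:\Tools\PsExec.exe", r"PsExec.exe \\fileserver -s cmd.exe",
                    b"MZ\x90\x00 PsExec Sysinternals ...",
                    "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    "red_v2": Event(r"C:\Tools\pxc.exe", r"pxc.exe \\fileserver -s cmd.exe",
                    b"MZ\x90\x00 PxCx Sysinternals ... rebuilt",
                    "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    "red_v3": Event(r"C:\Windows\System32\sc.exe",
                    r'sc.exe \\fileserver create winupd binPath= "cmd.exe /c C:\Windows\Temp\up.exe"',
                    b"MZ\x90\x00 genuine sc.exe bytes",
                    "winupd", r"cmd.exe /c C:\Windows\Temp\up.exe"),
    "benign": Event(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                    b"MZ\x90\x00 genuine svchost bytes"),
}


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Tier 1 (bottom of the pyramid): the hash of the tool from Red's last report.
KNOWN_BAD_MD5 = {md5(EVENTS["red_v1"].file_bytes)}


def hash_rule(ev: Event) -> bool:
    return md5(ev.file_bytes) in KNOWN_BAD_MD5


# Tier 2: a string pulled out of the binary.
def string_rule(ev: Event) -> bool:
    return b"PsExec" in ev.file_bytes


# Tier 3: the tool itself, recognised by its command-line grammar or its default service name.
def tool_rule(ev: Event) -> bool:
    return ev.service_name == "PSEXESVC" or re.search(r"(?i)\bpsexec(\.exe)?\b", ev.command_line) is not None


# Tier 4 (top): the behaviour ATT&CK describes under New Service: a service was installed
# whose binary is not one this host is expected to run, or a process tried to create one.
# The allow-list is a constructed stand-in for the host's real service baseline.
EXPECTED_SERVICE_PATHS = {r"%SystemRoot%\System32\svchost.exe -k netsvcs"}
SERVICE_CREATE_CLI = re.compile(r"(?i)\bsc(\.exe)?\b.*\bcreate\b|\bNew-Service\b")


def behaviour_rule(ev: Event) -> bool:
    unexpected_install = ev.service_name is not None and ev.service_path not in EXPECTED_SERVICE_PATHS
    create_from_cli = SERVICE_CREATE_CLI.search(ev.command_line) is not None
    return unexpected_install or create_from_cli


RULES: Dict[str, Callable[[Event], bool]] = {
    "hash": hash_rule, "string": string_rule, "tool": tool_rule, "behaviour": behaviour_rule,
}


def evaluate(events: Dict[str, Event] = EVENTS, rules=RULES) -> Dict[str, List[str]]:
    """For each rule, the sorted names of the events it fires on."""
    return {name: sorted(k for k, ev in events.items() if rule(ev)) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:9s} -> {hits}")
```

The hash and string rules only survive the iteration they were written against, the tool rule survives a rename but not a reimplementation, and only the behaviour rule, which is what the New Service entry's data sources (registry, process monitoring, command-line parameters) point at, fires on all three while staying quiet on the routine activity. Its cost is that it will also fire on legitimate software installs, so the service baseline has to be maintained rather than written once.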
| 11 |
ATT&CK Spans Multiple Tech Domains
PRE-ATT&CK: left-of-exploit behaviors
Enterprise: Windows, Linux, Mac
Mobile: Android, iOS
| 12 |
Key ATT&CK use cases:
 Guide threat hunting campaigns
 Leverage threat intelligence to
prioritize technique detection
 Remediate gaps by mapping
solutions back to ATT&CK techniques
 Emulate adversaries to measure
defenses against relevant threats
| 13 |
Adversary Emulation
 AKA: Threat-based Red Teaming
 Adversary Emulation
– Emulate the techniques of an adversary that’s most likely to target
your environment
– Focus on the behaviors of those techniques instead of specific
implementations
https://giphy.com/explore/hackerman https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543
| 14 |
Adversary Emulation with ATT&CK
Prototype APT3 emulation plan on attack.mitre.org
| 15 |
How to start doing adversary emulation?
 Identify an adversary you want to emulate
– Consider the target you’re going up against
 Defense Contractor
 Financial Sector
 Health Care
 E-Commerce
 Etc.
– Adversaries change accordingly
 Country Specific (APT3, APT28, APT29, APT34, ….)
 Financially Motivated (FIN6, FIN7, …)
| 16 |
How to start doing adversary emulation?
1. Threat Intelligence Acquisition
– Analyze Reporting:
 Adversary reports (APTX)
 Reports on the adversary’s toolsets (APTX uses A, B, C)
 Aliases (e.g., APTX is also tracked as ThreatGroup ###, adjective-animal)
 Toolset aliases (e.g., tool A is also named Trojan.malwareName)
 Associated campaigns (OperationZ)
 Keep the date of each report in mind
Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
| 17 |
Threat Intel - Follow the Leads
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
Aliases, Aliases, Aliases everywhere!
| 18 |
How to start doing adversary emulation?
2. Extract Actionable Techniques and M.O.
– Look for adversary behaviors
– Look for tool functionality
– Establish the adversary’s goal
– Think about the what, why, and how
 In ATT&CK - Technique, Tactic, Procedure
| 19 |
Threat Intel - What does it really say?
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1094 - Custom Command and Control Protocol
| 20 |
Threat Intel - Into the Binary Strings
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1059 - Command-Line Interface
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception?
| 21 |
Threat Intel - Into the Binaries
T1056 - Input Capture
T1027 - Obfuscated Files or Information
T1016 - System Network Configuration Discovery
T1077 - Windows Admin Shares
T1035 - Service Execution
T1003 - Credential Dumping
T1055 - Process Injection
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
| 22 |
Threat Intel - Adversary M.O.
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
Buckeye seems to target file and print servers, which makes it likely the group is
looking to steal documents
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
They are extremely proficient at lateral movement … and typically
do not reuse command and control infrastructure
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
The rarsfx archive is created 5-6 months before this attack … used
the same rarsfx archive with other payloads before this attack.
| 23 |
Developing an Emulation Plan
 This is the hardest part of the puzzle
 No plan will be perfect, so approximate where needed
 This isn’t a replay of an incident - variation is OK
| 24 |
Developing an Emulation Plan
3. Develop Tools if needed to emulate behaviors
– What are the COTS / Open Source tools available?
– Can you exhibit the right behaviors with these tools?
 Can you extend them?
 Can you modify them?
– Do you need to develop something specific?
 Delivery mechanisms
 Command and Control
 Capabilities
| 25 |
What is behavior emulation for TTPs?
 Performing adversary techniques with variations
– Adversary created “C:\aos.exe” for Priv Esc via path interception
 You intercept any service path that runs under higher privileges
– Adversary used “PsExec” for Lateral Movement
 You do it manually with “sc.exe” or via PowerShell
– Adversary runs “whoami” for Discovery
 You do it with environment variables
“%USERDOMAIN%\%USERNAME%”
 Thinking about what you’re trying to accomplish
– Technique in ATT&CK
– And Why you’re trying to accomplish it
 Tactic in ATT&CK
| 26 |
Defining Your Toolset
 Don’t limit yourself to a single environment or tool
– Python, PowerShell, Command-Line, Custom Binary, etc
 Do stay within the behavior boundaries
| 27 |
Create an Adversary Emulation Field Manual
Discovery
T1069 - Permission Groups Discovery: net localgroup | net group /domain | dsquery group
T1087 - Account Discovery: net user /domain | wmic user | dsquery user
 Provides multiple implementations across toolsets
 Provides offensive command-line examples
 Create this as you go, and use for reference later
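Steps 1 to 3 above can be chained in a few dozen lines. The block below is an added example, not code from the deck or from MITRE's published emulation plans: it takes the technique IDs mapped out of the three reports on the earlier slides (the tentative T1034 is left out until confirmed), weights each technique by how old its reporting is, writes the result out as an ATT&CK Navigator layer for the "prioritize technique detection" use case, and checks the prioritised list against a field manual like the one on this slide to see which techniques still need tooling before the emulation can start. Assumptions: the publication dates are approximated from the report URLs, the recency weights and cut-offs are illustrative, the T1033 row is built from the whoami/environment-variable variation discussed two slides back, and the layer's version and domain strings are the ones the 2018 Navigator accepted and should be checked against the build you run.

```python
"""Added example: technique IDs from several intel reports -> recency-weighted
priorities -> ATT&CK Navigator layer + field-manual coverage check.
Report dates are approximated from the report URLs; weights, cut-offs and the
layer's version strings are assumptions."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# (report, approximate publication date, techniques extracted from it).
# The tentative "T1034?" from the Pirpi slides is left out until it is confirmed.
REPORTS: List[Tuple[str, date, List[str]]] = [
    ("fireeye-operation-doubletap", date(2014, 11, 1),
     ["T1068", "T1059", "T1033", "T1053", "T1065", "T1094"]),
    ("symantec-buckeye", date(2016, 9, 1),
     ["T1056", "T1027", "T1016", "T1077", "T1035", "T1003", "T1055"]),
    ("recon-evolution-of-pirpi", date(2017, 6, 1),
     ["T1069", "T1049", "T1059", "T1018", "T1107", "T1057"]),
]

# Field manual: technique -> toolset -> procedures.  The T1069/T1087 rows are the
# slide's (kept as written there); the T1033 row is the whoami variation (assumed).
FIELD_MANUAL: Dict[str, Dict[str, List[str]]] = {
    "T1069": {"cmd": ["net localgroup", "net group /domain"], "dsquery": ["dsquery group"]},
    "T1087": {"cmd": ["net user /domain"], "wmic": ["wmic user"], "dsquery": ["dsquery user"]},
    "T1033": {"cmd": ["whoami", "echo %USERDOMAIN%\\%USERNAME%"],
              "powershell": ["[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"]},
}


def report_weight(published: date, as_of: date) -> float:
    """Keep the age of reporting in mind: recent reports count fully, older ones are
    discounted.  The cut-offs are an assumption; tune them per adversary."""
    age_years = (as_of - published).days / 365.25
    if age_years < 2:
        return 1.0
    if age_years < 4:
        return 0.5
    return 0.25


def technique_scores(reports=REPORTS, as_of: date = date(2018, 7, 1)):
    """Sum of report weights per technique, plus the reports backing each score."""
    scores: Dict[str, float] = defaultdict(float)
    sources: Dict[str, List[str]] = defaultdict(list)
    for name, published, techniques in reports:
        w = report_weight(published, as_of)
        for tid in techniques:
            scores[tid] += w
            sources[tid].append(f"{name} ({published.year}, weight {w})")
    return dict(scores), dict(sources)


def navigator_layer(scores, sources, name: str = "Emulation priorities") -> dict:
    """Navigator layer, highest score first.  "version" and "domain" are what the 2018
    Navigator accepted and are an assumption for the build you run."""
    techniques = [
        {"techniqueID": tid, "score": score, "comment": "; ".join(sources[tid])}
        for tid, score in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    return {
        "name": name,
        "version": "2.1",
        "domain": "mitre-enterprise",
        "description": "Techniques weighted by number and recency of open-source reports",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(scores.values())},
    }


def coverage(scores, manual=FIELD_MANUAL):
    """Step 3: which prioritised techniques already have procedures in the field manual
    (technique -> number of implementations) and which still need tooling, by priority."""
    covered = {tid: sum(len(v) for v in manual[tid].values()) for tid in scores if tid in manual}
    gaps = sorted((tid for tid in scores if tid not in manual), key=lambda t: (-scores[t], t))
    return covered, gaps


if __name__ == "__main__":
    import json
    scores, sources = technique_scores()
    print(json.dumps(navigator_layer(scores, sources), indent=2))
    covered, gaps = coverage(scores)
    print("covered:", covered)
    print("need tooling (by priority):", gaps)
```

Load the printed JSON into the Navigator to see the weighted matrix; the gap list is the backlog for "Develop Tools", and the covered map tells you how many variants you can rotate through so that repeated runs of a technique do not all share one command line.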
| 28 |
Developing an Emulation Plan
4. Set up offensive infrastructure
– Set up Command and Control server(s) and redirector(s), buy
domains, test techniques, install offensive frameworks
– Create Payloads “inspired by” the adversary’s tradecraft
 Modify IoCs and behaviors if possible
 Obfuscate with purpose, NOT all the things
– Over obfuscation is itself suspicious
| 29 |
Developing an Emulation Plan
5. Emulate the Adversary
– Follow the M.O. of your target adversary
– “Domain Admin” most likely isn’t your goal
– Keep the ‘speed of the adversary’ in mind
 Low and slow vs smash and grab
https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2017/12/03221736/Automated-Adversary-Emulation-System-CALDERA.jpg
| 30 |
Providing a Starting Point for Red/Blue
 To kickstart the process for Red/Blue teams
everywhere, MITRE is providing two prototypes
 APT3 and APT29
– All based on open-source intelligence
– Breakdowns of APT tools and capabilities mapped to ATT&CK
– Descriptions of how these techniques are implemented
– Potential operator flows during emulations
– Cheat Sheets of commands across
 Live off the Land binaries/scripts
 Open source tools
 Commercial toolkits
 APT3 is on attack.mitre.org now
 APT29 is Coming Soon™
| 31 |
Contact Us
 Chris - @ckorban, ckorban@mitre.org
 Cody - @its_a_feature_, cbthomas@mitre.org
 ATT&CK
– https://attack.mitre.org
– @MITREattack
 ATT&CK Navigator
– https://github.com/mitre/attack-navigator
– https://mitre.github.io/attack-navigator/enterprise/
 Adversary Emulation Plans
– https://attack.mitre.org/wiki/Adversary_Emulation_Plans
 CALDERA: Automated Adversary Emulation
– https://github.com/mitre/caldera
| 32 |
MITRE is a not-for-profit organization whose sole focus is to
operate federally funded research and development centers,
or FFRDCs. Independent and objective, we take on some of
our nation's—and the world’s—most critical challenges and
provide innovative, practical solutions.
Learn and share more about MITRE, FFRDCs,
and our unique value at www.mitre.org
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
marufrahmanstratejm
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 

Recently uploaded (20)

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 

ATT&CKing with Threat Intelligence

  • 1. © 2018 The MITRE Corporation. All rights reserved.
     ATT&CKing with Threat Intelligence
     Christopher Korban, Cody Thomas
     HOPE - July 2018
     Approved for public release. Distribution unlimited 18-0944-10
  • 2. ATT&CK T1033 – User Discovery
     - Christopher Korban
       – Lead Cyber Security Engineer
       – ATT&CKing for the past 5+ years
       – Creates Adversary Emulation Plans
       – @ckorban
     - Cody Thomas
       – Senior Cyber Security Engineer
       – Created Mac/Linux ATT&CK
       – Red Teamer and Tool Developer
       – @its_a_feature_
  • 3. Traditional Offensive Testing Workflow
     Typical Red vs Blue event flow:
     Red: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
     Blue: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
  • 4. Traditional Outcomes
     - Red
       – Creates report of offensive techniques and IoCs for what they did
       – Wants to make sure they ‘win’ again next time
       – Leaves for a year
     - Blue
       – Deciphers Red’s report
       – Continues to deal with daily incident reports
       – Creates static detections for Red’s tools and IoCs
       – Might try to characterize malicious behavior
         · Typically has small sample size
         · No good way to keep testing
     (image: https://aconsciouslifenow.com/wp-content/uploads/2017/07/Health-Wealth-Purpose-and-Love-thru-Releasing-the-Adversary.jpg)
  • 5. How do these outcomes progress?
     - Blue signatures Red tool (MD5=4de587ac29…)
       – Red changes tool slightly (new hash)
     - Blue signatures Red tool (string=“mimikatz”)
       – Red changes tool slightly (string=“mimidogz”)
     - Blue stops single red instantiation (psexec)
       – Red modifies implementation (psexec manually)
     - …
     - This isn’t really helping blue or red
  • 6. Change the game, even for Red
     David Bianco’s Pyramid of Pain
  • 7. Need Common Language for TTPs
     - What do we need from this common language?
       – Communicate and articulate what happened in a test, and results
       – Do so at a level that’s specific enough that it’s repeatable
       – Enable us to create metrics that make sense
     - What do we use for this?
       – MITRE’s Adversarial Tactics, Techniques, and Common Knowledge
  • 8. ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior. ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations. attack.mitre.org
  • 9. ATT&CK Matrix Format
     Tactic: Adversary’s technical goal, the “Why”
     Technique: Adversary’s action to achieve the goal, the “What”
  • 10. Example of Technique: New Service
     - Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
     - Platform: Windows
     - Permissions required: Administrator, SYSTEM
     - Effective permissions: SYSTEM
     - Detection:
       – Monitor service creation through changes in the Registry and common utilities using command-line invocation
       – Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
       – Monitor processes and command-line arguments for actions that could create services
     - Mitigation:
       – Limit privileges of user accounts and remediate Privilege Escalation vectors
       – Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
     - Data Sources: Windows Registry, process monitoring, command-line parameters
     - Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
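The detection bullets on slide 10 (service creation seen through Registry changes and through command-line utilities) as runnable detection logic, added here as an example; this is not code from the presentation or from MITRE. The simplified event shape, the TRUSTED_DIRS list and the T1050 technique ID are assumptions, and the sample events are constructed.

```python
"""Detection logic for the New Service technique (added example, not MITRE's
code). It applies the slide's detection bullets to constructed events in a
simplified dict shape: process creations with command lines, and Registry
writes. Event fields, TRUSTED_DIRS and the technique ID are assumptions."""
import re
import shlex

# ID of "New Service" in the 2018-era Enterprise matrix (assumed; the slide
# names the technique without its ID).
NEW_SERVICE = "T1050 - New Service"

# Service definitions live under this key; a write of ImagePath here is the
# Registry-side view of a service being created or repointed.
SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)", re.I)

# A service binary under these directories is rated lower than one pointed at
# a user-writable location (assumed policy for the example).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (not from any real sensor).
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "pid": 4411, "user": "CORP\\jdoe",
     "cmdline": r'sc.exe create UpdSvc binPath= "C:\Users\Public\upd.exe" start= auto'},
    {"ts": 101, "type": "registry", "pid": 4411, "user": "CORP\\jdoe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc",
     "value": "ImagePath", "data": r"C:\Users\Public\upd.exe"},
    {"ts": 200, "type": "process", "pid": 5120, "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"ts": 300, "type": "process", "pid": 6001, "user": "CORP\\svc_deploy",
     "cmdline": r'powershell.exe -NoProfile New-Service -Name "Backup Agent" '
                r'-BinaryPathName "C:\Program Files\Vendor\agent.exe"'},
    {"ts": 400, "type": "process", "pid": 6100, "user": "CORP\\jdoe",
     "cmdline": "sc.exe query wuauserv"},
]


def _arg_after(argv, low, flag):
    """Value following `flag` (case-insensitive), or "" if absent."""
    for i, a in enumerate(low):
        if a == flag and i + 1 < len(argv):
            return argv[i + 1]
        if a.startswith(flag) and len(a) > len(flag):   # e.g. binPath=x
            return argv[i][len(flag):].strip('"')
    return ""


def service_from_cmdline(cmdline):
    """(service_name, binary_path) if the command line creates a service with
    sc.exe or the New-Service cmdlet, otherwise None."""
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    if not argv:
        return None
    low = [a.lower() for a in argv]
    exe = low[0].rsplit("\\", 1)[-1]          # drop the directory part
    if exe in ("sc", "sc.exe") and "create" in low:
        i = low.index("create")
        name = argv[i + 1] if i + 1 < len(argv) else ""
        return name, _arg_after(argv, low, "binpath=")
    if "new-service" in low:
        return _arg_after(argv, low, "-name"), _arg_after(argv, low, "-binarypathname")
    return None


def detect_new_service(events):
    """Apply the slide's detection ideas to a list of events; returns
    findings as (ts, technique, severity, reason) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hit = service_from_cmdline(ev["cmdline"])
            if not hit:
                continue
            name, path = hit
            sev = "high" if path and not path.lower().startswith(TRUSTED_DIRS) else "low"
            findings.append((ev["ts"], NEW_SERVICE, sev,
                             f"{ev['user']} created service {name!r} via command line -> {path!r}"))
        elif ev["type"] == "registry":
            m = SERVICES_KEY.match(ev["key"])
            if not m or ev.get("value", "").lower() != "imagepath":
                continue
            data = ev.get("data", "")
            sev = "high" if data and not data.lower().startswith(TRUSTED_DIRS) else "low"
            findings.append((ev["ts"], NEW_SERVICE, sev,
                             f"{ev['user']} wrote ImagePath for service {m.group(2)!r} -> {data!r}"))
    return findings


if __name__ == "__main__":
    for ts, tech, sev, why in detect_new_service(SAMPLE_EVENTS):
        print(f"[{sev:4}] t={ts} {tech}: {why}")
```

The Registry path fires even when the service is registered through an API rather than sc.exe, which is why the slide lists both data sources.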
  • 11. ATT&CK Spans Multiple Tech Domains
     PRE-ATT&CK: left of exploit behaviors
     Enterprise: Windows, Linux, Mac
     Mobile: Android, iOS
  • 12. Key ATT&CK use cases:
     - Guide threat hunting campaigns
     - Leverage threat intelligence to prioritize technique detection
     - Remediate gaps by mapping solutions back to ATT&CK techniques
     - Emulate adversaries to measure defenses against relevant threats
  • 13. Adversary Emulation
     - AKA: Threat-based Red Teaming
     - Adversary Emulation
       – Emulate the techniques of an adversary that’s most likely to target your environment
       – Focus on the behaviors of those techniques instead of specific implementations
     (images: https://giphy.com/explore/hackerman, https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543)
  • 14. Adversary Emulation with ATT&CK
     Prototype APT3 emulation plan on attack.mitre.org
  • 15. How to start doing adversary emulation?
     - Identify an adversary you want to emulate
       – Consider the target you’re going up against
         · Defense Contractor
         · Financial Sector
         · Health Care
         · E-Commerce
         · Etc.
       – Adversaries change accordingly
         · Country Specific (APT3, APT28, APT29, APT34, ….)
         · Financially Motivated (FIN6, FIN7, …)
  • 16. How to start doing adversary emulation?
     Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
     1. Threat Intelligence Acquisition
       – Analyze Reporting:
         · Adversary Reports (APTX)
         · Reports on Adversary’s toolsets (APTX uses A,B,C)
         · Aliases (APTX i.e. ThreatGroup ###, adjective-animal)
         · Toolset aliases (A i.e. Trojan.malwareName)
         · Associated Campaigns (OperationZ)
         · Keep time of reports in mind
  • 17. Threat Intel - Follow the Leads
     https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
     Aliases, Aliases, Aliases everywhere!
  • 18. How to start doing adversary emulation?
     Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
     2. Extract Actionable Techniques and M.O.
       – Look for adversary behaviors
       – Look for tool functionality
       – Establish the adversary’s goal
       – Think about the what, why, and how
         · In ATT&CK - Technique, Tactic, Procedure
  • 19. Threat Intel - What does it really say?
     https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
     T1068 - Exploitation for Privilege Escalation
     T1059 - Command-Line Interface
     T1033 - System Owner/User Discovery
     T1053 - Scheduled Task
     T1065 - Uncommonly Used Port
     T1094 - Custom Command and Control Protocol
  • 20. Threat Intel - Into the Binary Strings
     https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
     T1069 - Permission Groups Discovery
     T1049 - System Network Connections Discovery
     T1059 - Command-Line Interface
     T1018 - Remote System Discovery
     T1107 - File Deletion
     T1057 - Process Discovery
     T1034 - Path Interception?
  • 21. Threat Intel - Into the Binaries
     https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
     T1056 - Input Capture
     T1027 - Obfuscated Files or Information
     T1016 - System Network Configuration Discovery
     T1077 - Windows Admin Shares
     T1035 - Service Execution
     T1003 - Credential Dumping
     T1055 - Process Injection
  • 22. Threat Intel - Adversary M.O.
     https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
       Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents
     https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
       They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure
     https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
       The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.
  • 23. Developing an Emulation Plan
     - This is the hardest part of the puzzle
     - No plan will be perfect, so approximate where needed
     - This isn’t a replay of an incident - variation is OK
  • 24. Developing an Emulation Plan
     Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
     3. Develop Tools if needed to emulate behaviors
       – What are the COTS / Open Source tools available?
       – Can you exhibit the right behaviors with these tools?
         · Can you extend them?
         · Can you modify them?
       – Do you need to develop something specific?
         · Delivery mechanisms
         · Command and Control
         · Capabilities
  • 25. What is behavior emulation for TTPs?
     - Performing adversary techniques with variations
       – Adversary created “C:aos.exe” for Priv Esc via path interception
         · You intercept any service path that runs under higher privileges
       – Adversary used “PSExec” for Lateral Movement
         · You do it manually with “sc.exe” or via PowerShell
       – Adversary runs “whoami” for Discovery
         · You do it with environment variables “%USERDOMAIN%%USERNAME%”
     - Thinking about what you’re trying to accomplish
       – Technique in ATT&CK
       – And Why you’re trying to accomplish it
         · Tactic in ATT&CK
  • 26. Defining Your Toolset
     - Don’t limit yourself to a single environment or tool
       – Python, PowerShell, Command-Line, Custom Binary, etc
     - Do stay within the behavior boundaries
  • 27. Create an Adversary Emulation Field Manual
     Discovery
       T1069 - Permission Groups Discovery: net localgroup; net group /domain; dsquery group
       T1087 - Account Discovery: net user /domain; wmic user; dsquery user
     - Provides multiple implementations across toolsets
     - Provides offensive command-line examples
     - Create this as you go, and use for reference later
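Slides 25 and 27 together make one point for the blue side: match on the technique, not on one implementation, and keep a field manual of the alternative implementations. The following is an added example, not code from the presentation or from MITRE: a small classifier driven by the field manual entries for T1069 and T1087 on slide 27 plus the whoami / environment-variable pair from slide 25 (filed under T1033), run over constructed process events so the exercise can be scored by technique; the regexes, normalize() and the sample events are assumptions.

```python
"""Field-manual-driven technique mapping for purple-team scoring (added
example, not MITRE's code). FIELD_MANUAL holds the slide's T1069 and T1087
commands plus the whoami / %USERNAME% variation as T1033; the patterns,
normalize() and SAMPLE_PROCESS_EVENTS are assumptions."""
import re
from collections import defaultdict

# technique id -> (name, patterns over a normalized command line). Matching
# on the behaviour means "net group", "dsquery group" and an implementation
# you have not seen before all land on the same technique.
FIELD_MANUAL = {
    "T1069": ("Permission Groups Discovery", [
        r"^net1?(\.exe)? localgroup\b",
        r"^net1?(\.exe)? group\b",
        r"^dsquery(\.exe)? group\b",
    ]),
    "T1087": ("Account Discovery", [
        r"^net1?(\.exe)? user\b",
        r"^wmic(\.exe)? user",            # wmic useraccount ...
        r"^dsquery(\.exe)? user\b",
    ]),
    "T1033": ("System Owner/User Discovery", [
        r"^whoami(\.exe)?\b",
        r"%username%|%userdomain%|\$env:username|\$env:userdomain",
    ]),
}

# Constructed process-creation events (not from any real sensor).
SAMPLE_PROCESS_EVENTS = [
    {"ts": 1, "user": "CORP\\jdoe", "cmdline": r"C:\Windows\System32\whoami.exe"},
    {"ts": 2, "user": "CORP\\jdoe", "cmdline": r"cmd.exe /c echo %USERDOMAIN%\%USERNAME%"},
    {"ts": 3, "user": "CORP\\jdoe", "cmdline": r'net group "Domain Admins" /domain'},
    {"ts": 4, "user": "CORP\\jdoe", "cmdline": r"dsquery user -name jdo*"},
    {"ts": 5, "user": "CORP\\jdoe", "cmdline": r"powershell.exe -NoProfile -Command $env:USERDOMAIN"},
    {"ts": 6, "user": "CORP\\jdoe", "cmdline": r"net use \\fs01\share"},
    {"ts": 7, "user": "CORP\\jdoe", "cmdline": r"wmic useraccount get name"},
]


def normalize(cmdline):
    """Strip the executable's directory, collapse whitespace and unwrap
    'cmd.exe /c ...' so that variations of one command compare alike."""
    s = " ".join(cmdline.split())
    head, _, rest = s.partition(" ")
    head = head.strip('"').rsplit("\\", 1)[-1].lower()
    s = (head + " " + rest).strip()
    m = re.match(r"^cmd(\.exe)? /[ck] (.+)$", s, re.I)
    return normalize(m.group(2)) if m else s


def classify(cmdline):
    """Set of technique IDs whose field-manual patterns match the command."""
    norm = normalize(cmdline)
    return {tid for tid, (_, pats) in FIELD_MANUAL.items()
            if any(re.search(p, norm, re.I) for p in pats)}


def summarize(events):
    """technique id (or 'unmapped') -> command lines observed for it."""
    seen = defaultdict(list)
    for ev in events:
        for tid in classify(ev["cmdline"]) or {"unmapped"}:
            seen[tid].append(ev["cmdline"])
    return dict(seen)


def coverage_gaps(planned, summary):
    """Techniques in the emulation plan with no observed implementation:
    the blue team's to-do list after the exercise."""
    return set(planned) - set(summary)


if __name__ == "__main__":
    summary = summarize(SAMPLE_PROCESS_EVENTS)
    for tid, cmds in sorted(summary.items()):
        name = FIELD_MANUAL.get(tid, ("(no technique)",))[0]
        print(f"{tid} {name}: {len(cmds)} command(s)")
        for c in cmds:
            print("   ", c)
    print("gaps:", coverage_gaps({"T1033", "T1069", "T1087", "T1057"}, summary))
```

Three different-looking command lines (whoami, an echo of environment variables, a PowerShell variable) all score as T1033, which is exactly the variation slide 25 asks the red team to produce.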
  • 28. Developing an Emulation Plan
     Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
     4. Set up offensive infrastructure
       – Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
       – Create Payloads “inspired by” the adversary’s tradecraft
         · Modify IoCs and behaviors if possible
         · Obfuscate with purpose, NOT all the things
       – Over obfuscation is itself suspicious
  • 29. Developing an Emulation Plan
     Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
     5. Emulate the Adversary
       – Follow the M.O. of your target adversary
       – “Domain Admin” most likely isn’t your goal
       – Keep the ‘speed of the adversary’ in mind
         · Low and slow vs smash and grab
     (image: https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2017/12/03221736/Automated-Adversary-Emulation-System-CALDERA.jpg)
  • 30. Providing a Starting Point for Red/Blue
     - To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes
     - APT3 and APT29
       – All based on open-source intelligence
       – Breakdowns of APT tools and capabilities mapped to ATT&CK
       – Descriptions of how these techniques are implemented
       – Potential operator flows during emulations
       – Cheat Sheets of commands across
         · Live off the Land binaries/scripts
         · Open source tools
         · Commercial toolkits
     - APT3 is on attack.mitre.org now
     - APT29 is Coming Soon™
  • 31. Contact Us
     - Chris - @ckorban, ckorban@mitre.org
     - Cody - @its_a_feature_, cbthomas@mitre.org
     - ATT&CK
       – https://attack.mitre.org
       – @MITREattack
     - ATT&CK Navigator
       – https://github.com/mitre/attack-navigator
       – https://mitre.github.io/attack-navigator/enterprise/
     - Adversary Emulation Plans
       – https://attack.mitre.org/wiki/Adversary_Emulation_Plans
     - CALDERA: Automated Adversary Emulation
       – https://github.com/mitre/caldera
  • 32. MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions. Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org

Editor's Notes

  1. *
  2. Person 1
  3. Person 1
  4. This slide comes up a lot for defenders to change how they’re approaching the problem of identifying the adversary. This is helpful to change the red teamer’s frame of mind as well. As a red teamer, you need to be thinking about, refining, and expanding your TTPs and tools rather than simply thinking about domain names, hash values, binary strings, etc. These are important to consider when creating payloads and planning operations, but randomizing them all the time should be second nature by now.
  5. Person 1: What is needed for this kind of language to work well for purple teaming? It means that red and blue need to be able to communicate effectively to articulate what happened in a test and the results. It means that there needs to be a way to talk about what was done during a test so that it’s repeatable. And it means that the language needs some way to measure improvement between tests.
  6. We like to use ATT&CK for purple teaming. ATT&CK is Adversary Tactics, Techniques, and Common Knowledge. We have a small sample of it here. There are currently 11 Tactics across the top; each one refers to a ‘goal’ of the attacker. This equates to the reason why an attacker is doing any given technique. Down each column are different techniques that achieve that tactic. These techniques equate to what the adversary is doing (creating services, using WMI for persistence, dumping credentials, etc). If you just glance across the different techniques we have listed, you’ll notice something start to jump out: these are descriptions of adversary behaviors, not indicators of compromise. The same holds true for the information we capture about different threat groups on ATT&CK; we tie everything back to behaviors. We focus on adversary TTPs and behaviors because that’s the hardest thing for an adversary to change.
  7. *Person 2: Ok, so we talked about a common language to use, but ATT&CK is getting pretty big! We’ve scoped the realm of the possible down to the realm of the probable, but can we start to prioritize a bit more from there? We sure can! This is where we start doing Adversary Emulation, sometimes called Threat-based Red Teaming. In our case, we don’t want to just look like advanced adversaries; we want to look like a very specific adversary. We want to look like the adversary you’re most likely going to face (based on your industry, your company, your past incidents, etc) so that we can prioritize working on defenses for those techniques first. Remember, this is a prioritization mechanism to help frame where you should start working on defenses and to force your offense and defense to work together to build stronger behavior-based defensive measures. Ok, this is cool, but how can I do this adversary emulation thing you describe?
  8. Person 2: We like ATT&CK, so we do this adversary emulation thing with ATT&CK (and we already have one example here for you). More emulation plans are to come, and we welcome all community additions or edits to the emulation plans (email attack@mitre.org).
  9. We break it down into 5 steps for doing adversary emulation. For this first step, threat intel acquisition, consider the following. Start by simply googling the name, but then start following the leads. You should also gather info on the tools that adversary uses. Aliases are a really hot topic in the threat intel community right now, and I'm not going to throw that into the mix of what we're covering today, but just keep that in mind as you start searching for reporting. Threat intel is also binned into broad categories like campaigns, so be sure to look into those as well. Lastly, keep in mind when these reports were released. Reports about an adversary from 5 years ago shouldn't carry as much weight as a report released yesterday. Let's take a few examples to see how this looks in practice.
  10. Here's a report on APT3, and you'll see right here at the beginning it refers to them as Buckeye. Lots of times these aliases are indicated front and center in reporting. Remember when I said not to forget campaigns? Operation Double Tap and Operation Clandestine Fox are both attributed to APT3, or UPS. Sometimes these aliases start to get a little conflated though, so you need to be careful. Here we see the APT3 group referred to as 'Pirpi', which is actually the name of one of their tools. Because of this, it's sometimes hard to differentiate between the behavior of the group and the behavior of a tool.
  11. So, we've gathered a bunch of threat intel. Cool. Now what? In step 2, we need to actually go through that threat intel to figure out what the behaviors are, determine capabilities, and establish motives. There are a few things to keep in mind as we go through this next piece: the what, the why, and the how. This is one reason why it's nice to use ATT&CK: it captures a lot of this information already in its TTP format.
  12. There are three main kinds of reporting I see with information needed for Adversary Emulation: prose writing in paragraphs (like you see here); in-depth analysis of specific malware samples (which you'll see next); and prose writing about specific malware samples (somewhere between the two, and that's our last example). So, how do you approach something like this, and what is interesting for you as a red teamer wanting to do adversary emulation?
  13. Person 2