Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases. Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078 Many thanks to Teymur for great tech dive

1. Teymur Kheirkhabarov
Head of SOC R&D
Sergey Soldatov
Head of SOC
How MITRE ATT&CK helps security operations

2. Who is Sergey ?
Since 2016: Head of SOC at Kaspersky lab
Internal SOC
Commercial MDR* services
2012 – 2016: Chief manager at RN-Inform
Rosneft security services insourcing
2002 – 2012: TNK-BP Group
IT security integration into business and IT operations
Security controls in IT projects
Security operations
2001-2002: Software developer at RIPN
BMSTU graduate
CISA, CISSP
* Managed Detection and Response

3. Who is Teymur ?
2016 – : Head of SOC R&D at
Kaspersky lab
Development: sensors, sensor data, event
processing, detection logic, SOC
infrastructure
SOC R&D team coordination and
management
2011 – 2016: Head of Information
security
IT security integration into business and IT
operations
Security controls in IT projects
Security operations
Krasnoyarsk SibSAU graduate

4. Detect layers: David Bianco's pyramid of pain
http://detect-respond.blogspot.ru/2013/03/the-pyramid-of-pain.html
Commodity
Prevention/Detection
tools capabilities
(can be done
automatically)
Human Analyst required
IoC
AM-signature,YaraTTP*-based
detect
* TTP – tactics techniques and procedures

5. Different approaches to detection
5
Attacker activity IoC-based detection Tool-based detection TTP-based detection
Use Mimikatz for
dumping
authentication data
(password/hashes)
from memory
Search for hashes
(MD5/SHA1/SHA256)
of utilities that dump
credentials
Search for files with specific
extensions. For example,
Mimikatz export Kerberos tickets
to .kirbi files, and WCE creates
wceaux.dll
Search for processes, that access
Lsass memory
Use of unsigned DLLs, loaded into
Lsass process
Use PsExec for
remote
administration
Search for hashes
(MD5/SHA1/SHA256)
of utilities for remote
administration
Search for installations of
services, typical for remote
administration utilities. For
example, psexec installs service
PSEXECSVC
Search for remote installation of
new service, and then that service
starts process
C&C communication Search for known C&C
(IP/FQDN/URL)
Search for User-Agents, typical
for particular utilities/malware
Search for use of particular DGA,
typical for specific
utilities/malware
Search for periodic network
communication
Search for communication with
randomly generated domain names
Search for communication with
domains, registered not long ago

6. Tactics, Techniques and Procedures
6
Tactic - the way the threat actor operates during different
steps of its operation/campaign. Tactics represent the “why” of
an ATT&CK technique. It is the adversary’s tactical objective: the
reason for performing an action.
Technique – the approach the threat actor uses to facilitate
Tactic. Technique represent “how” an adversary achieves a tactical
objective by performing an action. For example, and adversary may
dump credentials to achieve credential access
Procedure - the exact ways a particular adversary or piece
of software implements a technique. These are described by the
examples sections in ATT&CK techniques
Tactic
(Why?)
Technique
(How?)
Procedure
(Particular
implementation)

7. ATT&CK – Adversarial Tactics Techniques and Common Knowledge
7
https://attack.mitre.org/matrices/enterprise/
Tactics
Techniques

8. Technique
8
https://attack.mitre.org/techniques/T1060/

9. The importance of Procedure
9
For each Technique many Procedures can be introduced
There are Procedures that can’t be detected due to
technological limitations
Not all procedures are yet known

10. What do we detect? Procedure!

11. Where do Procedures can taken? ATT&CK technique description!

12. Good talks in the Internet
https://offzone.moscow/speakers
/teymur-heirhabarov/
https://2017.zeronights.ru/report/hunting-for-credentials-
dumping-in-windows-environment/
https://www.slideshare.net/heirhabarov/
kheirkhabarov24052017phdays7

13. Examples of Techniques and corresponding Procedures
T1086: PowerShell
13

14. Examples of Techniques and corresponding Procedures
T1086: PowerShell
14
~ 45 000 PC, last 30 days period

15. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell in autorun
15

16. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell in autorun
16

17. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell suspicious command lines
17
Before adaptation
After adaptation

18. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell download cradles
18 https://gist.github.com/HarmJ0y/bb48307ffa663256e239#file-downloadcradles-ps1

19. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell download cradles
19

20. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell obfuscation
20
https://github.com/danielbohannon/Invoke-Obfuscation

21. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell obfuscation
21

22. Examples of Techniques and corresponding Procedures
T1086: PowerShell. PowerShell Base64 encoding
22

23. Examples of Techniques and corresponding Procedures
T1084: Windows Management Instrumentation Event Subscription
23

24. Examples of Techniques and corresponding Procedures
T1084: Windows Management Instrumentation Event Subscription
Enumeration of installed ActiveScript consumers
Before adaptation After adaptation
~ 146 000 PC, 1 year period
Enumeration of installed CommandLine consumers
Before adaptation After adaptation

25. Examples of Techniques and corresponding Procedures
T1084: Windows Management Instrumentation Event Subscription
25
Malicious CommandLine event consumer

26. Examples of Techniques and corresponding Procedures
T1084: Windows Management Instrumentation Event Subscription
26
Malicious ActiveScript event consumer

27. Use case #1: Detects development
27
ATT&CK – one of the good sources of
detect ideas
Attack
emulation
Analysis of
detection
capabilities
Required
processing
Required
telemetry
Detect development,
testing, publication
Endless testing in
operations
Metrics

28. Other sources of detect ideas – TI from operations
28
Public
Twitter, blogs, talks, etc.
Tests*
Private
Internal threat research
Operations practice
Threat hunting**
DFIRMA***
Security Assessment/Red teaming
* https://attackevals.mitre.org/evaluations.html , for example
** the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions
*** Digital forensics, Incident response, Malware analysis

29. Use case #1’: Detects development priorities (post-breach)
30
Tactics priorities:
Persistence
Privilege escalation
Defense evasion
Credential access
Lateral movement
Execution
…
Techniques priorities
Available telemetry
Used by which APT actors and how they relevant to you?
Required investments (~ risk assessment)

30. Use case #2: Detects classification
31
Detects management
Understand current coverage
• What do we have for each technique*?
• Gap analysis
Extend coverage
• Add new detects?
• Update existing?
Simplifies R&D team work
* Through appropriate Procedure

31. Detects (“Hunts”) mapped to MITRE techniques

32. Use case #3: SOC Analyst’s body of knowledge
33
Attack kill chain (tactics)
Known so far attack techniques descriptions
Public reports about actual APT campaign linked to
used techniques
Recommendations on detection and mitigation
In addition:
• OS architecture
• Known attacker’s toolset
• Not hypothetical attacks, but taken
from practice*
* https://reply-to-all.blogspot.com/2013/01/blog-post.html

33. Use case #4: detect rate assessment by ATT&CK coverage
34
Choose scenario (sequence of particular
procedures)*
Execute in lab and see detects
Evaluate based on detection types**:
Telemetry
Enrichment
Behavior detect
Now results can be compared***
Can the techniques be considered covered
based on the test – the question is open –
depends on actual procedures, used in test
* https://attackevals.mitre.org/
** https://attackevals.mitre.org/methodology/detection-categorization.html
*** https://reply-to-all.blogspot.com/2018/12/mitre-edr.html

34. MITRE ATT&CK Evaluations
Particular Procedures:
APT3: 56 Enterprise techniques across 10 tactics
“Living off the land”*
Focus on “Primary” techniques**, on behavior and not tools and IoCs
2 Scenarios: 10-step with Cobalt Strike + 10 step Empire***
Same lab environment for all vendors
Detection categorization
Main detection types:
• None
• Telemery
• Indicator of Compromise
• Enrichment
• General behavior
• Specific behavior
* https://www.youtube.com/watch?v=j-r6UonEkUw
** Differentiate “Primary” and “Enabling” techniques. “Enabling” - many of the techniques required Command-Line Interface, Execution through API, and
PowerShell. In assessment MITRE focused on the Primary technique that was performed, rather than the mechanism of execution (which was considered the
Enabling technique)
*** https://www.cobaltstrike.com/ ; https://github.com/EmpireProject/Empire
Modifiers:
• Delayed
• Tained
• Configuration
change

35. BAS: Breach and Attack Simulation
METTA
https://github.com/uber-common/metta
Caldera
https://github.com/mitre/caldera
Unfetter
https://mitre.github.io/unfetter/
Endgame
https://github.com/endgameinc/RTA
Red Canary - Atomic read team
https://github.com/redcanaryco/atomic-red-team
Microsoft
https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/

36. KaLaBAS?
Existing – vendor specific
Not enough tests
Need to integrate to existing auto-
testing infrastructure

37. Use case #5: Adversary emulation, red teaming
38
Common framework for Red teams, Blue teams and Purple teams collaboration
Create adversary emulation scenarios: choose relevant TTP
Create red team plan: choose TTPs that might be missed by existing Blue team
Gap analysis of current defensive technologies – prioritize future investments
SOC operational efficiency (maturity) assessment

38. !!DEMO!!

39. Let’s talk?