SlideShare a Scribd company logo

MITRE-Module 3 Slides.pdf

ReZa AdineH
ReZa AdineH

This document discusses mapping raw cyber threat data to the ATT&CK framework. It describes finding behaviors in raw data, researching the behaviors, translating them to ATT&CK tactics, and identifying the relevant ATT&CK techniques. The process includes comparing mappings to other analysts and understanding different types of techniques. An exercise demonstrates mapping behaviors from command line executions and malware analysis to ATT&CK.

Presentations & Public Speaking
1 of 23
Download to read offline
Module 3: Mapping to ATT&CK from Raw Data
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
Mapping to ATT&CK from Raw Data ▪ So far, working from intel where activity has already been analyzed ▪ Analysis of techniques/behaviors directly from source data – Likely more information available at the procedure level – Not reinterpreting another analyst’s prose – Greater knowledge/expertise required to interpret intent/tactic ▪ Broad set of possible data can contain behaviors – Shell commands, malware, forensic disk images, packets ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Mapping to ATT&CK 0. Understand ATT&CK 1. Find the behavior 2. Research the behavior 3. Translate the behavior into a tactic 4. Figure out what technique applies to the behavior 5. Compare your results to other analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
ipconfig /all sc.exe ln334656-pc create .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx Commands captured by Sysmon being run interactively via cmd.exe 10.2.13.44:32123 -> 128.29.32.4:443 128.29.32.4:443 -> 10.2.13.44:32123 Flows from malware in a sandbox HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftNetsh New reg keys during an incident 1. Find the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior ▪ Can be similar to analysis of finished reporting for raw data ▪ May require expertise in the specific data type – Network, forensics, malware, Windows cmd line, etc ▪ May require multiple data sources, more context – Additional questions to responders/analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – Can make some educated guesses, but not enough context File analysis: When recycler.exe is executed, it gives the following output: C:recycler.exe RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007 Shareware version Type RAR -? for help – Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx And the file being compressed/encrypted is a Visio diagram, probably exfiltration ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Translate the Behavior into a Tactic ipconfig /all – Specific procedure only mapped to System Network Configuration Discovery – System Network Configuration Discovery -> Discovery ✅ – Seen being run via Sysmon -> Execution .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “vsdx” is Visio data – Moderate confidence Exfiltration, commands around this could make clearer – Seen being run via Sysmon -> Execution ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies ▪ Similar to working with finished reporting we may jump straight here – Procedure may map directly to Technique/Tactic – May have enough experience to compress steps ipconfig /all – Specific procedure in System Network Configuration Discovery (T1016) – Also Command-Line Interface (T1059) .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “a –hp” compresses/encrypts – Appears to be Data Compressed (T1002) and Data Encrypted (T1022) – Also Command-Line Interface (T1059) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Concurrent Techniques ▪ Don’t just think of what’s happening – think of how it’s happening ▪ Certain tactics commonly have concurrent techniques: – Execution – Defense Evasion – Collection ▪ Examples: – Data Compressed + Data Encrypted (2x Exfiltration) – Spearphishing Attachment + User Execution (Initial Access + Execution) – Data from Local System + Email Collection (2x Collection) – Process Discovery + Command-Line Interface (Discovery + Execution) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Different Types of Techniques ▪ Not all techniques are created equal! – Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/ ▪ Some are specific – Rundll32 – Netsh Helper DLL ▪ Some are broad – Scripting – Obfuscated Files or Information ▪ Some capture “how” the behavior occurs – Masquerading – Data Transfer Size Limits – Automated Collection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Compare Your Results to Other Analysts ▪ Same caveats about hedging biases ▪ May need a broader set of skills/experience to work with types of data Analyst 1 Analyst 2 • Packets • Malware/Reversing • Windows command line • Windows Events • Disk forensics • macOS/Linux ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Pros/cons of Mapping from the Two Different Sources Step Raw Finished Find the behavior Nearly everything may be a behavior (not all ATT&CK) May be buried amongst prose, IOCs, etc Research the behavior May need to look at multiple sources, data types. May also be a known procedure May have more info/context, may also have lost detail in writing Translate the behavior into a tactic Have to map to adversary intent, need domain knowledge/expertise Often intent has been postulated by report author Figure out what technique applies to the behavior May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished May be as simple as a text match to description/procedure, or may be too vague to tell Compare your results to other analysts May need multiple analysts to cover all data sources More likely in a form where other analysts needed for coverage/hedge against bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 3: Working with raw data ▪ You’re going to be examining two tickets from a simulated incident ▪ Ticket 473822 – Series of commands interactively executed via cmd.exe on an end system ▪ Ticket 473845 – Pieces of a malware analysis of the primary RAT used in the incident ▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3 ▪ Use whatever to record your results or download and edit ▪ Identify as many behaviors as possible ▪ Annotate the behaviors that are ATT&CK techniques ▪ Please pause. We suggest giving yourself 25 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise Questions ▪ What questions would you have asked of your incident responders? ▪ What was easier/harder than working with finished reporting? ▪ What other types of data do you commonly encounter with behaviors? ▪ Did you notice any behaviors that you couldn’t find a technique for? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473822) ipconfig /all arp -a echo %USERDOMAIN%%USERNAME% tasklist /v sc query systeminfo net group "Domain Admins" /domain net user /domain net group "Domain Controllers" /domain netsh advfirewall show allprofiles netstat -ano System Network Configuration Discovery (T1016) System Network Configuration Discovery (T1016) System Owner / User Discovery (T1033) Process Discovery (T1057) System Service Discovery (T1007) All are Execution - Command-Line Interface (T1059) System Information Discovery (T1082) Permission Groups Discovery (T1069) Account Discovery (T1087) Remote System Discovery (T1018) System Network Configuration Discovery (T1016) System Network Connections Discovery (T1049) Discovery ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473845) C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. UPLOAD file (upload a file server->client) DOWNLOAD file (download a file client->server) SHELL command (runs a command via cmd.exe) PSHELL command (runs a command via powershell.exe) EXEC path (executes a PE at the path given via CreateProcess) SLEEP n (skips n beacons) 10.1.1.1:24123 -> 129.83.44.12:443 129.83.44.12:443 -> 10.1.1.1:24123 Copy C:winspoo1.exe -> C:WindowsSystem32winspool.exe HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunwinspool REG_SZ "C:WindowsSystem32winspool.exe" Execution - Command-Line Interface (T1059) Execution - Powershell (T1086) Execution - Execution through API (T1106) Command and Control - Commonly Used Port (T1043) Command and Control - Data Encoding (T1132) Command and Control - Standard Application Layer Protocol (T1071) Defense Evasion - Masquerading (T1036) Persistence - Registry Run Keys (T1060) Command and Control – Remote File Copy (T1105) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
From Raw Data to Finished Reporting with ATT&CK ▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting ▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context – Allows other analysts to examine the mapping for themselves – Allows much easier capture of how a technique was done ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Finished Reporting Examples During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2. 1. Discovery – System Network Configuration Discovery (T1016) 2. Execution – Command-Line Interface (T1059) System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell. Instead of Appendix C – ATT&CK Techniques ▪ System Network Configuration Discovery ▪ Command-Line Interface ▪ Hardware Additions ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
End of Module 3 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Recommended

MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Effective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics TechniquesEffective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics Techniquesijtsrd
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
Irm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourIrm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourKasper de Waard
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 

Recommended

MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Effective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics TechniquesEffective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics Techniquesijtsrd
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
Irm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourIrm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourKasper de Waard
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxduketjoy27252
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationPa Al
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Cysinfo Cyber Security Community
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksJoseph Holbrook, Chief Learning Officer (CLO)
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...NetworkCollaborators
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagen|u - The Open Security Community
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessPrecisely
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdfReZa AdineH
 

More Related Content

Similar to MITRE-Module 3 Slides.pdf

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxduketjoy27252
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationPa Al
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Cysinfo Cyber Security Community
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...NetworkCollaborators
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagen|u - The Open Security Community
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessPrecisely
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 

Similar to MITRE-Module 3 Slides.pdf (20)

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathon
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and Tricks
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data Access
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 

More from ReZa AdineH

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdfReZa AdineH
 
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehCover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehReZa AdineH
 
Next generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehNext generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehReZa AdineH
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReZa AdineH
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehReZa AdineH
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟ReZa AdineH
 
Security monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareSecurity monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareReZa AdineH
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 

More from ReZa AdineH (9)

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdf
 
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehCover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
 
Next generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehNext generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza Adineh
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
 
Security monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareSecurity monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshare
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 

Recently uploaded

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdfOracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdfSkillCertProExams
 
527598851-ppc-due-to-various-govt-policies.pdf
527598851-ppc-due-to-various-govt-policies.pdf527598851-ppc-due-to-various-govt-policies.pdf
527598851-ppc-due-to-various-govt-policies.pdfrajpreetkaur75080
 
The Canoga Gardens Development Project. PDF
The Canoga Gardens Development Project. PDFThe Canoga Gardens Development Project. PDF
The Canoga Gardens Development Project. PDFRahsaan L. Browne
 
Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...
Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...
Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...Rahsaan L. Browne
 
123445566544333222333444dxcvbcvcvharsh.pptx
123445566544333222333444dxcvbcvcvharsh.pptx123445566544333222333444dxcvbcvcvharsh.pptx
123445566544333222333444dxcvbcvcvharsh.pptxgargh1099
 
Pollinator Ambassador Earth Steward Day Presentation 2024-05-22
Pollinator Ambassador Earth Steward Day Presentation 2024-05-22Pollinator Ambassador Earth Steward Day Presentation 2024-05-22
Pollinator Ambassador Earth Steward Day Presentation 2024-05-22LHelferty
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesIP ServerOne
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerVladimir Samoylov
 
Hi-Tech Industry 2024-25 Prospective.pptx
Hi-Tech Industry 2024-25 Prospective.pptxHi-Tech Industry 2024-25 Prospective.pptx
Hi-Tech Industry 2024-25 Prospective.pptxShivamM16
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic AbusersOWASP Beja
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Orkestra
 
05232024 Joint Meeting - Community Networking
05232024 Joint Meeting - Community Networking05232024 Joint Meeting - Community Networking
05232024 Joint Meeting - Community NetworkingMichael Orias
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationAccess Innovations, Inc.
 
Introduction of Biology in living organisms
Introduction of Biology in living organismsIntroduction of Biology in living organisms
Introduction of Biology in living organismssoumyapottola
 

Recently uploaded (14)

Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdfOracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
 
527598851-ppc-due-to-various-govt-policies.pdf
527598851-ppc-due-to-various-govt-policies.pdf527598851-ppc-due-to-various-govt-policies.pdf
527598851-ppc-due-to-various-govt-policies.pdf
 
The Canoga Gardens Development Project. PDF
The Canoga Gardens Development Project. PDFThe Canoga Gardens Development Project. PDF
The Canoga Gardens Development Project. PDF
 
Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...
Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...
Writing Sample 2 -Bridging the Divide: Enhancing Public Engagement in Urban D...
 
123445566544333222333444dxcvbcvcvharsh.pptx
123445566544333222333444dxcvbcvcvharsh.pptx123445566544333222333444dxcvbcvcvharsh.pptx
123445566544333222333444dxcvbcvcvharsh.pptx
 
Pollinator Ambassador Earth Steward Day Presentation 2024-05-22
Pollinator Ambassador Earth Steward Day Presentation 2024-05-22Pollinator Ambassador Earth Steward Day Presentation 2024-05-22
Pollinator Ambassador Earth Steward Day Presentation 2024-05-22
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Hi-Tech Industry 2024-25 Prospective.pptx
Hi-Tech Industry 2024-25 Prospective.pptxHi-Tech Industry 2024-25 Prospective.pptx
Hi-Tech Industry 2024-25 Prospective.pptx
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
05232024 Joint Meeting - Community Networking
05232024 Joint Meeting - Community Networking05232024 Joint Meeting - Community Networking
05232024 Joint Meeting - Community Networking
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Introduction of Biology in living organisms
Introduction of Biology in living organismsIntroduction of Biology in living organisms
Introduction of Biology in living organisms
 

MITRE-Module 3 Slides.pdf

  • 1. Module 3: Mapping to ATT&CK from Raw Data
  • 2. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 3. Mapping to ATT&CK from Raw Data ▪ So far, working from intel where activity has already been analyzed ▪ Analysis of techniques/behaviors directly from source data – Likely more information available at the procedure level – Not reinterpreting another analyst’s prose – Greater knowledge/expertise required to interpret intent/tactic ▪ Broad set of possible data can contain behaviors – Shell commands, malware, forensic disk images, packets ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 4. Process of Mapping to ATT&CK 0. Understand ATT&CK 1. Find the behavior 2. Research the behavior 3. Translate the behavior into a tactic 4. Figure out what technique applies to the behavior 5. Compare your results to other analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 5. ipconfig /all sc.exe ln334656-pc create .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx Commands captured by Sysmon being run interactively via cmd.exe 10.2.13.44:32123 -> 128.29.32.4:443 128.29.32.4:443 -> 10.2.13.44:32123 Flows from malware in a sandbox HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftNetsh New reg keys during an incident 1. Find the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 6. 2. Research the Behavior ▪ Can be similar to analysis of finished reporting for raw data ▪ May require expertise in the specific data type – Network, forensics, malware, Windows cmd line, etc ▪ May require multiple data sources, more context – Additional questions to responders/analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 7. 2. Research the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 8. 2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – Can make some educated guesses, but not enough context File analysis: When recycler.exe is executed, it gives the following output: C:recycler.exe RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007 Shareware version Type RAR -? for help – Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 9. 2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx And the file being compressed/encrypted is a Visio diagram, probably exfiltration ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 10. 3. Translate the Behavior into a Tactic ipconfig /all – Specific procedure only mapped to System Network Configuration Discovery – System Network Configuration Discovery -> Discovery ✅ – Seen being run via Sysmon -> Execution .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “vsdx” is Visio data – Moderate confidence Exfiltration, commands around this could make clearer – Seen being run via Sysmon -> Execution ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 11. 4. Figure Out What Technique Applies ▪ Similar to working with finished reporting we may jump straight here – Procedure may map directly to Technique/Tactic – May have enough experience to compress steps ipconfig /all – Specific procedure in System Network Configuration Discovery (T1016) – Also Command-Line Interface (T1059) .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “a –hp” compresses/encrypts – Appears to be Data Compressed (T1002) and Data Encrypted (T1022) – Also Command-Line Interface (T1059) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 12. 4. Concurrent Techniques ▪ Don’t just think of what’s happening – think of how it’s happening ▪ Certain tactics commonly have concurrent techniques: – Execution – Defense Evasion – Collection ▪ Examples: – Data Compressed + Data Encrypted (2x Exfiltration) – Spearphishing Attachment + User Execution (Initial Access + Execution) – Data from Local System + Email Collection (2x Collection) – Process Discovery + Command-Line Interface (Discovery + Execution) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 13. 4. Different Types of Techniques ▪ Not all techniques are created equal! – Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/ ▪ Some are specific – Rundll32 – Netsh Helper DLL ▪ Some are broad – Scripting – Obfuscated Files or Information ▪ Some capture “how” the behavior occurs – Masquerading – Data Transfer Size Limits – Automated Collection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 14. 5. Compare Your Results to Other Analysts ▪ Same caveats about hedging biases ▪ May need a broader set of skills/experience to work with types of data Analyst 1 Analyst 2 • Packets • Malware/Reversing • Windows command line • Windows Events • Disk forensics • macOS/Linux ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 15. Pros/cons of Mapping from the Two Different Sources Step Raw Finished Find the behavior Nearly everything may be a behavior (not all ATT&CK) May be buried amongst prose, IOCs, etc Research the behavior May need to look at multiple sources, data types. May also be a known procedure May have more info/context, may also have lost detail in writing Translate the behavior into a tactic Have to map to adversary intent, need domain knowledge/expertise Often intent has been postulated by report author Figure out what technique applies to the behavior May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished May be as simple as a text match to description/procedure, or may be too vague to tell Compare your results to other analysts May need multiple analysts to cover all data sources More likely in a form where other analysts needed for coverage/hedge against bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 16. Exercise 3: Working with raw data ▪ You’re going to be examining two tickets from a simulated incident ▪ Ticket 473822 – Series of commands interactively executed via cmd.exe on an end system ▪ Ticket 473845 – Pieces of a malware analysis of the primary RAT used in the incident ▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3 ▪ Use whatever to record your results or download and edit ▪ Identify as many behaviors as possible ▪ Annotate the behaviors that are ATT&CK techniques ▪ Please pause. We suggest giving yourself 25 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 17. Exercise Questions ▪ What questions would you have asked of your incident responders? ▪ What was easier/harder than working with finished reporting? ▪ What other types of data do you commonly encounter with behaviors? ▪ Did you notice any behaviors that you couldn’t find a technique for? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 18. Going Over Exercise 3 (Ticket 473822) ipconfig /all arp -a echo %USERDOMAIN%%USERNAME% tasklist /v sc query systeminfo net group "Domain Admins" /domain net user /domain net group "Domain Controllers" /domain netsh advfirewall show allprofiles netstat -ano System Network Configuration Discovery (T1016) System Network Configuration Discovery (T1016) System Owner / User Discovery (T1033) Process Discovery (T1057) System Service Discovery (T1007) All are Execution - Command-Line Interface (T1059) System Information Discovery (T1082) Permission Groups Discovery (T1069) Account Discovery (T1087) Remote System Discovery (T1018) System Network Configuration Discovery (T1016) System Network Connections Discovery (T1049) Discovery ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 19. Going Over Exercise 3 (Ticket 473845) C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. UPLOAD file (upload a file server->client) DOWNLOAD file (download a file client->server) SHELL command (runs a command via cmd.exe) PSHELL command (runs a command via powershell.exe) EXEC path (executes a PE at the path given via CreateProcess) SLEEP n (skips n beacons) 10.1.1.1:24123 -> 129.83.44.12:443 129.83.44.12:443 -> 10.1.1.1:24123 Copy C:winspoo1.exe -> C:WindowsSystem32winspool.exe HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunwinspool REG_SZ "C:WindowsSystem32winspool.exe" Execution - Command-Line Interface (T1059) Execution - Powershell (T1086) Execution - Execution through API (T1106) Command and Control - Commonly Used Port (T1043) Command and Control - Data Encoding (T1132) Command and Control - Standard Application Layer Protocol (T1071) Defense Evasion - Masquerading (T1036) Persistence - Registry Run Keys (T1060) Command and Control – Remote File Copy (T1105) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 20. From Raw Data to Finished Reporting with ATT&CK ▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting ▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context – Allows other analysts to examine the mapping for themselves – Allows much easier capture of how a technique was done ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 21. Finished Reporting Examples During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2. 1. Discovery – System Network Configuration Discovery (T1016) 2. Execution – Command-Line Interface (T1059) System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell. Instead of Appendix C – ATT&CK Techniques ▪ System Network Configuration Discovery ▪ Command-Line Interface ▪ Hardware Additions ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 22. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 23. End of Module 3 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.