Picking Up the Pieces: How Campaigns Can Help Us Better Track Groups
Adam Pennington (@_whatshisface)
MITRE ATT&CK Lead
©2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 22-00744-9.
Today’s Journey
A bit about threat groups
What adversary change looks like
Problems with long duration groups
What about ransomware?
(Re) Introducing campaigns
Building a Threat Group
[Diagram: many separate "Incident" boxes are clustered into a single "Threat Group", which is then given names such as Mauve Ostrich, APT1337, Angry Gecko, G0256]
https://attack.mitre.org/groups/
Our Adversaries Change
Adversaries often reuse behaviors from incident to incident
One of the main ideas behind ATT&CK
However
Over time, small changes can add up to complete transformation
G0016/Cozy Bear/APT29 in ATT&CK
§ 48 References – Oldest published in 2015 with intel back to at least 2008
§ 12 Associated Groups
§ 142 ATT&CK Techniques – Every tactic but Impact
§ 46 Software Entries
https://attack.mitre.org/groups/G0016/
G0016/Cozy Bear/APT29 Over Time
Early Years
(~2008-2013)
§ Spearphishing attachments
§ Operation within enterprise network
§ Custom malware
§ Windows command shell use
§ Trusting of victim environment
§ Artifacts left behind/files on disk
§ Some cleartext C2
G0016/Cozy Bear/APT29 Over Time
If you know, you know.
Middle Age
(~2014-2016)
§ Spearphishing attachments
§ Operation within enterprise network
§ Custom malware + commodity tools
§ E.g., Microsoft SysInternals
§ Extensive PowerShell use
§ Immediate deletion of files
§ Overwritten with SDelete
§ Paranoid hunting for honeypots
§ TLS with Ephemeral Diffie-Hellman
(Legend: highlighted items changed from the early years)
G0016/Cozy Bear/APT29 Over Time
Modern Era
(~2017-now)
§ Supply chain attacks
§ Extensive use of cloud resources
§ Commercial malware
§ E.g., Cobalt Strike
§ Extensive WMI use
§ Fileless techniques
§ Paranoid hunting for honeypots
§ TLS with Ephemeral Diffie-Hellman
G0016/Cozy Bear/APT29 Combined Group
✓ Focus on a broad set of behaviors to defend against
✓ More complete picture of a group over time
✓ Helps fill in intelligence gaps
✗ Adversary represented never existed at any given time
✗ Can’t use to emulate current or past adversary
✗ Loss of fidelity
✗ Misguided prioritization
§ Spearphishing attachments
§ Supply chain attacks
§ Operation within enterprise network
§ Extensive use of cloud resources
§ Custom + commercial malware + commodity tools
§ Windows command shell use
§ Extensive WMI use
§ Artifacts left behind/files on disk
§ Fileless techniques
§ Trusting of victim environment
§ Paranoid hunting for honeypots
§ Some cleartext C2
§ TLS with Ephemeral Diffie-Hellman
Similar but Different Issues with Ransomware
§ Ransomware affiliates are being combined based on software
§ Sloppy CTI practice
§ Affiliates have unique styles even starting from the same playbook
§ Similar losses of fidelity as combining years
[Diagram: a Ransomware-as-a-Service Operator supplies each RaaS Affiliate with 🛠Tools, 📖Playbook, 💰Payment Processing and a 💧Leak site]
Inspired by: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
The Final Straw
On a Sunday in December
Extensive Tracking of UNC2452
https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714
https://github.com/center-for-threat-informed-defense/public-resources/blob/master/solorigate/README.md
UNC2452 Widely Agreed to be APT29
§ 50 techniques from UNC2452 merged into G0016/APT29 in ATT&CK v9
§ Multiple researchers have asked us how to separate out UNC2452 in ATT&CK
§ …You can’t
Campaign
A grouping of intrusion activity conducted over a specific period of time with common targets and objectives; this activity may or may not be linked to a specific threat actor.
https://medium.com/mitre-attack/attack-2022-roadmap-cd5a1a3387c7
Campaigns
§ Familiar CTI concept, but often not used in threat group tracking
§ Break groups back out into clusters of activity that share:
  § A relatively short time period (generally days or months, not years)
  § A common objective
§ Individual intrusions in a campaign might not share:
  § Specific software or behaviors
  § Victim country/industry/role
A Threat Group into Campaigns
[Diagram: the same "Incident" boxes, now clustered into the campaigns C0154/Solorigate, C0194, C0199/GRIZZLY STEPPE and C0155/PowerDuke, which together make up G0016/APT29]
Campaigns in ATT&CK
§ Introducing in ATT&CK v12 (October 2022)
§ May or may not be connected to a Group
§ May or may not have a name
  § ATT&CK currently only tracks named threat groups
§ Will be tied to a period of time
§ Existing content will be converted as resources/contributions allow
What Does Structuring with Campaigns Get You?
✓ More accurately represents how an adversary looked at a given time
✓ Sets up for emulation of multiple periods of an adversary
✓ Keeps the fidelity of clusters of incidents
✓ Allows prioritization of current adversary (if there’s a campaign)
Can still look at a group’s campaigns combined, enabling:
✓ Focus on a broad set of behaviors to defend against
✓ A complete picture of a group over time
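As an added example (not from the slides, and not ATT&CK's own data model), the Python below models one group as a set of dated campaigns and computes both the flat view of the "Combined Group" slide and the per-period view this slide argues for. The three campaigns, their date ranges and behavior labels are constructed from the APT29 era slides above and are illustrative clusters, not ATT&CK's C-numbered campaign objects.

```python
"""Group view vs. campaign view of one adversary, using the APT29 eras from the slides."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Campaign:
    """A cluster of intrusion activity over a bounded period (the slides' definition)."""
    name: str
    first_seen: date
    last_seen: date
    behaviors: frozenset  # behaviors observed in this cluster, as plain labels

    def active_on(self, when: date) -> bool:
        return self.first_seen <= when <= self.last_seen


@dataclass(frozen=True)
class Group:
    """A threat group modeled as nothing more than the campaigns attributed to it."""
    name: str
    campaigns: tuple

    def combined_behaviors(self) -> frozenset:
        """The flat 'combined group' view: the union of everything ever attributed."""
        return frozenset().union(*(c.behaviors for c in self.campaigns))

    def behaviors_at(self, when: date) -> frozenset:
        """The campaign view: only behaviors from campaigns active on `when`.

        Deliberately returns an empty set when no campaign covers the date,
        instead of falling back to the combined view, so an emulation plan
        built from it can never silently mix eras.
        """
        return frozenset().union(*(c.behaviors for c in self.campaigns if c.active_on(when)))

    def never_cooccurred(self) -> set:
        """Behavior pairs in the combined view that no single campaign used together.

        Every pair returned is a concrete instance of the slides' point that
        the combined group 'never existed at any given time'.
        """
        return {
            (a, b)
            for a, b in combinations(sorted(self.combined_behaviors()), 2)
            if not any({a, b} <= c.behaviors for c in self.campaigns)
        }

    def current_campaigns(self, as_of: date) -> list:
        """Campaigns active on `as_of`: the basis for prioritizing the current adversary."""
        return [c for c in self.campaigns if c.active_on(as_of)]


# Constructed example data: the three APT29 eras from the slides, treated as three
# campaigns with the approximate date ranges the slides give ("now" taken as 2022).
# These are illustrative clusters, not ATT&CK's C-numbered campaign objects.
EARLY = Campaign("Early Years (illustrative)", date(2008, 1, 1), date(2013, 12, 31), frozenset({
    "Spearphishing attachments", "Operation within enterprise network", "Custom malware",
    "Windows command shell use", "Trusting of victim environment",
    "Artifacts left behind/files on disk", "Some cleartext C2",
}))
MIDDLE = Campaign("Middle Age (illustrative)", date(2014, 1, 1), date(2016, 12, 31), frozenset({
    "Spearphishing attachments", "Operation within enterprise network", "Custom malware",
    "Commodity tools (e.g., SysInternals)", "Extensive PowerShell use",
    "Immediate deletion of files (SDelete)", "Paranoid hunting for honeypots",
    "TLS with Ephemeral Diffie-Hellman",
}))
MODERN = Campaign("Modern Era (illustrative)", date(2017, 1, 1), date(2022, 12, 31), frozenset({
    "Supply chain attacks", "Extensive use of cloud resources",
    "Commercial malware (e.g., Cobalt Strike)", "Extensive WMI use", "Fileless techniques",
    "Paranoid hunting for honeypots", "TLS with Ephemeral Diffie-Hellman",
}))
APT29 = Group("G0016/APT29 (illustrative)", (EARLY, MIDDLE, MODERN))


if __name__ == "__main__":
    print(f"Combined view: {len(APT29.combined_behaviors())} behaviors")
    for when in (date(2010, 6, 1), date(2015, 6, 1), date(2021, 1, 1)):
        print(f"Campaign view on {when}: {len(APT29.behaviors_at(when))} behaviors")
    print("Pairs the combined view implies but no campaign ever showed together:")
    for a, b in sorted(APT29.never_cooccurred()):
        print(f"  {a!r} + {b!r}")
```

Running it shows the combined view carrying 17 behaviors, including pairs such as cleartext C2 alongside ephemeral Diffie-Hellman TLS that no single period ever exhibited, while each dated query returns only that era's set.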
Takeaways
Adversaries change behavior slowly, but even with slow change can completely transform
Building long term threat groups can be useful, but can make our intel less actionable
Introducing a bit of structure can restore some of the context we’ve lost
Adam Pennington
@_whatshisface
https://attack.mitre.org
@mitreattack
Reports Shown in Slides
§ https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
§ https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
§ https://www.solarwinds.com/sa-overview/securityadvisory
§ https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29
§ https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
§ https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-report-april-2017.pdf
§ https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
§ https://www.fbi.gov/wanted/cyber/apt-10-group
©2022 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 22-00744-9.

More Related Content

Similar to Picking Up the Pieces: How Campaigns Can Help Us Better Track Groups

CHAOSS Metrics Overview and Examples
CHAOSS Metrics Overview and ExamplesCHAOSS Metrics Overview and Examples
CHAOSS Metrics Overview and Examples
Dawn Foster
 
DDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseDDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in Defense
NETSCOUT
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
Scalar Decisions
 
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdfSoftware Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Craig Saunders
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
ReZa AdineH
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
CrowdStrike
 
Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?
Dawn Foster
 
Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?
All Things Open
 
WithSecure Deepguard WhitePaper
WithSecure Deepguard WhitePaperWithSecure Deepguard WhitePaper
WithSecure Deepguard WhitePaper
lincktello
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
Cloudflare
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa Presentation
Scalar Decisions
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
SecPod Technologies
 
Building Microservices in the cloud at AutoScout24
Building Microservices in the cloud at AutoScout24Building Microservices in the cloud at AutoScout24
Building Microservices in the cloud at AutoScout24
Christian Deger
 
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 PredictionsMobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Skycure
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability
Skycure
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point Consolidation
Group of company MUK
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Cloudflare
 
Navigating Open Source Project Risk
Navigating Open Source Project RiskNavigating Open Source Project Risk
Navigating Open Source Project Risk
All Things Open
 
Navigating Open Source Risk
Navigating Open Source RiskNavigating Open Source Risk
Navigating Open Source Risk
Dawn Foster
 
Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz Asia Pte Ltd
 

Similar to Picking Up the Pieces: How Campaigns Can Help Us Better Track Groups (20)

CHAOSS Metrics Overview and Examples
CHAOSS Metrics Overview and ExamplesCHAOSS Metrics Overview and Examples
CHAOSS Metrics Overview and Examples
 
DDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in DefenseDDoS Attacks in 2020 & Best Practices in Defense
DDoS Attacks in 2020 & Best Practices in Defense
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdfSoftware Principles and Project Deadlines Don't have to be Polar Opposites.pdf
Software Principles and Project Deadlines Don't have to be Polar Opposites.pdf
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?
 
Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?Is this Open Source Project Healthy or Lifeless?
Is this Open Source Project Healthy or Lifeless?
 
WithSecure Deepguard WhitePaper
WithSecure Deepguard WhitePaperWithSecure Deepguard WhitePaper
WithSecure Deepguard WhitePaper
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa Presentation
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Building Microservices in the cloud at AutoScout24
Building Microservices in the cloud at AutoScout24Building Microservices in the cloud at AutoScout24
Building Microservices in the cloud at AutoScout24
 
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 PredictionsMobile Security: 2016 Wrap-Up and 2017 Predictions
Mobile Security: 2016 Wrap-Up and 2017 Predictions
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability
 
Check Point Consolidation
Check Point ConsolidationCheck Point Consolidation
Check Point Consolidation
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDCDefending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
 
Navigating Open Source Project Risk
Navigating Open Source Project RiskNavigating Open Source Project Risk
Navigating Open Source Project Risk
 
Navigating Open Source Risk
Navigating Open Source RiskNavigating Open Source Risk
Navigating Open Source Risk
 
Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security
 

More from Adam Pennington

State of the ATT&CK May 2023
State of the ATT&CK May 2023State of the ATT&CK May 2023
State of the ATT&CK May 2023
Adam Pennington
 
The Adversaries We've Met Along the Way
The Adversaries We've Met Along the WayThe Adversaries We've Met Along the Way
The Adversaries We've Met Along the Way
Adam Pennington
 
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
Becoming a Yogi on Mac ATT&CKwith OceanLotus PosturesBecoming a Yogi on Mac ATT&CKwith OceanLotus Postures
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
Adam Pennington
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
Adam Pennington
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
Adam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Adam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
ATT&CK BINGO
ATT&CK BINGOATT&CK BINGO
ATT&CK BINGO
Adam Pennington
 

More from Adam Pennington (10)

State of the ATT&CK May 2023
State of the ATT&CK May 2023State of the ATT&CK May 2023
State of the ATT&CK May 2023
 
The Adversaries We've Met Along the Way
The Adversaries We've Met Along the WayThe Adversaries We've Met Along the Way
The Adversaries We've Met Along the Way
 
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
Becoming a Yogi on Mac ATT&CKwith OceanLotus PosturesBecoming a Yogi on Mac ATT&CKwith OceanLotus Postures
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
ATT&CK BINGO
ATT&CK BINGOATT&CK BINGO
ATT&CK BINGO
 

Recently uploaded

OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
QuickwayInfoSystems3
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
vrstrong314
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
ShamsuddeenMuhammadA
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 

Recently uploaded (20)

OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
G0016/Cozy Bear/APT29 Over Time
If you know, you know.
Middle Age
(~2014-2016)
§ Spearphishing attachments
§ Operation within enterprise network
§ Custom malware + commodity tools
  § E.g., Microsoft SysInternals
§ Extensive PowerShell use
§ Immediate deletion of files
  § Overwritten with SDelete
§ Paranoid hunting for honeypots
§ TLS with Ephemeral Diffie-Hellman
Legend: == changed from early years

G0016/Cozy Bear/APT29 Over Time
Modern Era
(~2017-now)
§ Supply chain attacks
§ Extensive use of cloud resources
§ Commercial malware
  § E.g., Cobalt Strike
§ Extensive WMI use
§ Fileless techniques
§ Paranoid hunting for honeypots
§ TLS with Ephemeral Diffie-Hellman

G0016/Cozy Bear/APT29 Combined Group
✓ Focus on a broad set of behaviors to defend against
✓ More complete picture of a group over time
✓ Helps fill in intelligence gaps
✗ Adversary represented never existed at any given time
✗ Can’t use to emulate current or past adversary
✗ Loss of fidelity
✗ Misguided prioritization
§ Spearphishing attachments
§ Supply chain attacks
§ Operation within enterprise network
§ Extensive use of cloud resources
§ Custom + commercial malware + commodity tools
§ Windows command shell use
§ Extensive WMI use
§ Artifacts left behind/files on disk
§ Fileless techniques
§ Trusting of victim environment
§ Paranoid hunting for honeypots
§ Some cleartext C2
§ TLS with Ephemeral Diffie-Hellman

Similar but Different Issues with Ransomware
§ Ransomware affiliates are being combined based on software
§ Sloppy CTI practice
§ Affiliates have unique styles even starting from the same playbook
§ Similar losses of fidelity as combining years
Diagram: a Ransomware-as-a-Service Operator provides 🛠 Tools, 📖 Playbook, 💰 Payment and 💧 Leak site processing to each RaaS Affiliate.
Inspired by: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

On a Sunday in December

Extensive Tracking of UNC2452
https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714
https://github.com/center-for-threat-informed-defense/public-resources/blob/master/solorigate/README.md

UNC2452 Widely Agreed to be APT29
§ 50 techniques from UNC2452 merged into G0016/APT29 in ATT&CK v9
§ Multiple researchers have asked us how to separate out UNC2452 in ATT&CK
§ …You can’t

Campaign
A grouping of intrusion activity conducted over a specific period of time with common targets and objectives; this activity may or may not be linked to a specific threat actor.
https://medium.com/mitre-attack/attack-2022-roadmap-cd5a1a3387c7

Campaigns
§ Familiar CTI concept, but often not used in threat group tracking
§ Break groups back out into clusters of activity that share
  § A relatively short time period (generally days or months, not years)
  § A common objective
§ Individual intrusions in a campaign might not share:
  § Specific software or behaviors
  § Victim country/industry/role

A Threat Group into Campaigns
Diagram: the incidents that make up G0016/APT29 clustered into campaigns C0154/Solorigate, C0194, C0199/GRIZZLY STEPPE and C0155/PowerDuke.

Campaigns in ATT&CK
§ Introducing in ATT&CK v12 (October 2022)
§ May or may not be connected to a Group
§ May or may not have a name
  § ATT&CK currently only tracks named threat groups
§ Will be tied to a period of time
§ Existing content will be converted as resources/contributions allow

What Does Structuring with Campaigns Get You?
✓ More accurately represents how an adversary looked at a given time
✓ Sets up for emulation of multiple periods of an adversary
✓ Keeps the fidelity of clusters of incidents
✓ Allows prioritization of current adversary (if there’s a campaign)
Can still look at a group’s campaigns combined, enabling:
✓ Focus on a broad set of behaviors to defend against
✓ A complete picture of a group over time
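As an added example, not code from the slides or from MITRE ATT&CK itself, the following Python model makes the trade-off on this slide and on the "Combined Group" slide concrete: one group tracked as time-bounded campaigns can be viewed as it looked on a given date, or merged into the all-time view, and the merged view can be checked for technique pairs that never actually co-existed. The campaign IDs (CX-*), dates and technique names are constructed approximations of the three APT29 eras on the "Over Time" slides, not ATT&CK identifiers, and the record layout is an assumption of this example rather than ATT&CK's own data format.

```python
"""Added example, not code from the slides or from MITRE ATT&CK.

A minimal model of a threat group tracked as time-bounded campaigns rather than
as one merged technique list. Campaign IDs, dates and technique names are
constructed approximations of the APT29 eras on the slides, not ATT&CK IDs.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Campaign:
    cid: str                      # constructed placeholder, not an ATT&CK C-number
    name: str
    first_seen: date
    last_seen: date
    techniques: frozenset         # behaviors observed in this cluster of activity
    group: Optional[str] = None   # attributed group, or None while unattributed


# Constructed records approximating the three eras on the "Over Time" slides.
CAMPAIGNS = [
    Campaign("CX-EARLY", "Early years", date(2008, 1, 1), date(2013, 12, 31), frozenset({
        "spearphishing attachment", "enterprise network operation", "custom malware",
        "windows command shell", "trusts victim environment", "artifacts left on disk",
        "cleartext C2"}), group="APT29"),
    Campaign("CX-MIDDLE", "Middle age", date(2014, 1, 1), date(2016, 12, 31), frozenset({
        "spearphishing attachment", "enterprise network operation", "custom malware",
        "commodity tools", "powershell", "immediate file deletion", "honeypot hunting",
        "TLS with ephemeral DH"}), group="APT29"),
    Campaign("CX-MODERN", "Modern era", date(2017, 1, 1), date(2022, 6, 30), frozenset({
        "supply chain compromise", "cloud resources", "commercial malware", "WMI",
        "fileless techniques", "honeypot hunting", "TLS with ephemeral DH"}), group="APT29"),
    # A cluster tracked on its own before attribution (the UNC2452 situation on the slides).
    Campaign("CX-UNC", "Unattributed cluster", date(2020, 3, 1), date(2020, 12, 31), frozenset({
        "supply chain compromise", "cloud resources", "fileless techniques"})),
]


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def active_on(campaigns, group, day):
    """Campaigns attributed to `group` whose observed period contains `day`."""
    day = _as_date(day)
    return [c for c in campaigns
            if c.group == group and c.first_seen <= day <= c.last_seen]


def profile_at(campaigns, group, day):
    """How the group looked on one day: union of the campaigns active then."""
    return frozenset().union(*(c.techniques for c in active_on(campaigns, group, day)))


def combined_profile(campaigns, group):
    """The merged all-time view: every technique ever attributed to the group."""
    return frozenset().union(*(c.techniques for c in campaigns if c.group == group))


def coexisted(campaigns, group, a, b):
    """True if techniques a and b were in use during overlapping periods."""
    for c1 in campaigns:
        if c1.group != group or a not in c1.techniques:
            continue
        for c2 in campaigns:
            if (c2.group == group and b in c2.techniques
                    and c1.first_seen <= c2.last_seen and c2.first_seen <= c1.last_seen):
                return True
    return False


def never_coexisted(campaigns, group):
    """Pairs in the merged view that no single period contained together:
    the 'adversary that never existed at any given time' objection."""
    return {tuple(sorted(p)) for p in combinations(combined_profile(campaigns, group), 2)
            if not coexisted(campaigns, group, *p)}


def change_between(campaigns, group, earlier, later):
    """(dropped, added) techniques between two dates: what adversary change looks like."""
    before = profile_at(campaigns, group, earlier)
    after = profile_at(campaigns, group, later)
    return before - after, after - before


def attribute(campaigns, cid, group):
    """Tie a campaign to a group while keeping it as its own record (no merge)."""
    return [Campaign(c.cid, c.name, c.first_seen, c.last_seen, c.techniques, group)
            if c.cid == cid else c for c in campaigns]


if __name__ == "__main__":
    print(sorted(profile_at(CAMPAIGNS, "APT29", "2015-06-01")))
    print(len(combined_profile(CAMPAIGNS, "APT29")), "techniques in the merged view")
    print(sorted(never_coexisted(CAMPAIGNS, "APT29"))[:3])
```

`profile_at` answers "what did this group look like on that date", `combined_profile` is the merged view the earlier slide criticizes, and `never_coexisted` lists the pairs that merged view puts side by side although no period contained both (for the constructed data, cleartext C2 never overlaps with fileless techniques). `attribute` shows an unattributed cluster being tied to a group without losing its own record, which is the separation the UNC2452 slide says was not possible before campaigns.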
Takeaways
Adversaries change behavior slowly, but even with slow change can completely transform
Building long term threat groups can be useful, but can make our intel less actionable
Introducing a bit of structure can restore some of the context we’ve lost

Adam Pennington
@_whatshisface
https://attack.mitre.org
@mitreattack

Reports Shown in Slides
§ https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
§ https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
§ https://www.solarwinds.com/sa-overview/securityadvisory
§ https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29
§ https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
§ https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-report-april-2017.pdf
§ https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
§ https://www.fbi.gov/wanted/cyber/apt-10-group