(SACON) Wayne Tufek - chapter five - attacks

PRACTICAL SECURITY
ARCHITECTURE
WAYNE TUFEK
15TH – 16TH OF FEBRUARY 2019
SACON
BANGALORE

2
Sensitivity: Confidential
• MITRE ATT&CK™ is a knowledge base of adversary tactics
and techniques based on real-world observations. ATT&CK is
a comprehensive knowledge base and framework of over 200
techniques that adversaries may use over the course of an
attack. These include specific and general techniques, as well
as concepts and background information on well-known
adversary groups and their campaigns.
• ATT&CK is increasingly being used by the security community
as a common way to describe adversary behaviour.
• The MITRE ATT&CK framework is a set of known Tactics,
Techniques, and Procedures (TTPs) that have been used by
adversaries to achieve their objectives. Defenders can use the
framework to measure and improve their detection capabilities
so they can be better prepared when for a real-world attack.
MITRE ADVERSARIAL TACTICS, TECHNIQUES &
COMMON KNOWLEDGE (ATTACK)

3
• The aim of the framework is to improve post-compromise
detection of adversaries in enterprises by illustrating the
actions an attacker may have taken. How did the attacker get
in? How are they moving around?

4
Mapping defensive controls
• Defensive controls can carry well-understood meaning when
referenced against the ATT&CK tactics and techniques they apply to.
Threat hunting
• Mapping defences to ATT&CK yields a roadmap of defensive gaps
that provide threat hunters the perfect places to find missed attacker
activity.
Detections & Investigations
• The Security Operations Center (SOC) and incident response team
can reference ATT&CK techniques and tactics that have been
detected or uncovered. This aids in understanding where defensive
strengths and weaknesses are and validates mitigation and detection
controls, and can uncover misconfigurations and other operational
issues.
Referencing actors
• Actors and groups can be associated with specific, definable
behaviours.
Source: https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful

5
Tool integrations
• Disparate tools and services can standardise on ATT&CK
tactics and techniques, lending a cohesiveness to
a defence that is often lacking.
Sharing
• When sharing information about an attack, an actor or
group, or defensive controls, defenders can ensure
common understanding by using ATT&CK techniques and
tactics.
Red Team/Penetration Test Activities
• Planning, execution, and reporting of red team, purple
team, and penetration test activities can use ATT&CK to
speak a common language with defenders and report
recipients as well as amongst themselves.

6
• Prioritise detection and mitigation actions
• Better evaluate new security technologies
• Conduct adversary emulation
• Perform a gap analysis of current defences
• Track a specific adversaries TPPs

7
Adversarial Simulation and ATT&CK
Testing the techniques in ATT&CK against the environment is the
best way to:
• Test controls and their efficacy
• Ensure coverage against different techniques
• Understand gaps in visibility or protection
• Validate the configuration of tools and systems
• Demonstrate where different actors would be successful or
would be caught in the environment
• Avoid guesses and assumptions with controls by knowing
exactly what is detected or mitigated and what is not

8
Challenges When Leveraging ATT&CK
Using ATT&CK doesn’t come without challenges. It’s good to keep these in mind when leveraging
ATT&CK.
Not all techniques are always malicious
• Example: Data from Network Shared Drive (T1039)
• Key to detection: How is this technique being invoked?
Not all techniques are easy to detect
• Example: Spearphishing Link (T1192)
• Key to detection: Other events surrounding email receipt
Some techniques have many possible methods of execution
• Example: Credential Dumping (T1003)
• Key to detection: Build out known methods of evoking the technique and label them all as
Credential Dumping
• MITRE will be releasing sub-techniques to help address this
Some techniques are listed under multiple tactics
• Example: DLL Search Order Hijacking (T1038)
• Shows up under Persistence, Privilege Escalation, and Defense Evasion tactics
• Some techniques, such as this one, can be used for multiple use cases and are useful in
multiple stages of attack

9
• Adversary behaviours. Focusing on adversary tactics and
techniques allowed us to develop analytics to detect possible
adversary behaviours. Typical indicators such as domains, IP
addresses, file hashes, registry keys, etc. were easily changed by
adversaries and were only useful for point in time detection —
they didn’t represent how adversaries interact with systems, only
that they likely interacted at some time.
• Lifecycle models that didn’t fit. Existing adversary lifecycle and
Cyber Kill Chain concepts were too high-level to relate
behaviours to defences — the level of abstraction wasn’t useful to
map TTPs to new types of sensors.
• Applicability to real environments. TTPs need to be based on
observed incidents to show the work is applicable to real
environments.
• Common taxonomy. TTPs need to be comparable across different
types of adversary groups using the same terminology.
Source: https://mitre-attack/att-ck-101-17074d3bc62

10
• Tactic: Adversary’s technical goal
• Technique: How the adversary achieves the goal
• Threat based security - focused on specific TTPs

11

12
Source: https://attack.mitre.org/wiki/Main_Page

13
Source: https://attack.mitre.org/wiki/Main_Page

14
PRE ATT&CK
PRE-ATT&CK and ATT&CK Enterprise combine to form the full
list of tactics that happen to roughly align with the Cyber Kill
Chain. PRE-ATT&CK mostly aligns with the first three phases of
the kill chain: reconnaissance, weaponization, and delivery.
ATT&CK Enterprise aligns well with the final four phases of the kill
chain: exploitation, installation, command & control, and actions
on objectives.

15
PRE ATT&CK
PRE-ATT&CK Tactics ATT&CK Enterprise Tactics
•Priority Definition
•Target Selection
•Information Gathering
•Weakness Identification
•Adversary OpSec
•Establish & Maintain Infrastructure
•Persona Development
•Build Capabilities
•Test Capabilities
•Stage Capabilities
•Initial Access
•Execution
•Persistence
•Privilege Escalation
•Defense Evasion
•Credential Access
•Discovery
•Lateral Movement
•Collection
•Exfiltration
•Command and Control

16
ADVERSARY EMULATION
Caldera

17

18
THREAT ACTOR GROUPS

19
THREAT ACTOR GROUPS

20
THREAT ACTOR GROUPS

21
THREAT ACTOR GROUPS

22
SOFTWARE

23
SOFTWARE

24
SOFTWARE

25
SOFTWARE

26
EXERCISE

27
QUESTIONS?
Questions

28
PA S S I O N • I N T E G R I T Y • E X P E R I E N C E • R E S U LT S

(SACON) Wayne Tufek - chapter five - attacks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to (SACON) Wayne Tufek - chapter five - attacks

Similar to (SACON) Wayne Tufek - chapter five - attacks (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

(SACON) Wayne Tufek - chapter five - attacks