TA505: A Study of High End Big Game Hunting in 2020

•

0 likes•397 views

From MITRE ATT&CKcon Power Hour October 2020 By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

TA505
A Study of High End Big
Game Hunting in 2020
Brandon Levene
ATT&CKCON
October 9th, 2020

Proprietary + Confidential
Opportunistically targeted
ransomware deployments, aka
Big Game Hunting (BGH), have caused
a distinct disruption in
the mechanics of monetizing
crimeware compromises.

Agenda Context and background
Threat actor process
Lessons learned
Operational details
02
01
03
04

Context and background
Threat actor process
Lessons learned
Operational details
02
01
03
04

Who is TA505?
Customer of Dridex banking Trojan as well as Locky and Jaff
Ransomware families from 2014-2017
NOT the developers of the tools above (that would be
EvilCorp
Shift to backdoors in 2018 which coincides with a decrease
in bespoke banking trojans and non-targeted ransomware
Rapidly shifted through initial loaders and secondary
payloads throughout 2018 and 2019, slowly shifted towards
Users* of CLOP ransomware (first seen in Feb 2019) as
primary monetization mechanism
There do not appear to be any other users, so this is likely another in-
house tool
Context and background

Proprietary + Confidential
Context and background

NETZSCH GROUP BASED IN GERMANY ALLEGEDLY
BREACHED BY COP RANSOMWARE OPERATORS Hackers publish ExecuPharm internal
data after ransomware attack
Largest Privately-Owned Logistics
Company--EV Cargo Logistics
Ransomware Hits maastricht
University, all Systems
Taken Down
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline

Context and background
Threat actor process02
01
Lessons learned
Operational details03
04

Source: ANSSI https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
Threat actor process
Overview
TA505
Legitimate
compromised domain
Malicious
domain
Malicious email HTML + Javascript Redirecting URL Phishing page
Malicious office
document
Victim
Malware
1 SENDS
CONTAINS HOSTS
HOSTSHOSTS
6
DROPS AND
EXECUTES
2 3 4 5OPENS
REDIRECTION
DOWNLOADS
AND ACTIVATES THE
MACROS
REDIRECTION

Context and background
Threat actor process
Operational details
02
01
03
Lessons learned04

Operational details
Spear Phishing - T1192 + Spear Phishing Attachment - T1193
Initial Access

Operational details
User Execution + T1204 [.002]
Execution

Operational details
Ingress Tool Transfer - T1055
Command and control

Operational details
Process Injection - T1055
Defense Evasion and Priv Esc
Application Layer Protocol - T1071
Command and control

Operational details
Event Triggered Execution - T1546 (image file execution injections, sub .012)
Persistence

Operational details
Permission Groups Discovery - T1069
Discovery Subvert Trust Controls - T1553
Defense Evasion

Operational details
Data Encrypted for Impact - T1486
Impact

Operational details
Data Leak - Unmapped
Impact

Compliment defense in depth with detection in depth
Study TTPs to seize interdiction opportunities
Detecting the ransomware itself is too late
amateur
Visibility is key

From MITRE ATT&CKcon Power Hour December 2020 By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

From Theory to Practice: How My ATTACK Perspectives Have Changed

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Katie Nickels, Director of Intelligence, Red Canary Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.

Transforming Adversary Emulation Into a Data Analysis Question

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Matan Hart, Co-Founder & CEO Cymptom @machosec Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.

Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...

MITRE ATT&CK

From ATT&CKcon 3.0 By Aunshul Rege, Katorah Williams, and Rachel Bleiman, Temple University Social engineering (SE) is a technique used by cybercriminals to psychologically manipulate individuals into disclosing sensitive information and providing unauthorized access. Penetration testers are tasked with simulating targeted attacks on a company's system to determine any weaknesses in their environment. The 2021 Summer SE Pen Test Competition allowed students to experience SE pen testing in a safe and ethical way. Student teams were "hired" to conduct a SE pen test on the CARE Lab (run by the authors) and their employees (the authors themselves)! Teams had to use OSINT, phishing, and vishing in real-time to target the lab, develop attack playbooks, and map the techniques to the ATT&CK framework. This talk shares the application of ATT&CK in cybersecurity education. Specifically, it (i) focuses on how students map their SE attack playbooks to the ATT&CK framework, (ii) compares/contrasts SE techniques across various student groups: 6 graduate teams, 9 undergraduate teams, and 1 high school team, and (iii) how ATT&CK can be used for SE.

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.

Starting Over with Sub-Techniques

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour - October By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report. In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.

Landing on Jupyter: The transformative power of data-driven storytelling for ...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jose Barajas and Stephan Chenette, AttackIQ Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.

From ATT&CKcon 3.0 By Haylee Mills, Splunk Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Valentine Mairet, Security Researcher, McAfee The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Gert-Jan Bruggink, Defensive Specialist, FalconForce Adversaries are humans as well. They have objectives, deadlines and resources for programming. In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred. This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

From ATT&CKcon 3.0 By David Barroso, CounterCraft When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.

ATT&CKcon Intro

MITRE ATT&CK

What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team

MITRE ATT&CK

From ATT&CKcon 3.0 By Brian Donohue, Red Canary This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.

Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...

MITRE ATT&CK

Threat Modelling - It's not just for developers

MITRE ATT&CK

From ATT&CKcon 3.0 By Tim Wadhwa-Brown, Cisco The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter. Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent. One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.

MITRE ATT&CK Framework

n|u - The Open Security Community

ATT&CK Updates- Campaigns

MITRE ATT&CK

Leveraging MITRE ATT&CK - Speaking the Common Language

Erik Van Buggenhout

MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation. Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.

It's just a jump to the left (of boom): Prioritizing detection implementation...

MITRE ATT&CK

From ATT&CKcon 3.0 By Lindsay Kaye and Scott Small, Recorded Future Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively. This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.

ATT&CK Updates- Defensive ATT&CK

MITRE ATT&CK

State of the ATT&CK

MITRE ATT&CK

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jason Wood and Justin Swisher, CrowdStrike When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

Introduction to MITRE ATT&CK

Arpan Raval

R u hacked

Sumedt Jitpukdebodin

RIFDHY RM ( Cybersecurity ).pdf

RifDhy22

What's hot

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

Projects to Impact- Operationalizing Work from the Center

MITRE ATT&CK

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

MITRE ATT&CK

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

MITRE - ATT&CKcon

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE - ATT&CKcon

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

ATT&CKcon Intro

MITRE ATT&CK

What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team

MITRE ATT&CK

Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...

MITRE ATT&CK

Threat Modelling - It's not just for developers

MITRE ATT&CK

MITRE ATT&CK Framework

n|u - The Open Security Community

ATT&CK Updates- Campaigns

MITRE ATT&CK

Leveraging MITRE ATT&CK - Speaking the Common Language

Erik Van Buggenhout

It's just a jump to the left (of boom): Prioritizing detection implementation...

MITRE ATT&CK

ATT&CK Updates- Defensive ATT&CK

MITRE ATT&CK

State of the ATT&CK

MITRE ATT&CK

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...

MITRE ATT&CK

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CK

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

Introduction to MITRE ATT&CK

Arpan Raval

What's hot (20)

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

Projects to Impact- Operationalizing Work from the Center

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

Mapping ATT&CK Techniques to ENGAGE Activities

ATT&CKcon Intro

What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team

Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...

Threat Modelling - It's not just for developers

MITRE ATT&CK Framework

ATT&CK Updates- Campaigns

Leveraging MITRE ATT&CK - Speaking the Common Language

It's just a jump to the left (of boom): Prioritizing detection implementation...

ATT&CK Updates- Defensive ATT&CK

State of the ATT&CK

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Introduction to MITRE ATT&CK

Similar to TA505: A Study of High End Big Game Hunting in 2020

R u hacked

Sumedt Jitpukdebodin

RIFDHY RM ( Cybersecurity ).pdf

RifDhy22

Retail Week: Cloud Security

Datapipe

The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose

Moshe Ferber

loud computing is evolving fast, and so are the threats and defense tactics. Cloud consumers and providers should always be aware of the latest risks and attack vectors and explore the latest security events to identify new attack vectors. Here, we’ll provide you with a list of the latest threats and discuss their effect on our security posture, and review a recent case study of attacks relevant to those threats.

Kurnava_Matthew_Research Paper_NSEC506_SPR16Matthew Kurnava

AWS Chicago May 22 Security event - Redlock CSI report

AWS Chicago

Software management, the seasonal return of DDoS - This Week in Security.pdf

Lior Rotkovitch

Men in the Server Meet the Man in the Browser

Source Conference

Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates

Briskinfosec Technology and Consulting

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

RootedCON

OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...

Editor IJMTER

Using End to End Connection in packet Switching networks for providing higher security in Cloud Computing. In cloud computing a major role is provide security to services that may be PaaS( Platform as a Service), SaaS( Software as a Service) , CaaS( Communication as a Service) , IaaS( Infrastructure as a Services) , MaaS ( Monitoring as a Service)n, XaaS( X: Platform, Software, Monitoring, Infrastructure). Cloud computing provides wide range of services. Large, Small and medium businesses are depending on out sourcing of data services and computation on cloud this is mainly deals with SaaS. The cloud provides a very high efficient service for the business organizations. These business organizations trust cloud service providers on their data security. But providing security is highly risk in cloud through the third party, especially in private cloud services. Existing data security methods are not so effective. By using this End to End Connection and Session Keys and attempts is to be covered secularism in the area of Cloud computing users. A new approach for securing the data from cloud. OTK – “One Time Key Distribution File” is a service that protects unauthorized file downloading form the cloud.

ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx

SecPod

On December 10, 2020, Orange Tsai, a Taiwanese security researcher, discovered a pre-authentication proxy vulnerability (CVE-2021-26855) in Microsoft Exchange Servers that allows a remote actor to bypass authentication and receive admin server privileges. On March 2, Microsoft released critical security updates for four crucial zero-day vulnerabilities discovered in Exchange Servers. Within one week, at least 30,000 U.S. organizations and hundreds of thousands of organizations worldwide had fallen victim to an automated campaign run by HAFNIUM that provides the attackers with remote control over the affected systems. In this session of SecPod Labs Intelligence Series, Veerendra GG and Pooja Shetty, will discuss: 1. What is Proxyogon Vulnerability and how can it impact your security 2. What made ProxyLogon so contagious and spread like a wildfire 3. Steps you can take to remediate the risk of being attacked

AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0

Happiest Minds Technologies

Digitalization has transformed the way business’s function. With the evolution of technologies, attackers are also evolving. They are finding innovative and more invasive ways to attack organizations. Due to this, the organization's security operations center (SOC) is expected to be more agile and dynamic in detecting and responding to attacks. Most organizations' security operations and incident response teams are overworked due to high volumes of security threats and alerts that they need to manage every day.

The ATT&CK Latin American APT Playbook

MITRE ATT&CK

From ATT&CKcon 3.0 By Santiago Pontiroli and Dmitry Bestuzhev, Kaspersky Financially motivated cyber-attacks thrive in emerging Latin American markets. However, there's room for locally grown threat actors operating in the cyber espionage field as well. During the last decade, this includes but is not limited to Blind Eagle, Puppeteer, Machete, Poseidon, and others. We also saw foreign operations targeting specific assets in Latin America, still connected to certain regional sources. Since the threat actors' origin, culture, and language is often different, it's not uncommon for tactics, techniques, and procedures (TTPs) to present marked differences. As a result of our regional expertise and experience, we created MITRE's ATT&CK play-by-play mappings to help other analysts understand regional actors. If you are interested in threat intelligence and what's going on in Latin America, this presentation is for you. Our work is based only on real-world attackers and their operations, including those not publicly known, such as COVID-19 Machete's targeted campaign.

2018 Year in Review- ICS Threat Activity Groups

Dragos, Inc.

IRJET- Detection and Isolation of Zombie Attack under Cloud Computing

IRJET Journal

Targeted attacks on major industry sectors in south korea 20171201 cha minseo...

Minseok(Jacky) Cha

Trends in network security feinstein - informatica64Chema Alonso

MITRE ATT&CKcon Power Hour - November

MITRE - ATT&CKcon

The Comprehensive Security Policy In The Trojan War

Mandy Cross

Similar to TA505: A Study of High End Big Game Hunting in 2020 (20)

R u hacked

RIFDHY RM ( Cybersecurity ).pdf

Retail Week: Cloud Security

The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose

Kurnava_Matthew_Research Paper_NSEC506_SPR16

AWS Chicago May 22 Security event - Redlock CSI report

Software management, the seasonal return of DDoS - This Week in Security.pdf

Men in the Server Meet the Man in the Browser

Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...

ProxyLogon - MS Exchange Server Vulnerabilities - JS Edited.pptx

AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0

The ATT&CK Latin American APT Playbook

2018 Year in Review- ICS Threat Activity Groups

IRJET- Detection and Isolation of Zombie Attack under Cloud Computing

Targeted attacks on major industry sectors in south korea 20171201 cha minseo...

Trends in network security feinstein - informatica64

MITRE ATT&CKcon Power Hour - November

The Comprehensive Security Policy In The Trojan War

More from MITRE - ATT&CKcon

State of the ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Adam Pennington, ATT&CK Lead, MITRE Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.

MITRE ATTACKcon Power Hour - January

MITRE - ATT&CKcon

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.

What's New with ATTACK for ICS?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Otis Alexander, Principal Cybersecurity Engineer, MITRE Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.

Putting the PRE into ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By: Jamie Williams, Lead Cyber Adversarial Engineer, MITRE Mike Hartley, Lead Cybersecurity Engineer, MITRE In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.

What's a MITRE with your Security?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Matt Snyder, Senior Threat Analytics Engineer, VMware The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.

ATTACKing the Cloud: Hopping Between the Matrices

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Anthony Randazzo, Global Response Lead, Expel The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Allie Mellen, Security Strategist, Office of the CSO, Cybereason In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile. One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.

What's New with ATTACK for Cloud?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.

MITRE ATTACKCon Power Hour - December

MITRE - ATT&CKcon

MITRE ATTACKcon Power Hour - October

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...

MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (20)