ATT&CKing with Threat Intelligence
Christopher Korban
Cody Thomas
HOPE - July 2018
© 2018 The MITRE Corporation. All rights reserved.
Approved for public release. Distribution unlimited 18-0944-10
| 2 |
ATT&CK T1033 – User Discovery
• Christopher Korban
  – Lead Cyber Security Engineer
  – ATT&CKing for the past 5+ years
  – Creates Adversary Emulation Plans
  – @ckorban
• Cody Thomas
  – Senior Cyber Security Engineer
  – Created Mac/Linux ATT&CK
  – Red Teamer and Tool Developer
  – @its_a_feature_
| 3 |
Traditional Offensive Testing Workflow
[Figure, Red flow: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings]
[Figure, Blue flow: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate]
• Typical Red vs Blue event flow
| 4 |
Traditional Outcomes
• Red
  – Creates report of offensive techniques and IoCs for what they did
  – Wants to make sure they ‘win’ again next time
  – Leaves for a year
• Blue
  – Deciphers Red’s report
  – Continues to deal with daily incident reports
  – Creates static detections for Red’s tools and IoCs
  – Might try to characterize malicious behavior
    • Typically has small sample size
    • No good way to keep testing
| 5 |
How do these outcomes progress?
• Blue signatures Red tool (MD5=4de587ac29…)
  – Red changes tool slightly (new hash)
• Blue signatures Red tool (string=“mimikatz”)
  – Red changes tool slightly (string=“mimidogz”)
• Blue stops single red instantiation (psexec)
  – Red modifies implementation (psexec manually)
• …
• This isn’t really helping blue or red
| 6 |
Change the game, even for Red
David Bianco’s Pyramid of Pain
| 7 |
Need Common Language for TTPs
• What do we need from this common language?
  – Communicate and articulate what happened in a test, and the results
  – Do so at a level that’s specific enough to be repeatable
  – Enable us to create metrics that make sense
• What do we use for this?
  – MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
| 8 |
ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior.
ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations.
attack.mitre.org
| 9 |
ATT&CK Matrix Format
Tactic: the adversary’s technical goal, the “Why”
Technique: the adversary’s action to achieve that goal, the “What”
| 10 |
Example of Technique: New Service
• Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
• Platform: Windows
• Permissions required: Administrator, SYSTEM
• Effective permissions: SYSTEM
• Detection:
  – Monitor service creation through changes in the Registry and common utilities using command-line invocation
  – Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
  – Monitor processes and command-line arguments for actions that could create services
• Mitigation:
  – Limit privileges of user accounts and remediate Privilege Escalation vectors
  – Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
• Data Sources: Windows Registry, process monitoring, command-line parameters
• Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
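The two detection styles the deck contrasts, the hash signature from slide 5 and the behaviour-level monitoring this technique's Detection bullets describe, can be run side by side over a few telemetry records. The Python below is an added example, not code from the slides or from MITRE: the events are constructed, the field names (`type`, `image`, `cmdline`, `md5`, `key`) are assumptions loosely modelled on Sysmon process-creation and registry-value-set records, and T1050 is the ID this technique carried in the 2018 ATT&CK numbering. The hash rule flags the one build it knows; the behaviour rules flag the service creation itself, whichever binary performed it.

```python
"""Indicator rule vs behaviour rules for ATT&CK New Service (T1050, 2018 ids).
Added example over constructed telemetry; field names are assumptions."""
import re

# Constructed sample telemetry. Events 3 and 5 are the same tool before and
# after a rebuild (new hash, new file name); events 4 and 6 are the registry
# writes each build makes when it installs itself as a service.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create UpdSvc binPath= "C:\Users\Public\upd.exe" start= auto',
     "md5": "aaaa0001"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "md5": "aaaa0002"},
    {"id": 3, "type": "process", "image": r"C:\Users\Public\tool.exe",
     "cmdline": "tool.exe --install", "md5": "4de587ac29"},
    {"id": 4, "type": "registry", "image": r"C:\Users\Public\tool.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc2\ImagePath",
     "value": r"C:\Users\Public\tool.exe"},
    {"id": 5, "type": "process", "image": r"C:\Users\Public\tool2.exe",
     "cmdline": "tool2.exe --install", "md5": "bbbb0005"},
    {"id": 6, "type": "registry", "image": r"C:\Users\Public\tool2.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc3\ImagePath",
     "value": r"C:\Users\Public\tool2.exe"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\Svc4 /v ImagePath /d C:\Users\Public\s4.exe",
     "md5": "aaaa0007"},
    {"id": 8, "type": "registry", "image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start", "value": "2"},
]

# Indicator-level rule: the hash Blue signatured after the last exercise.
KNOWN_BAD_MD5 = {"4de587ac29"}

# Behaviour-level rules, following the technique's Detection guidance:
# command-line invocation of common utilities, and writes under the Services key.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\b", re.IGNORECASE)
REG_ADD_SERVICE = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\services\\", re.IGNORECASE)
SERVICES_IMAGEPATH = re.compile(r"\\currentcontrolset\\services\\[^\\]+\\imagepath$", re.IGNORECASE)


def hash_rule(events):
    """Indicator match: ids of events whose binary has a known-bad hash."""
    return [e["id"] for e in events if e.get("md5") in KNOWN_BAD_MD5]


def behaviour_rule(events):
    """Technique match: (event id, reason) for each service-creation behaviour,
    regardless of which binary carried it out."""
    hits = []
    for e in events:
        if e["type"] == "process":
            if SC_CREATE.search(e["cmdline"]):
                hits.append((e["id"], "sc create on the command line"))
            elif REG_ADD_SERVICE.search(e["cmdline"]):
                hits.append((e["id"], "reg add under the Services key"))
        elif e["type"] == "registry" and SERVICES_IMAGEPATH.search(e["key"]):
            hits.append((e["id"], f"new service ImagePath written by {e['image']}"))
    return hits


def compare(events):
    """Which event ids each tier sees, showing where the hash rule goes blind."""
    by_hash = set(hash_rule(events))
    by_behaviour = {eid for eid, _ in behaviour_rule(events)}
    return {"hash_only": sorted(by_hash - by_behaviour),
            "behaviour_only": sorted(by_behaviour - by_hash),
            "both": sorted(by_hash & by_behaviour)}


if __name__ == "__main__":
    for eid, why in behaviour_rule(SAMPLE_EVENTS):
        print(f"event {eid}: T1050 New Service ({why})")
    print(compare(SAMPLE_EVENTS))
```

The hash rule sees only event 3 and says nothing once the tool is rebuilt (event 5). The behaviour rules never look at the hash: they catch both builds through the registry write each one makes (events 4 and 6), plus the `sc` and `reg` invocations, while leaving the ordinary `Start` value change on the Spooler service alone. That is the difference between the bottom and the top of the Pyramid of Pain from slide 6.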
| 11 |
ATT&CK Spans Multiple Tech Domains
• PRE-ATT&CK: left-of-exploit behaviors
• Enterprise: Windows, Linux, Mac
• Mobile: Android, iOS
| 12 |
Key ATT&CK use cases:
• Guide threat hunting campaigns
• Leverage threat intelligence to prioritize technique detection
• Remediate gaps by mapping solutions back to ATT&CK techniques
• Emulate adversaries to measure defenses against relevant threats
| 13 |
Adversary Emulation
• AKA: Threat-based Red Teaming
• Adversary Emulation
  – Emulate the techniques of an adversary that’s most likely to target your environment
  – Focus on the behaviors of those techniques instead of specific implementations
| 14 |
Adversary Emulation with ATT&CK
Prototype APT3 emulation plan on attack.mitre.org
| 15 |
How to start doing adversary emulation?
• Identify an adversary you want to emulate
  – Consider the target you’re going up against
    • Defense Contractor
    • Financial Sector
    • Health Care
    • E-Commerce
    • Etc.
  – Adversaries change accordingly
    • Country Specific (APT3, APT28, APT29, APT34, ….)
    • Financially Motivated (FIN6, FIN7, …)
| 16 |
How to start doing adversary emulation?
1. Threat Intelligence Acquisition
  – Analyze Reporting:
    • Adversary Reports (APTX)
    • Reports on Adversary’s toolsets (APTX uses A,B,C)
    • Aliases (APTX i.e. ThreatGroup ###, adjective-animal)
    • Toolset aliases (A i.e. Trojan.malwareName)
    • Associated Campaigns (OperationZ)
    • Keep time of reports in mind
[Figure, emulation process flow: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
| 17 |
Threat Intel - Follow the Leads
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
Aliases, Aliases, Aliases everywhere!
| 18 |
How to start doing adversary emulation?
2. Extract Actionable Techniques and M.O.
  – Look for adversary behaviors
  – Look for tool functionality
  – Establish the adversary’s goal
  – Think about the what, why, and how
    • In ATT&CK - Technique, Tactic, Procedure
| 19 |
Threat Intel - What does it really say?
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1094 - Custom Command and Control Protocol
| 20 |
Threat Intel - Into the Binary Strings
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1059 - Command-Line Interface
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception?
| 21 |
Threat Intel - Into the Binaries
T1056 - Input Capture
T1027 - Obfuscated Files or Information
T1016 - System Network Configuration Discovery
T1077 - Windows Admin Shares
T1035 - Service Execution
T1003 - Credential Dumping
T1055 - Process Injection
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
| 22 |
Threat Intel - Adversary M.O.
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
“Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents”
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
“They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure”
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
“The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.”
| 23 |
Developing an Emulation Plan
• This is the hardest part of the puzzle
• No plan will be perfect, so approximate where needed
• This isn’t a replay of an incident - variation is OK
| 24 |
Developing an Emulation Plan
3. Develop Tools if needed to emulate behaviors
  – What are the COTS / Open Source tools available?
  – Can you exhibit the right behaviors with these tools?
    • Can you extend them?
    • Can you modify them?
  – Do you need to develop something specific?
    • Delivery mechanisms
    • Command and Control
    • Capabilities
| 25 |
What is behavior emulation for TTPs?
• Performing adversary techniques with variations
  – Adversary created “C:aos.exe” for Priv Esc via path interception
    • You intercept any service path that runs under higher privileges
  – Adversary used “PSExec” for Lateral Movement
    • You do it manually with “sc.exe” or via PowerShell
  – Adversary runs “whoami” for Discovery
    • You do it with environment variables “%USERDOMAIN%%USERNAME%”
• Thinking about what you’re trying to accomplish
  – Technique in ATT&CK
  – And why you’re trying to accomplish it
    • Tactic in ATT&CK
| 26 |
Defining Your Toolset
• Don’t limit yourself to a single environment or tool
  – Python, PowerShell, Command-Line, Custom Binary, etc.
• Do stay within the behavior boundaries
| 27 |
Create an Adversary Emulation Field Manual
Tactic      Technique                             Implementations
Discovery   T1069 - Permission Groups Discovery   net localgroup; net group /domain; dsquery group
Discovery   T1087 - Account Discovery             net user /domain; wmic user; dsquery user
• Provides multiple implementations across toolsets
• Provides offensive command-line examples
• Create this as you go, and use for reference later
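The field manual above is a lookup table, and steps 1 to 3 of the process (slides 16, 19 and 20: collect reports under every alias, extract technique IDs, then decide what still needs tooling) are operations over it. The Python below is an added example, not MITRE's code or the emulation plans published on attack.mitre.org: the manual entries reuse the commands the slides list, while the toolset labels, the alias table and the per-report technique lists are constructed for this example (the IDs come from slides 19 and 20). It resolves aliases so Buckeye and APT3 reporting pools together, ranks techniques by how many reports mention them, splits them into ones the manual can already emulate and gaps that need a tool, and filters implementations to the toolsets allowed in an engagement (slide 26's behavior boundary).

```python
"""Field manual as data, plus intel-to-coverage bookkeeping for an emulation
plan. Added example; manual contents, aliases and report lists are constructed."""
from collections import Counter

# Constructed alias table: the name a report uses -> the name we plan under.
ALIASES = {"apt3": "APT3", "buckeye": "APT3", "gothic panda": "APT3",
           "apt29": "APT29", "cozy bear": "APT29"}

# Constructed field manual shaped like the slide's table: id -> name, tactic
# and several implementations, each tagged with the toolset it belongs to.
FIELD_MANUAL = {
    "T1069": {"name": "Permission Groups Discovery", "tactic": "Discovery",
              "impl": [("cmd", "net localgroup"), ("cmd", "net group /domain"),
                       ("dsquery", "dsquery group")]},
    "T1087": {"name": "Account Discovery", "tactic": "Discovery",
              "impl": [("cmd", "net user /domain"), ("wmic", "wmic user"),
                       ("dsquery", "dsquery user")]},
    "T1033": {"name": "System Owner/User Discovery", "tactic": "Discovery",
              "impl": [("cmd", "whoami"), ("cmd", "echo %USERDOMAIN%%USERNAME%")]},
    "T1059": {"name": "Command-Line Interface", "tactic": "Execution",
              "impl": [("cmd", "cmd.exe /c <command>"),
                       ("powershell", "powershell.exe -Command <command>")]},
}

# Constructed: technique ids an analyst pulled from each report, keyed by the
# group name as that report spells it. The third report is unrelated noise.
INTEL_REPORTS = [
    {"source": "doubletap", "group": "APT3",
     "techniques": ["T1068", "T1059", "T1033", "T1053", "T1065", "T1094"]},
    {"source": "pirpi-strings", "group": "Buckeye",
     "techniques": ["T1069", "T1049", "T1059", "T1018", "T1107", "T1057"]},
    {"source": "unrelated", "group": "Cozy Bear",
     "techniques": ["T1053", "T1059"]},
]


def canonical(name):
    """Map any alias to the planning name; unknown names pass through."""
    return ALIASES.get(name.strip().lower(), name)


def extract_techniques(reports, adversary):
    """Per technique, how many reports on `adversary` mention it (aliases
    resolved first). Techniques seen across several reports rank highest."""
    return Counter(t for r in reports if canonical(r["group"]) == adversary
                   for t in r["techniques"])


def coverage(manual, counts):
    """Split observed techniques into those the manual can already emulate
    and gaps needing a tool (step 3). Both lists are ordered by report
    count, then id, so the head of each list is the priority."""
    order = sorted(counts, key=lambda t: (-counts[t], t))
    covered = [t for t in order if manual.get(t, {}).get("impl")]
    gaps = [t for t in order if t not in covered]
    return covered, gaps


def implementations(manual, tid, toolsets=None):
    """Commands for one technique, optionally limited to the toolsets
    allowed in this engagement (staying inside the behavior boundary)."""
    impls = manual.get(tid, {}).get("impl", [])
    return [cmd for ts, cmd in impls if toolsets is None or ts in toolsets]


def plan_by_tactic(manual, covered):
    """Group covered techniques under their tactic: the 'why' above the 'what'."""
    plan = {}
    for t in covered:
        plan.setdefault(manual[t]["tactic"], []).append(t)
    return plan


if __name__ == "__main__":
    counts = extract_techniques(INTEL_REPORTS, "APT3")
    covered, gaps = coverage(FIELD_MANUAL, counts)
    for tactic, techs in plan_by_tactic(FIELD_MANUAL, covered).items():
        print(tactic)
        for t in techs:
            print(f"  {t} ({counts[t]} reports): {implementations(FIELD_MANUAL, t, {'cmd'})}")
    print("needs tooling:", gaps)
```

Run against the constructed reports, T1059 ranks first because both APT3 reports mention it, the APT29 report is excluded by alias resolution, and the eight techniques without a manual entry come out as the tooling backlog for step 3; restricting `implementations` to `{"cmd"}` drops the `dsquery` variant when that toolset is out of scope.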
| 28 |
Developing an Emulation Plan
4. Set up offensive infrastructure
  – Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
  – Create Payloads “inspired by” the adversary’s tradecraft
    • Modify IoCs and behaviors if possible
    • Obfuscate with purpose, NOT all the things
      – Over-obfuscation is itself suspicious
| 29 |
Developing an Emulation Plan
5. Emulate the Adversary
  – Follow the M.O. of your target adversary
  – “Domain Admin” most likely isn’t your goal
  – Keep the ‘speed of the adversary’ in mind
    • Low and slow vs smash and grab
[Image: Automated Adversary Emulation System (CALDERA), https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2017/12/03221736/Automated-Adversary-Emulation-System-CALDERA.jpg]
| 30 |
Providing a Starting Point for Red/Blue
• To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes
• APT3 and APT29
  – All based on open-source intelligence
  – Breakdowns of APT tools and capabilities mapped to ATT&CK
  – Descriptions of how these techniques are implemented
  – Potential operator flows during emulations
  – Cheat Sheets of commands across
    • Live off the Land binaries/scripts
    • Open source tools
    • Commercial toolkits
• APT3 is on attack.mitre.org now
• APT29 is Coming Soon™
| 31 |
Contact Us
• Chris - @ckorban, ckorban@mitre.org
• Cody - @its_a_feature_, cbthomas@mitre.org
• ATT&CK
  – https://attack.mitre.org
  – @MITREattack
• ATT&CK Navigator
  – https://github.com/mitre/attack-navigator
  – https://mitre.github.io/attack-navigator/enterprise/
• Adversary Emulation Plans
  – https://attack.mitre.org/wiki/Adversary_Emulation_Plans
• CALDERA: Automated Adversary Emulation
  – https://github.com/mitre/caldera
| 32 |
MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions.
Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org
 
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data AnalyticsMotadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

Editor's Notes

  • 1. *
  • 2. Person 1
  • 3. Person 1
  • 4. This slide comes up a lot for defenders, to change how they're approaching the problem of identifying the adversary. It is helpful for changing the red teamer's frame of mind as well. As a red teamer, you need to be thinking about, refining and expanding your TTPs and tools rather than simply thinking about domain names, hash values, binary strings, etc. Those are important to consider when creating payloads and planning operations, but randomizing them all the time should be second nature by now.
  • 5. Person 1: What is needed for this kind of language to work well for purple teaming? It means that red and blue need to be able to communicate effectively, to articulate what happened in a test and the results. It means that there needs to be a way to talk about what was done during a test so that it's repeatable. And it means that the language needs some way to measure improvement between tests.
  • 6. We like to use ATT&CK for purple teaming. ATT&CK is Adversarial Tactics, Techniques, and Common Knowledge. We have a small sample of it here. There are currently 11 tactics across the top; each one refers to a 'goal' of the attacker. This equates to the reason why an attacker is doing any given technique. Down each column are different techniques that achieve that tactic. These techniques equate to what the adversary is doing (creating services, using WMI for persistence, dumping credentials, etc.). If you just glance across the different techniques we have listed, you'll notice something start to jump out: these are descriptions of adversary behaviors, not indicators of compromise. The same holds true for the information we capture about different threat groups in ATT&CK; we tie everything back to behaviors. We focus on adversary TTPs and behaviors because that's the hardest thing for an adversary to change.
  • 7. *Person 2: Ok, so we talked about a common language to use, but ATT&CK is getting pretty big! We've scoped the realm of the possible down to the realm of the probable, but can we start to prioritize a bit more from there? We sure can! This is where we start doing Adversary Emulation, sometimes called Threat-based Red Teaming. In our case, we don't want to just look like advanced adversaries, we want to look like a very specific adversary. We want to look like the adversary you're most likely going to face (based on your industry, your company, your past incidents, etc.) so that we can prioritize working on defenses for those techniques first. Remember, this is a prioritization mechanism to help frame where you should start working on defenses, forcing your offense and defense to work together to build stronger behavior-based defensive measures. Ok, this is cool, but how can I do this adversary emulation thing you describe?
  • 8. Person 2: We like ATT&CK, so we do this adversary emulation thing with ATT&CK (and we already have one example here for you). More emulation plans are to come, and we welcome all community additions or edits to the emulation plans (email attack@mitre.org).
  • 9. We break adversary emulation down into 5 steps. For this first step, threat intel acquisition, consider the following:
    – Start by simply googling the name, but then start following the leads.
    – You should also gather info on the tools that adversary uses.
    – Aliases are a really hot topic in the threat intel community right now, and I'm not going to throw that into the mix of what we're covering today, but just keep that in mind as you start searching for reporting.
    – Threat intel is also binned into broad categories like campaigns, so be sure to look into those as well.
    – Lastly, keep in mind when these reports were released. Reports about an adversary from 5 years ago shouldn't carry as much weight as a report released yesterday.
    Let's take a few examples to see how this looks in practice.
  • 10. Here's a report on APT3, and you'll see right here at the beginning that it refers to them as Buckeye. Lots of times these aliases are indicated front and center in reporting. Remember when I said not to forget campaigns? Operation Double Tap and Operation Clandestine Fox are both attributed to APT3, or UPS. Sometimes these aliases start to get a little conflated though, so you need to be careful. Here we see the APT3 group referred to as 'Pirpi', which is actually the name of one of their tools. Because of this, it's sometimes hard to differentiate between the behavior of the group and the behavior of a tool.
  • 11. So, we've gathered a bunch of threat intel. Cool. Now what? In step 2, we need to actually go through that threat intel to figure out what the behaviors are, determine capabilities, and establish motives. There are a few things to keep in mind as we go through this next piece: the what, the why, and the how. This is one reason why it's nice to use ATT&CK: it captures a lot of this information already in its TTP format.
  • 12. There are three main kinds of reporting I see with information needed for Adversary Emulation:
    – Prose writing in paragraphs (like you see here)
    – In-depth analysis of specific malware samples (which you'll see next)
    – Prose writing about specific malware samples (somewhere between the two; that's our last example)
    So, how do you approach something like this, and what is interesting for you as a red teamer wanting to do adversary emulation?
  • 13. Person 2
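Step 2 in the notes above (going through the gathered reporting and expressing the behaviors as ATT&CK TTPs) becomes actionable for the blue team once the technique IDs pulled from several reports are tallied together, so the most-cited techniques can be prioritized for detection work first. The script below is an added example, not code from the talk or from MITRE: it takes the technique IDs the slides extract from the three APT3 reports, counts how many reports cite each one, and emits both a ranked list and an ATT&CK Navigator layer (the Navigator is linked on the contact slide). The report labels, the grouping of IDs by report, and the exact set of layer fields are this example's own assumptions.

```python
"""Tally ATT&CK techniques extracted from several threat reports and turn the
result into a prioritized list plus an ATT&CK Navigator layer.

Added example, not the talk's or MITRE's code. Technique IDs and names are the
ones the slides pull out of the three APT3 reports (2018-era ATT&CK numbering);
the report labels, the per-report grouping and the layer fields are assumptions.
"""
import json
from collections import Counter

# Technique IDs and names exactly as listed on the three "Threat Intel" slides.
TECHNIQUE_NAMES = {
    "T1068": "Exploitation for Privilege Escalation",
    "T1059": "Command-Line Interface",
    "T1033": "System Owner/User Discovery",
    "T1053": "Scheduled Task",
    "T1065": "Uncommonly Used Port",
    "T1094": "Custom Command and Control Protocol",
    "T1069": "Permission Groups Discovery",
    "T1049": "System Network Connections Discovery",
    "T1018": "Remote System Discovery",
    "T1107": "File Deletion",
    "T1057": "Process Discovery",
    "T1034": "Path Interception",  # the slide marks this one with a "?"
    "T1056": "Input Capture",
    "T1027": "Obfuscated Files or Information",
    "T1016": "System Network Configuration Discovery",
    "T1077": "Windows Admin Shares",
    "T1035": "Service Execution",
    "T1003": "Credential Dumping",
    "T1055": "Process Injection",
}

# Constructed report -> technique mapping (assumption): one entry per slide, in
# slide order (FireEye DoubleTap post, REcon Pirpi slides, Symantec Buckeye post).
REPORTS = {
    "fireeye-doubletap": ["T1068", "T1059", "T1033", "T1053", "T1065", "T1094"],
    "recon-pirpi": ["T1069", "T1049", "T1059", "T1018", "T1107", "T1057", "T1034"],
    "symantec-buckeye": ["T1056", "T1027", "T1016", "T1077", "T1035", "T1003", "T1055"],
}


def tally_techniques(reports):
    """Count in how many reports each technique appears.

    A report contributes at most one vote per technique, so listing the same
    ID twice in one report does not inflate its weight.
    """
    counts = Counter()
    for technique_ids in reports.values():
        counts.update(set(technique_ids))
    return counts


def prioritize(counts, names=TECHNIQUE_NAMES):
    """Return (technique_id, name, report_count) tuples, most-cited first.

    Ties are broken by technique ID so the ranking is stable across runs.
    """
    rows = [(tid, names.get(tid, "unknown"), n) for tid, n in counts.items()]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


def navigator_layer(counts, names=TECHNIQUE_NAMES, layer_name="APT3 emulation priorities"):
    """Build a minimal ATT&CK Navigator layer as a dict.

    "techniqueID", "score" and "comment" are Navigator layer field names; the
    set of required top-level fields depends on the Navigator version, so
    treat this shape as an assumption and validate it against the version run.
    """
    return {
        "name": layer_name,
        "domain": "enterprise-attack",
        "description": "Techniques scored by the number of reports citing them",
        "techniques": [
            {
                "techniqueID": tid,
                "score": n,
                "comment": f"{names.get(tid, 'unknown')}: cited in {n} report(s)",
            }
            for tid, n in sorted(counts.items())
        ],
    }


def layer_json(reports=REPORTS):
    """Tally the reports, build the layer and serialise it for the Navigator."""
    return json.dumps(navigator_layer(tally_techniques(reports)), indent=2)


if __name__ == "__main__":
    for tid, name, n in prioritize(tally_techniques(REPORTS)):
        print(f"{tid}  {n}  {name}")
    print(layer_json())
```

With the constructed input, T1059 (Command-Line Interface) is the only technique cited by two reports and so ranks first; everything else ties at one. Loading the printed layer into the Navigator colors the matrix by that score, which gives blue a concrete starting point for detection engineering and gives red the technique list an emulation plan should cover. Extending the input to more reports, or weighting recent reports higher (as note 9 recommends), only requires changing the `REPORTS` table or the scoring in `tally_techniques`.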