Frank Duff
Christopher Korban
1/31/2018
Evolution of Security Posture Assessments
Approved for Public Release; Distribution Unlimited. Case Number 18-0179 ©2018 The MITRE Corporation. All Rights Reserved
Endpoint Detect and Respond Case Study
• Convergence of cyber endpoint technologies offering varying combos of protect / detect / respond / contain / alert
  – Malware Detection, Behavioral Detection, Incident Response, DLP Technology, App Isolation Technologies, Deception for Detection
• Capitalize on ATT&CK and post-exploit detection expertise to declutter the space for MITRE’s sponsors
  – To evaluate cyber defense, emulate cyber offense.
Figure, three boxes:
• Adversary Behavior: cyber threat analysis; research; industry reports
• ATT&CK: adversary model (APT3, APT29, etc.); post-compromise techniques
• FMX: data sources; analytics; prioritization
Traditional Offensive Testing Workflow
Figure, two parallel flows:
• Red: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
• Blue: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
• Typical Red vs Blue event flow
Improved Offensive Testing Workflow
Figure, one blended flow with a Protect/Defend step after every phase:
Intel Gathering → Protect/Defend → Vulnerability Assessment → Protect/Defend → Target Acquisition → Protect/Defend → Exploitation → Protect/Defend → Privilege Escalation → Protect/Defend → Lateral Movement → Protect/Defend → Persistence → Protect/Defend → Exfiltration → Protect/Defend
Legend: Traditional Red Team (attack phases); Traditional Blue Team (Protect/Defend steps)
• After a traditional Red vs Blue event, start blended retesting.
Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm
Need Common Criteria
• Articulate
  – To vendors and US government customers
• Repeat
  – To verify results and retest
• Measure
  – Gauge improvement
attack.mitre.org
Bianco’s Pyramid of Pain
Source: David Bianco
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Adversary Emulation Using ATT&CK
• Create emulation plans using ATT&CK
• Helps focus testing on individual patterns of behavior
  – Identify whether existing detection mechanisms, analytics, and mitigations work
  – Gaps in visibility, data, tools, process, and hardening are discovered
  – Address gaps within defenses by improving the system
  – Re-test regularly using varied behavior and objectives
ATT&CK matrix shown on the slide, listed by tactic column:
• Persistence: Accessibility Features, AppInit DLLs, Basic Input/Output System, Bootkit, Change Default File Handlers, Component Firmware, DLL Search Order Hijacking, Hypervisor, Legitimate Credentials, Local Port Monitor, Logon Scripts, Modify Existing Service, New Service, Path Interception, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Security Support Provider, Service File Permissions Weakness, Service Registry Permissions Weakness, Shortcut Modification, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL
• Privilege Escalation: Accessibility Features, AppInit DLLs, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking, Exploitation of Vulnerability, Legitimate Credentials, Local Port Monitor, New Service, Path Interception, Scheduled Task, Service File Permissions Weakness, Service Registry Permissions Weakness, Web Shell
• Defense Evasion: Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, DLL Injection, DLL Search Order Hijacking, DLL Side-Loading, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, File System Logical Offsets, Indicator Blocking on Host, Indicator Removal from Tools, Indicator Removal on Host, Legitimate Credentials, Masquerading, Modify Registry, NTFS Extended Attributes, Obfuscated Files or Information, Process Hollowing, Redundant Access, Rootkit, Rundll32, Scripting, Software Packing, Timestomp
• Credential Access: Brute Force, Credential Dumping, Credential Manipulation, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Two-Factor Authentication Interception
• Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Local Network Configuration Discovery, Local Network Connections Discovery, Network Service Scanning, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery
• Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Windows Admin Shares, Windows Remote Management
• Execution: Command-Line, Execution through API, Graphical User Interface, PowerShell, Process Hollowing, Rundll32, Scheduled Task, Service Execution, Third-party Software, Windows Management Instrumentation, Windows Remote Management
• Collection: Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Screen Capture
• Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
• Command and Control: Commonly Used Port, Communication Through Removable Media, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Peer Connections, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
Successful Adversary Emulation
• Make it real: Use the same techniques, tools, methods and goals of an attacker.
• End-to-End: Don’t just look for holes or perform small attacks. Start from the initial compromise and go until objectives are accomplished.
• Repeatable: Be repeatable, so that your detection and prevention improvement (or degradation) can be measured over time.
• Adversary Emulation Process:
  – Threat Intelligence Acquisition
  – Extract Actionable Techniques
  – Develop Tools and Analyze Adversary Modus Operandi
  – Setup Infrastructure and Emulate Adversary
• Constraining the Test: Intel, Technical Capability, Time
Figure: ATT&CK Techniques in Scope (Partial Matrix – APT3)
APT Emulation Plan – Plan Phases
Actionable Emulation Plan
A Common Scorecard
• Grey - APT3 techniques not tested
• Green - tested and detected
• Yellow - tested and not detected, but could have been
• Red - sensor gaps
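The four scorecard colours above, plus the "measure improvement over time" goal from the earlier slides, as an added example that is not MITRE's tooling: it scores emulation results per technique, rolls them up per tactic column, and classifies the change between two runs. Technique and tactic names are taken from the matrix on the page; the result fields (tested / detected / sensor_data) and the two sample runs are constructed assumptions.

```python
"""Scorecard for ATT&CK-based emulation results, using the four colours on
the slide. Added example, not MITRE's code; the runs below are constructed."""
from collections import Counter
from dataclasses import dataclass

GREY, GREEN, YELLOW, RED = "grey", "green", "yellow", "red"


@dataclass(frozen=True)
class TestResult:
    technique: str     # ATT&CK technique name as it appears in the matrix
    tactic: str        # matrix column the technique was exercised under
    tested: bool       # False = in the emulation plan but never executed
    detected: bool     # an analytic or alert fired on the activity
    sensor_data: bool  # the telemetry needed to see the activity was collected


def score(r: TestResult) -> str:
    """Map one result to a scorecard colour.

    grey   - technique not tested (detected/sensor flags are meaningless)
    green  - tested and detected
    yellow - tested, missed, but the data to detect it was there (analytic gap)
    red    - tested, missed, and the data was never collected (sensor gap)
    """
    if not r.tested:
        return GREY
    if r.detected:
        return GREEN
    return YELLOW if r.sensor_data else RED


def build_scorecard(results):
    """technique -> colour. A later entry for the same technique overrides
    an earlier one, so a retest within a run replaces the first attempt."""
    return {r.technique: score(r) for r in results}


def tactic_summary(results):
    """tactic -> {colour: count}, the per-column view of the matrix."""
    summary = {}
    for r in results:
        summary.setdefault(r.tactic, Counter())[score(r)] += 1
    return summary


def compare(previous, current):
    """Classify each technique's change between two scorecards so that
    detection improvement (or degradation) is measurable across retests."""
    rank = {RED: 0, YELLOW: 1, GREEN: 2}  # grey is 'unknown', not a rank
    changes = {}
    for tech in sorted(set(previous) | set(current)):
        before = previous.get(tech, GREY)
        after = current.get(tech, GREY)
        if before == after:
            changes[tech] = "unchanged"
        elif before == GREY:
            changes[tech] = "newly tested"
        elif after == GREY:
            changes[tech] = "not retested"
        elif rank[after] > rank[before]:
            changes[tech] = "improved"
        else:
            changes[tech] = "regressed"
    return changes


# Constructed results for two emulation runs against the same environment.
RUN1 = [
    TestResult("Credential Dumping", "Credential Access", True, False, True),
    TestResult("Scheduled Task", "Persistence", True, True, True),
    TestResult("Pass the Hash", "Lateral Movement", True, False, False),
    TestResult("Rundll32", "Defense Evasion", False, False, False),
    TestResult("Account Discovery", "Discovery", True, True, True),
]
# Second run, after new analytics and sensors were deployed (constructed).
RUN2 = [
    TestResult("Credential Dumping", "Credential Access", True, True, True),
    TestResult("Scheduled Task", "Persistence", True, False, True),
    TestResult("Pass the Hash", "Lateral Movement", True, False, True),
    TestResult("Rundll32", "Defense Evasion", True, False, False),
]

if __name__ == "__main__":
    for tech, colour in build_scorecard(RUN1).items():
        print(f"{tech:20} {colour}")
    for tech, change in compare(build_scorecard(RUN1), build_scorecard(RUN2)).items():
        print(f"{tech:20} {change}")
```

A technique absent from the second run is reported as "not retested" rather than as a regression, which keeps a shorter retest from looking like a drop in detection.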
Frequency of Offensive Testing
Figure: Atomic Testing, Adversary Emulation, and Red Teaming plotted against Time, with the Knowledge Base as the shared input
Automating where possible
• Takes care of the simple to allow you to focus on the difficult.
• Several options to actuate your plans:
  – Custom, roll-your-own methods
  – Automated Breach Simulation vendors: AttackIQ, SafeBreach, Verodin, etc.
  – MITRE CALDERA
MITRE Adversary Emulation Resources
• ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge, a knowledge base and adversary behavioral model for describing how adversaries operate across their lifecycle
• Adversary Emulation Playbooks – Open source threat intel and ATT&CK-based adversary group profiles that describe how to emulate a specific group
• CALDERA – An automated adversary emulation system built off of ATT&CK that is useful for emulating pre-programmed sets of behavior
  – Open source: https://github.com/mitre/caldera
  – Closed source research version available to sponsors
LETS@MITRE.ORG – ATTACK@MITRE.ORG
Reasons to Release and Focus on Adversary Emulation Plans
• Helps smaller shops run APT-style red teams but, more importantly, paves the way for real-world, data-driven red teams
• Highlight the type of intel we can use, e.g., move IR reports away from Indicators of Compromise and toward behaviors.
  – The intel would be immediately useful
• Provides a good “sellable” back-story, especially if in an affected industry
• Enables apples-to-apples comparisons
• Lowers the bar to “offensive testing,” empowering blue teams with the ability to run checks themselves
• Creating emulation plans identifies what is unavoidable when performing a certain TTP and what is avoidable.
  – For what is avoidable, run the gamut of the different permutations and actuations of a TTP
  – For what is not avoidable, defenders should focus on the “pinch point” to quell all possibilities to the right, sometimes hamstringing the TTP category as a whole.
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

  • 1. Frank Duff Christopher Korban 1/31/2018 Evolution of Security Posture Assessments Approved for Public Release; Distribution Unlimited. Case Number 18-0179 ©2018 The MITRE Corporation. All Rights Reserved
  • 2. Endpoint Detect and Respond Case Study  Convergence of cyber endpoint technologies offering varying combos of protect / detect / respond / contain / alert – Malware Detection, Behavioral Detection, Incident Response , DLP Technology, App Isolation Technologies, Deception for Detection  Capitalize on ATT&CK and post-exploit detection expertise to declutter the space for MITRE’s sponsors – To evaluate cyber defense, emulate cyber offense. •Cyber threat analysis •Research •Industry reports Adversary Behavior •Adversary model (APT3, APT29, etc.) •Post-compromise techniques ATT&CK •Data sources •Analytics •Prioritization FMX ©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
  • 3. Traditional Offensive Testing Workflow Intel Gathering Vulnerability Assessment Target Acquisition Exploitation Privilege Escalation Lateral Movement Persistence Exfiltration Report Findings Collect Protect Detect Triage Investigate Coordinate Remediate  Typical Red vs Blue event flow ©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
  • 4. Improved Offensive Testing Workflow Intel Gathering Protect/Defend Vulnerability Assessment Protect/Defend Target Acquisition Protect/Defend Exploitation Protect/Defend Privilege Escalation Protect/Defend Lateral Movement Protect/Defend Persistence Protect/Defend Exfiltration Protect/Defend Traditional Red Team Traditional Blue Team  After a traditional Red vs Blue event start blended retesting: Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm ©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
  • 5. Need Common Criteria  Articulate – To vendors and US government customers  Repeat – To verify results and retest  Measure – Gauge improvement attack.mitre.org ©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
  • 6. Bianco’s Pyramid of Pain Source: David Bianco https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html ©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
  • 7. Adversary Emulation Using ATT&CK  Create Emulation plans using ATT&CK  Helps focus testing on individual patterns of behavior – Identify if existing detection mechanisms, analytics, mitigations work – Gaps in visibility, data, tools, process, hardening discovered – Address gaps within defenses by improving system – Re-test regularly using varied behavior and objectives Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control Accessibility Features Accessibility Features Binary Padding Brute Force Account Discovery Application Deployment Software Command-Line Automated Collection Automated Exfiltration Commonly Used Port AppInit DLLs AppInit DLLs Bypass User Account Control Credential Dumping Application Window Discovery Exploitation of Vulnerability Execution through API Clipboard Data Data Compressed Communication Through Removable Media Basic Input/Output System Bypass User Account Control Code Signing Credential Manipulation File and Directory Discovery Logon Scripts Graphical User Interface Data Staged Data Encrypted Custom Command and Control Protocol Bootkit DLL Injection Component Firmware Credentials in Files Local Network Configuration Discovery Pass the Hash PowerShell Data from Local System Data Transfer Size Limits Custom Cryptographic Protocol Change Default File Handlers DLL Search Order Hijacking DLL Injection Exploitation of Vulnerability Local Network Connections Discovery Pass the Ticket Process Hollowing Data from Network Shared Drive Exfiltration Over Alternative Protocol Data Obfuscation Component Firmware Exploitation of Vulnerability DLL Search Order Hijacking Input Capture Network Service Scanning Remote Desktop Protocol Rundll32 Data from Removable Media Exfiltration Over Command and Control Channel Fallback Channels DLL Search Order Hijacking Legitimate Credentials DLL Side-Loading Network Sniffing Peripheral Device Discovery Remote File 
Copy Scheduled Task Email Collection Exfiltration Over Other Network Medium Multi-Stage Channels Hypervisor Local Port Monitor Disabling Security Tools Two-Factor Authentication Interception Permission Groups Discovery Remote Services Service Execution Input Capture Exfiltration Over Physical Medium Multiband Communication Legitimate Credentials New Service Exploitation of Vulnerability Process Discovery Replication Through Removable Media Third-party Software Screen Capture Scheduled Transfer Multilayer Encryption Local Port Monitor Path Interception File Deletion Query Registry Shared Webroot Windows Management Instrumentation Peer Connections Logon Scripts Scheduled Task File System Logical Offsets Remote System Discovery Taint Shared Content Windows Remote Management Remote File Copy Modify Existing Service Service File Permissions Weakness Indicator Blocking on Host Security Software Discovery Windows Admin Shares Standard Application Layer Protocol New Service Service Registry Permissions Weakness Indicator Removal from Tools System Information Discovery Windows Remote Management Standard Cryptographic Protocol Path Interception Web Shell Indicator Removal on Host System Owner/User Discovery Standard Non-Application Layer Protocol Redundant Access Legitimate Credentials System Service Discovery Uncommonly Used Port Registry Run Keys / Start Folder Masquerading Web Service Scheduled Task Modify Registry Security Support Provider NTFS Extended Attributes Service File Permissions Weakness Obfuscated Files or Information Service Registry Permissions Weakness Process Hollowing Shortcut Modification Redundant Access Web Shell Rootkit Windows Management Instrumentation Event Subscription Rundll32 Winlogon Helper DLL Scripting Software Packing Timestomp©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
  • 8. Successful Adversary Emulation
     Make it real: use the same techniques, tools, methods and goals of an attacker
     End-to-end: don’t just look for holes or perform small attacks. Start from the initial compromise and go until objectives are accomplished
     Repeatable: be repeatable, so that your detection and prevention improvement (or degradation) can be measured over time
  • 9. Adversary Emulation Process
    – Threat Intelligence Acquisition
    – Extract Actionable Techniques
    – Develop Tools and Analyze Adversary Modus Operandi
    – Setup Infrastructure and Emulate Adversary
    [Figure: Constraining the Test, bounded by Intel, Technical Capability and Time]
    [Figure: ATT&CK Techniques in Scope (Partial Matrix – APT3)]
  • 10. APT Emulation Plan – Plan Phases
  • 11. Actionable Emulation Plan
  • 12. A Common Scorecard
    – Grey: APT3 techniques not tested
    – Green: tested and detected
    – Yellow: tested and not detected, but could have been
    – Red: sensor gaps
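The scorecard on this slide and the "repeatable, measured over time" point on slide 8 can be computed rather than coloured by hand. The following is an added example, not code from the slides or from MITRE: it rates each technique in an adversary profile grey, green, yellow or red from the results of an emulation run, then compares two runs to surface regressions. The technique names are taken from the ATT&CK matrix on slide 7; the profile, the two runs and the `TestResult` layout are constructed sample data and are not MITRE's APT3 plan.

```python
"""Colour scorecard for an ATT&CK-based emulation run, plus run-to-run comparison.

Added example. Assumptions (not from the slides): the TestResult layout and the
PROFILE / RUN_* data below are ours; technique names come from the ATT&CK matrix
on slide 7, but the profile is constructed, not the real APT3 profile.
"""
from dataclasses import dataclass
from enum import Enum


class Rating(str, Enum):
    GREY = "grey"      # in the adversary profile, not tested
    GREEN = "green"    # tested and detected
    YELLOW = "yellow"  # tested, not detected, but telemetry existed (analytic gap)
    RED = "red"        # tested, not detected, no telemetry at all (sensor gap)


# Higher is worse. GREY means "unknown" and is never compared.
SEVERITY = {Rating.GREEN: 0, Rating.YELLOW: 1, Rating.RED: 2}


@dataclass(frozen=True)
class TestResult:
    technique: str    # ATT&CK technique name as written on the matrix
    detected: bool    # an analytic or alert fired on the emulated activity
    telemetry: bool   # some sensor recorded the activity, whether or not it alerted


def rate(result: TestResult) -> Rating:
    """Single-result rating, following the slide's colour legend."""
    if result.detected:
        return Rating.GREEN
    return Rating.YELLOW if result.telemetry else Rating.RED


def scorecard(profile: list[str], results: list[TestResult]) -> dict[str, Rating]:
    """Rate every technique in the profile; untested ones stay grey.

    When a technique was run with several procedures (slide 16: "run the gamut
    for the different permutations"), the worst outcome wins so that an
    undetected variant is not hidden behind a detected one.
    """
    card = {t: Rating.GREY for t in profile}
    for r in results:
        if r.technique not in card:       # executed but outside this profile
            continue
        new, old = rate(r), card[r.technique]
        if old is Rating.GREY or SEVERITY[new] > SEVERITY[old]:
            card[r.technique] = new
    return card


def summary(card: dict[str, Rating]) -> dict[Rating, int]:
    counts = {r: 0 for r in Rating}
    for r in card.values():
        counts[r] += 1
    return counts


def coverage(card: dict[str, Rating]) -> float:
    """Share of tested techniques that were detected (grey is excluded)."""
    tested = [r for r in card.values() if r is not Rating.GREY]
    return sum(r is Rating.GREEN for r in tested) / len(tested) if tested else 0.0


def regressions(before: dict[str, Rating], after: dict[str, Rating]) -> list[tuple[str, str, str]]:
    """Techniques tested in both runs whose rating got worse."""
    worse = []
    for t, old in before.items():
        new = after.get(t)
        if old is Rating.GREY or new is None or new is Rating.GREY:
            continue
        if SEVERITY[new] > SEVERITY[old]:
            worse.append((t, old.value, new.value))
    return sorted(worse)


# Constructed sample data: a small profile drawn from the matrix on slide 7.
PROFILE = [
    "Credential Dumping", "Scheduled Task", "PowerShell", "Pass the Hash",
    "Remote File Copy", "Exfiltration Over Command and Control Channel",
    "Registry Run Keys / Start Folder", "Bypass User Account Control",
]
RUN_JANUARY = [
    TestResult("Credential Dumping", detected=True, telemetry=True),
    TestResult("Scheduled Task", detected=False, telemetry=True),
    TestResult("PowerShell", detected=True, telemetry=True),
    TestResult("PowerShell", detected=False, telemetry=True),   # second procedure variant
    TestResult("Pass the Hash", detected=False, telemetry=False),
    TestResult("Remote File Copy", detected=True, telemetry=True),
]
RUN_MARCH = [
    TestResult("Credential Dumping", detected=False, telemetry=True),  # analytic stopped firing
    TestResult("Scheduled Task", detected=True, telemetry=True),
    TestResult("PowerShell", detected=True, telemetry=True),
    TestResult("PowerShell", detected=True, telemetry=True),
    TestResult("Pass the Hash", detected=False, telemetry=True),       # new sensor, no analytic yet
    TestResult("Remote File Copy", detected=True, telemetry=True),
    TestResult("Registry Run Keys / Start Folder", detected=False, telemetry=False),
]

if __name__ == "__main__":
    jan, mar = scorecard(PROFILE, RUN_JANUARY), scorecard(PROFILE, RUN_MARCH)
    for t in PROFILE:
        print(f"{t:48} {jan[t].value:7} -> {mar[t].value}")
    print("detection rate:", coverage(jan), "->", coverage(mar))
    print("regressions:", regressions(jan, mar))
```

Taking the worst rating per technique is a deliberate choice: a green card that averages away an undetected procedure variant would report coverage the defenders do not actually have. The `regressions` list is what makes the exercise repeatable in the sense of slide 8; it turns the second run into a check that earlier fixes still hold rather than a fresh one-off assessment.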
  • 13. Frequency of Offensive Testing
    [Figure: testing approaches plotted against time: Atomic Testing, Adversary Emulation, Red Teaming; Knowledge Base]
  • 14. Automating Where Possible
     Takes care of the simple to allow you to focus on the difficult.
     Several options to actuate your plans:
    – Custom, roll-your-own methods
    – Automated breach simulation vendors: AttackIQ, SafeBreach, Verodin, etc.
    – MITRE CALDERA
  • 15. MITRE Adversary Emulation Resources
     ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge, a knowledge base and adversary behavioral model for describing how adversaries operate across their lifecycle
     Adversary Emulation Playbooks – Open source threat intel and ATT&CK-based adversary group profiles that describe how to emulate a specific group
     CALDERA – An automated adversary emulation system built off of ATT&CK that is useful for emulating pre-programmed sets of behavior
    – Open source: https://github.com/mitre/caldera
    – Closed source research version available to sponsors
    LETS@MITRE.ORG – ATTACK@MITRE.ORG
  • 16. Reasons to Release and Focus on Adversary Emulation Plans
     Helps smaller shops run APT-style red teams but, more importantly, paves the way for real-world, data-driven red teams
     Highlights the type of intel we can use, e.g., moves IR reports away from Indicators of Compromise and toward behaviors.
    – The intel would be immediately useful
     Provides a good “sellable” back-story, especially if in an affected industry
     Enables apples-to-apples comparisons
     Lowers the bar to “offensive testing,” empowering blue teams with the ability to run checks themselves
     Creating emulation plans identifies what is unavoidable when performing a certain TTP and what is not.
    – For what is avoidable, run the gamut of the different permutations and actuations of a TTP
    – For what is not avoidable, defenders should focus on the “pinch point” to quell all possibilities to the right, sometimes hamstringing the TTP category as a whole

Editor's Notes

  1. Excerpt of flow chart and tools table from the APT Emulation Plan recently released from this project on attack.mitre.org