Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

2. Endpoint Detect and Respond Case Study
Convergence of cyber endpoint technologies offering varying combos of protect / detect / respond / contain / alert
– Malware Detection, Behavioral Detection, Incident Response, DLP Technology, App Isolation Technologies, Deception for Detection
Capitalize on ATT&CK and post-exploit detection expertise to declutter the space for MITRE’s sponsors
– To evaluate cyber defense, emulate cyber offense.
[Figure: from adversary behavior to ATT&CK to FMX]
Adversary Behavior: cyber threat analysis, research, industry reports
ATT&CK: adversary model (APT3, APT29, etc.), post-compromise techniques
FMX: data sources, analytics, prioritization
©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 18-0179
3. Traditional Offensive Testing Workflow
Typical Red vs Blue event flow:
Red team: Intel Gathering, Vulnerability Assessment, Target Acquisition, Exploitation, Privilege Escalation, Lateral Movement, Persistence, Exfiltration, Report Findings
Blue team: Collect, Protect, Detect, Triage, Investigate, Coordinate, Remediate
4. Improved Offensive Testing Workflow
After a traditional Red vs Blue event, start blended retesting: each Traditional Red Team phase (Intel Gathering, Vulnerability Assessment, Target Acquisition, Exploitation, Privilege Escalation, Lateral Movement, Persistence, Exfiltration) is followed by a Protect/Defend step by the Traditional Blue Team before the next phase begins.
Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm
5. Need Common Criteria
Articulate
– To vendors and US government customers
Repeat
– To verify results and retest
Measure
– Gauge improvement
attack.mitre.org
6. Bianco’s Pyramid of Pain
Source: David Bianco
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
7. Adversary Emulation Using ATT&CK
Create Emulation plans using ATT&CK
Helps focus testing on individual patterns of behavior
– Identify if existing detection mechanisms, analytics, mitigations work
– Gaps in visibility, data, tools, process, hardening discovered
– Address gaps within defenses by improving system
– Re-test regularly using varied behavior and objectives
ATT&CK matrix as shown on the slide, techniques grouped by tactic column:
Persistence: Accessibility Features, AppInit DLLs, Basic Input/Output System, Bootkit, Change Default File Handlers, Component Firmware, DLL Search Order Hijacking, Hypervisor, Legitimate Credentials, Local Port Monitor, Logon Scripts, Modify Existing Service, New Service, Path Interception, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Security Support Provider, Service File Permissions Weakness, Service Registry Permissions Weakness, Shortcut Modification, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL
Privilege Escalation: Accessibility Features, AppInit DLLs, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking, Exploitation of Vulnerability, Legitimate Credentials, Local Port Monitor, New Service, Path Interception, Scheduled Task, Service File Permissions Weakness, Service Registry Permissions Weakness, Web Shell
Defense Evasion: Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, DLL Injection, DLL Search Order Hijacking, DLL Side-Loading, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, File System Logical Offsets, Indicator Blocking on Host, Indicator Removal from Tools, Indicator Removal on Host, Legitimate Credentials, Masquerading, Modify Registry, NTFS Extended Attributes, Obfuscated Files or Information, Process Hollowing, Redundant Access, Rootkit, Rundll32, Scripting, Software Packing, Timestomp
Credential Access: Brute Force, Credential Dumping, Credential Manipulation, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Two-Factor Authentication Interception
Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Local Network Configuration Discovery, Local Network Connections Discovery, Network Service Scanning, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery
Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Windows Admin Shares, Windows Remote Management
Execution: Command-Line, Execution through API, Graphical User Interface, PowerShell, Process Hollowing, Rundll32, Scheduled Task, Service Execution, Third-party Software, Windows Management Instrumentation, Windows Remote Management
Collection: Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Screen Capture
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
Command and Control: Commonly Used Port, Communication Through Removable Media, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Peer Connections, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
8. Successful Adversary Emulation
Make it real: Use the same techniques, tools, methods and goals of an attacker
End-to-End: Don’t just look for holes or perform small attacks. Start from the initial compromise and go until objectives are accomplished
Repeatable: Be repeatable, so that your detection and prevention improvement (or degradation) can be measured over time
9. Adversary Emulation Process:
– Threat Intelligence Acquisition
– Extract Actionable Techniques
– Develop Tools and Analyze Adversary Modus Operandi
– Setup Infrastructure and Emulate Adversary
Constraining the Test: Intel, Technical Capability, Time
[Figure: ATT&CK Techniques in Scope (Partial Matrix – APT3)]
10. APT Emulation Plan – Plan Phases
12. A Common Scorecard
– Grey: APT3 techniques not tested
– Green: tested and detected
– Yellow: tested but not detected, though they could have been
– Red: sensor gaps
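The scorecard legend above, and the slide 7 point that an emulation run should separate "analytics that did not fire" from "data that was never collected", can be turned into a small tool. The following is an added example written for this page, not MITRE's code and not the scorecard used in the APT3 evaluation: the plan phases, the technique-to-data-source mapping, the executed/detected sets and the collected data sources are all constructed inputs, and the ATT&CK IDs are taken from the 2018-era numbering and should be checked against attack.mitre.org before reuse. The yellow/red split is decided by whether the data source an analytic for that technique would need was being collected during the run.

```python
"""Scorecard for an ATT&CK-based emulation run (added example, not MITRE's code).

Plan phases, technique IDs, required data sources and run results are
constructed for illustration; verify IDs on attack.mitre.org before reuse.
"""
from collections import Counter

# Constructed emulation plan: ordered phases, each step tagged with the
# ATT&CK technique it exercises (IDs as numbered in the 2018-era matrix).
EMULATION_PLAN = [
    ("Initial Compromise", [("T1086", "PowerShell", "stager launched via powershell -enc")]),
    ("Discovery", [("T1057", "Process Discovery", "tasklist /v"),
                   ("T1016", "System Network Configuration Discovery", "ipconfig /all"),
                   ("T1083", "File and Directory Discovery", "dir /s C:\\Users")]),
    ("Privilege Escalation", [("T1088", "Bypass User Account Control", "eventvwr.exe registry hijack")]),
    ("Credential Access", [("T1003", "Credential Dumping", "LSASS memory read")]),
    ("Lateral Movement", [("T1075", "Pass the Hash", "SMB logon with NTLM hash"),
                          ("T1105", "Remote File Copy", "copy agent to ADMIN$")]),
    ("Exfiltration", [("T1002", "Data Compressed", "zip of staged docs"),
                      ("T1041", "Exfiltration Over Command and Control Channel", "upload over C2")]),
]

# Data source a blue-team analytic would need for each technique (constructed).
REQUIRED_DATA_SOURCE = {
    "T1086": "process command line", "T1057": "process command line",
    "T1016": "process command line", "T1083": "process command line",
    "T1088": "registry", "T1003": "process access",
    "T1075": "authentication logs", "T1105": "file creation",
    "T1002": "process command line", "T1041": "netflow",
}

# Constructed run results: steps actually executed, steps that raised an alert,
# and the data sources the sensors were collecting during the run.
EXECUTED = {"T1086", "T1057", "T1016", "T1088", "T1003", "T1075", "T1105", "T1002"}
DETECTED = {"T1086", "T1057", "T1075"}
COLLECTED_SOURCES = {"process command line", "authentication logs", "netflow"}


def score_technique(tid, executed, detected, collected, required=REQUIRED_DATA_SOURCE):
    """Map one technique to the slide's four colours.

    grey   - in the plan but not tested this run
    green  - tested and an analytic fired
    yellow - tested, no alert, but the needed data source was being collected
             (an analytic gap: fixable by writing a rule over existing data)
    red    - tested, no alert, and the data source was not collected
             (a sensor gap: no rule can help until visibility exists)
    """
    if tid not in executed:
        return "grey"
    if tid in detected:
        return "green"
    if required.get(tid) in collected:
        return "yellow"
    return "red"


def build_scorecard(plan=EMULATION_PLAN, executed=EXECUTED, detected=DETECTED,
                    collected=COLLECTED_SOURCES):
    """Return {phase: [(technique_id, name, colour), ...]} for every planned step."""
    card = {}
    for phase, steps in plan:
        card[phase] = [(tid, name, score_technique(tid, executed, detected, collected))
                       for tid, name, _ in steps]
    return card


def summarize(card):
    """Count colours across the plan; diff this between runs to measure drift."""
    return Counter(colour for steps in card.values() for _, _, colour in steps)


if __name__ == "__main__":
    card = build_scorecard()
    for phase, steps in card.items():
        print(phase)
        for tid, name, colour in steps:
            print(f"  {tid:6} {name:46} {colour}")
    print(dict(summarize(card)))
```

Re-running the same plan after adding a rule or a sensor and comparing the two Counter results is the "Measure" criterion from slide 5 in its simplest form; a technique that moves from red to yellow shows a visibility fix, from yellow to green an analytic fix.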
13. Frequency of Offensive Testing
[Figure: Atomic Testing, Adversary Emulation and Red Teaming plotted against Time; Knowledge Base]
14. Automating where possible
Takes care of the simple to allow you to focus on the difficult.
Several options to actuate your plans:
– Custom, roll-your-own methods
– Automated Breach Simulation vendors: AttackIQ, SafeBreach, Verodin, etc.
– MITRE CALDERA
15. MITRE Adversary Emulation Resources
ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge, a knowledge base and adversary behavioral model for describing how adversaries operate across their lifecycle
Adversary Emulation Playbooks – Open source threat intel and ATT&CK-based adversary group profiles that describe how to emulate a specific group
CALDERA – An automated adversary emulation system built on ATT&CK that is useful for emulating pre-programmed sets of behavior
– Open source: https://github.com/mitre/caldera
– Closed source research version available to sponsors
LETS@MITRE.ORG – ATTACK@MITRE.ORG
16. Reasons to Release and Focus on Adversary Emulation Plans
Helps smaller shops run APT-style red teams but, more importantly, paves the way for real-world, data-driven red teams
Highlight the type of intel we can use, e.g., move IR reports away from Indicators of Compromise and toward behaviors.
– The intel would be immediately useful
Provides a good “sellable” back-story, especially if in an affected industry
Enables apples-to-apples comparisons
Lowers the bar to “offensive testing,” empowering blue teams with the ability to run checks themselves
Creating emulation plans identifies what is unavoidable when performing a certain TTP and what is not.
– For what is avoidable, run the gamut of the different permutations and actuations of a TTP
– For what is not avoidable, defenders should focus on the “pinch point” to quell all possibilities to the right, sometimes hamstringing the TTP category as a whole.
Editor's Notes: Excerpt of flow chart and tools table from the APT Emulation Plan recently released from this project on attack.mitre.org