Purple Teaming with ATT&CK - x33fcon 2018

1. © 2018 The MITRE Corporation. All rights reserved. | 1 | Christopher Korban Cody Thomas x33fcon - May 2018 Threat-based Purple Teaming with ATT&CK Approved for public release. Distribution unlimited 18-0944-5

2. | 2 | © 2018 The MITRE Corporation. All rights reserved. ATT&CK T1033 – User Discovery  Christopher Korban – Lead Cyber Security Engineer – Works on ATT&CK – Creates Adversary Emulation Plans – @ckorban Approved for public release. Distribution unlimited 18-0944-5  Cody Thomas – Senior Cyber Security Engineer – Created Mac/Linux ATT&CK – Red Teamer and Tool Developer – @its_a_feature_

3. | 3 | © 2018 The MITRE Corporation. All rights reserved. Traditional Offensive Testing Workflow Intel Gathering Vulnerability Assessment Target Acquisition Exploitation Privilege Escalation Lateral Movement Persistence Exfiltration Report Findings Collect Protect Detect Triage Investigate Coordinate Remediate  Typical Red vs Blue event flow Approved for public release. Distribution unlimited 18-0944-5

4. | 4 | © 2018 The MITRE Corporation. All rights reserved. Traditional Outcomes  Red – Creates report of offensive techniques and IoCs for what they did – Wants to make sure they ‘win’ again next time – Leaves for a year  Blue – Deciphers Red’s report – Continues to deal with daily incident reports – Creates static detections for Red’s tools and IoCs – Might try to characterize malicious behavior  Typically has small sample size  No good way to keep testing  Little to no collaboration Approved for public release. Distribution unlimited 18-0944-5 https://aconsciouslifenow.com/wp-content/uploads/2017/07/Health-Wealth-Purpose-and-Love-thru-Releasing-the-Adversary.jpg

5. | 5 | © 2018 The MITRE Corporation. All rights reserved. Purple for a Better Future  What is purple teaming? – Remove win/lose mentality between red and blue  One team, one goal - improve security – Continual cooperation and sharing between red and blue  Transparency benefits all – Not just internal red teams, external red teams can do this too – More hands, moar secure? Approved for public release. Distribution unlimited 18-0944-5 https://media.giphy.com/media/yUlFNRDWVfxCM/giphy.gif

6. | 6 | © 2018 The MITRE Corporation. All rights reserved. Moving Towards Purple Workflow Intel Gathering Protect/Defend Vulnerability Assessment Protect/Defend Target Acquisition Protect/Defend Exploitation Protect/Defend Privilege Escalation Protect/Defend Lateral Movement Protect/Defend Persistence Protect/Defend Exfiltration Protect/Defend Traditional Red Team Action Traditional Blue Team Action  After a traditional Red vs Blue event start blended retesting: Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm Approved for public release. Distribution unlimited 18-0944-5

7. | 7 | © 2018 The MITRE Corporation. All rights reserved. Need Common Language for Purple  Communicate – To articulate test and results  Repeat – To verify results and retest  Measure – To gauge improvement across tests attack.mitre.org Approved for public release. Distribution unlimited 18-0944-5

12. | 12 | © 2018 The MITRE Corporation. All rights reserved. Adversary Emulation  AKA: Threat-based Red Teaming  Adversary Emulation – Emulate the techniques of an adversary that’s most likely to target your environment – Focus on the behaviors of those techniques instead of specific implementations Approved for public release. Distribution unlimited 18-0944-5 https://giphy.com/explore/hackerman https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543

13. | 13 | © 2018 The MITRE Corporation. All rights reserved. Adversary Emulation with ATT&CK Prototype APT3 emulation plan on attack.mitre.org Approved for public release. Distribution unlimited 18-0944-5

14. | 14 | © 2018 The MITRE Corporation. All rights reserved.  Test Components: – Amount of time for the emulation – Threat Intelligence  Extract Actionable Techniques  Extract adversary MO – Tools  Determine capability to emulate Constraining the Test Intel Technical Capability Length of Test ATT&CK Techniques in Scope (Partial Matrix – APT3) Approved for public release. Distribution unlimited 18-0944-5

15. | 15 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Setup Infrastructure Emulate Adversary Approved for public release. Distribution unlimited 18-0944-5

17. | 17 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Setup Infrastructure Emulate Adversary  What are the COTS / Open Source tools available?  Can you exhibit the right behaviors with these tools? – Can you extend them? – Can you modify them?  Do you need to develop something specific? – Delivery mechanisms – Command and Control – Capabilities Approved for public release. Distribution unlimited 18-0944-5

18. | 18 | © 2018 The MITRE Corporation. All rights reserved. Adversary Emulation Field Manual Discovery groups net localgroup administrators net group "Domain Admins" /domain dsquery group users net user net user /domain wmic user processes tasklist qprocess * Permutations bolster effectiveness of behavior-based defensive analytics and mission capabilities  Provides multiple implementations across toolsets  Provides offensive command-line examples Approved for public release. Distribution unlimited 18-0944-5

19. | 19 | © 2018 The MITRE Corporation. All rights reserved. Developing an Emulation Plan Threat Intelligence Acquisition Extract Actionable Techniques and Analyze M.O. Develop Tools Setup Infrastructure Emulate Adversary  Adjust generic plan for your environment – Is defense aware there will be red activity? Is it a Purple Team? Who are the in-scope users and boxes?  Setup offensive infrastructure – Command and Control server(s), redirector(s), create payloads, buy domains, test techniques, install offensive frameworks  Emulate Adversary – Don’t use known IoCs! Force detections on behavior not prior IOCs or signatured tools Approved for public release. Distribution unlimited 18-0944-5

20. | 20 | © 2018 The MITRE Corporation. All rights reserved. An Initial Capability Matrix for Planning Green - at least one implementation tested and detected Grey - technique in scope, but not tested Yellow - tested and weren't detected, but data collected Red - sensor gaps Approved for public release. Distribution unlimited 18-0944-5

21. | 21 | © 2018 The MITRE Corporation. All rights reserved. Update analytic or defensive configuration Use different implementation of same ATT&CK technique The Road to Success Approved for public release. Distribution unlimited 18-0944-5

22. | 22 | © 2018 The MITRE Corporation. All rights reserved. Benefits of Adversary Emulation  Red gets: – Cheat sheet of many technique implementations – OPSEC considerations per implementation  Blue gets: – Defensive playbook of how to detect ATT&CK technique behaviors – More data points for creating/refining analytics  Both get: – A better understanding of how techniques work – An offensive and defensive perspective on how to solve problems – Faster solution to problems Approved for public release. Distribution unlimited 18-0944-5

23. | 23 | © 2018 The MITRE Corporation. All rights reserved. Providing a Starting Point for Red/Blue  To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes  APT3 and APT29 – All based on open-source intelligence – Breakdowns of APT tools and capabilities mapped to ATT&CK – Descriptions of how these techniques are implemented – Potential operator flows during emulations – Cheat Sheets of commands across  Live off the Land binaries/scripts  Open source tools  Commercial toolkits  APT3 is on attack.mitre.org now  APT29 is Coming Soon™ Approved for public release. Distribution unlimited 18-0944-5

24. | 24 | © 2018 The MITRE Corporation. All rights reserved. Contact Us  Chris - @ckorban, ckorban@mitre.org  Cody - @its_a_feature_, cbthomas@mitre.org  ATT&CK – https://attack.mitre.org – @MITREattack  ATT&CK Navigator – https://github.com/mitre/attack-navigator – https://mitre.github.io/attack-navigator/enterprise/  Adversary Emulation Plans – https://attack.mitre.org/wiki/Adversary_Emulation_Plans Approved for public release. Distribution unlimited 18-0944-5

25. | 25 | © 2018 The MITRE Corporation. All rights reserved. MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions. Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org