©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
ATT&CKing the Status Quo:
Improving Threat Intelligence and
Cyber Defense with MITRE ATT&CK™
Katie Nickels
John Wunder
August 7, 2018
The Plan for Today
▪ Define the challenges we’re facing
▪ Explain what ATT&CK is
▪ Show how to use it for:
– Threat intelligence
– Detection and analytics
▪ Tell you what’s next for ATT&CK
▪ Chat as a community
Tough Questions for Defenders
▪ How effective are my defenses?
▪ Do I have a chance at detecting APT28?
▪ Is the data I’m collecting useful?
▪ Do I have overlapping tool coverage?
▪ Will this *shiny new* product from vendor XYZ help my organization’s defenses?
The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
What is ATT&CK?
A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven
Zooming in on the Adversary Lifecycle
[Slide: ATT&CK tactics laid over a kill-chain-style lifecycle.]
Lifecycle phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
Pre-compromise tactics (Recon, Weaponize):
  Priority Definition (planning, direction)
  Target Selection
  Information Gathering (technical, people, organizational)
  Weakness Identification (technical, people, organizational)
  Adversary OpSec
  Establish & Maintain Infrastructure
  Persona Development
  Build Capabilities
  Test Capabilities
  Stage Capabilities
Enterprise tactics (Deliver through Maintain):
  Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control
Spanning Multiple Technology Domains
Enterprise: Windows, Linux, macOS
Mobile: Android, iOS
[Slide: the full ATT&CK Enterprise matrix. Columns are the eleven tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control. Each column lists that tactic’s techniques (Hardware Additions, Spearphishing Attachment, Scheduled Task, Bypass User Account Control, Credential Dumping, Pass the Hash, Remote File Copy, Exfiltration Over Command and Control Channel, Domain Fronting, and so on).]
What is ATT&CK, really?
Tactics: the adversary’s technical goals
Techniques: how the goals are achieved
Procedures: specific implementations of a technique
Example Technique: New Service
Description: When operating systems boot up, they can start programs or applications called services that
perform background system functions. […] Adversaries may install a new service which will be
executed at startup by directly modifying the registry or by using tools. 1
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection: • Monitor service creation through changes in the Registry and common utilities using
command-line invocation
• …
Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors
• …
Data sources: Windows registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
Example Group: APT28
Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4
This group reportedly compromised the Democratic National Committee in April
2016.5
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-
4127, TG-4127 1 2 3 4 5 6 7
Techniques: • Data Obfuscation 1
• Connection Proxy 1 8
• Standard Application Layer Protocol 1
• Remote File Copy 8 9
• Rundll32 8 9
• Indicator Removal on Host 5
• Timestomp 5
• Credential Dumping 10
• Screen Capture 10 11
• Bootkit 7 and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer,
CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?.
Retrieved August 19, 2015.
…
Example Software: CHOPSTICK
Description: CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used
from at least November 2012 to August 2016 and is usually dropped on victims as
second-stage malware, though it has been used as first-stage malware in several cases. 1 2 3
Aliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp
Techniques: Input Capture - CHOPSTICK is capable of performing keylogging. 5 2
Command-Line Interface - CHOPSTICK is capable of performing remote command
execution.5
Fallback Channels - CHOPSTICK can switch to a new C2 channel if the current one is
broken. 2
Connection Proxy - CHOPSTICK used a proxy server between victims and the C2 server. 2
and more…
Groups: APT28
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?.
Retrieved August 19, 2015.
…
How can I actually *use* it?
[Slide: four use cases arranged around the ATT&CK matrix.]
Threat Intelligence
Detection, e.g. an analytic (in CAR pseudocode) that finds reg.exe launched from a cmd.exe that was not itself started by explorer.exe:
    processes = search Process:Create
    reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
    cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
    reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
    output reg_and_cmd
Adversary Emulation
Assessment and Engineering
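The same logic as the pseudocode above, made runnable in Python over a constructed set of process-creation events. This is an added example, not code from the deck, from MITRE’s Cyber Analytic Repository or from any product; the event field names (hostname, pid, ppid, exe, parent_exe, cmdline) are assumptions standing in for whatever your endpoint telemetry calls them.

```python
"""Runnable version of the reg.exe-from-cmd.exe analytic shown in pseudocode.

Added example, not code from the deck, MITRE CAR or any vendor product.
Events are a constructed sample in a Sysmon-like shape; the field names are
assumptions and should be mapped to your own process-creation telemetry.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "hostname pid ppid exe parent_exe cmdline")

# Constructed process-creation events, reduced to what the analytic needs.
#   hostA: an admin at the console runs reg from a cmd.exe started by explorer.exe
#   hostB: a cmd.exe spawned by a service runs reg.exe, the pattern we want
#   hostC: same pid/ppid numbers as hostB, but no matching cmd.exe on that host
EVENTS = [
    Proc("hostA", 4100, 1200, "cmd.exe", "explorer.exe", "cmd.exe"),
    Proc("hostA", 4120, 4100, "reg.exe", "cmd.exe", "reg query HKLM\\SOFTWARE\\Contoso"),
    Proc("hostB", 5200, 800, "cmd.exe", "services.exe", "cmd.exe /c start.bat"),
    Proc("hostB", 5210, 5200, "reg.exe", "cmd.exe",
         "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\Public\\u.exe"),
    Proc("hostC", 5210, 5200, "reg.exe", "cmd.exe", "reg query HKLM\\SYSTEM"),
]


def reg_from_cmd_not_explorer(events):
    """Return (cmd_event, reg_event) pairs where reg.exe's parent is a cmd.exe
    that was not itself launched by explorer.exe.

    Mirrors the pseudocode: two filters, then a join on (hostname, pid/ppid).
    The hostname is part of the join key because pids are only unique per host.
    """
    reg = [e for e in events
           if e.exe.lower() == "reg.exe" and e.parent_exe.lower() == "cmd.exe"]
    cmd = [e for e in events
           if e.exe.lower() == "cmd.exe" and e.parent_exe.lower() != "explorer.exe"]
    cmd_by_key = {(c.hostname, c.pid): c for c in cmd}
    return [(cmd_by_key[(r.hostname, r.ppid)], r)
            for r in reg if (r.hostname, r.ppid) in cmd_by_key]


if __name__ == "__main__":
    for cmd_ev, reg_ev in reg_from_cmd_not_explorer(EVENTS):
        print(f"{reg_ev.hostname}: {cmd_ev.parent_exe} -> cmd.exe({cmd_ev.pid}) -> {reg_ev.cmdline}")
```

On real telemetry the join also needs a time constraint (the cmd.exe creation must precede the reg.exe creation, and the pid must not have been recycled in between), and the parent filter is worth widening once you have looked at what legitimately spawns cmd.exe in your environment.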
All the ATT&CK Things!
Public ATT&CK Knowledge Base: attack.mitre.org
ATT&CK Navigator: mitre.github.io/attack-navigator
Structured Content (STIX/TAXII): github.com/mitre/cti, cti-taxii.mitre.org
Adversary Emulation Plans: attack.mitre.org/wiki/Adversary_Emulation_Plans
Cyber Analytic Repository: car.mitre.org
ATT&CK for Threat Intelligence
The Status Quo in Threat Intelligence
▪ Reliance on indicators
▪ So. Many. Reports!
▪ Tough to apply intel to defense
So what can we do?
Structure threat intelligence using ATT&CK!
Here’s how…
“Extracting” ATT&CK techniques from a threat report
Example report: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Techniques extracted:
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1095 - Standard Non-Application Layer Protocol
T1104 - Multi-Stage Channels
APT28 techniques*
*from open source reporting we’ve mapped
[Slide: APT28’s techniques highlighted on the Enterprise matrix (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control).]
APT29 techniques
[Slide: APT29’s techniques highlighted on the same matrix.]
Comparing APT28 and APT29
[Slide: both groups’ techniques on one matrix, colour-coded APT28 / APT29 / Both groups, with known detection gaps overlaid.]
Example from industry – Unit 42 Adversary Playbook
https://pan-unit42.github.io/playbook_viewer/
Implementation Tips
▪ Tailor your existing threat intel repository
– Threat Intelligence Platforms are starting to support ATT&CK
(MISP, ThreatQ, others)
▪ Have the threat intel originator do it
▪ Start at the tactic level
▪ Use existing website examples
▪ Work as a team
▪ Remember it’s still human analysis
So what does this get us?
Status Quo                        | ATT&CKing threat intel
So. Many. Reports!                | Structures threat intel so it’s easier to consume a lot of it
Tough to apply intel to defenses  | Provides a way to directly compare intel to defenses
Reliance on indicators            | Moves to TTPs and behaviors
Plus!
▪ Gives us a common language to communicate
▪ Allows us to compare groups
Detection and Analytics
Analytics vs. Indicators
Indicators                 | Analytics
Known malicious behavior   | Suspicious behavior
Fewer false positives      | More false positives
More atomic                | Broader
Higher quantity            | Lower quantity
How do analytics work?
▪ Analytics look for observable events and artifacts that indicate adversary behavior
– E.g., if an adversary uses RDP, Windows Event Logs will show a logon with type=RemoteInteractive
▪ The trick: distinguishing the good from the bad
[Venn diagram: “Good” and “Bad” circles. Almost everything in ATT&CK sits in the overlap; our goal is to use evidence to place an event in one circle or the other.]
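The RDP observable from the first bullet, worked as an added example (not code from the deck). A Windows Security event 4624 with LogonType 10 (RemoteInteractive) is what an RDP logon looks like in the logs; on its own it sits in the Good/Bad overlap, and the analytic below uses two further pieces of evidence, source address and account, to push each event into one circle. The events, the jump-host list and the admin-account list are constructed, and the event fields are reduced to the few the analytic needs.

```python
"""Added example (not from the deck): placing RDP logons in the Good or Bad circle.

EventID 4624 with LogonType 10 (RemoteInteractive) is the RDP observable. The
analytic combines it with environment knowledge (where admins are expected to
RDP from, which accounts are admins). Sample events and allowlists are
constructed; field names are reduced from the real 4624 event.
"""
from dataclasses import dataclass

REMOTE_INTERACTIVE = 10  # 4624 LogonType value for RDP / Terminal Services logons


@dataclass(frozen=True)
class Logon:
    target_user: str
    logon_type: int
    ip_address: str
    workstation: str


# Constructed environment knowledge.
JUMP_HOSTS = {"10.0.0.5", "10.0.0.6"}
ADMIN_ACCOUNTS = {"adm_katie", "adm_john"}

# Constructed 4624 events.
EVENTS = [
    Logon("adm_katie", 10, "10.0.0.5", "JUMP01"),    # admin from a jump host: expected
    Logon("svc_backup", 10, "10.20.3.44", "WS-118"),  # service account over RDP from a workstation
    Logon("adm_john", 10, "172.16.9.9", "WS-042"),    # admin over RDP, but not from a jump host
    Logon("jdoe", 2, "-", "WS-042"),                  # console logon: not RDP, ignored
]


def classify_rdp(events, jump_hosts, admin_accounts):
    """Split RemoteInteractive logons into (suspicious, expected).

    'Expected' requires both facts to line up: a known admin account coming
    from a known jump host. Anything else is surfaced for a human to look at.
    """
    suspicious, expected = [], []
    for e in events:
        if e.logon_type != REMOTE_INTERACTIVE:
            continue
        if e.ip_address in jump_hosts and e.target_user in admin_accounts:
            expected.append(e)
        else:
            suspicious.append(e)
    return suspicious, expected


if __name__ == "__main__":
    bad, good = classify_rdp(EVENTS, JUMP_HOSTS, ADMIN_ACCOUNTS)
    for e in bad:
        print(f"review: {e.target_user} RDP from {e.ip_address} to {e.workstation}")
```

The allowlists are the “evidence” the slide refers to: the same 4624 event is benign or suspicious depending on facts the log line itself does not carry, which is why analytics need environment context and not just the observable.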
Example: Detecting UAC Bypass
    index=__your sysmon stuff__ IntegrityLevel=High
    | search (
        ParentImage="c:\\windows\\system32\\fodhelper.exe"
        OR CommandLine="*cleanmgr.exe /autoclean*"
        OR ...
      )
    | eval PossibleTechniques=case(
        like(lower(ParentImage), "c:\\windows\\system32\\fodhelper.exe"), "UACME #33",
        like(lower(CommandLine), "%cleanmgr.exe /autoclean%"), "UACME #34",
        ...
      )
FOR ILLUSTRATIVE PURPOSES ONLY - INCOMPLETE
Developing an Analytic
▪ Read the ATT&CK page and understand the attack
– Think from an adversary perspective
– Try to mentally separate legitimate usage from malicious usage
▪ Try it
– Carry out the attacks via your own testing or pre-written scripts
– What does it look like in the logs?
▪ Write and iterate
– Write your first search, narrow down false positives, and iterate
– Keep testing – make sure you check for a variety of ways it can be used, not just the easiest
Measuring Defense: what can you cover?
[Slide: the Enterprise matrix (Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control) shaded to show which techniques your current data sources and analytics can detect.]
Prioritizing techniques
[Slide: the same matrix, shaded per the legend below, with the adversary’s prioritized techniques overlaid.]
Legend:
  High Confidence of Detection
  Moderate Confidence of Detection
  Low Confidence of Detection
  IOC Coverage
  Prioritized Adversary Techniques
The cycle: Define your threat model → Assess your coverage → Identify gaps → Fill gaps
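An added example (not code from the deck, from the ATT&CK Navigator or from MITRE’s cti repository) that ties the “Comparing APT28 and APT29” overlay and this prioritization cycle together: read group-to-technique relationships out of ATT&CK’s STIX content, compute what is unique to each group and common to both, overlay your own detection coverage, and emit the gaps as a Navigator-style heatmap layer. The STIX bundle is a constructed miniature in the shape github.com/mitre/cti uses; which group uses which technique is illustrative only, the coverage dictionary is made up, and the layer field names are an assumption to check against the Navigator version you load it into.

```python
"""Compare two groups' techniques and overlay detection coverage to find gaps.

Added example; not code from the deck, the Navigator or github.com/mitre/cti.
The bundle below is a constructed mini STIX 2.0 bundle in the shape MITRE's
cti repository uses: attack-pattern objects carry the technique ID in an
external_references entry with source_name "mitre-attack", intrusion-set
objects are groups, and relationship objects of type "uses" link the two.
Which group uses which technique here is illustrative, not real reporting,
and the short object ids stand in for the UUIDs real STIX requires.
"""
import json


def attack_pattern(uid, tid, name, tactic):
    return {"type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid,
                                     "url": f"https://attack.mitre.org/techniques/{tid}"}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}]}


def uses(group_uid, ap_uid):
    return {"type": "relationship", "id": f"relationship--{group_uid}-{ap_uid}",
            "relationship_type": "uses",
            "source_ref": f"intrusion-set--{group_uid}", "target_ref": f"attack-pattern--{ap_uid}"}


BUNDLE = {"type": "bundle", "id": "bundle--constructed", "spec_version": "2.0", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g28", "name": "APT28"},
    {"type": "intrusion-set", "id": "intrusion-set--g29", "name": "APT29"},
    attack_pattern("a1", "T1003", "Credential Dumping", "credential-access"),
    attack_pattern("a2", "T1085", "Rundll32", "defense-evasion"),
    attack_pattern("a3", "T1105", "Remote File Copy", "lateral-movement"),
    attack_pattern("a4", "T1086", "PowerShell", "execution"),
    attack_pattern("a5", "T1067", "Bootkit", "persistence"),
    attack_pattern("a6", "T1047", "Windows Management Instrumentation", "execution"),
    uses("g28", "a1"), uses("g28", "a2"), uses("g28", "a3"), uses("g28", "a5"),
    uses("g29", "a1"), uses("g29", "a3"), uses("g29", "a4"), uses("g29", "a6"),
]}

# Constructed state of our own detections, keyed by technique ID, using the
# confidence levels from the slide legend. Techniques absent here are gaps.
COVERAGE = {"T1003": "high", "T1085": "low", "T1086": "moderate"}


def attack_id(obj):
    """Technique ID (T####) from an attack-pattern's mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def techniques_by_group(bundle):
    """{group name: set of technique IDs} from intrusion-set -uses-> attack-pattern."""
    objs = {o["id"]: o for o in bundle["objects"]}
    out = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        src, dst = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if src and dst and src["type"] == "intrusion-set" and dst["type"] == "attack-pattern":
            out.setdefault(src["name"], set()).add(attack_id(dst))
    return out


def compare(groups, a, b):
    """The comparison slide's three colours: unique to a, unique to b, used by both."""
    return {a: groups[a] - groups[b], b: groups[b] - groups[a], "both": groups[a] & groups[b]}


def prioritize(groups, coverage, threat_model):
    """Techniques used by any group in the threat model, weakest coverage first;
    also returns the outright gaps (no detection at all)."""
    rank = {None: 0, "low": 1, "moderate": 2, "high": 3}
    wanted = set().union(*(groups[g] for g in threat_model))
    ranked = sorted(wanted, key=lambda t: (rank[coverage.get(t)], t))
    return ranked, [t for t in ranked if t not in coverage]


COLORS = {None: "#ff6666", "low": "#ffcc66", "moderate": "#ffff66", "high": "#66ff66"}


def navigator_layer(name, techniques, coverage):
    """Heatmap as an ATT&CK Navigator layer. Field names follow the 2018-era
    layer format (an assumption); check them against the Navigator you use."""
    return {"name": name, "version": "2.1", "domain": "mitre-enterprise",
            "techniques": [{"techniqueID": t, "color": COLORS[coverage.get(t)],
                            "comment": coverage.get(t, "gap")} for t in techniques]}


if __name__ == "__main__":
    groups = techniques_by_group(BUNDLE)
    print(compare(groups, "APT28", "APT29"))
    ranked, gaps = prioritize(groups, COVERAGE, ["APT28", "APT29"])
    print("fill first:", gaps)
    print(json.dumps(navigator_layer("APT28+APT29 vs. coverage", ranked, COVERAGE), indent=1))
```

Against the real cti repository the only change is loading the enterprise-attack bundle from disk instead of building one inline; the relationship walk is the same. The ranking deliberately puts uncovered techniques ahead of low-confidence ones so that “identify gaps” and “fill gaps” come straight out of the threat model rather than from whichever technique is easiest to write an analytic for.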
Working together
Filling the gaps is hard,
time-consuming, and expensive.
• There are a lot of prevalent techniques
• Adversary practices are always evolving
• Techniques have a wide set of procedures
• We all have limited resources
• Requires in-depth expertise of system
internals
But you’re not alone.
• Work with your red-team
• Work with others in your
industry
• Talk on Twitter or Slack
• Contribute to open source
• Read blogs and blog yourself!
Challenge area: being realistic about coverage
▪ ATT&CK coverage heatmaps are great
– Easy to understand
– From a defender perspective
– […] straightforward
▪ BUT: Understanding coverage this way is often deceiving and doesn’t align with how attacks are actually detected
1. ATT&CK techniques can be executed and detected in many ways
2. Detecting single ATT&CK techniques is usually not the right level of abstraction
Challenge area: handling false positives
▪ We think we need to develop comprehensive coverage, but is it realistic with current FP rates and current approaches to detection?
– Analytics are noisy, and more coverage means more false positives
– Waste of analyst time, alert fatigue, etc.
Novel approaches:
• Detecting event graphs
• Machine learning
• Tighten the feedback loop
• Target detections
Challenge area: getting and searching data
▪ Analytics require increasing amounts of data
– […] markers become less useful
– Data often needs to come from endpoint + network + infrastructure
Collection
▪ Can collection be targeted?
▪ Can collection be agile?
▪ Can collection be decentralized?
Search
▪ How can graph-based search scale?
▪ How can you make effective use of your resources?
Getting started on your own
▪ Take a look at Detection Lab
– https://github.com/clong/DetectionLab
– https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
▪ Be bad!
– Atomic Red Team has a lot of commands to try: https://atomicredteam.io/
▪ See what bad looks like, write some detections.
– https://github.com/Cyb3rWard0g/ThreatHunter-Playbook is a good place for
inspiration
▪ Share!
Bringing it all together…
Threat-informed defense, but for real
[Cycle: Structured Threat Intel → Intel-Driven Adversary Emulation → An ever-improving & validated defense]
What’s next for ATT&CK?
▪ Create a new website and infrastructure that makes ATT&CK easier to use
▪ Continue to expand the ATT&CK community
▪ Open up the development and governance of ATT&CK
▪ Improve and add to ATT&CK content: sub-techniques, impacts, new technology domains
Let’s Chat!
▪ Any questions for us?
▪ How have you tackled the challenges we discussed?
▪ If this is new to you…
– How do you think you could use ATT&CK?
– What could we do to help you start?
▪ If you’re already familiar with ATT&CK…
– How are you using it?
– What could we do to help you do that better?
▪ What is missing from ATT&CK?
Katie Nickels: @likethecoins
John Wunder: @jwunder
attack.mitre.org
attack@mitre.org
@MITREattack
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 

What's hot (20)

It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 

Similar to BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamAdam Pennington
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...MohamedOmerMusa
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfAisyiFree
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 

Similar to BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo (20)

Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
JAKU Botnet Analysis
JAKU Botnet AnalysisJAKU Botnet Analysis
JAKU Botnet Analysis
 

Recently uploaded

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

  • 1. ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15. ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK™ Katie Nickels John Wunder August 7, 2018 | 1 |
  • 2. The Plan for Today ▪ Define the challenges we’re facing ▪ Explain what ATT&CK is ▪ Show how to use it for: – Threat intelligence – Detection and analytics ▪ Tell you what’s next for ATT&CK ▪ Chat as a community | 2 | ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 3. Tough Questions for Defenders ▪ How effective are my defenses? ▪ Do I have a chance at detecting APT28? ▪ Is the data I’m collecting useful? ▪ Do I have overlapping tool coverage? ▪ Will this *shiny new* product from vendor XYZ help my organization’s defenses? | 3 | ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 4. The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain | 4 | ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 5. | 5 | What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 6. Zooming in on the Adversary Lifecycle | 6 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Recon Weaponize Deliver Exploit Control Execute Maintain Priority Definition • Planning, Direction Target Selection Information Gathering • Technical, People, Organizational Weakness Identification • Technical, People, Organizational Adversary OpSec Establish & Maintain Infrastructure Persona Development Build Capabilities Test Capabilities Stage Capabilities Enterprise ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 7. Spanning Multiple Technology Domains | 7 | Enterprise: Windows, Linux, macOS Mobile: Android, iOS ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 8. Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark Discovery Exploitation of Remote Services Data from Information Repositories Exfiltration Over Physical Medium Remote Access Tools Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for Credential Access Port Knocking Supply Chain Compromise Local Job Scheduling Access Token Manipulation Network Share Discovery Distributed Component Object Model Video Capture Exfiltration Over Command and Control Channel Multi-hop Proxy Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting Spearphishing Attachment Launchctl Process Injection Hooking Peripheral Device Discovery Remote File Copy Automated Collection Data Encoding Signed Binary Proxy Execution Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy Exploit Public-Facing Application Plist Modification LLMNR/NBT-NS Poisoning File and Directory Discovery Replication Through Removable Media Email Collection Automated Exfiltration Multi-Stage Channels User Execution Valid Accounts Screen Capture Exfiltration Over Other Network Medium Web Service Replication Through Removable Media Exploitation for Client Execution DLL Search Order Hijacking Private Keys Permission Groups Discovery Windows Admin Shares Data Staged Standard Non-Application Layer Protocol AppCert DLLs Signed Script Proxy Execution Keychain Pass the Hash Input Capture Exfiltration Over Alternative Protocol Spearphishing via Service CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network Connections Discovery Shared Webroot Data Transfer Size Limits Connection Proxy Spearphishing Link Mshta Launch Daemon Port Knocking Two-Factor Authentication Interception Logon Scripts Data from Local System Multilayer Encryption Drive-by Compromise 
AppleScript Dylib Hijacking Indirect Command Execution System Owner/User Discovery Windows Remote Management Man in the Browser Data Compressed Standard Application Layer ProtocolValid Accounts Source Application Shimming Data from Removable Media Scheduled Transfer Space after Filename AppInit DLLs BITS Jobs Replication Through Removable Media System Network Configuration Discovery Application Deployment Software Commonly Used Port Execution through Module Load Web Shell Control Panel Items Standard Cryptographic Protocol Service Registry Permissions Weakness CMSTP Input Capture Application Window Discovery SSH Hijacking AppleScript Custom Cryptographic Protocol Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy Discovery Taint Shared Content Regsvr32 Path Interception Hidden Files and Directories Kerberoasting Remote Desktop Protocol Data Obfuscation Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services Rundll32 Kernel Modules and Extensions Sudo Caching LC_MAIN Hijacking Account Manipulation System Information Discovery Communication Through Removable Media Third-party Software SID-History Injection HISTCONTROL Credentials in Files Scripting Port Knocking Sudo Hidden Users Security Software DiscoveryGraphical User Interface SIP and Trust Provider Hijacking Setuid and Setgid Clear Command History Multiband Communication Command-Line Interface Exploitation for Privilege Escalation Gatekeeper Bypass Network Service ScanningScreensaver Hidden Window Fallback Channels Service Execution Browser Extensions Deobfuscate/Decode Files or Information Remote System Discovery Uncommonly Used Port Windows Remote Management Re-opened Applications Rc.common Trusted Developer Query Registry | 8 | Initial Access Execution 
Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command & Control What is ATT&CK, really? Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures – Specific technique implementation ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
  • 9. Example Technique: New Service | 9 | Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1 Platform: Windows Permissions required: Administrator, SYSTEM Effective permissions: SYSTEM Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation • … Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors • … Data sources: Windows registry, process monitoring, command-line parameters Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, … References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016. ©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
Example Group: APT28
| 10 |
Description: APT28 is a threat group that has been attributed to the Russian government. [1][2][3][4] This group reportedly compromised the Democratic National Committee in April 2016. [5]
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 [1][2][3][4][5][6][7]
Techniques:
• Data Obfuscation [1]
• Connection Proxy [1][8]
• Standard Application Layer Protocol [1]
• Remote File Copy [8][9]
• Rundll32 [8][9]
• Indicator Removal on Host [5]
• Timestomp [5]
• Credential Dumping [10]
• Screen Capture [10][11]
• Bootkit [7]
• and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil [1][3][6]
References:
1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
…
Example Software: CHOPSTICK
| 11 |
Description: CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. [1][2][3]
Aliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp
Techniques:
• Input Capture: CHOPSTICK is capable of performing keylogging. [5][2]
• Command-Line Interface: CHOPSTICK is capable of performing remote command execution. [5]
• Fallback Channels: CHOPSTICK can switch to a new C2 channel if the current one is broken. [2]
• Connection Proxy: CHOPSTICK used a proxy server between victims and the C2 server. [2]
• and more…
Groups: APT28
References:
1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
…
How can I actually *use* it?
| 12 |
▪ Threat Intelligence
▪ Detection
▪ Adversary Emulation
▪ Assessment and Engineering

Example analytic (pseudocode shown on the slide):
    processes = search Process:Create
    reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
    cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
    reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
    output reg_and_cmd

[Slide 12 figure: ATT&CK matrix with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control; the technique names are omitted here]
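The slide-12 analytic written out as runnable Python, as an added example that is not code from the presentation or from MITRE's Cyber Analytic Repository. It runs the same two filters and the same join over a constructed, Sysmon-style process-creation sample (field names taken from the slide's pseudocode), and the sample includes a cross-host pid collision to show why the join keys on hostname as well as pid.

```python
"""Added example: the slide-12 process-chain analytic in plain Python.

Independent implementation over a constructed sample; not the
presentation's code and not the Cyber Analytic Repository's.
"""
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Constructed Process:Create sample. Field names follow the slide's
# pseudocode (hostname, pid, ppid, exe, parent_exe); values are invented.
SAMPLE_EVENTS: List[Event] = [
    # wksA: a user opens cmd.exe from Explorer and runs reg.exe by hand.
    # The analytic deliberately ignores this (cmd.exe spawned by explorer.exe).
    {"hostname": "wksA", "pid": 4100, "ppid": 1200, "exe": "cmd.exe", "parent_exe": "explorer.exe"},
    {"hostname": "wksA", "pid": 4188, "ppid": 4100, "exe": "reg.exe", "parent_exe": "cmd.exe"},
    # wksB: a document viewer spawns cmd.exe, which spawns reg.exe.
    # This chain is what the analytic is built to surface.
    {"hostname": "wksB", "pid": 5020, "ppid": 3300, "exe": "cmd.exe", "parent_exe": "winword.exe"},
    {"hostname": "wksB", "pid": 5044, "ppid": 5020, "exe": "reg.exe", "parent_exe": "cmd.exe"},
    # wksC: a reg.exe whose ppid collides with wksB's cmd.exe pid.
    # The hostname term in the join keeps this from matching.
    {"hostname": "wksC", "pid": 6001, "ppid": 5020, "exe": "reg.exe", "parent_exe": "cmd.exe"},
    # wksB: reg.exe launched by a service, no cmd.exe in the chain.
    {"hostname": "wksB", "pid": 5100, "ppid": 800, "exe": "reg.exe", "parent_exe": "services.exe"},
]


def _lc(event: Event, field: str) -> str:
    """Lower-cased field value; image names in real telemetry vary in case."""
    return str(event.get(field, "")).lower()


def reg_and_cmd(events: Iterable[Event]) -> List[Tuple[Event, Event]]:
    """Return (reg_event, cmd_event) pairs, mirroring the slide's pseudocode:

    reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
    cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
    join on reg.ppid == cmd.pid and reg.hostname == cmd.hostname
    """
    events = list(events)
    reg = [e for e in events
           if _lc(e, "exe") == "reg.exe" and _lc(e, "parent_exe") == "cmd.exe"]
    cmd = [e for e in events
           if _lc(e, "exe") == "cmd.exe" and _lc(e, "parent_exe") != "explorer.exe"]
    # Index cmd.exe processes by (hostname, pid) so the join is a lookup.
    # Keying on hostname as well as pid is what stops pid collisions
    # across hosts from producing false matches.
    cmd_by_host_pid = {(c["hostname"], c["pid"]): c for c in cmd}
    matches: List[Tuple[Event, Event]] = []
    for r in reg:
        parent = cmd_by_host_pid.get((r["hostname"], r["ppid"]))
        if parent is not None:
            matches.append((r, parent))
    return matches


def describe(matches: Iterable[Tuple[Event, Event]]) -> List[str]:
    """One line per hit showing the full chain, for an analyst to triage."""
    return [
        f"{r['hostname']}: {c['parent_exe']} -> cmd.exe(pid {c['pid']}) -> reg.exe(pid {r['pid']})"
        for r, c in matches
    ]


if __name__ == "__main__":
    for line in describe(reg_and_cmd(SAMPLE_EVENTS)):
        print(line)
```

On the sample only the wksB chain is reported; the interactive wksA case, the cross-host pid collision and the service-launched reg.exe are all excluded by the filters and the join.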
All the ATT&CK Things!
| 13 |
▪ Public ATT&CK Knowledge Base: attack.mitre.org
▪ ATT&CK Navigator: mitre.github.io/attack-navigator
▪ Structured Content: github.com/mitre/cti, cti-taxii.mitre.org
▪ Adversary Emulation Plans: attack.mitre.org/wiki/Adversary_Emulation_Plans
▪ Cyber Analytic Repository: car.mitre.org
ATT&CK for Threat Intelligence
| 14 |
The Status Quo in Threat Intelligence
| 15 |
▪ Reliance on indicators
▪ So. Many. Reports!
▪ Tough to apply intel to defense
So what can we do?
| 16 |
Structure threat intelligence using ATT&CK! Here's how…
"Extracting" ATT&CK techniques from a threat report
| 17 |
Source report: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Techniques extracted:
▪ T1068 - Exploitation for Privilege Escalation
▪ T1059 - Command-Line Interface
▪ T1033 - System Owner/User Discovery
▪ T1053 - Scheduled Task
▪ T1065 - Uncommonly Used Port
▪ T1095 - Standard Non-Application Layer Protocol
▪ T1104 - Multi-Stage Channels
APT28 techniques*
| 18 |
[Slide 18 figure: ATT&CK matrix heatmap with the techniques attributed to APT28 highlighted; tactic columns Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control]
*from open source reporting we've mapped
APT29 techniques
| 19 |
[Slide 19 figure: ATT&CK matrix heatmap with the techniques attributed to APT29 highlighted; same tactic columns as the previous slide]
Comparing APT28 and APT29
| 20 |
[Slide 20 figure: ATT&CK matrix with APT28 and APT29 techniques overlaid; legend: APT28, APT29, Both groups]
▪ Overlay known gaps
Example from industry: Unit 42 Adversary Playbook
| 21 |
https://pan-unit42.github.io/playbook_viewer/
Implementation Tips
| 22 |
▪ Tailor your existing threat intel repository
– Threat Intelligence Platforms are starting to support ATT&CK (MISP, ThreatQ, others)
▪ Have the threat intel originator do it
▪ Start at the tactic level
▪ Use existing website examples
▪ Work as a team
▪ Remember it's still human analysis
So what does this get us?
| 23 |
Status Quo → ATT&CKing threat intel
▪ So. Many. Reports! → Structures threat intel so it's easier to consume a lot of it
▪ Tough to apply intel to defenses → Provides a way to directly compare intel to defenses
▪ Reliance on indicators → Moves to TTPs and behaviors
Plus!
– Gives us a common language to communicate
– Allows us to compare groups
Detection and Analytics
| 24 |
Analytics vs. Indicators
| 25 |
Indicators:
▪ Known malicious behavior
▪ Fewer false positives
▪ More atomic
▪ Higher quantity
Analytics:
▪ Suspicious behavior
▪ More false positives
▪ Broader
▪ Lower quantity
How do analytics work?
| 26 |
▪ Analytics look for observable events and artifacts that indicate adversary behavior
– E.g., if an adversary uses RDP, Windows Event Logs will show a Logon with type=RemoteInteractive
▪ The trick: distinguishing the good from the bad
[Slide 26 figure: two overlapping circles labelled Good and Bad; the overlap is annotated "Almost everything in ATT&CK", and "Evidence" is what lets us reach our goal: place the event in one circle]
Example: Detecting UAC Bypass
| 27 |
    index=__your sysmon stuff__ IntegrityLevel=High
    | search (
        ParentImage=c:\windows\system32\fodhelper.exe OR
        CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR
        ...
    | eval PossibleTechniques=case(
        like(lower(ParentImage), "c:\windows\system32\fodhelper.exe"), "UACME #33",
        like(lower(CommandLine), "%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34",
        ...
    )
FOR ILLUSTRATIVE PURPOSES ONLY - INCOMPLETE
Developing an Analytic
| 28 |
▪ Read the ATT&CK page and understand the attack
– Think from an adversary perspective
– Try to mentally separate legitimate usage from malicious usage
▪ Try it
– Carry out the attacks via your own testing or pre-written scripts
– What does it look like in the logs?
▪ Write and iterate
– Write your first search, narrow down false positives, and iterate
– Keep testing: make sure you check for a variety of ways it can be used, not just the easiest
Measuring Defense: what can you cover?
| 29 |
[Slide 29 figure: ATT&CK matrix with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control, shaded by detection coverage; the technique names are omitted here]
Prioritizing techniques
| 30 |
[Slide 30 figure: the same ATT&CK matrix as slide 29, with prioritized adversary techniques overlaid on detection coverage; the technique names are omitted here]
Legend: High Confidence of Detection, Moderate Confidence of Detection, Low Confidence of Detection, IOC Coverage, Prioritized Adversary Techniques
▪ Define your threat model
▪ Assess your coverage
▪ Identify gaps
▪ Fill gaps
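The group comparison of slide 20 and the define/assess/identify loop of slide 30, carried out in code as an added example that is not part of the presentation or of any MITRE tool. The two group technique sets and the coverage scores are constructed for illustration (not MITRE's mapping for any real group); the technique IDs are the 2018 ATT&CK Enterprise IDs, and the layer field names (name, version, domain, techniques[].techniqueID/score/comment) are assumed from the Navigator layer format of that period.

```python
"""Added example: compare two groups' techniques (slide 20), overlay detection
coverage to rank gaps (slide 30), and emit the result as a Navigator layer.

Group sets and coverage scores are constructed; layer fields are assumed
from the 2018-era ATT&CK Navigator layer format.
"""
import json
from typing import Dict, Iterable, List, Set

# Technique names as they appear on the slides, with their ATT&CK IDs.
TECHNIQUE_IDS: Dict[str, str] = {
    "Command-Line Interface": "T1059",
    "System Owner/User Discovery": "T1033",
    "Scheduled Task": "T1053",
    "Multi-Stage Channels": "T1104",
    "Credential Dumping": "T1003",
    "Rundll32": "T1085",
    "Remote File Copy": "T1105",
    "Screen Capture": "T1113",
    "Timestomp": "T1099",
    "Data Obfuscation": "T1001",
    "Connection Proxy": "T1090",
    "Standard Application Layer Protocol": "T1071",
}

# Constructed, partial technique sets for two hypothetical groups.
GROUP_A: Set[str] = {
    "Credential Dumping", "Rundll32", "Remote File Copy", "Screen Capture",
    "Timestomp", "Data Obfuscation", "Connection Proxy",
    "Standard Application Layer Protocol",
}
GROUP_B: Set[str] = {
    "Credential Dumping", "Remote File Copy", "Scheduled Task",
    "Command-Line Interface", "System Owner/User Discovery",
    "Multi-Stage Channels", "Standard Application Layer Protocol",
}

# Constructed coverage assessment using slide 30's legend:
# 3 = high confidence of detection, 2 = moderate, 1 = low, 0 = IOC-only/none.
COVERAGE: Dict[str, int] = {
    "Credential Dumping": 3, "Scheduled Task": 3, "Rundll32": 2,
    "Command-Line Interface": 1, "Remote File Copy": 1,
    "Standard Application Layer Protocol": 0,
}


def compare_groups(a: Set[str], b: Set[str]) -> Dict[str, Set[str]]:
    """Slide 20's overlay: techniques unique to each group and shared by both."""
    return {"both": a & b, "a_only": a - b, "b_only": b - a}


def prioritized_gaps(threat_model: Iterable[Set[str]], coverage: Dict[str, int],
                     threshold: int = 2) -> List[str]:
    """Techniques in the threat model whose coverage is below threshold, the
    most widely used first (ties by name), so shared techniques get filled first."""
    uses: Dict[str, int] = {}
    for group in threat_model:
        for technique in group:
            uses[technique] = uses.get(technique, 0) + 1
    gaps = [t for t in uses if coverage.get(t, 0) < threshold]
    return sorted(gaps, key=lambda t: (-uses[t], t))


def navigator_layer(name: str, a: Set[str], b: Set[str],
                    coverage: Dict[str, int]) -> dict:
    """Layer whose score is the coverage level and whose comment names the user(s)."""
    cmp = compare_groups(a, b)
    label = {t: which for which in ("both", "a_only", "b_only") for t in cmp[which]}
    techniques = [{"techniqueID": TECHNIQUE_IDS[t], "score": coverage.get(t, 0),
                   "comment": label[t]} for t in sorted(label)]
    return {"name": name, "version": "2.1", "domain": "mitre-enterprise",
            "techniques": techniques}


if __name__ == "__main__":
    print("Gaps to fill first:", prioritized_gaps([GROUP_A, GROUP_B], COVERAGE))
    print(json.dumps(navigator_layer("A+B vs coverage", GROUP_A, GROUP_B, COVERAGE), indent=2))
```

Shared techniques with weak coverage (here Remote File Copy and Standard Application Layer Protocol) come out at the top of the gap list, which is the prioritisation the slide is after.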
Working together
| 31 |
Filling the gaps is hard, time-consuming, and expensive.
• There are a lot of prevalent techniques
• Adversary practices are always evolving
• Techniques have a wide set of procedures
• We all have limited resources
• It requires in-depth expertise in system internals
But you're not alone.
• Work with your red team
• Work with others in your industry
• Talk on Twitter or Slack
• Contribute to open source
• Read blogs and blog yourself!
Challenge area: being realistic about coverage
| 32 |
▪ ATT&CK coverage heatmaps are great
– Easy to understand
– From a defender perspective … straightforward
▪ BUT: Understanding coverage this way is often deceiving and doesn't align with how attacks are actually detected
1. ATT&CK techniques can be executed and detected in many ways
2. Detecting single ATT&CK techniques is usually not the right level of abstraction
Challenge area: handling false positives
| 33 |
▪ We think we need to develop comprehensive coverage, but is it realistic with current FP rates and current approaches to detection?
– Analytics are noisy, and more coverage means more false positives
– Waste of analyst time, alert fatigue, etc.
Novel Approaches:
– Detecting event graphs
– Machine learning
– Tighten the feedback loop
– Target detections
Challenge area: getting and searching data
| 34 |
▪ Analytics require increasing amounts of data
– … markers become less useful
– Data often needs to come from endpoint + network + infrastructure
Collection
▪ Can collection be targeted?
▪ Can collection be agile?
▪ Can collection be decentralized?
Search
▪ How can graph-based search scale?
▪ How can you make effective use of your resources?
Getting started on your own
| 35 |
▪ Take a look at Detection Lab
– https://github.com/clong/DetectionLab
– https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
▪ Be bad!
– Atomic Red Team has a lot of commands to try: https://atomicredteam.io/
▪ See what bad looks like, write some detections.
– https://github.com/Cyb3rWard0g/ThreatHunter-Playbook is a good place for inspiration
▪ Share!
Bringing it all together…
| 36 |
Threat-informed defense, but for real
| 37 |
[Slide 37 figure: a cycle of Structured Threat Intel → Intel-Driven Adversary Emulation → An ever-improving & validated defense]
What's next for ATT&CK?
| 38 |
▪ Create a new website and infrastructure that makes ATT&CK easier to use
▪ Continue to expand the ATT&CK community
▪ Open up the development and governance of ATT&CK
▪ Improve and add to ATT&CK content:
• Sub-techniques
• Impacts
• New technology domains
Let's Chat!
| 39 |
▪ Any questions for us?
▪ How have you tackled the challenges we discussed?
▪ If this is new to you…
– How do you think you could use ATT&CK?
– What could we do to help you start?
▪ If you're already familiar with ATT&CK…
– How are you using it?
– What could we do to help you do that better?
▪ What is missing from ATT&CK?
| 40 |
Katie Nickels: @likethecoins
John Wunder: @jwunder
attack.mitre.org
attack@mitre.org
@MITREattack