FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Turning Intelligence into Action with
MITRE ATT&CK™
Katie Nickels @likethecoins
Adam Pennington @_whatshisface
MITRE ATT&CK @MITREattack
| 1 |

What is
?
A knowledge base of
adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven

The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
?
+

Zooming in on the Adversary Lifecycle
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Enterprise ATT&CKPRE-ATT&CK
Mobile
ATT&CK

Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark
Discovery
Exploitation of Remote
Services
Data from Information
Repositories
Exfiltration Over
Physical Medium
Remote Access Tools
Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for
Credential Access
Port Knocking
Supply Chain Compromise
Local Job Scheduling Access Token Manipulation Network Share
Discovery
Distributed Component
Object Model
Video Capture
Exfiltration Over
Command and
Control Channel
Multi-hop Proxy
Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting
Spearphishing Attachment
Launchctl Process Injection Hooking Peripheral Device
Discovery
Remote File Copy Automated Collection Data Encoding
Signed Binary
Proxy Execution
Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy
Exploit Public-Facing
Application
Plist Modification LLMNR/NBT-NS
Poisoning
File and Directory
Discovery
Replication Through
Removable Media
Email Collection Automated Exfiltration Multi-Stage Channels
User Execution Valid Accounts Screen Capture Exfiltration Over Other
Network Medium
Web Service
Replication Through
Removable Media
Exploitation for
Client Execution
DLL Search Order Hijacking Private Keys Permission Groups
Discovery
Windows Admin Shares Data Staged
Standard
Non-Application
Layer Protocol
AppCert DLLs Signed Script
Proxy Execution
Keychain Pass the Hash Input Capture Exfiltration Over
Alternative Protocol
Spearphishing via
Service
CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network
Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network
Connections Discovery
Shared Webroot Data Transfer
Size Limits
Connection Proxy
Spearphishing Link Mshta Launch Daemon Port Knocking
Two-Factor
Authentication
Interception
Logon Scripts Data from Local System Multilayer Encryption
Drive-by Compromise AppleScript Dylib Hijacking Indirect Command
Execution
System Owner/User
Discovery
Windows Remote
Management
Man in the Browser Data Compressed Standard Application
Layer ProtocolValid Accounts Source Application Shimming Data from Removable
Media
Scheduled Transfer
Space after Filename AppInit DLLs BITS Jobs Replication Through
Removable Media
System Network
Configuration Discovery
Application
Deployment Software
Commonly Used Port
Execution through
Module Load
Web Shell Control Panel Items Standard Cryptographic
Protocol
Service Registry Permissions Weakness CMSTP Input Capture Application Window
Discovery
SSH Hijacking
AppleScript Custom Cryptographic
Protocol
Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing
InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy
Discovery
Taint Shared Content
Regsvr32 Path Interception Hidden Files
and Directories
Kerberoasting Remote Desktop
Protocol
Data Obfuscation
Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command
and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services
Rundll32 Kernel Modules
and Extensions
Sudo Caching LC_MAIN Hijacking Account Manipulation System Information
Discovery
Communication
Through
Removable Media
Third-party Software SID-History Injection HISTCONTROL Credentials in Files
Scripting Port Knocking Sudo Hidden Users Security Software
DiscoveryGraphical User Interface SIP and Trust
Provider Hijacking
Setuid and Setgid Clear Command History Multiband
Communication
Command-Line
Interface
Exploitation for
Privilege Escalation
Gatekeeper Bypass Network Service
ScanningScreensaver Hidden Window Fallback Channels
Service Execution Browser Extensions Deobfuscate/Decode
Files or Information
Remote System
Discovery
Uncommonly Used Port
Windows Remote Re-opened Applications
Breaking Down ATT&CK
| 2 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
& Control
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
Procedures: Specific technique implementation

Groups and Software: Providing Technique Examples
| 3 |
attack.mitre.org

Example Group: APT28
| 4 |

ATT&CK Threat Intelligence Use Cases
▪ Structuring threat intelligence with ATT&CK allows us to do
cool things…
– Compare behaviors
– Communicate in a common language
| 5 |

Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control
Compare Groups to Each Other
| 6 |
*from open source
reporting we’ve mapped
APT28*

| 7 |
APT29

| 8 |
APT28
APT29
Both groups Prioritize!

Compare Groups to Defenses
| 9 |
Overlay known defensive gaps
APT28
APT29
Both groups

Compare Groups Over Time
| 10 |
Notional group in 2018
Same gro p in 2019…why did
we not see these techniques?

Communicate to Defenders
| 11 |
CTI
Analyst Defender
Registry Run Keys
/ Startup Folder
(T1060)
THIS is what the
adversary is doing!
The Run key is
AdobeUpdater.
Oh, we have
Registry data, we
can detect that!

Communicate Across the Community
| 12 |
CTI Consumer
Registry Run Keys
/ Startup Folder
(T1060)
Oh, you
mean T1060!
APT1337 is
using autorun
FUZZYDUCK
used a Run key
Company
A
Company
B

Mapping ATT&CK Techniques from a Threat Report
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Exploitation for Privilege Escalation (T1068)
Command-Line Interface (T1059)
System Owner/User Discovery (T1033)
Scheduled Task (T1053)
Standard Non-Application Layer Protocol (T1095) Uncommonly Used Port (T1065)
Uncommonly Used Port (T1065)
Multi-Stage Channels (T1104)
| 13 |

Technique Mapping Work Available from ATT&CK
| 14 |
5 years of reviewing and mapping
Technique examples for Software and Groups
~400 report sources
Only freely-available public reporting

Biases in ATT&CK’s Mapped Data
▪ Important to understand and state our biases in CTI
▪ Two kinds of bias in technique examples in ATT&CK
– Bias introduced by us
– Bias inherent in the sources we use
▪ Understanding these is the first step in properly leveraging this data
| 15 |

Security
Vendors
92%
Press
Reports
5%
Publicly-
available
Government
Reports
3%
Our Biases: Sources We Select
| 16 |
From reports used
for technique examples
in ATT&CK Groups

Our Biases: Availability Bias
| 17 |
All Possible
Techniques
Techniques
We
Remember

Our Biases: Novelty Bias
| 18 |
Yet another
FUZZYDUCK
using Powershell
report
APT1337
Using
Transmitted
Data
Manipulation

Source Biases: Availability Bias
| 19 |
All Possible
Behaviors
Familiar
Behaviors

Source Biases: Novelty Bias
| 20 |
Another APT1337
Report
APT1338
Report!!!

Source Biases: Victim Bias
| 21 |
Victim 4
Victim 5Victim 3
Victim 2
Victim 1

Source Biases: Visibility bias
| 22 |
Visible
Disk
Forensics
Network
Flows
Process
Execution
Powershell
Registry
Monitoring
Decoded
C2
Not Seen

Source Biases: Production Bias
| 23 |
Operation Snakepit
APT1337 Report
Operation Brown Fox
APT1338 Report
Ducks in the Wild
FUZZYDUCK Report
Source 1 Source 2

How Do We Deal With These Biases?
▪ Know that they exist
– Once you know them, you can
better determine what is real
data vs. your biases
▪ Be honest and explain them
| 24|
Tenor.com

Hedging Our Biases
▪ Work together
– Diversity of thought makes for stronger teams
▪ Adjust and calibrate your data sources
▪ Add different data sources
▪ Remember we’re prioritizing the known over the unknown
– As opposed to absolute comparison
| 25 |

Now that yo know those biases, here’s
your imperfect data!
| 26 |

1. Standard App Layer Protocol
2. Remote File Copy
3. System Information Discovery
4. Command-Line Interface
5. File and Directory Discovery
6. Registry Run Key/Startup Folder
7. Obfuscated Files or Information
8. File Deletion
9. Process Discovery
10.System Network Config Discovery
11.Credential Dumping
12.Screen Capture
13.Input Capture
14.System Owner/User Discovery
15.Scripting
16.Commonly Used Port
17.Standard Crypto Protocol
18.PowerShell
19.& 20 (tie!)
Masquerading and New Service
Top 20 Techniques from ATT&CK Group/Software Data
Know and explain our bias: availability
bias from analysts
Hedge our bias: how could we calibrate
by source?
| 27 |

ATT&CK Group/Software Data Across Tactics
| 28 |
39 47 42 35
58
31 35 33 28 20
38
19
145 145
98
193
82
173
120
96
55
194
Groups
Software
Know and explain our bias:
why is Initial Access low?
Hedge our bias:
work with others

Process for Making Recommendations from Techniques
| 29 |
5. Make recommendations
4. Determine what tradeoffs are for org on specific options
3. Research organizational capability/constraints
2. Research defensive options related to technique
1. Research how techniques are being used
0. Determine priority techniques

Takeaways
▪ Use ATT&CK for cyber threat intelligence to help yo …
– Compare behaviors
– Communicate in a common language
▪ Know the biases involved with mapping CTI reporting to ATT&CK
▪ Hedge those biases and use ATT&CK-mapped CTI to improve defenses
| 30 |

| 31 |
https://attack.mitre.org
attack@mitre.org
@MITREattack
Adam Pennington
@_whatshisface
Katie Nickels
@likethecoins

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Recommended

More Related Content

What's hot

What's hot (20)

Similar to FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Similar to FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™ (20)

Recently uploaded

Recently uploaded (20)

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™