FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. Turning Intelligence into Action with MITRE ATT&CK™ Katie Nickels @likethecoins Adam Pennington @_whatshisface MITRE ATT&CK @MITREattack | 1 |

2. What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

3. The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ? + ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

4. Zooming in on the Adversary Lifecycle Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK Mobile ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

5. Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark Discovery Exploitation of Remote Services Data from Information Repositories Exfiltration Over Physical Medium Remote Access Tools Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for Credential Access Port Knocking Supply Chain Compromise Local Job Scheduling Access Token Manipulation Network Share Discovery Distributed Component Object Model Video Capture Exfiltration Over Command and Control Channel Multi-hop Proxy Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting Spearphishing Attachment Launchctl Process Injection Hooking Peripheral Device Discovery Remote File Copy Automated Collection Data Encoding Signed Binary Proxy Execution Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy Exploit Public-Facing Application Plist Modification LLMNR/NBT-NS Poisoning File and Directory Discovery Replication Through Removable Media Email Collection Automated Exfiltration Multi-Stage Channels User Execution Valid Accounts Screen Capture Exfiltration Over Other Network Medium Web Service Replication Through Removable Media Exploitation for Client Execution DLL Search Order Hijacking Private Keys Permission Groups Discovery Windows Admin Shares Data Staged Standard Non-Application Layer Protocol AppCert DLLs Signed Script Proxy Execution Keychain Pass the Hash Input Capture Exfiltration Over Alternative Protocol Spearphishing via Service CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network Connections Discovery Shared Webroot Data Transfer Size Limits Connection Proxy Spearphishing Link Mshta Launch Daemon Port Knocking Two-Factor Authentication Interception Logon Scripts Data from Local System Multilayer Encryption Drive-by Compromise AppleScript Dylib Hijacking Indirect Command Execution System Owner/User Discovery Windows Remote Management Man in the Browser Data Compressed Standard Application Layer ProtocolValid Accounts Source Application Shimming Data from Removable Media Scheduled Transfer Space after Filename AppInit DLLs BITS Jobs Replication Through Removable Media System Network Configuration Discovery Application Deployment Software Commonly Used Port Execution through Module Load Web Shell Control Panel Items Standard Cryptographic Protocol Service Registry Permissions Weakness CMSTP Input Capture Application Window Discovery SSH Hijacking AppleScript Custom Cryptographic Protocol Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy Discovery Taint Shared Content Regsvr32 Path Interception Hidden Files and Directories Kerberoasting Remote Desktop Protocol Data Obfuscation Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services Rundll32 Kernel Modules and Extensions Sudo Caching LC_MAIN Hijacking Account Manipulation System Information Discovery Communication Through Removable Media Third-party Software SID-History Injection HISTCONTROL Credentials in Files Scripting Port Knocking Sudo Hidden Users Security Software DiscoveryGraphical User Interface SIP and Trust Provider Hijacking Setuid and Setgid Clear Command History Multiband Communication Command-Line Interface Exploitation for Privilege Escalation Gatekeeper Bypass Network Service ScanningScreensaver Hidden Window Fallback Channels Service Execution Browser Extensions Deobfuscate/Decode Files or Information Remote System Discovery Uncommonly Used Port Windows Remote Re-opened Applications Breaking Down ATT&CK | 2 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command & Control Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures: Specific technique implementation ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

8. ATT&CK Threat Intelligence Use Cases ▪ Structuring threat intelligence with ATT&CK allows us to do cool things… – Compare behaviors – Communicate in a common language ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 5 |

9. Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 6 | *from open source reporting we’ve mapped APT28* ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

10. Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 7 | APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

11. Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 8 | APT28 APT29 Both groups Prioritize! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

12. Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Defenses | 9 | Overlay known defensive gaps APT28 APT29 Both groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

13. Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups Over Time Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control | 10 | Notional group in 2018 Same gro p in 2019…why did we not see these techniques? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

14. Communicate to Defenders | 11 | CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

15. Communicate Across the Community ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 12 | CTI Consumer Registry Run Keys / Startup Folder (T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B

16. Mapping ATT&CK Techniques from a Threat Report https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html Exploitation for Privilege Escalation (T1068) Command-Line Interface (T1059) System Owner/User Discovery (T1033) Scheduled Task (T1053) Standard Non-Application Layer Protocol (T1095) Uncommonly Used Port (T1065) Uncommonly Used Port (T1065) Multi-Stage Channels (T1104) | 13 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

17. Technique Mapping Work Available from ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 14 | 5 years of reviewing and mapping Technique examples for Software and Groups ~400 report sources Only freely-available public reporting

18. Biases in ATT&CK’s Mapped Data ▪ Important to understand and state our biases in CTI ▪ Two kinds of bias in technique examples in ATT&CK – Bias introduced by us – Bias inherent in the sources we use ▪ Understanding these is the first step in properly leveraging this data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 15 |

19. Security Vendors 92% Press Reports 5% Publicly- available Government Reports 3% Our Biases: Sources We Select | 16 | From reports used for technique examples in ATT&CK Groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

21. Our Biases: Novelty Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 18 | Yet another FUZZYDUCK using Powershell report APT1337 Using Transmitted Data Manipulation

25. Source Biases: Visibility bias | 22 | Visible Disk Forensics Network Flows Process Execution Powershell Registry Monitoring Decoded C2 Not Seen ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

26. Source Biases: Production Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 23 | Operation Snakepit APT1337 Report Operation Brown Fox APT1338 Report Ducks in the Wild FUZZYDUCK Report Source 1 Source 2

27. How Do We Deal With These Biases? ▪ Know that they exist – Once you know them, you can better determine what is real data vs. your biases ▪ Be honest and explain them ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 24| Tenor.com

28. Hedging Our Biases ▪ Work together – Diversity of thought makes for stronger teams ▪ Adjust and calibrate your data sources ▪ Add different data sources ▪ Remember we’re prioritizing the known over the unknown – As opposed to absolute comparison ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 25 |

30. 1. Standard App Layer Protocol 2. Remote File Copy 3. System Information Discovery 4. Command-Line Interface 5. File and Directory Discovery 6. Registry Run Key/Startup Folder 7. Obfuscated Files or Information 8. File Deletion 9. Process Discovery 10.System Network Config Discovery 11.Credential Dumping 12.Screen Capture 13.Input Capture 14.System Owner/User Discovery 15.Scripting 16.Commonly Used Port 17.Standard Crypto Protocol 18.PowerShell 19.& 20 (tie!) Masquerading and New Service Top 20 Techniques from ATT&CK Group/Software Data Know and explain our bias: availability bias from analysts Hedge our bias: how could we calibrate by source? | 27 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

31. ATT&CK Group/Software Data Across Tactics ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 28 | 39 47 42 35 58 31 35 33 28 20 38 19 145 145 98 193 82 173 120 96 55 194 Groups Software Know and explain our bias: why is Initial Access low? Hedge our bias: work with others

32. Process for Making Recommendations from Techniques | 29 | 5. Make recommendations 4. Determine what tradeoffs are for org on specific options 3. Research organizational capability/constraints 2. Research defensive options related to technique 1. Research how techniques are being used 0. Determine priority techniques ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

33. Takeaways ▪ Use ATT&CK for cyber threat intelligence to help yo … – Compare behaviors – Communicate in a common language ▪ Know the biases involved with mapping CTI reporting to ATT&CK ▪ Hedge those biases and use ATT&CK-mapped CTI to improve defenses ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 30 |

34. | 31 | https://attack.mitre.org attack@mitre.org @MITREattack Adam Pennington @_whatshisface Katie Nickels @likethecoins ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.