Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to The SOC Counter ATT&CK
Similar to The SOC Counter ATT&CK (20)
Recently uploaded
Recently uploaded (20)
The SOC Counter ATT&CK
- 1. THE SOC COUNTER ATT&CK By Mathieu Saulnier @ScoubiMtl
- 2. BIO Sr Security Architect at Bell Canada Threat Hunting Team Lead Adversary Detection Team Lead Blue Team Village Talk Sunday 11:00 French Canadian Don’t pronounce ‘h’ or ‘s’
- 4. Agenda ATT&CK Overview ATT&CK-Navigator Preliminary Assessment ATT&CK & Open Sources Building Detection
- 6. What is ATT&CK Adversarial Tactics, Techniques, and Common Knowledge Knowledgebase of Adversary Behavior (TTP) Tactics Techniques Procedures Focus on Real Attacks Provide a common language Open Source BSidesLV 2018 : ATT&CKing the Status Quo https://youtu.be/p7Hyd7d9k-c
- 15. Preliminary Assessment Basic Questions Logs Complexity Severity Probability Dependency on other teams Targets (Servers / Workstations) Open Source Project Data Source Number Know what you have Focus on getting the one you don’t Plan your retention strategy Quantify Your Hunt: Not Your Parents Red Teaming https://youtu.be/w_kByDwB6J0 | https://youtu.be/u_RaWTzB1wA
- 16. Scoring Each Question have points / weight Score Each TTP (color) Script to apply to the JSON file
- 17. Example of Questions How Many log sources do I have for this Technique? What is the probability to be targeted by this? Does this target Linux server? Open Source Project? 0 - 35 = RED -> Low Dev Priority 36 - 75 = ORANGE -> Medium Dev Priority 76 - 100 = GREEN -> High Dev Priority 35% 30% 25% 10%
- 19. Track Progress & Coverage
- 20. Track Progress & Coverage
- 21. Management Questions March 19 : Red Canary - Threat Detection Report https://redcanary.com/resources/guides/threat-detection-report/
- 22. Know Your Enemy Threat Model Threat Actors TTP
- 23. Metrics & KPI Good Show Monthly Progression Show Coverage Prioritize Data Source Alerting vs Hunting Single vs Multiple Bad Assuming all TTP are equal Falling for Coverage vs Depth Some TTP are not for Alerting Not counting Non ATT&CK Convert all rules from a project to an Alert 5 Ways to Screw Up Your Security Program with ATT&CK https://youtu.be/MBVxaE9oaMQ
- 24. ATT&CK & OPEN SOURCE
- 25. Sigma https://github.com/Neo23x0/sigma Generic Signature Format for SIEM Systems Florian Roth
- 26. Sigma https://github.com/Neo23x0/sigma Generic Signature Format for SIEM Systems Florian Roth
- 27. SysMon Modular https://github.com/olafhartong/sysmon-modular A repository of sysmon configuration modules Olaf Hartong
- 28. SysMon Modular
- 29. OSQuery-attck https://github.com/teoseller/osquery-attck Mapping the MITRE ATT&CK Matrix with Osquery Filippo Mottini
- 30. OSQuery
- 31. Olaf Hartong’s ThreatHunting https://github.com/olafhartong/ThreatHunting A Splunk app mapped to MITRE ATT&CK to guide your threat hunts Olaf Hartong
- 32. Olaf Hartong’s ThreatHunting • https://github.com/olafhartong/ThreatHunting • A Splunk app mapped to MITRE ATT&CK to guide your threat hunts • Olaf Hartong
- 34. Atomic Red Team https://github.com/redcanaryco/atomic-red-team Small and highly portable detection tests based on MITRE's ATT&CK. Red Canary Slack : https://slack.atomicredteam.io/ Atomic Friday’s : https://bit.ly/2VpNRVT
- 35. Atomic Red Team https://github.com/redcanaryco/atomic-red-team Small and highly portable detection tests based on MITRE's ATT&CK. Red Canary
- 37. The Process Identify Proof of Concept Develop Train Go Live Evolve
- 38. T1170 - MSHTA 2. Search for “mshta” in our logs No hits 3. Build Alerting Pipeline (Easy content) 2. Built training on how MSHTA can be used by adversaries 3. Put detection in production 4. To date, zero false positive
- 39. T1197 - BITS Jobs 2. Search for “bitsadmin” and “Start-BitsTransfer” in our logs Few hits on all end points i. Research Process Creation (Sysmon ID: 1) bitsadmin.exe /transfer /Download /priority ii. File creation (Sysmon ID: 11) BITXXX.tmp “C:WindowsSoftwareDistributionDownload” Windows Update
- 40. T1197 - BITS Admin 3. Build Alerting Pipeline 4. Built training on why BITS Admin is important 5. Put detection in production 6. To date, zero false positive
- 41. T1085 - Rundll32 2. Search for “rundll32” in our logs Gazillions of hits 3. Build Alerting Pipeline (Whitelisting for months) 4. Built training on why Rundll32 is important 5. Put detection in production 6. Keep on generating FP Solution : Dashboard that is reviewed weekly
- 42. CONCLUSION
- 43. Key Takeaways ATT&CK address the highest level of the PoP Perform a Preliminary Assessment of all Techniques Choose the right questions Define scores Track in Enterprise-Navigator https://mitre-attack.github.io/attack-navigator/enterprise/ Use Open Source Projects to improve coverage Don’t confuse Alerting and Hunting When there is too many FP, use dashboards Stop, Drop and Assess Your SOC https://youtu.be/SMKVkpzGhOs
- 44. Thank You @Grifter801, @PyroTek3, @danielhbohannon @cyb3rops, @olafhartong, Filippo Mottini, @redcanaryco @MITREcorp, @MITREattack @Bell, @BSidesLV
Editor's Notes
- For those who aren’t French speaking, the title of the talk is a refence to Star Wars
- There won’t be any technical deep dive into any of the technique of the ATT&CK Framework
- Tactics : the “why” OR adversary’s tactical objective: the reason for performing an action. (Credential Access or Persist on your system?) Techniques : the “how” adversary achieves a tactical objective eg: Dump Credential vs Brute Force / Pass Spray Procedures : exact ways eg Using Mimikatz, the exact command line eg: cat /etc/passwd Focus: It’s not a Bible. It does not contains all the attacks under the sun. Language: For the Red Team, Blue Team, The Community, Vendor Open Source: Community driven and It is actively maintain Status Quo by Katie Nickels & John Wunder
- This simple diagram shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them. Hash : Add a SPACE in your file and you are done IP : Build a new VPS, jump to another compromise machine Domains : Register a new one (free DynDNS) Artifacts : User-Agent String, Some Function Name Tools : Meterpreter Shell -> Force them to use another Framework all together which means, learning curve TTP : Pass-the-Hash, Auto-Run Registry Keys, etc By David Bianco
- Probability : What is more likely to happened : Phish against my employee or supply chain attack Dependency : In large enterprises you might need to deal with the Server Team, the Web Server Team, The App Team, DBA Team, etc. etc. to get your logs Your current scope might be only a subset of your assets (Workstations, DMZ, Crown Jewels like PCI, etc) Open Source : I have a dedicated section to present a few interesting projects that can help you Number : How many of the listed source do we currently collect? Know : Inventory of all your sources Focus : Sysmon for example covers ~70% of the technique in the matrix. So if you don’t have Sysmon on your servers (and you have Windows servers) that might be where you should put your efforts ROI : How long should I store my data? FW Logs vs Sysmon vs AV vs NIPS How many EPS do they generate, how far does my DFIR team needs to go and which logs do they use the most? How much to store that data in Hot/Warm/Cold what is the price per gig BSidesCharm & SANS DFIR Summit
- Define your color coding and use the LEGENDE Green might means you have all Data Sources Or RED = HIGH Priority As long as the team agrees and we can easily come back to what it means
- Once Prelim Ass is done Create a new layer Take Monthly or Quarterly Snapshot to show management Again define Score/Color (Compliance (report) vs Hunting vs Alert This is Q1 5 Techniques
- This is Q2 15 Techniques and improved on Hardware Addition
- It took me a few minutes to tell them exactly how much coverage we had 90% and we started working on the missing TTP on the next sprint
- TM = You wouldn’t attack a retail for the same reasons you attack media – Give example TA = Which TA are after your vertical? You can profile them, follow researchers that focus on them If you know that APT999 is targeting you, you can select it in the Navigator and highlight all the Tactics they are known to have use TTP = What are the list of TTP they used or are using? Do you have detection for all of them? You can now prioritize those Tactics
- GOOD Monthly or quarterly save your layer so you can revisit / show your progress Show % increase over period Show gap reduction in Data Sources coverage BAD EQUAL : Powershell vs Bash History. One is endless and can pretty much do all of TTP the other is simply monitoring 1 file per user Coverage vs Depth : If the team is scored solely on Number of TTP Covered they might be entice to do only a very simple rule to detect a technique and then switching to the next, leaving you vulnerable to many other attack scenario Again Powershell for example. You could watch only for Powershell establishing remote connection to Known Bad IP. It’s a good rule but it’s not nearly enough to say you cover POSH. Don’t fall for One mile wide one inch deep (like CISSP ;) Alerting : TTP like File Deletion are not made for either Alerting or Hunting. They can be used during a Forensics investigation Non-ATTACK : ATT&CK != Bible. It only contains TTP that have been reported to be used by Adversaries. I asked about Bloodhound… Another example is adding your own SSH key to authorized_keys to achieve Persistence. It is important to monitor but it is not (yet) in ATT&CK CONVERT : Next few slides I will present a few OS Project and we will elaborate on this.
- Converting all rules from Sigma or any other projects into alerts will flood your analysts They will lose confidence in ATT&CK, but more importantly in YOU Convert a small number at a time (1, 3, 5) depending on your team capacity Soak a few weeks, when satisfy with the level of noise convert to alert. Some are NOT made to be alert, you can have Hunting Dashboards or IR Dashboards give context eg : All PowerShell & CMD commands.
- It’s all open soure you just open /default/savedsearches.conf You will see a
- You search for the TTP you want and you have a “search” entry It’s it now very easy to convert to the SIEM you are using.
- 1- Identify : Which TTP we want to work on. Based on our list, chatter on various media (Slack, Twitter, Threat Reports, Open Source Project, etc.) 2- Proof of Concept : Basic query/filter to see how much hits we have in our dataset 3- Develop : Optimize the query, create an alert, document using ADS Framework from Palantir 4- Train : Building training for our 24/7 analysts. Wiki Page, PowerPoint and a recorded version 5- Go Live : Alerts are sent to 24/7 analysts 6- Evolve : Monitor the FP ratio and modify / White List the content
- 1- Background Intelligent Transfer Protocol 1.1 - Another known lolbin 2 - Windows Updates uses BITS.. 2.1 Looked for /Download but a bit of evasion “a la Daniel Bohannon showed us that you can modify that 2.2 We found out that BITS ALWAYS create a file That directory is not writable so we can white list it. If someone writes there to avoid our detection, we have other serious problem…
- Prelim is a good way to start with ATT&CK Coverage Andy Applebaum From MITRE