The document summarizes a talk on using the MITRE ATT&CK framework to guide threat hunting and detection efforts. It provides an overview of ATT&CK, describes how to perform a preliminary assessment to prioritize techniques, and discusses using open source projects mapped to ATT&CK to improve coverage. It also cautions that alerting and hunting require different approaches, and that false positives should be addressed through dashboards rather than stopping detection development.
2. BIO
Sr Security Architect at Bell Canada
Threat Hunting Team Lead
Adversary Detection Team Lead
Blue Team Village Talk
Sunday 11:00
French Canadian
Don’t pronounce ‘h’ or ‘s’
6. What is ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge
Knowledge Base of Adversary Behavior (TTPs)
Tactics
Techniques
Procedures
Focus on Real Attacks
Provide a common language
Open Source
BSidesLV 2018 : ATT&CKing the Status Quo
https://youtu.be/p7Hyd7d9k-c
15. Preliminary Assessment
Basic Questions
Logs
Complexity
Severity
Probability
Dependency on other teams
Targets (Servers / Workstations)
Open Source Project
Data Source
Number
Know what you have
Focus on getting the ones you don’t
Plan your retention strategy
Quantify Your Hunt: Not Your Parents’ Red Teaming
https://youtu.be/w_kByDwB6J0 | https://youtu.be/u_RaWTzB1wA
17. Example of Questions
How many log sources do I have for this technique?
What is the probability of being targeted by this?
Does this target Linux servers?
Is there an open source project covering it?
0 - 35 = RED -> Low Dev Priority
36 - 75 = ORANGE -> Medium Dev Priority
76 - 100 = GREEN -> High Dev Priority
Weights: 35% / 30% / 25% / 10%
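The scoring on this slide, carried through in code as an added example (this is not the speaker's tooling): each technique is answered on the four questions, weighted, banded into RED / ORANGE / GREEN, and written out as an ATT&CK Navigator layer so the result can be tracked per snapshot. Two things are assumed rather than stated on the slide: the four weights map in order to the four example questions, and each question is answered on a 0-10 scale. The Navigator layer fields used (`techniqueID`, `score`, `color`, `comment`, `legendItems`) are the public layer format; the hex colors and the sample answers are constructed.

```python
"""Preliminary assessment scoring for ATT&CK techniques, exported as an
ATT&CK Navigator layer.  Added example, not the speaker's own tooling.

Assumptions (not stated on the slide): the four weights (35/30/25/10) map in
order to the four example questions, and each question is answered 0..10.
"""
import json

# (question key, weight); weights sum to 100, so a fully scored technique reaches 100.
QUESTIONS = [
    ("log_sources", 35),   # How many log sources do I have for this technique?
    ("probability", 30),   # What is the probability of being targeted by this?
    ("linux_server", 25),  # Does this target Linux servers?
    ("open_source", 10),   # Is there an open source project covering it?
]

# Score bands from the slide: upper bound, label, Navigator color (constructed), dev priority.
BANDS = [
    (35, "RED", "#ff6b6b", "Low Dev Priority"),
    (75, "ORANGE", "#ffb347", "Medium Dev Priority"),
    (100, "GREEN", "#8be28b", "High Dev Priority"),
]


def score_technique(answers):
    """answers maps each question key to an integer 0..10; returns a 0..100 score."""
    total = 0
    for key, weight in QUESTIONS:
        value = answers[key]                 # KeyError if a question was skipped
        if not 0 <= value <= 10:
            raise ValueError(f"{key}: answer {value} is outside 0..10")
        total += weight * value
    return round(total / 10)


def band(score):
    """Map a 0..100 score onto the slide's RED / ORANGE / GREEN bands."""
    for upper, label, color, priority in BANDS:
        if score <= upper:
            return label, color, priority
    raise ValueError(f"score {score} is outside 0..100")


def build_layer(name, assessment):
    """assessment maps technique ID -> answers dict; returns a Navigator layer dict."""
    techniques = []
    for technique_id in sorted(assessment):
        score = score_technique(assessment[technique_id])
        label, color, priority = band(score)
        techniques.append({
            "techniqueID": technique_id,
            "score": score,
            "color": color,
            "comment": f"{label}: {priority}",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Preliminary assessment snapshot",
        "techniques": techniques,
        "legendItems": [{"label": f"{label} - {priority}", "color": color}
                        for _, label, color, priority in BANDS],
    }


def band_counts(layer):
    """Techniques per band: the figure to compare between monthly/quarterly snapshots."""
    counts = {label: 0 for _, label, _, _ in BANDS}
    for entry in layer["techniques"]:
        counts[entry["comment"].split(":")[0]] += 1
    return counts


# Constructed answers for three techniques named in the talk (not the speaker's real scores).
ASSESSMENT = {
    "T1197": {"log_sources": 9, "probability": 9, "linux_server": 7, "open_source": 10},
    "T1085": {"log_sources": 8, "probability": 9, "linux_server": 0, "open_source": 10},
    "T1170": {"log_sources": 2, "probability": 3, "linux_server": 0, "open_source": 0},
}

if __name__ == "__main__":
    layer = build_layer("Prelim assessment - Q1", ASSESSMENT)
    print(json.dumps(layer, indent=2))   # save as .json and open it in the Navigator
    print(band_counts(layer))
```

Saving one layer per month or quarter and diffing `band_counts` between them gives the progression number the later slides ask for; changing the weights or the band edges is a one-line edit, as long as the team agrees on the legend.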
23. Metrics & KPI
Good
Show Monthly Progression
Show Coverage
Prioritize Data Source
Alerting vs Hunting
Single vs Multiple
Bad
Assuming all TTPs are equal
Falling for Coverage vs Depth
Some TTPs are not for Alerting
Not counting non-ATT&CK detections
Converting all the rules from a project into alerts
5 Ways to Screw Up Your Security Program with ATT&CK
https://youtu.be/MBVxaE9oaMQ
32. Olaf Hartong’s ThreatHunting
• https://github.com/olafhartong/ThreatHunting
• A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
• Olaf Hartong
38. T1170 - MSHTA
2. Search for “mshta” in our logs
No hits
3. Build Alerting Pipeline (easy content)
4. Built training on how MSHTA can be used by adversaries
5. Put detection in production
6. To date, zero false positives
39. T1197 - BITS Jobs
2. Search for “bitsadmin” and “Start-BitsTransfer” in our logs
A few hits across all endpoints
i. Research
   Process Creation (Sysmon Event ID 1): bitsadmin.exe /transfer /Download /priority
ii. File Creation (Sysmon Event ID 11)
   BITXXX.tmp
   “C:\Windows\SoftwareDistribution\Download” (Windows Update)
40. T1197 - BITS Admin
3. Build Alerting Pipeline
4. Built training on why BITS Admin is important
5. Put detection in production
6. To date, zero false positives
41. T1085 - Rundll32
2. Search for “rundll32” in our logs
Gazillions of hits
3. Build Alerting Pipeline (whitelisting for months)
4. Built training on why Rundll32 is important
5. Put detection in production
6. Keeps generating FPs
Solution: a dashboard that is reviewed weekly
43. Key Takeaways
ATT&CK addresses the highest level of the Pyramid of Pain (PoP)
Perform a Preliminary Assessment of all Techniques
Choose the right questions
Define scores
Track in Enterprise-Navigator
https://mitre-attack.github.io/attack-navigator/enterprise/
Use Open Source Projects to improve coverage
Don’t confuse Alerting and Hunting
When there are too many FPs, use dashboards
Stop, Drop and Assess Your SOC
https://youtu.be/SMKVkpzGhOs
For those who aren’t French speaking, the title of the talk is a reference to Star Wars
There won’t be any technical deep dive into any of the techniques of the ATT&CK Framework
Tactics: the “why”, i.e. the adversary’s tactical objective, the reason for performing an action (Credential Access? Persist on your system?)
Techniques: the “how”, the way an adversary achieves a tactical objective, e.g. dumping credentials vs brute force / password spraying
Procedures: the exact ways, e.g. using Mimikatz, or the exact command line, e.g. cat /etc/passwd
Focus: it’s not a Bible. It does not contain all the attacks under the sun.
Language: for the Red Team, the Blue Team, the community, vendors
Open Source: community driven and actively maintained
ATT&CKing the Status Quo, by Katie Nickels & John Wunder
This simple diagram shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
Hash: add a SPACE to your file and you are done
IP: build a new VPS, or jump to another compromised machine
Domains: register a new one (free DynDNS)
Artifacts: User-Agent string, some function name
Tools: Meterpreter shell -> forces them to use another framework altogether, which means a learning curve
TTP: Pass-the-Hash, Auto-Run registry keys, etc.
The Pyramid of Pain, by David Bianco
Probability: what is more likely to happen: a phish against my employees or a supply chain attack?
Dependency: in large enterprises you might need to deal with the Server Team, the Web Server Team, the App Team, the DBA Team, etc. to get your logs
Your current scope might be only a subset of your assets (workstations, DMZ, crown jewels like PCI, etc.)
Open Source: I have a dedicated section to present a few interesting projects that can help you
Number: how many of the listed sources do we currently collect?
Know: inventory of all your sources
Focus: Sysmon, for example, covers ~70% of the techniques in the matrix. So if you don’t have Sysmon on your servers (and you have Windows servers), that might be where you should put your efforts
ROI: how long should I store my data? FW logs vs Sysmon vs AV vs NIPS. How many EPS do they generate, how far back does my DFIR team need to go and which logs do they use the most? How much does it cost to store that data in Hot/Warm/Cold, what is the price per gig?
BSidesCharm & SANS DFIR Summit
Define your color coding and use the LEGEND
Green might mean you have all Data Sources
Or RED = HIGH Priority
As long as the team agrees and we can easily come back to what it means
Once the Prelim Assessment is done, create a new layer
Take monthly or quarterly snapshots to show management
Again, define Score/Color (Compliance (report) vs Hunting vs Alert)
This is Q1
5 Techniques
This is Q2
15 Techniques and improved on Hardware Addition
It took me a few minutes to tell them exactly how much coverage we had: 90%, and we started working on the missing TTPs in the next sprint
TM = You wouldn’t attack a retailer for the same reasons you attack media – give an example
TA = Which TAs are after your vertical? You can profile them, follow researchers that focus on them
If you know that APT999 is targeting you, you can select it in the Navigator and highlight all the Tactics they are known to have used
TTP = What is the list of TTPs they used or are using? Do you have detection for all of them? You can now prioritize those Tactics
GOOD
Monthly or quarterly save your layer so you can revisit / show your progress
Show % increase over period
Show gap reduction in Data Sources coverage
BAD
EQUAL: PowerShell vs Bash history. One is endless and can pretty much do all of the TTPs, the other is simply monitoring 1 file per user
Coverage vs Depth: if the team is scored solely on the number of TTPs covered, they might be enticed to write only a very simple rule to detect a technique and then switch to the next, leaving you vulnerable to many other attack scenarios
Again, PowerShell for example. You could watch only for PowerShell establishing a remote connection to a known bad IP. It’s a good rule but it’s not nearly enough to say you cover POSH.
Don’t fall for one mile wide, one inch deep (like CISSP ;)
Alerting: TTPs like File Deletion are not made for either Alerting or Hunting. They can be used during a forensics investigation
Non-ATT&CK: ATT&CK != Bible. It only contains TTPs that have been reported to be used by adversaries. I asked about Bloodhound…
Another example is adding your own SSH key to authorized_keys to achieve Persistence. It is important to monitor but it is not (yet) in ATT&CK
CONVERT: in the next few slides I will present a few open source projects and we will elaborate on this.
Converting all rules from Sigma or any other project into alerts will flood your analysts
They will lose confidence in ATT&CK, but more importantly in YOU. Convert a small number at a time (1, 3, 5) depending on your team capacity
Soak for a few weeks; when satisfied with the level of noise, convert to an alert.
Some are NOT made to be alerts; you can have Hunting Dashboards or IR Dashboards that give context, e.g. all PowerShell & CMD commands.
It’s all open source, you just open /default/savedsearches.conf
You will see a
You search for the TTP you want and you have a “search” entry
It is now very easy to convert to the SIEM you are using.
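Pulling those “search” entries out per technique is a small parsing job, shown here as an added example (not code from the ThreatHunting app, and the stanzas below are constructed in savedsearches.conf syntax rather than copied from the app). The parser handles the three things a .conf file needs: `[stanza]` headers, `key = value` pairs, and a trailing backslash continuing a long search onto the next line. It assumes the technique ID appears in the stanza name; if an app keeps the mapping in another field, point the regex at that field instead.

```python
"""Pull ATT&CK-mapped saved searches out of a Splunk savedsearches.conf.
Added example, not code from the ThreatHunting app; the stanza names and
searches below are constructed and not the app's real content.  Technique
IDs are assumed to appear in the stanza name."""
import re

# Constructed sample: '[stanza]' headers, 'key = value' pairs, and a trailing
# backslash continuing a value onto the next line, as in real .conf files.
SAMPLE_CONF = r"""
# comments and blank lines are ignored

[Hunt - T1197 BITS Jobs - bitsadmin transfer]
search = index=sysmon EventCode=1 Image="*bitsadmin.exe" \
  CommandLine="*transfer*" \
| stats count by host, User, CommandLine
disabled = 0
cron_schedule = */30 * * * *

[Hunt - T1085 Rundll32 - unusual parent]
search = index=sysmon EventCode=1 Image="*rundll32.exe" \
| stats count by ParentImage, CommandLine
disabled = 1
"""

TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def parse_conf(text):
    """Return {stanza: {key: value}}; a trailing backslash joins a value with the next line."""
    stanzas, current, pending_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending_key is not None:              # continuation of the previous value
            continues = line.endswith("\\")
            piece = line[:-1] if continues else line
            stanzas[current][pending_key] += " " + piece.strip()
            pending_key = pending_key if continues else None
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line outside a stanza or without '=': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if value.endswith("\\"):
            pending_key = key
            value = value[:-1].rstrip()
        stanzas[current][key] = value
    return stanzas


def searches_by_technique(stanzas):
    """Group saved searches by the technique ID(s) found in their stanza name."""
    grouped = {}
    for name, fields in stanzas.items():
        if "search" not in fields:
            continue
        for technique_id in TECHNIQUE_ID.findall(name):
            grouped.setdefault(technique_id, []).append({
                "name": name,
                "search": fields["search"],
                "enabled": fields.get("disabled", "0") != "1",
                "schedule": fields.get("cron_schedule"),
            })
    return grouped


if __name__ == "__main__":
    for tid, searches in sorted(searches_by_technique(parse_conf(SAMPLE_CONF)).items()):
        for s in searches:
            state = "enabled" if s["enabled"] else "disabled"
            print(f"{tid} [{state}] {s['name']}\n    {s['search']}")
```

The `enabled` flag matters for the conversion advice above: a project ships many of its searches disabled, and the ones you turn into alerts should be picked a few at a time from this list rather than all at once.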
1- Identify: which TTP we want to work on. Based on our list, chatter on various media (Slack, Twitter, threat reports, open source projects, etc.)
2- Proof of Concept: basic query/filter to see how many hits we have in our dataset
3- Develop: optimize the query, create an alert, document using the ADS Framework from Palantir
4- Train: build training for our 24/7 analysts. Wiki page, PowerPoint and a recorded version
5- Go Live: alerts are sent to the 24/7 analysts
6- Evolve: monitor the FP ratio and modify / whitelist the content
1- Background Intelligent Transfer Protocol
1.1 - Another known LOLBin
2 - Windows Update uses BITS.
2.1 Looked for /Download, but a bit of evasion à la Daniel Bohannon showed us that you can modify that
2.2 We found out that BITS ALWAYS creates a file
That directory is not writable, so we can whitelist it. If someone writes there to avoid our detection, we have other serious problems…
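The T1197 research from slides 39-40 and these notes, as detection logic over constructed Sysmon-style events. This is an added example, not the speaker's production content: the field names follow Sysmon Event ID 1 (process creation) and Event ID 11 (file creation), while the events, host names and URLs are made up. It keys on the two facts the notes establish: a BITS transfer job leaves a `BIT*.tmp` file wherever it lands, and the only expected location for those files is Windows Update's `C:\Windows\SoftwareDistribution\Download`, so that directory is whitelisted and everything else alerts. The process-creation rule is kept as a first pass, but the file-creation rule is the one that does not depend on how the command line was written.

```python
"""Detection logic for T1197 BITS Jobs over constructed Sysmon-style events.
Added example; not the speaker's production content.  Field names follow
Sysmon Event ID 1 (process creation) and Event ID 11 (file creation); the
events themselves, host names and URLs are made up."""
import json
import ntpath
import re

# Windows Update's own BITS download directory (from the talk): the one place
# BITS temp files are expected, so it is whitelisted.
WHITELISTED_DIRS = {r"c:\windows\softwaredistribution\download"}

# The slide shows BITS temp files as BITXXX.tmp; matched case-insensitively on the file name.
BITS_TMP = re.compile(r"^bit[0-9a-z]+\.tmp$", re.IGNORECASE)

# Constructed Sysmon-like events as JSON lines (backslashes doubled for JSON).
SAMPLE_EVENTS = r"""
{"EventID": 11, "UtcTime": "2019-08-10 14:02:11", "Computer": "wks-017", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\SoftwareDistribution\\Download\\BIT1A2B.tmp"}
{"EventID": 1, "UtcTime": "2019-08-10 14:05:38", "Computer": "wks-017", "Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin.exe /Transfer job1 /priority FOREGROUND http://files.example/update.bin C:\\Users\\Public\\update.bin"}
{"EventID": 11, "UtcTime": "2019-08-10 14:05:40", "Computer": "wks-017", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Users\\Public\\BIT7F3C.tmp"}
{"EventID": 1, "UtcTime": "2019-08-10 14:09:02", "Computer": "srv-004", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -Command Start-BitsTransfer -Source http://files.example/a.zip -Destination C:\\Temp\\a.zip"}
{"EventID": 1, "UtcTime": "2019-08-10 14:10:00", "Computer": "wks-017", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
"""


def detect(event):
    """Return a reason string if the event matches the BITS detection, else None."""
    event_id = event.get("EventID")
    if event_id == 1:
        image = ntpath.basename(event.get("Image", "")).lower()
        cmdline = event.get("CommandLine", "").lower()
        # Process-creation pass: the notes say the /Download switch can be
        # altered, so this is the cheap first check, not the only one.
        if image == "bitsadmin.exe" and "/transfer" in cmdline:
            return "bitsadmin transfer job"
        if "start-bitstransfer" in cmdline:
            return "PowerShell Start-BitsTransfer"
    elif event_id == 11:
        target = event.get("TargetFilename", "")
        directory = ntpath.dirname(target).lower()
        # BITS always creates a temp file, so a BIT*.tmp anywhere except the
        # Windows Update directory is worth an alert regardless of command line.
        if BITS_TMP.match(ntpath.basename(target)) and directory not in WHITELISTED_DIRS:
            return "BITS temp file outside Windows Update directory"
    return None


def load_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def run_detection(events):
    """Return one hit per matching event, in log order."""
    hits = []
    for event in events:
        reason = detect(event)
        if reason:
            hits.append({"time": event["UtcTime"], "host": event["Computer"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in run_detection(load_events(SAMPLE_EVENTS)):
        print(f"{hit['time']} {hit['host']}: {hit['reason']}")
```

On the sample the Windows Update file is the only BITS temp file that stays quiet; the same whitelist set is where other legitimate BITS consumers would be added after the soak period, one directory at a time rather than by loosening the file-name match.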
Prelim is a good way to start with ATT&CK
Coverage
Andy Applebaum From MITRE