
MITRE ATTACKcon Power Hour - January

Presentation slides from the MITRE ATT&CKcon Power Hour session held on January 14, 2021.


  1. Welcome
  2. Join us on Slack https://join.slack.com/t/mitreattack/shared_invite/zt-kyydxo81-XZlEJGFTo33pby~Mf2aYvQ
  3. MEASURE WHAT MATTERS: HOW TO USE MITRE ATT&CK TO DO THE RIGHT THINGS IN THE RIGHT ORDER
  4. curl http://169.254.169.254/latest/meta-data/profile Daniel Wyleczuk-Stern (he/him) @Daniel_Infosec
  5. Agenda • Assumptions • The Problem • Books & Principles • The Main Idea • Examples • Devil’s Advocate and Disclaimers
  6. Assumptions • Security is technical risk management • Leadership needs to spend just enough to reduce risk to an appropriate level • Our field is not good at quantitative risk management yet. Formulas: Risk = Likelihood x Impact; Risk Reduction ROI = (Reduction in Risk ($) – Cost of Control ($)) / Cost of Control ($); Reduction in Risk = (Annualized Rate of Occurrence) x (Expected Monetary Loss) x (Decrease in Risk Probability)
  7. The Problem • How do you calculate all that? • How do we measure impact/likelihood? • How do we estimate how much risk we will reduce by implementing a solution? • How do we ensure standardization across multiple potential projects?
  8. Books
  9. Guiding Principles • Your problem is not as unique as you think • You have more data than you think • You need less data than you think • An adequate amount of new data is more accessible than you think • Some reduction in uncertainty is better than none • Risk quantification is possible through understanding threats
  10. Application Security Gets It: the STRIDE Framework. Results: standardized, repeatable, and defendable threat models. Threat → Property Violated: Spoofing → Authentication; Tampering → Integrity; Repudiation → Non-Repudiation; Information Disclosure → Confidentiality; Denial of Service → Availability; Elevation of Privilege → Authorization
  11. The Main Idea • Use ATT&CK TTPs in your threat models • Helps with: consistency, estimates/research, standardization, measurements!
  12. SO MUCH DATA!!! https://www.rapid7.com/research/report/2020-threat-report/
  13. DIY Data
  14. Impact Data Exists: Cost of a Data Breach Report - 2019
  15. Examples • Threat modeling and measurement with ATT&CK helps avoid recency bias • VS $50k/month $5k/month
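The formulas on the Assumptions slide, carried through for a threat model keyed by ATT&CK technique so that two candidate controls can be ranked by Risk Reduction ROI. This is an added example, not code from the talk; the $50k/month and $5k/month figures from the Examples slide are assumed here to be annual control costs ($600k and $60k), and every ARO, loss and probability-decrease value is a constructed sample, not a measurement.

```python
"""Risk Reduction ROI for an ATT&CK-mapped threat model (added example)."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One threat-model entry, expressed as an ATT&CK technique."""
    technique: str   # ATT&CK technique ID, e.g. T1078 (Valid Accounts)
    aro: float       # Annualized Rate of Occurrence (events per year)
    loss: float      # Expected Monetary Loss per event ($)

    @property
    def annual_risk(self) -> float:
        # Risk = Likelihood x Impact, annualized
        return self.aro * self.loss


@dataclass
class Control:
    """A candidate control: its annual cost and the estimated decrease in
    risk probability it gives against each technique it touches."""
    name: str
    annual_cost: float
    reductions: dict = field(default_factory=dict)  # technique ID -> 0.0..1.0


def risk_reduction(threats, control) -> float:
    """Reduction in Risk ($) summed over techniques:
    ARO x Expected Monetary Loss x Decrease in Risk Probability."""
    total = 0.0
    for t in threats:
        p = control.reductions.get(t.technique, 0.0)
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"bad probability decrease {p} for {t.technique}")
        total += t.aro * t.loss * p
    return total


def risk_reduction_roi(threats, control) -> float:
    """Risk Reduction ROI = (Reduction in Risk - Cost of Control) / Cost of Control."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    return (risk_reduction(threats, control) - control.annual_cost) / control.annual_cost


def rank_controls(threats, controls):
    """Controls ordered best-first by ROI, as (name, roi) pairs."""
    scored = [(c.name, risk_reduction_roi(threats, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample threat model; calibrated estimates would replace these.
THREATS = [
    Threat("T1078", aro=2.0, loss=250_000.0),  # Valid Accounts
    Threat("T1566", aro=4.0, loss=100_000.0),  # Phishing
    Threat("T1003", aro=1.0, loss=400_000.0),  # OS Credential Dumping
]

# Assumed: the slide's $50k/month and $5k/month are the controls' costs.
CONTROLS = [
    Control("PAM", annual_cost=600_000.0,
            reductions={"T1078": 0.5, "T1003": 0.6}),
    Control("Passwordless SSO", annual_cost=60_000.0,
            reductions={"T1078": 0.4, "T1566": 0.3}),
]

if __name__ == "__main__":
    for name, roi in rank_controls(THREATS, CONTROLS):
        print(f"{name}: ROI = {roi:.2f}")
```

With these sample inputs the cheaper control wins on ROI even though PAM removes more risk in absolute dollars; swapping in your own calibrated estimates is the whole exercise.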
  16. PAM Before
  17. PAM After
  18. Impact Before
  19. Impact After
  20. Passwordless SSO
  21. Passwordless SSO
  22. Impact Before
  23. Impact Before
  24. Devil’s Advocate • Isn’t this just threat modeling with ATT&CK? • You can’t just make up numbers! • These examples are too simple
  25. Disclaimers • You have to invest time in calibrating your people (CTI is a good first group) • This can be hard - still learning and improving at my current organization
  26. Questions?
  27. Misc References • https://github.com/vlegoy/rcATT • https://www.rapid7.com/research/report/2020-threat-report/ • https://github.com/mitre-attack/tram • https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html • https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf • https://www.ibm.com/downloads/cas/ZBZLY7KL • https://securitybulwark.com/ (for their PAM image) • https://medium.com/@nopasswordlogin/passwordless-as-a-service-3b8fd43a796e (for the passwordless login image)
  28. Building Graphs for Threat Intelligence: ATT&CKers Think in Graphs. Valentine Mairet & Samantha Gottlieb
  29. Who: McAfee ATR. At McAfee Advanced Threat Research (McAfee ATR), our goal is to identify and illuminate a broad spectrum of threats in today's complex landscape. Valentine: McAfee ATR since May 2020; Red Team and Blue Team; WICCA; interests: writing, cats, D&D; Twitter: @vm00z
  30. Threat Intelligence: a tale of MISP triage. Cyber threats and attack data are analyzed and dissected into: ▪ MITRE ATT&CK techniques ▪ Target country information ▪ Threat Actor ▪ Sector ▪ Tools used ▪ etc.
  31. Research Goal: questions and challenges • How can we connect all this information? • Can we quickly visualize connections between events? • Can we identify patterns between threats and attacks? • Can we identify trends in the data? • What are we missing?
  32. Graphs
  33. Based on our data… Frequency: • Which techniques are observed most often? • Which actors are the most active? Popularity: • Which techniques are the most common across actors? Patterns: • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
  34. Different Graphs for Different Questions. Initial Representation: • Dense, highly connected graph • Sparse sector and country data offers little differentiation. Event-centric Representation: • Useful for questions about frequency. Actor-centric Representation: • Useful for questions about actor behavioral patterns
  35. Event-centric Graph
  36. Actor-centric Graph
  37. Which techniques are observed most often? Event-centric graph + Degree analysis
  38. Which techniques are the most common across actors? Actor-centric graph + Centrality algorithms
  39. Can we identify groups of actors using the same techniques? Actor-centric graph + Community detection algorithms. Important to try various algorithms
  40. Based on our data… Frequency: • Which techniques are observed most often? • Which actors are the most active? Popularity: • Which techniques are the most common across actors? Patterns: • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
  41. Add in Kill Chain Information
  42. Are actors using techniques in the same way?
  43. Remaining Issues: Data Representation • MISP's granularity level might not be good enough if we're only using MITRE metadata to differentiate threat actors • MISP allows us to associate MITRE techniques with an event, but not to specify which kill chain step the technique was used for in the context of the event • Overall, recorded threat actors seem to be using the same techniques • Desired mapping: (actor) - [uses] -> (technique:step)
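The three graph questions from slides 33 to 39 (frequency by degree, popularity across actors, actor communities) worked on MISP-shaped triage data, plus the (actor) - [uses] -> (technique:step) mapping slide 43 asks for, so the effect of adding kill-chain granularity is visible. This is an added example and not McAfee ATR's code: the events are constructed samples, the field names are assumptions, and, to stay standard-library only, "centrality" is plain degree in the actor-centric graph and "community detection" is connected components over a shared-technique projection rather than a Louvain-style algorithm.

```python
"""Event-centric and actor-centric technique graphs (added example)."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: one record per triaged MISP event. Each technique is
# paired with the kill-chain step it served in that event (assumed field).
EVENTS = [
    {"id": 1, "actor": "ActorA", "techniques": [("T1566", "initial-access"), ("T1059", "execution")]},
    {"id": 2, "actor": "ActorA", "techniques": [("T1566", "initial-access"), ("T1105", "command-and-control")]},
    {"id": 3, "actor": "ActorB", "techniques": [("T1566", "initial-access"), ("T1059", "execution")]},
    {"id": 4, "actor": "ActorC", "techniques": [("T1059", "execution"), ("T1105", "lateral-movement")]},
    {"id": 5, "actor": "ActorD", "techniques": [("T1190", "initial-access")]},
]


def technique_frequency(events):
    """Event-centric graph, degree analysis: number of events each technique appears in."""
    degree = Counter()
    for ev in events:
        for tech, _step in set(ev["techniques"]):  # count a technique once per event
            degree[tech] += 1
    return degree


def actor_graph(events, with_step=False):
    """Actor-centric graph as actor -> set of technique nodes.
    with_step=True makes the nodes (technique, step) pairs, i.e. the
    (actor)-[uses]->(technique:step) mapping the Remaining Issues slide wants."""
    graph = defaultdict(set)
    for ev in events:
        for tech, step in ev["techniques"]:
            graph[ev["actor"]].add((tech, step) if with_step else tech)
    return graph


def technique_popularity(graph):
    """Popularity across actors: degree of each technique node in the actor graph."""
    popularity = Counter()
    for nodes in graph.values():
        for node in nodes:
            popularity[node] += 1
    return popularity


def actor_communities(graph, min_shared=1):
    """Groups of actors linked by sharing at least `min_shared` technique nodes:
    connected components of the actor-actor projection, in sorted actor order."""
    adjacency = defaultdict(set)
    for a, b in combinations(sorted(graph), 2):
        if len(graph[a] & graph[b]) >= min_shared:
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, communities = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        communities.append(frozenset(component))
    return communities


if __name__ == "__main__":
    print("frequency:", technique_frequency(EVENTS).most_common())
    print("popularity:", technique_popularity(actor_graph(EVENTS)).most_common())
    print("communities (technique only):", actor_communities(actor_graph(EVENTS), 2))
    print("communities (technique:step):", actor_communities(actor_graph(EVENTS, True), 2))
```

On this sample, ActorA, ActorB and ActorC collapse into one community when only technique IDs are used, but ActorC separates once the kill-chain step is part of the node, which is the granularity problem the Data Representation slide describes.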
  44. Conclusion: building graphs the right* way… • Helps us visualize data instantly • Helps us make sense of the data we see • Helps us connect cyber threats and attacks • Can do much more…
  45. Conclusion: a few questions that remain • How can we add more granularity? • Is the data we receive complete enough? • Are there additional data sources to incorporate?
  46. Thank you. Any questions?
  47. 1 @gertjanbruggink ATT&CK-ONOMICS: Attacking the economics behind techniques used by adversaries. Gert-Jan Bruggink | Defensive Specialist | FalconForce. ATT&CKCON Power Hour 2020-2021. TLP: White. Classification: Public
  48. Who am I? Gert-Jan Bruggink, Defensive Specialist, FalconForce. 10+ years in InfoSec. Consulted at financial services, high tech, manufacturing and governmental • Built / led CTI capabilities • Creation & delivery of CTI products • Intelligence-led Red- & Purple Teaming • Strategic change through CTI-, SOC- & Cyber transformation programs. Cynical optimist, artist, CTI, bluetivism & pioneering. Don’t like magic tricks. Father². @gertjanbruggink, github.com/gertjanbruggink, /gertjanbrugink, gj@falconforce.nl
  49. Why am I here? ▪ The industry currently emphasizes post-compromise behavior in the criminal value chain. Detection & response is the reality, prevention is the goal. ▪ Advocate the use of ATT&CK as your security program’s evidence-based, statistical frame of reference. ▪ Inspire defensive strategies designed to impact ‘cost per intrusion’ incurred by adversaries.
  50. Understanding the cybercrime value chain: there’s more to it than just the compromise. Example: burglars vs UNC2452. Source: Keman Huang et al; https://sloanreview.mit.edu/article/casting-the-dark-web-in-a-new-light/. Attack stages: 1. Discover vulnerabilities 2. Prepare to exploit vulnerabilities 3. Deliver exploit 4. Activate cyberattack. Supporting activities: Manage the attack life-cycle (organize crew; determine opportunity & select target; overcome attempts to disrupt ROI from attack); Marketing and Delivery (develop marketplace for trading; build reputation in community; evaluate value of trading; launder money); HR (recruit new hackers; train new hackers)
  51. Using ATT&CK to plot economic drivers: getting rich, or arrested, or indicted, or worse, trying. Against the stages 1. Discover vulnerabilities 2. Prepare to exploit vulnerabilities 3. Deliver exploit 4. Activate cyberattack, explored the following from an adversary perspective: 1. Can we be detected/disrupted by our target? (yes/no/partial) 2. Is tooling currently available to execute the technique? (manual activity/custom code/scripts/tools/frameworks) 3. Level of expertise required to ‘do’ the technique? (easy / hard). Data available @ https://github.com/gertjanbruggink
  52. Detecting early has always been complicated: exploring ‘defending to the left’ in ‘TA0043 – Reconnaissance’. Is it possible to detect these techniques?
      Technique                                  No    Partial  Yes   Total
      T1589 Gather Victim Identity Information   100%  0%       0%    100%
      T1590 Gather Victim Network Information    100%  0%       0%    100%
      T1591 Gather Victim Org Information        100%  0%       0%    100%
      T1593 Search Open Websites/Domains         100%  0%       0%    100%
      T1594 Search Victim-Owned Websites         0%    0%       100%  100%
      T1595 Active Scanning                      0%    0%       100%  100%
      T1596 Search Open Technical Databases      100%  0%       0%    100%
      T1597 Search Closed Sources                100%  0%       0%    100%
      T1598 Phishing for Information             0%    0%       100%  100%
      Grand Total                                67%   0%       33%   100%
      Reason we can’t detect 67% of these techniques: very high occurrence & associated false positive rates; also potentially taking place outside the visibility of the target organization. All these techniques can be executed with automated tooling & little to no expertise. Mitigation efforts should focus on detecting related stages of the cybercrime value chain. Start using GreyNoise (https://viz.greynoise.io/signup) to tell targeted from broad scanning
  53. Things get more nuanced in ‘TA0042 - Resource Development’: picking up & actioning their preparation phase. Techniques: T1583 Acquire Infrastructure, T1584 Compromise Infrastructure, T1585 Establish Accounts, T1586 Compromise Accounts, T1587 Develop Capabilities, T1588 Obtain Capabilities. Can we detect these techniques? (Yes/No per technique on the slide.) Notes: • Acquisition of domains can be monitored & tracked • Sub-techniques (2) focus on establishing Social Media & email accounts; monitoring Social Media is the most effective initial mitigation • Tracking certificate usage in sites across the internet
  54. Attacking the ‘deliver exploit’ phase: there are only so many ways to gain ‘Initial Access’ (TA0001). Techniques: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Trusted Relationship, Hardware Additions, Phishing. Please note, the graph sizing is based on # of sub-techniques per technique. • Phishing remains the go-to, low cost, low effort and easy-to-automate attack vector • Exploiting external infrastructure & applications is a close second as top attack vector • Honorable mention: infiltrating supply chains (hardware & software) remains high-cost & risk but also high-ROI • Obtained credentials from other breaches • Mitigations come down to security basics & hygiene (unfortunately)
  55. Disincentivize the ‘cyberattack’: ATT&CK the rest • 100% of post ‘Initial Access’ techniques have detection suggestions (sidenote: coverage should never be the objective) • Work with community to identify ‘top technique’ lists and tailor defenses accordingly, e.g. Red Canary’s 2020 threat detection report: 1. Process injection (T1055) 2. Scheduled Task (T1053) 3. Windows Admin Shares (T1077) 4. PowerShell (T1105) 5. Remote File Copy (T1036) • Force adversaries to spend time developing tooling: Paul Litvak @ VB2020, Mapping threat actor usage of open-source offensive security tools, https://youtu.be/gkxAgaluRpM • Share actionable content, for example intel, KQL detections and response content: FalconForce’s FalconFriday https://github.com/FalconForceTeam/FalconFriday
  56. Closing thoughts on decreasing adversary ROI. (Chart: Time-to-implement from Real-time to Year against Cost-to-implement from Cheap to High, plotting Defender and Attacker; labels: Effective risk management; Initial mitigation e.g. tool or malware release.) Faster and smaller initial mitigations, early in the cybercrime value chain. Please note, the graph positioning is estimative and meant just to illustrate the point
  57. Let’s continue the discussion! Gert-Jan Bruggink gj@falconforce.nl. Shout-outs: MITRE for developing an ATT&CK-to-excel export feature
  58. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21. State of the ATT&CK®. Adam Pennington, ATT&CK Lead, @_whatshisface
  59. MITRE ATT&CK Remains Strong • Backed by 39 MITRE staff and a growing community • Enterprise, Cloud, Network Devices, ICS, Mobile, CAR, Infrastructure, Threat Intel, Outreach
  60. + =
  61. ATT&CKcon Power Hour by the Numbers • CFP open three weeks in August • 46% of submissions on the last day, 73% in the last four • 28% acceptance rate, judged blind by a 6-person PC • 4 90-minute sessions over 4 months • 20 talks
  62. ATT&CKcon Power Hour Themes: Cloud, Mobile, Threats, ATT&CK. Meme by @savvyspoon (likethecoins)
  63. ATT&CKcon 2021
  64. Looking Back on 2020 http://gunshowcomic.com/648
  65. Enterprise ATT&CK as of January 2020 (matrix image; © 2019 The MITRE Corporation, matrix current as of May 2019). Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
  66. Enterprise ATT&CK as of January 2021 (matrix image). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
  67. Why Sub-Techniques? • Abstraction imbalance across knowledge base: some techniques broad (Masquerading), some techniques narrow (Rundll32); most common complaint over the past couple of years • Techniques have a lot of depth to them: some don’t read beyond the name; an analytic per technique may not make coverage “green” • Technique overload: "Too many techniques!", "The matrix is too big!"
  68. Sub-Technique Example. Credential Access: Brute Force, Forced Authentication, Input Capture, OS Credential Dumping, Unsecured Credentials, … OS Credential Dumping sub-techniques: Security Accounts Manager, LSA Secrets, Cached Domain Credentials, Proc Filesystem, …
  69. New Technique Page
  70. New Sub-Technique
  71. Sub-Techniques are Here! • Released March 31st in beta • Became ATT&CK on July 8th • Website • STIX/TAXII • ATT&CK Navigator • Crosswalks from pre sub-techniques to sub-techniques • Design & Philosophy paper
  72. (no text on slide)
  73. The PRE Merge • Deprecated PRE-ATT&CK matrix for PRE Enterprise platform • 2 new Tactics • Criteria for inclusion: 1. Technical 2. Visible to some defenders 3. Evidence of adversary use
  74. Reconnaissance • Actively or passively gathering information that can be used to support targeting • 10 Techniques & 31 Sub-techniques • Split into what & how
  75. Resource Development • Building, buying, or compromising resources that can be used during targeting: Infrastructure, Accounts, Capabilities • 6 Techniques & 26 Sub-techniques
  76. PRE ATT&CK Merge: check out Mike and Jamie’s presentation from November’s ATT&CKcon Power Hour https://youtu.be/M_uG_hlmTcA
  77. ATT&CK for Network Devices • New platform in Enterprise • Techniques against network infrastructure devices • 13 techniques and 15 sub-techniques added or modified
  78. ATT&CK for ICS: Unique Adversary Goals, Technology Differences, Different Defenses
  79. ICS Matrix Released in Jan 2020
  80. ATT&CK for ICS: check out Otis’s presentation from December’s ATT&CKcon Power Hour https://youtu.be/_GZwY-9QyFk
  81. What’s Coming in 2021? Photo by Adam Pennington
  82. ATT&CK for Enterprise (Windows, Mac, Linux, Cloud, PRE, Network Devices) • A period of stability • No changes as big as PRE or subs on our roadmap • Major releases currently planned in April and October
  83. ATT&CK for Enterprise (v8.2) • Several new/updated techniques in reporting around the SolarWinds supply chain injection/UNC2452 • Preview of techniques we’ve spotted, will add in v8.2: http://bit.ly/ATTACKPRVW • Repo listing related reports with behaviors: http://bit.ly/ATTACKRPTS • Both resources are being regularly updated
  84. ATT&CK for Enterprise (Mac/Linux) • Ongoing effort to improve and expand coverage • Much less focus historically than Windows techniques • macOS updates targeted for April release • Linux updates targeted for October release
  85. ATT&CK for Enterprise (Data Sources) • Currently a list of text strings • No details beyond the name • No descriptions behind them
  86. 86. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21 Adding metadata to ATT&CK data sources Process Sysmon 1 Process Creation Sysmon 3 Network Connection Sysmon 8 Create Remote Thread Sysmon 10 Process Access Security 4688 Process Created Security 5156 Connection Permitted Process Process Created Process User Created Ip Process Connected To Ip User Connected To Process Process Wrote To Process Process Opened Process Network Connection Process Creation Process Modification Process Access Data Sources Components Relationships Event Logs
  87. 87. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21 ATT&CK for Enterprise (Data Sources) For a deeper dive on data sources, check out Jose’s Data Sources posts on our blog https://medium.com/mitre-attack
88. Data Sources as an Object
    • Slated for Enterprise in April ATT&CK release
    • Should flow to other parts of ATT&CK over time
    • Will dramatically improve ATT&CK data sources
89. ATT&CK for Enterprise (Cloud)
    [Diagram] Current: SaaS, IaaS. Future: SaaS, IaaS, additional SaaS platforms….
90. Cloud Example
    Data Source → Data Component → Events (API)
    • Instance → Instance Creation → AWS: RunInstances
    • Instance → Instance Modification → AWS: ModifyInstanceAttribute
    • Instance → Instance Deletion → AWS: TerminateInstances
    • Instance → Instance Metadata → AWS: DescribeInstances
    • Instance → Instance Enumeration → AWS: ListInstances
    • Instance → Instance Start → AWS: StartInstances
    • Instance → Instance Stop → AWS: StopInstances
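The two data-source slides above (the Sysmon/Security mapping and the AWS instance example) describe one three-layer model: a data source, the data components beneath it, and the raw events that produce each component. The Python below is an added example and is not code from the MITRE deck or the ATT&CK project; it encodes both slides' mappings as tables and runs constructed telemetry records through them to report which components a telemetry set actually exercises, which defined components go unobserved, and which records map to nothing. The record field names (Channel, EventID, eventName), the sample records, and the inclusion of a Sysmon event 11 record that the slide does not list are assumptions of this example.

```python
"""Normalize raw telemetry to ATT&CK data sources and data components.

Added example, not MITRE's code. The two mapping tables transcribe the
"Adding metadata to ATT&CK data sources" and "Cloud Example" slides; the
record shapes, sample records and the coverage report are constructed
for illustration and are assumptions of this example.
"""
from collections import Counter

# (channel, event id) -> (data source, data component, relationships)
# Relationships use the slide's "<source> <verb> <target>" phrasing.
ENDPOINT_EVENTS = {
    ("Sysmon", 1):      ("Process", "Process Creation",
                         ("Process created Process", "User created Process")),
    ("Sysmon", 3):      ("Process", "Network Connection",
                         ("Process connected to Ip", "User connected to Ip")),
    ("Sysmon", 8):      ("Process", "Process Modification",
                         ("Process wrote to Process",)),
    ("Sysmon", 10):     ("Process", "Process Access",
                         ("Process opened Process",)),
    ("Security", 4688): ("Process", "Process Creation",
                         ("Process created Process", "User created Process")),
    ("Security", 5156): ("Process", "Network Connection",
                         ("Process connected to Ip", "User connected to Ip")),
}

# CloudTrail eventName -> (data source, data component, relationships).
# The slide lists no relationship strings for the cloud example, so that
# field is left empty here.
CLOUD_EVENTS = {
    "RunInstances":            ("Instance", "Instance Creation", ()),
    "ModifyInstanceAttribute": ("Instance", "Instance Modification", ()),
    "TerminateInstances":      ("Instance", "Instance Deletion", ()),
    "DescribeInstances":       ("Instance", "Instance Metadata", ()),
    "ListInstances":           ("Instance", "Instance Enumeration", ()),
    "StartInstances":          ("Instance", "Instance Start", ()),
    "StopInstances":           ("Instance", "Instance Stop", ()),
}

# Every (data source, component) pair the two slides define.
ALL_COMPONENTS = {(s, c) for s, c, _ in ENDPOINT_EVENTS.values()} \
               | {(s, c) for s, c, _ in CLOUD_EVENTS.values()}


def classify(record):
    """Map one raw record to (data source, component, relationships).

    Record shapes are an assumption of this example: Windows records carry
    "Channel" and "EventID"; CloudTrail records carry "eventName".
    Returns None when the slides give no mapping for the event.
    """
    if "eventName" in record:
        return CLOUD_EVENTS.get(record["eventName"])
    return ENDPOINT_EVENTS.get((record.get("Channel"), record.get("EventID")))


def coverage(records):
    """Count hits per (data source, component), list the components defined
    on the slides that no record exercised, and return unmapped records.
    """
    seen = Counter()
    unmapped = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            unmapped.append(rec)
        else:
            seen[hit[:2]] += 1
    missing = sorted(ALL_COMPONENTS - set(seen))
    return dict(seen), missing, unmapped


# Constructed sample telemetry. The Sysmon 11 (FileCreate) record is not on
# the slide and is included to show how unmapped events surface.
SAMPLE_RECORDS = [
    {"Channel": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"Channel": "Sysmon", "EventID": 3, "DestinationIp": "203.0.113.10"},
    {"Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"Channel": "Sysmon", "EventID": 11, "TargetFilename": "C:\\Temp\\example.tmp"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

if __name__ == "__main__":
    seen, missing, unmapped = coverage(SAMPLE_RECORDS)
    for (source, component), n in sorted(seen.items()):
        print(f"{source:>9} / {component:<22} {n} event(s)")
    print("not exercised:", ", ".join(f"{s}/{c}" for s, c in missing))
    print("unmapped records:", len(unmapped))
```

The mapping tables are the part that becomes a real ATT&CK object once data sources ship as objects; the coverage function is what a detection team runs against its own telemetry inventory to see, per component, whether the logs it collects can feed the detections ATT&CK lists for that component.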
91. ATT&CK for Enterprise (Cloud)
    Check out Jen’s presentation from October’s ATT&CKcon Power Hour: https://youtu.be/a-xs5VqlcKI
92. ATT&CK for Enterprise (Containers)
    Microsoft’s ATT&CK-like “Threat Matrix for Kubernetes”
93. ATT&CK for Enterprise (Containers)
    Check out Jen’s ATT&CK for Containers post on https://medium.com/mitre-engenuity
    • Investigating adversary behaviors in containers
    • May be added to ATT&CK if enough intel exists
    • Please contribute!
94. ATT&CK Workbench
    • Tool allowing users to explore, create, annotate and share extensions of ATT&CK
    • Planned to become the ATT&CK team’s content creation tool
    • Slated for release later in 2021
95. ATT&CK for Mobile & ICS
    [Diagram] Mobile ATT&CK, Enterprise ATT&CK, ICS ATT&CK. It’s just
    • Working towards feature equity with Enterprise
    • ICS: Otis Alexander’s talk https://youtu.be/_GZwY-9QyFk
    • Mobile: Watch for upcoming blog posts
96. Thank you ATT&CK Community! •Alain Homewood, Insomnia Security •Christoffer Strömblad •Alan Neville, @abnev •Alex Hinchliffe, Palo Alto Networks •Alfredo Abarca •Allen DeRyke, ICE •Anastasios Pingios •Andrew Smith, @jakx_ •Arie Olshtein, Check Point •AttackIQ •Aviran Hazum, Check Point •Avneet Singh •Barry Shteiman, Exabeam •Bart Parys •Bartosz Jerzman •Brian Prange •Brian Wiltse @evalstrings •Bryan Lee •Carlos Borges, @huntingneo, CIP •Casey Smith •Center for Threat-Informed Defense (CTID) •Chen Erlich, @chen_erlich, enSilo •Chris Roffe •Christiaan Beek, @ChristiaanBeek •Christopher Glyer, FireEye, @cglyer •Cody Thomas, SpecterOps •Craig Aitchison •CrowdStrike Falcon OverWatch •Cybereason Nocturnus, @nocturnus •Dan Nutting, @KerberToast •Daniel Oakley •Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project •Daniyal Naeem, @Mrdaniyalnaeem •Darren Spruell •Dave Westgard •David Ferguson, CyberSponse •David Lu, Tripwire •David Routin •Deloitte Threat Library Team •Diogo Fernandes •Doron Karmi, @DoronKarmi •Drew Church, Splunk •Ed Williams, Trustwave, SpiderLabs •Edward Millington •Elastic •Elger Vinicius S. 
Rodrigues, @elgervinicius, CYBINT Centre •Elia Florio, Microsoft •Elly Searle, CrowdStrike — contributed to tactic definitions •Emile Kenning, Sophos •Emily Ratliff, IBM •Eric Kuehn, Secure Ideas •Erika Noerenberg, @gutterchurl, Carbon Black •Erye Hernandez, Palo Alto Networks •ESET •Expel •Felipe Espósito, @Pr0teus •Filip Kafka, ESET •FS-ISAC •George Allen, VMware Carbon Black •Hans Christoffer Gaardløs •Heather Linn •Ibrahim Ali Khan •Itamar Mizrahi, Cymptom •Itzik Kotler, SafeBreach •Ivan Sinyakov •Jacob Wilkin, Trustwave, SpiderLabs •Jacques Pluviose, @Jacqueswildy_IT •James Dunn, @jamdunnDFW, EY •Jan Miller, CrowdStrike •Jan Petrov, Citi •Janantha Marasinghe •Jannie Li, Microsoft Threat Intelligence Center (MSTIC) •Jared Atkinson, @jaredcatkinson •Jean-Ian Boutin, ESET •Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services) •Jeremy Galloway •Jesse Brown, Red Canary •Jimmy Astle, @AstleJimmy, Carbon Black •Johann Rehberger •John Lambert, Microsoft Threat Intelligence Center •John Strand •Jon Sternstein, Stern Security •Jonathan Shimonovich, Check Point •Jose Luis Sánchez Martinez •Josh Abraham •Josh Campbell, Cyborg Security, @cyb0rgsecur1ty •Josh Day, Gigamon •Justin Warner, ICEBRG •Jörg Abraham, EclecticIQ •Kaspersky •Kobi Eisenkraft, Check Point •Lab52 by S2 Grupo •Lee Christensen, SpecterOps •Leo Loobeek, @leoloobeek •Leo Zhang, Trend Micro •Loic Jaquemet •Lorin Wu, Trend Micro •Lucas da Silva Pereira, @vulcanunsec, CIP •Lukáš Štefanko, ESET •Marc-Etienne M.Léveillé, ESET •Mark Wee •Martin Jirkal, ESET •Martin Smolár, ESET •Mathieu Tartare, ESET •Matias Nicolas Porolli, ESET •Matt Graeber, @mattifestation, SpecterOps •Matt Kelly, @breakersall •Matt Snyder, VMware •Matthew Demaske, Adaptforward •Matthew Molyett, @s1air, Cisco Talos •Matthieu Faou, ESET •McAfee •Menachem Shafran, XM Cyber •Michael Cox •Michal Dida, ESET •Microsoft Threat Intelligence Center (MSTIC) •Mike Kemmerer •Milos Stojadinovic •Mnemonic •Netskope •Nick Carr, 
FireEye •Nik Seetharaman, Palantir •Nishan Maharjan, @loki248 •Oddvar Moe, @oddvarmoe •Ofir Almkias, Cybereason •Ohad Mana, Check Point •Oleg Kolesnikov, Securonix •Oleg Skulkin, Group-IB •Oleksiy Gayda •Omkar Gudhate •Patrick Campbell, @pjcampbe11 •Paul Speulstra, AECOM Global Security Operations Center •Pedro Harrison •Phil Stokes, SentinelOne •Praetorian •Prashant Verma, Paladion •Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International •Red Canary •RedHuntLabs, @redhuntlabs •Ricardo Dias •Richard Gold, Digital Shadows •Richie Cyrus, SpecterOps •Rick Cole, FireEye •Rob Smith •Robby Winchester, @robwinchester3 •Robert Falcone •Robert Simmons, @MalwareUtkonos •Rodrigo Garcia, Red Canary •Romain Dumont, ESET •Ryan Becwar •Ryan Benson, Exabeam •Sahar Shukrun •Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) •SarathKumar Rajendran, Trimble Inc •Scott Knight, @sdotknight, VMware Carbon Black •Scott Lundgren, @5twenty9, Carbon Black •Sebastian Salla, McAfee •Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) •Sergey Persikov, Check Point •Shailesh Tiwary (Indian Army) •Shane Tully, @securitygypsy •Stefan Kanthak •Steven Du, Trend Micro •Sudhanshu Chauhan, @Sudhanshu_C •Sunny Neo •Suzy Schapperle - Microsoft Azure Red Team •Swapnil Kumbhar •Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) •Sylvain Gil, Exabeam •Sébastien Ruel, CGI •Tatsuya Daitoku, Cyber Defense Institute, Inc. •Teodor Cimpoesu •Tim MalcomVetter •Toby Kohlenberg •Tom Ueltschi @c_APT_ure •Tony Lambert, Red Canary •Travis Smith, Tripwire •Trend Micro Incorporated •Tristan Bennett, Seamless Intelligence •Valerii Marchuk, Cybersecurity Help s.r.o. •Veeral Patel •Vikas Singh, Sophos •Vinayak Wadhwa, Lucideus •Vincent Le Toux •Walker Johnson •Wayne Silva, F-Secure Countercept •Wes Hurd •Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank •Yonatan Gotlib, Deep Instinct Individuals + orgs contributing to ATT&CK!
97. attack@mitre.org | @MITREattack | Adam Pennington @_whatshisface