© 2018 The MITRE Corporation. All rights reserved.
| 1 |
ATT&CKing with Threat Intelligence
Christopher Korban
Cody Thomas
HOPE - July 2018
Approved for public release. Distribution unlimited 18-0944-10
| 2 |
ATT&CK T1033 – User Discovery
• Christopher Korban
  – Lead Cyber Security Engineer
  – ATT&CKing for the past 5+ years
  – Creates Adversary Emulation Plans
  – @ckorban
• Cody Thomas
  – Senior Cyber Security Engineer
  – Created Mac/Linux ATT&CK
  – Red Teamer and Tool Developer
  – @its_a_feature_
| 3 |
Traditional Offensive Testing Workflow
Red: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
Blue: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
• Typical Red vs Blue event flow
| 4 |
Traditional Outcomes
• Red
  – Creates a report of the offensive techniques and IoCs for what they did
  – Wants to make sure they ‘win’ again next time
  – Leaves for a year
• Blue
  – Deciphers Red’s report
  – Continues to deal with daily incident reports
  – Creates static detections for Red’s tools and IoCs
  – Might try to characterize malicious behavior
    • Typically has a small sample size
    • No good way to keep testing
| 5 |
How do these outcomes progress?
• Blue signatures Red’s tool (MD5=4de587ac29…)
  – Red changes the tool slightly (new hash)
• Blue signatures Red’s tool (string=“mimikatz”)
  – Red changes the tool slightly (string=“mimidogz”)
• Blue stops a single Red instantiation (psexec)
  – Red modifies the implementation (psexec manually)
• …
• This isn’t really helping Blue or Red
| 6 |
Change the game, even for Red
David Bianco’s Pyramid of Pain: hash values, IP addresses and domain names at the bottom, network/host artifacts and tools in the middle, TTPs at the top. The higher up the pyramid a defender’s detection sits, the more it costs the adversary (or Red) to evade it; the hash-and-string cycle on the previous slide lives at the very bottom.
| 7 |
Need a Common Language for TTPs
• What do we need from this common language?
  – Communicate and articulate what happened in a test, and the results
  – Do so at a level that’s specific enough to be repeatable
  – Enable us to create metrics that make sense
• What do we use for this?
  – MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
| 8 |
ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior.
ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations.
attack.mitre.org
| 9 |
ATT&CK Matrix Format
Tactic: the adversary’s technical goal, the “Why”
Technique: the adversary’s action to achieve that goal, the “What”
| 10 |
Example of Technique: New Service
• Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
• Platform: Windows
• Permissions required: Administrator, SYSTEM
• Effective permissions: SYSTEM
• Detection:
  – Monitor service creation through changes in the Registry and common utilities using command-line invocation
  – Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
  – Monitor processes and command-line arguments for actions that could create services
• Mitigation:
  – Limit privileges of user accounts and remediate Privilege Escalation vectors
  – Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
• Data Sources: Windows Registry, process monitoring, command-line parameters
• Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
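The hash-then-string-then-tool cycle from slide 5 and the detection guidance for this technique can be put side by side in code. The Python below is an added example, not part of the deck: a constructed stand-in for a Red tool is caught by an MD5 and by a string indicator only until one byte and one string change, while a behavior-level analytic over process-creation and Registry telemetry catches New Service creation whichever utility (sc, New-Service, or a direct write under the Services key) produced it. The tool bytes, the events and their field names (Sysmon-style image, cmdline, key, value) are all constructed for illustration and are assumptions about what your pipeline actually logs.

```python
"""Signatures versus behavior for the New Service technique.

Added example, not from the original deck. Tool bytes, events and field
names are constructed; adapt the field names to your own telemetry.
"""
from __future__ import annotations

import hashlib
import re

# Two builds of the same constructed "tool" (not a real PE): v2 renames the
# telltale string and flips one padding byte, which defeats hash and string IoCs.
TOOL_V1 = b"MZ\x90\x00" + b"\x00" * 16 + b"mimikatz # privilege::debug sekurlsa::logonpasswords" + b"\x00" * 16
TOOL_V2 = TOOL_V1.replace(b"mimikatz", b"mimidogz").replace(b"\x00" * 16, b"\x00" * 15 + b"\x01", 1)
KNOWN_MD5 = {hashlib.md5(TOOL_V1).hexdigest()}  # what Blue signatured after the first engagement


def md5_hits(blob: bytes, known_md5: set[str]) -> bool:
    """Bottom of the Pyramid of Pain: exact hash match."""
    return hashlib.md5(blob).hexdigest() in known_md5


def string_hits(blob: bytes, needles: tuple[bytes, ...]) -> bool:
    """One level up: a fixed byte string inside the file."""
    return any(n in blob for n in needles)


# Behavior-level analytic: watch every place a service can be created rather
# than any one tool. Command-line creation via sc [\\host] create or the
# New-Service cmdlet, and ImagePath values appearing under the Services key.
SERVICE_CLI = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\b|\bNew-Service\b", re.I)
SERVICE_KEY = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
# services.exe writes ImagePath on behalf of sc/New-Service; any other writer is
# the "directly modifying the registry" case from the technique description.
EXPECTED_WRITER = re.compile(r"\\services\.exe$", re.I)


def new_service_findings(events: list[dict]) -> list[str]:
    """Return one finding per event that looks like service creation."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and SERVICE_CLI.search(ev["cmdline"]):
            findings.append(f"process: service creation via command line: {ev['cmdline']}")
        elif ev["type"] == "registry" and SERVICE_KEY.match(ev["key"]):
            who = "services.exe" if EXPECTED_WRITER.search(ev["image"]) else f"direct write by {ev['image']}"
            findings.append(f"registry: new ImagePath {ev['value']} ({who})")
    return findings


# Constructed telemetry: two tool-driven creations, the Registry write that
# services.exe makes for the first of them, one direct Registry write by a
# dropper, and two benign events that must not fire.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create updsvc binPath= "C:\Users\Public\svc.exe" start= auto'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -c New-Service -Name Upd -BinaryPathName C:\Users\Public\u.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\updsvc\ImagePath", "value": r"C:\Users\Public\svc.exe"},
    {"type": "registry", "image": r"C:\Users\Public\dropper.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\winupd\ImagePath", "value": r"C:\Windows\Temp\winupd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query wuauserv"},
    {"type": "registry", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain", "value": "corp.local"},
]

if __name__ == "__main__":
    print("md5 catches v1:", md5_hits(TOOL_V1, KNOWN_MD5), "v2:", md5_hits(TOOL_V2, KNOWN_MD5))
    print("string catches v1:", string_hits(TOOL_V1, (b"mimikatz",)), "v2:", string_hits(TOOL_V2, (b"mimikatz",)))
    for finding in new_service_findings(EVENTS):
        print(finding)
```

The two IoC checks go from hit to miss after a trivial rebuild; the analytic fires on all four creation events and stays quiet on the `sc query` and the Tcpip parameter write. In a real deployment the direct-write branch is the one to tune first: legitimate installers also write ImagePath through services.exe, so the writer-image check is what separates the two.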
| 11 |
ATT&CK Spans Multiple Tech Domains
PRE-ATT&CK: left-of-exploit behaviors
Enterprise: Windows, Linux, Mac
Mobile: Android, iOS
| 12 |
Key ATT&CK use cases:
• Guide threat hunting campaigns
• Leverage threat intelligence to prioritize technique detection
• Remediate gaps by mapping solutions back to ATT&CK techniques
• Emulate adversaries to measure defenses against relevant threats
| 13 |
Adversary Emulation
• AKA: Threat-based Red Teaming
• Adversary Emulation
  – Emulate the techniques of an adversary that’s most likely to target your environment
  – Focus on the behaviors of those techniques instead of specific implementations
| 14 |
Adversary Emulation with ATT&CK
Prototype APT3 emulation plan on attack.mitre.org
| 15 |
How to start doing adversary emulation?
• Identify an adversary you want to emulate
  – Consider the target you’re going up against
    • Defense Contractor
    • Financial Sector
    • Health Care
    • E-Commerce
    • Etc.
  – Adversaries change accordingly
    • Country Specific (APT3, APT28, APT29, APT34, ….)
    • Financially Motivated (FIN6, FIN7, …)
| 16 |
How to start doing adversary emulation?
Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary
1. Threat Intelligence Acquisition
  – Analyze Reporting:
    • Adversary Reports (APTX)
    • Reports on the Adversary’s toolsets (APTX uses A, B, C)
    • Aliases (APTX, e.g. ThreatGroup ###, adjective-animal)
    • Toolset aliases (A, e.g. Trojan.malwareName)
    • Associated Campaigns (OperationZ)
    • Keep the dates of the reports in mind; tradecraft drifts between them
| 17 |
Threat Intel - Follow the Leads
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
Aliases, Aliases, Aliases everywhere!
| 18 |
How to start doing adversary emulation?
2. Extract Actionable Techniques and M.O.
  – Look for adversary behaviors
  – Look for tool functionality
  – Establish the adversary’s goal
  – Think about the what, why, and how
    • In ATT&CK: Technique, Tactic, Procedure
| 19 |
Threat Intel - What does it really say?
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1094 - Custom Command and Control Protocol
| 20 |
Threat Intel - Into the Binary Strings
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1059 - Command-Line Interface
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception?
| 21 |
Threat Intel - Into the Binaries
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
T1056 - Input Capture
T1027 - Obfuscated Files or Information
T1016 - System Network Configuration Discovery
T1077 - Windows Admin Shares
T1035 - Service Execution
T1003 - Credential Dumping
T1055 - Process Injection
| 22 |
Threat Intel - Adversary M.O.
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
“Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents”
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
“They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure”
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
“The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.”
| 23 |
Developing an Emulation Plan
• This is the hardest part of the puzzle
• No plan will be perfect, so approximate where needed
• This isn’t a replay of an incident - variation is OK
| 24 |
Developing an Emulation Plan
3. Develop Tools if needed to emulate behaviors
  – What are the COTS / Open Source tools available?
  – Can you exhibit the right behaviors with these tools?
    • Can you extend them?
    • Can you modify them?
  – Do you need to develop something specific?
    • Delivery mechanisms
    • Command and Control
    • Capabilities
| 25 |
What is behavior emulation for TTPs?
• Performing adversary techniques with variations
  – Adversary created “C:\aos.exe” for Priv Esc via path interception
    • You intercept any service path that runs under higher privileges
  – Adversary used “PsExec” for Lateral Movement
    • You do it manually with “sc.exe” or via PowerShell
  – Adversary runs “whoami” for Discovery
    • You do it with environment variables: “%USERDOMAIN%\%USERNAME%”
• Thinking about what you’re trying to accomplish
  – Technique in ATT&CK
  – And why you’re trying to accomplish it
    • Tactic in ATT&CK
| 26 |
Defining Your Toolset
• Don’t limit yourself to a single environment or tool
  – Python, PowerShell, Command-Line, Custom Binary, etc
• Do stay within the behavior boundaries
| 27 |
Create an Adversary Emulation Field Manual
Discovery
  T1069 - Permission Groups Discovery: net localgroup | net group /domain | dsquery group
  T1087 - Account Discovery: net user /domain | wmic useraccount | dsquery user
• Provides multiple implementations across toolsets
• Provides offensive command-line examples
• Create this as you go, and use it for reference later
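Slides 19 to 21 pull technique IDs out of report prose, binary strings and binaries; the field manual above goes the other way and lists several procedures per technique. The Python below is an added example (not from the deck or the ATT&CK project) that joins the two: a rule table of procedure patterns for the techniques this deck names, a mapper that runs them over command lines pulled from reporting, and an ATT&CK Navigator layer whose score per technique is the number of distinct procedures seen, so the matrix highlights where the adversary has the most variety. The report excerpt is constructed; the regexes are an assumption about how the commands appear in reporting and logs (the `%USERDOMAIN%\%USERNAME%` form from slide 25 is only visible when raw command lines are recorded); the layer skeleton follows the Navigator layer JSON shape, and the `version` and `domain` strings are assumptions to check against the Navigator build you run.

```python
"""Procedures observed in reporting -> ATT&CK techniques -> Navigator layer.

Added example, not from the original deck or the ATT&CK project. Rules only
cover techniques the deck names; the report excerpt is constructed; the layer
version/domain values are assumptions, verify them against your Navigator.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict

# One technique, many procedures: (technique ID, name, regex over one command line).
RULES = [
    ("T1069", "Permission Groups Discovery",
     r"\bnet1?(?:\.exe)?\s+(?:localgroup\b|group\b.*\s/domain\b)|\bdsquery(?:\.exe)?\s+group\b"),
    ("T1087", "Account Discovery",
     r"\bnet1?(?:\.exe)?\s+user\b|\bwmic(?:\.exe)?\s+useraccount\b|\bdsquery(?:\.exe)?\s+user\b"),
    ("T1033", "System Owner/User Discovery",  # env-var form needs raw command lines in the log
     r"\bwhoami\b|%USERNAME%|%USERDOMAIN%"),
    ("T1053", "Scheduled Task",
     r"\bschtasks(?:\.exe)?\b.*\s/create\b|\bat(?:\.exe)?\s+(?:\\\\\S+\s+)?\d{1,2}:\d{2}\b"),
    ("T1035", "Service Execution",
     r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?start\b|\bpsexec(?:64)?(?:\.exe)?\b"),
    ("T1077", "Windows Admin Shares",
     r"\\\\[^\\\s]+\\(?:ADMIN|C|IPC)\$"),
    ("T1057", "Process Discovery",
     r"\btasklist(?:\.exe)?\b|\bGet-Process\b"),
    ("T1018", "Remote System Discovery",
     r"\bnet1?(?:\.exe)?\s+view\b|\bdsquery(?:\.exe)?\s+computer\b"),
    ("T1059", "Command-Line Interface",
     r"\bcmd(?:\.exe)?\s+/[ck]\b"),
]
COMPILED = [(tid, re.compile(rx, re.I)) for tid, _name, rx in RULES]
NAMES = {tid: name for tid, name, _rx in RULES}


def map_commands(commands: list[str]) -> dict[str, list[str]]:
    """Technique ID -> distinct command lines that exhibited it (a line may hit several)."""
    hits: dict[str, list[str]] = defaultdict(list)
    for cmd in commands:
        for tid, rx in COMPILED:
            if rx.search(cmd) and cmd not in hits[tid]:
                hits[tid].append(cmd)
    return dict(hits)


def navigator_layer(hits: dict[str, list[str]], name: str = "Constructed intel excerpt") -> dict:
    """Navigator layer: score = number of distinct procedures seen for the technique."""
    return {
        "name": name,
        "version": "2.1",             # assumption: layer-format version your Navigator accepts
        "domain": "mitre-enterprise",  # assumption: domain string for the Enterprise matrix
        "techniques": [
            {"techniqueID": tid, "score": len(cmds), "comment": "; ".join(cmds)}
            for tid, cmds in sorted(hits.items())
        ],
    }


def layer_json(commands: list[str]) -> str:
    return json.dumps(navigator_layer(map_commands(commands)), indent=2)


# Constructed excerpt: command lines as they might be quoted in a report.
REPORT_COMMANDS = [
    r"cmd.exe /c whoami",
    r"cmd.exe /c echo %USERDOMAIN%\%USERNAME%",
    r'net group "domain admins" /domain',
    r"net localgroup administrators",
    r"dsquery group -name *admin*",
    r"net user /domain",
    r"wmic useraccount list brief",
    r"schtasks /create /tn Update /tr C:\Users\Public\u.exe /sc onlogon",
    r"net use \\FILESRV01\C$ /user:CORP\svc_backup P@ss",
    r"sc \\FILESRV01 start updsvc",
    r"psexec.exe \\FILESRV01 -s cmd.exe",
    r"tasklist /v",
    r"net view /domain",
]

if __name__ == "__main__":
    for tid, cmds in sorted(map_commands(REPORT_COMMANDS).items()):
        print(f"{tid} {NAMES[tid]}: {len(cmds)} procedure(s)")
    print(layer_json(REPORT_COMMANDS))
```

Red uses the same table as the field manual (pick a different procedure for the same technique on the next run); Blue loads the layer into the Navigator to see which techniques the report supports and with how many implementations, which is the prioritization step from slide 12. Keep the rules honest: `net user` also matches account creation (`/add`), so treat a match as a lead to read, not a verdict.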
| 28 |
Developing an Emulation Plan
4. Set up offensive infrastructure
  – Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
  – Create payloads “inspired by” the adversary’s tradecraft
    • Modify IoCs and behaviors if possible
    • Obfuscate with purpose, NOT all the things
      – Over-obfuscation is itself suspicious
| 29 |
Developing an Emulation Plan
5. Emulate the Adversary
  – Follow the M.O. of your target adversary
  – “Domain Admin” most likely isn’t your goal
  – Keep the ‘speed of the adversary’ in mind
    • Low and slow vs smash and grab
| 30 |
Providing a Starting Point for Red/Blue
• To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes
• APT3 and APT29
  – All based on open-source intelligence
  – Breakdowns of APT tools and capabilities mapped to ATT&CK
  – Descriptions of how these techniques are implemented
  – Potential operator flows during emulations
  – Cheat Sheets of commands across
    • Live off the Land binaries/scripts
    • Open source tools
    • Commercial toolkits
• APT3 is on attack.mitre.org now
• APT29 is Coming Soon™
| 31 |
Contact Us
• Chris - @ckorban, ckorban@mitre.org
• Cody - @its_a_feature_, cbthomas@mitre.org
• ATT&CK
  – https://attack.mitre.org
  – @MITREattack
• ATT&CK Navigator
  – https://github.com/mitre/attack-navigator
  – https://mitre.github.io/attack-navigator/enterprise/
• Adversary Emulation Plans
  – https://attack.mitre.org/wiki/Adversary_Emulation_Plans
• CALDERA: Automated Adversary Emulation
  – https://github.com/mitre/caldera
| 32 |
MITRE is a not-for-profit organization whose sole focus is to
operate federally funded research and development centers,
or FFRDCs. Independent and objective, we take on some of
our nation's—and the world’s—most critical challenges and
provide innovative, practical solutions.
Learn and share more about MITRE, FFRDCs,
and our unique value at www.mitre.org

Contenu connexe

Tendances

Tendances (20)

State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the Center
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT Playbook
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- Campaigns
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Hunting_GrrCON22.pdf
Hunting_GrrCON22.pdfHunting_GrrCON22.pdf
Hunting_GrrCON22.pdf
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
 

Similaire à ATT&CKing with Threat Intelligence

Similaire à ATT&CKing with Threat Intelligence (20)

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
MASSIVE SCALE SECURITY FOR THE IoT
MASSIVE SCALE SECURITY FOR THE IoTMASSIVE SCALE SECURITY FOR THE IoT
MASSIVE SCALE SECURITY FOR THE IoT
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
 
Emulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceEmulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect Intelligence
 
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of Compromise
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
Cheryl Wiebe - Advanced Analytics in the Industrial World
Cheryl Wiebe - Advanced Analytics in the Industrial WorldCheryl Wiebe - Advanced Analytics in the Industrial World
Cheryl Wiebe - Advanced Analytics in the Industrial World
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdf
 
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
 
CSPA Keynote: BLOCKCHAIN for Enterprise
CSPA Keynote: BLOCKCHAIN for EnterpriseCSPA Keynote: BLOCKCHAIN for Enterprise
CSPA Keynote: BLOCKCHAIN for Enterprise
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data AnalyticsMotadata - Unified Product Suite for IT Operations and Big Data Analytics
Motadata - Unified Product Suite for IT Operations and Big Data Analytics
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan ...
MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan ...MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan ...
MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan ...
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Dernier (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

ATT&CKing with Threat Intelligence

  • 1. © 2018 The MITRE Corporation. All rights reserved. | 1 | Christopher Korban Cody Thomas HOPE - July 2018 ATT&CKing with Threat Intelligence Approved for public release. Distribution unlimited 18-0944-10
  • 2. | 2 | © 2018 The MITRE Corporation. All rights reserved. ATT&CK T1033 – User Discovery  Christopher Korban – Lead Cyber Security Engineer – ATT&CKing for the past 5+ years – Creates Adversary Emulation Plans – @ckorban  Cody Thomas – Senior Cyber Security Engineer – Created Mac/Linux ATT&CK – Red Teamer and Tool Developer – @its_a_feature_ Approved for public release. Distribution unlimited 18-0944-10
  • 3. | 3 | © 2018 The MITRE Corporation. All rights reserved. Traditional Offensive Testing Workflow Intel Gathering Vulnerability Assessment Target Acquisition Exploitation Privilege Escalation Lateral Movement Persistence Exfiltration Report Findings Collect Protect Detect Triage Investigate Coordinate Remediate  Typical Red vs Blue event flow Approved for public release. Distribution unlimited 18-0944-10
  • 4. Traditional Outcomes
    - Red
      - Creates report of offensive techniques and IoCs for what they did
      - Wants to make sure they ‘win’ again next time
      - Leaves for a year
    - Blue
      - Deciphers Red’s report
      - Continues to deal with daily incident reports
      - Creates static detections for Red’s tools and IoCs
      - Might try to characterize malicious behavior
        - Typically has small sample size
        - No good way to keep testing
  • 5. How do these outcomes progress?
    - Blue signatures Red tool (MD5=4de587ac29…)
      - Red changes tool slightly (new hash)
    - Blue signatures Red tool (string=“mimikatz”)
      - Red changes tool slightly (string=“mimidogz”)
    - Blue stops single red instantiation (psexec)
      - Red modifies implementation (psexec manually)
    - …
    - This isn’t really helping blue or red
  • 6. Change the game, even for Red
    - David Bianco’s Pyramid of Pain
  • 7. Need Common Language for TTPs
    - What do we need from this common language?
      - Communicate and articulate what happened in a test, and the results
      - Do so at a level that’s specific enough that it’s repeatable
      - Enable us to create metrics that make sense
    - What do we use for this?
      - MITRE’s Adversarial Tactics, Techniques, and Common Knowledge
  • 8. ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior. ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations. attack.mitre.org
  • 9. ATT&CK Matrix Format
    - Tactic: Adversary’s technical goal, the “Why”
    - Technique: Adversary’s action to achieve the goal, the “What”
  • 10. Example of Technique: New Service
    - Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
    - Platform: Windows
    - Permissions required: Administrator, SYSTEM
    - Effective permissions: SYSTEM
    - Detection:
      - Monitor service creation through changes in the Registry and common utilities using command-line invocation
      - Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
      - Monitor processes and command-line arguments for actions that could create services
    - Mitigation:
      - Limit privileges of user accounts and remediate Privilege Escalation vectors
      - Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
    - Data Sources: Windows Registry, process monitoring, command-line parameters
    - Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
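The detection bullets above name three data sources for catching a new service: the Registry, process creation, and command-line arguments. The Python below is an added example, not code from the deck or from MITRE. It runs that detection over a handful of constructed telemetry records (the Sysmon event 1 and 13, Security 4697 and System 7045 shapes are real event types; the records themselves are invented) and then correlates the hits by service name, so one creation seen from four sources is presented once. T1050 is the ID New Service carried in the 2018 ATT&CK numbering this deck uses; the technique was later folded into T1543.003.

```python
"""Detection for the New Service technique over constructed Windows telemetry.
Added example, not MITRE's code. T1050 = New Service in the 2018 numbering."""
import re
from collections import defaultdict

# Constructed sample telemetry, shaped like what a SIEM hands an analytic after
# normalising Sysmon, Security and System event logs. Not real data.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc  create  updsvc binPath= "C:\ProgramData\u.exe" start= auto'},
    {"source": "sysmon", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -nop -c "New-Service -Name helper -BinaryPathName C:\Users\Public\h.exe"'},
    {"source": "sysmon", "event_id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\services.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Services\updsvc\ImagePath",
     "details": r"C:\ProgramData\u.exe"},
    {"source": "security", "event_id": 4697, "user": "CORP\\jdoe",
     "service_name": "updsvc", "service_file_name": r"C:\ProgramData\u.exe"},
    {"source": "system", "event_id": 7045, "user": "NT AUTHORITY\\SYSTEM",
     "service_name": "updsvc", "image_path": r"C:\ProgramData\u.exe"},
    # Benign noise the analytic must not flag: a query, and a Start value change.
    {"source": "sysmon", "event_id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\sc.exe", "command_line": "sc query wuauserv"},
    {"source": "sysmon", "event_id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\services.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Services\wuauserv\Start",
     "details": "DWORD (0x00000003)"},
]

TECHNIQUE = "T1050"  # New Service, as numbered when this deck was written

# Command-line shapes that create a service. Matching the verb rather than a
# tool hash or string keeps the analytic above the bottom of the Pyramid of Pain.
SC_CREATE = re.compile(r"(?:^|[\\\s])sc(?:\.exe)?\s+create\s+(\S+)", re.I)
NEW_SERVICE = re.compile(r"New-Service\b.*?-Name\s+(\S+)", re.I)
IMAGE_PATH_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)


def detect_new_service(events):
    """Return one alert per event that evidences service creation."""
    alerts = []
    for ev in events:
        src, eid = ev["source"], ev["event_id"]
        name, why = None, None
        if src == "sysmon" and eid == 1:            # process creation with command line
            m = SC_CREATE.search(ev["command_line"]) or NEW_SERVICE.search(ev["command_line"])
            if m:
                name, why = m.group(1), f"service-creating command line: {ev['command_line']}"
        elif src == "sysmon" and eid == 13:         # registry value set
            m = IMAGE_PATH_KEY.search(ev["target_object"])
            if m:
                name, why = m.group(1), f"ImagePath written under Services key: {ev['details']}"
        elif src == "security" and eid == 4697:     # "A service was installed in the system"
            name, why = ev["service_name"], f"4697 service installed: {ev['service_file_name']}"
        elif src == "system" and eid == 7045:       # Service Control Manager: new service
            name, why = ev["service_name"], f"7045 new service: {ev['image_path']}"
        if name:
            alerts.append({"technique": TECHNIQUE, "service": name, "source": f"{src}:{eid}",
                           "user": ev["user"], "reason": why})
    return alerts


def correlate(alerts):
    """Group alerts by service name: one creation, every source that corroborated it."""
    by_service = defaultdict(list)
    for a in alerts:
        by_service[a["service"]].append(a["source"])
    return {svc: sorted(srcs) for svc, srcs in by_service.items()}


if __name__ == "__main__":
    for svc, sources in correlate(detect_new_service(SAMPLE_EVENTS)).items():
        print(f"{TECHNIQUE} {svc}: corroborated by {', '.join(sources)}")
```

Note that the `sc.exe` and `New-Service` rows are caught by the verb in the command line, not by the image name, so renaming the binary (the slide 5 "mimidogz" move) does not evade them; the 4697/7045 and ImagePath rows catch a service created by a custom binary that never touches `sc.exe` at all, which is why the deck lists all three data sources rather than one.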
  • 11. ATT&CK Spans Multiple Tech Domains
    - PRE-ATT&CK: left of exploit behaviors
    - Enterprise: Windows, Linux, Mac
    - Mobile: Android, iOS
  • 12. Key ATT&CK use cases:
    - Guide threat hunting campaigns
    - Leverage threat intelligence to prioritize technique detection
    - Remediate gaps by mapping solutions back to ATT&CK techniques
    - Emulate adversaries to measure defenses against relevant threats
  • 13. Adversary Emulation
    - AKA: Threat-based Red Teaming
    - Adversary Emulation
      - Emulate the techniques of an adversary that’s most likely to target your environment
      - Focus on the behaviors of those techniques instead of specific implementations
  • 14. Adversary Emulation with ATT&CK
    - Prototype APT3 emulation plan on attack.mitre.org
  • 15. How to start doing adversary emulation?
    - Identify an adversary you want to emulate
      - Consider the target you’re going up against
        - Defense Contractor
        - Financial Sector
        - Health Care
        - E-Commerce
        - Etc.
      - Adversaries change accordingly
        - Country Specific (APT3, APT28, APT29, APT34, ….)
        - Financially Motivated (FIN6, FIN7, …)
  • 16. How to start doing adversary emulation?
    [Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
    1. Threat Intelligence Acquisition
      - Analyze Reporting:
        - Adversary Reports (APTX)
        - Reports on Adversary’s toolsets (APTX uses A, B, C)
        - Aliases (APTX, e.g. ThreatGroup ###, adjective-animal)
        - Toolset aliases (A, e.g. Trojan.malwareName)
        - Associated Campaigns (OperationZ)
        - Keep time of reports in mind
  • 17. Threat Intel - Follow the Leads
    - https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
    - Aliases, Aliases, Aliases everywhere!
  • 18. How to start doing adversary emulation?
    [Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
    2. Extract Actionable Techniques and M.O.
      - Look for adversary behaviors
      - Look for tool functionality
      - Establish the adversary’s goal
      - Think about the what, why, and how
        - In ATT&CK: Technique, Tactic, Procedure
  • 19. Threat Intel - What does it really say?
    - https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
    - T1068 - Exploitation for Privilege Escalation
    - T1059 - Command-Line Interface
    - T1033 - System Owner/User Discovery
    - T1053 - Scheduled Task
    - T1065 - Uncommonly Used Port
    - T1094 - Custom Command and Control Protocol
  • 20. Threat Intel - Into the Binary Strings
    - https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
    - T1069 - Permission Groups Discovery
    - T1049 - System Network Connections Discovery
    - T1059 - Command-Line Interface
    - T1018 - Remote System Discovery
    - T1107 - File Deletion
    - T1057 - Process Discovery
    - T1034 - Path Interception?
  • 21. Threat Intel - Into the Binaries
    - https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
    - T1056 - Input Capture
    - T1027 - Obfuscated Files or Information
    - T1016 - System Network Configuration Discovery
    - T1077 - Windows Admin Shares
    - T1035 - Service Execution
    - T1003 - Credential Dumping
    - T1055 - Process Injection
  • 22. Threat Intel - Adversary M.O.
    - https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
      “Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents”
    - https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
      “They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure”
    - https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
      “The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.”
  • 23. Developing an Emulation Plan
    - This is the hardest part of the puzzle
    - No plan will be perfect, so approximate where needed
    - This isn’t a replay of an incident - variation is OK
  • 24. Developing an Emulation Plan
    [Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
    3. Develop Tools if needed to emulate behaviors
      - What are the COTS / Open Source tools available?
      - Can you exhibit the right behaviors with these tools?
        - Can you extend them?
        - Can you modify them?
      - Do you need to develop something specific?
        - Delivery mechanisms
        - Command and Control
        - Capabilities
  • 25. What is behavior emulation for TTPs?
    - Performing adversary techniques with variations
      - Adversary created “C:\aos.exe” for Priv Esc via path interception
        - You intercept any service path that runs under higher privileges
      - Adversary used “PSExec” for Lateral Movement
        - You do it manually with “sc.exe” or via PowerShell
      - Adversary runs “whoami” for Discovery
        - You do it with environment variables “%USERDOMAIN%\%USERNAME%”
    - Thinking about what you’re trying to accomplish
      - Technique in ATT&CK
    - And why you’re trying to accomplish it
      - Tactic in ATT&CK
  • 26. Defining Your Toolset
    - Don’t limit yourself to a single environment or tool
      - Python, PowerShell, Command-Line, Custom Binary, etc.
    - Do stay within the behavior boundaries
  • 27. Create an Adversary Emulation Field Manual
    Discovery
      T1069 - Permission Groups Discovery:   net localgroup  |  net group /domain  |  dsquery group
      T1087 - Account Discovery:             net user /domain  |  wmic user  |  dsquery user
    - Provides multiple implementations across toolsets
    - Provides offensive command-line examples
    - Create this as you go, and use for reference later
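As an added example, not code from the deck or from MITRE, the Python below ties slide 25's "same behavior, different implementation" idea to the slide 27 field manual. It holds a small field manual, maps command strings lifted from reporting (a constructed list here, taken from no real report or sample) to ATT&CK technique IDs, picks an implementation in a toolset other than the one the adversary used, and emits an ATT&CK Navigator layer marking the observed techniques. The `net` and `dsquery` rows come from slide 27; the `wmic`, PowerShell and environment-variable rows are my additions (all real commands), and the Navigator layer field names follow the layer format as I know it and are an assumption rather than something the slides state.

```python
"""Field manual + report-to-technique mapper + variant picker + Navigator layer.
Added example, not MITRE's code; layer field names are an assumption."""
import json
import re

# Technique -> implementations as (toolset, command, regex that recognises it).
# net/dsquery rows are from slide 27; the rest are my additions, kept inside the
# same behaviour so a variant still exercises the same technique.
FIELD_MANUAL = {
    "T1069": {"name": "Permission Groups Discovery", "tactic": "discovery", "impls": [
        ("builtin", "net localgroup", r"^net(?:1)?(?:\.exe)?\s+localgroup\b"),
        ("builtin", "net group /domain", r"^net(?:1)?(?:\.exe)?\s+group\b"),
        ("dsquery", "dsquery group", r"^dsquery(?:\.exe)?\s+group\b"),
        ("powershell", "Get-LocalGroupMember Administrators", r"\bGet-LocalGroupMember\b"),
    ]},
    "T1087": {"name": "Account Discovery", "tactic": "discovery", "impls": [
        ("builtin", "net user /domain", r"^net(?:1)?(?:\.exe)?\s+user\b"),
        ("wmic", "wmic useraccount list brief", r"^wmic(?:\.exe)?\s+useraccount\b"),
        ("dsquery", "dsquery user", r"^dsquery(?:\.exe)?\s+user\b"),
        ("powershell", "Get-ADUser -Filter *", r"\bGet-ADUser\b"),
    ]},
    "T1033": {"name": "System Owner/User Discovery", "tactic": "discovery", "impls": [
        ("builtin", "whoami", r"^whoami(?:\.exe)?\b"),
        ("cmd-env", "echo %USERDOMAIN%\\%USERNAME%", r"%USERNAME%"),
        ("powershell", "$env:USERDOMAIN + '\\' + $env:USERNAME", r"\$env:USERNAME"),
    ]},
    "T1018": {"name": "Remote System Discovery", "tactic": "discovery", "impls": [
        ("builtin", "net view /domain", r"^net(?:1)?(?:\.exe)?\s+view\b"),
        ("dsquery", "dsquery computer", r"^dsquery(?:\.exe)?\s+computer\b"),
        ("powershell", "Get-ADComputer -Filter *", r"\bGet-ADComputer\b"),
    ]},
    "T1057": {"name": "Process Discovery", "tactic": "discovery", "impls": [
        ("builtin", "tasklist", r"^tasklist(?:\.exe)?\b"),
        ("wmic", "wmic process list brief", r"^wmic(?:\.exe)?\s+process\b"),
        ("powershell", "Get-Process", r"\bGet-Process\b"),
    ]},
}

# Constructed stand-in for command strings pulled from a report or a binary's
# strings table (the slide 19-21 exercise). Invented, not from any real sample.
OBSERVED = ["net user /domain", "whoami", "tasklist /v", "net  view  /domain", "dir C:\\Users"]


def normalise(line):
    return " ".join(line.split())


def map_observed(observed):
    """Map each observed command to (technique, toolset). Unmatched lines land
    under the key None so nothing silently drops out of the plan."""
    mapping = {}
    for line in observed:
        hit = None
        for tid, entry in FIELD_MANUAL.items():
            for toolset, _cmd, pattern in entry["impls"]:
                if re.search(pattern, normalise(line), re.I):
                    hit = (tid, toolset)
                    break
            if hit:
                break
        mapping.setdefault(hit[0] if hit else None, []).append((line, hit[1] if hit else None))
    return mapping


def pick_variant(tid, avoid_toolsets):
    """Same technique, different implementation (the slide 25 idea): emulate the
    behaviour without replaying the adversary's exact command."""
    for toolset, cmd, _pattern in FIELD_MANUAL[tid]["impls"]:
        if toolset not in avoid_toolsets:
            return cmd
    raise LookupError(f"no alternative implementation recorded for {tid}")


def emulation_plan(observed):
    plan = []
    for tid, hits in map_observed(observed).items():
        if tid is None:
            continue
        used = {toolset for _line, toolset in hits}
        plan.append({"technique": tid, "name": FIELD_MANUAL[tid]["name"],
                     "observed": [line for line, _ in hits],
                     "emulate_with": pick_variant(tid, used)})
    return plan


def build_layer(name, observed):
    """ATT&CK Navigator layer for the observed techniques (field names assumed)."""
    techniques = [{"techniqueID": tid, "tactic": FIELD_MANUAL[tid]["tactic"], "score": len(hits),
                   "comment": "; ".join(line for line, _ in hits)}
                  for tid, hits in map_observed(observed).items() if tid is not None]
    return {"name": name, "version": "2.1", "domain": "mitre-enterprise", "techniques": techniques}


if __name__ == "__main__":
    for row in emulation_plan(OBSERVED):
        print(f"{row['technique']} {row['name']}: saw {row['observed']} -> run {row['emulate_with']!r}")
    print(json.dumps(build_layer("Observed from reporting", OBSERVED), indent=2))
```

The layer JSON it prints can be loaded into the ATT&CK Navigator linked on slide 31 to show Blue which techniques the plan exercises, while the `emulate_with` column is what Red actually types: for `whoami` it comes back with the environment-variable form from slide 25, which spawns no `whoami.exe` process and so defeats a detection written at the bottom of the pyramid.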
  • 28. Developing an Emulation Plan
    [Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
    4. Set up offensive infrastructure
      - Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
      - Create payloads “inspired by” the adversary’s tradecraft
        - Modify IoCs and behaviors if possible
        - Obfuscate with purpose, NOT all the things
          - Over-obfuscation is itself suspicious
  • 29. Developing an Emulation Plan
    [Process: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
    5. Emulate the Adversary
      - Follow the M.O. of your target adversary
      - “Domain Admin” most likely isn’t your goal
      - Keep the ‘speed of the adversary’ in mind
        - Low and slow vs smash and grab
    [Image: Automated Adversary Emulation System, CALDERA: https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2017/12/03221736/Automated-Adversary-Emulation-System-CALDERA.jpg]
  • 30. Providing a Starting Point for Red/Blue
    - To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes
    - APT3 and APT29
      - All based on open-source intelligence
      - Breakdowns of APT tools and capabilities mapped to ATT&CK
      - Descriptions of how these techniques are implemented
      - Potential operator flows during emulations
      - Cheat sheets of commands across
        - Live off the Land binaries/scripts
        - Open source tools
        - Commercial toolkits
    - APT3 is on attack.mitre.org now
    - APT29 is Coming Soon™
  • 31. Contact Us
    - Chris - @ckorban, ckorban@mitre.org
    - Cody - @its_a_feature_, cbthomas@mitre.org
    - ATT&CK
      - https://attack.mitre.org
      - @MITREattack
    - ATT&CK Navigator
      - https://github.com/mitre/attack-navigator
      - https://mitre.github.io/attack-navigator/enterprise/
    - Adversary Emulation Plans
      - https://attack.mitre.org/wiki/Adversary_Emulation_Plans
    - CALDERA: Automated Adversary Emulation
      - https://github.com/mitre/caldera
  • 32. MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions. Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org

Editor's notes

  1. *
  2. Person 1
  3. Person 1
  4. This slide comes up a lot for defenders to change how they’re approaching the problem of identifying the adversary. This is helpful to change the red teamer’s frame of mind as well. As a red teamer, you need to be thinking, refining, expanding your TTPs and Tools rather than simply thinking about domain names, hash values, binary strings, etc. These are important to consider when creating payloads and planning operations, but they should be second nature by now to randomize them all the time.
  5. Person 1. What is needed for this kind of language to work well for purple teaming? It means that red and blue need to be able to communicate effectively to articulate what happened in a test and the results. It means that there needs to be a way to talk about what was done during a test so that it’s repeatable. And it means that the language needs some way to measure improvement between tests.
  6. We like to use ATT&CK for purple teaming. ATT&CK is Adversary Tactics, Techniques, and Common Knowledge. We have a small sample of it here. There are currently 11 Tactics across the top; each one refers to a ‘goal’ of the attacker. This equates to the reason why an attacker is doing any given technique. Down each column are different techniques that achieve that tactic. These techniques equate to what the adversary is doing (creating services, using WMI for persistence, dumping credentials, etc.). If you just glance across the different techniques we have listed, you’ll notice something start to jump out: these are descriptions of adversary behaviors, not indicators of compromise. The same holds true for the information we capture about different threat groups on ATT&CK; we tie everything back to behaviors. We focus on adversary TTPs and behaviors because that’s the hardest thing for an adversary to change.
  7. *Person 2. Ok, so we talked about a common language to use, but ATT&CK is getting pretty big! We’ve scoped the realm of the possible down to the realm of the probable, but can we start to prioritize a bit more from there? We sure can! This is where we start doing Adversary Emulation, or sometimes called Threat-based Red Teaming. In our case, we don’t want to just look like advanced adversaries, we want to look like a very specific adversary. We want to look like the adversary you’re most likely going to face (based on your industry, your company, your past incidents, etc.) so that we can prioritize working on defenses for those techniques first. Remember, this is a prioritization mechanism to help frame where you should start working on defenses and forcing your offense and defense to work together to build stronger behavior-based defensive measures. Ok, this is cool, but how can I do this adversary emulation thing you describe?
  8. Person 2. We like ATT&CK, so we do this adversary emulation thing with ATT&CK (and we already have one example here for you). More emulation plans to come, and we welcome all community additions or edits to the emulation plans (email attack@mitre.org).
  9. We break it down into 5 steps for doing adversary emulation. For this first step, Threat intel acquisition, consider the following. Start by simply googling the name, but then start following the leads. You should also gather info on the tools that adversary uses. Aliases are a really hot topic in the threat intel community right now, and I'm not going to throw that into the mix of what we're covering today, but just keep that in mind as you start searching for reporting. Threat intel is also binned into broad categories like campaigns, so be sure to look into those as well. Lastly, keep in mind when these reports are released. Reports about an adversary 5 years ago shouldn't carry as much weight as a report released yesterday. Let's take a few examples to see how this looks in practice.
  10. Here's a report on APT3, and you'll see right here at the beginning it refers to them as Buckeye. Lots of times these aliases are indicated front and center in reporting. Remember when I said to not forget campaigns? Operation Double Tap and Operation Clandestine Fox are both attributed to APT3, or UPS. Sometimes these aliases start to get a little conflated though, so you need to be careful. Here we see the APT3 group referred to as 'Pirpi', which is actually the name of one of their tools. Because of this, it's sometimes hard to differentiate between what the behavior of the group is vs the behavior of a tool.
  11. So, we've gathered a bunch of threat intel. Cool. Now what? In step 2, we need to actually go through that threat intel to figure out what the behaviors are, determine capabilities, and establish motives. There are a few things to keep in mind as we go through this next piece: the what, the why, and the how. This is one reason why it's nice to use ATT&CK, because it captures a lot of this information already in its TTP format.
  12. There are three main kinds of reporting I see with information needed for Adversary Emulation: prose writing in paragraphs (like you see here); in-depth analysis of specific malware samples (which you'll see next); and prose writing about specific malware samples (somewhere between the two, and that's our last example). So, how do you approach something like this, and what is interesting for you as a red teamer wanting to do adversary emulation?
  13. Person 2