MITRE ATT&CK framework: it is time you took notice (v1.0)
1. Mitre ATT&CK is for all of us, and it
is time to pay attention to it
Michael Gough – Co-Founder
IMFSecurity.com
LOG-MD.com
2. Whoami
• Blue Team Defender Ninja, Incident Responder, Logaholic
• Creator of all those “Windows Logging Cheat Sheets” and the
Malware Management Framework
• Including LOG-MD and Windows Logging ATT&CK cheat sheets
• Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
• Co-Host
– “Brakeing Down Incident Response”
LOG-MD.com
4. There is more than this talk
• But we only have 50 minutes
• Brakeing Down Incident Response Podcast
– Episode 007 BDIRPodcast.com
– https://www.imfsecurity.com/podcasts/2018/9/16/bdir-podcast-episode-007
• SANS Threat Hunting and Incident Response
Summit New Orleans 2018
– My talk and many others covered ATT&CK, find the
PDF’s and videos as SANS releases them
• MITRE ATT&CKcon is this week !!!
– I was invited, but I am here educating my peeps
5. Why do we care?
• People ask me all the time
• “How do you know what to look for”?
– Experience
– Because Hacker Hurricane said so ;-)
– The Malware Management Framework
• Reports that show what the bad guys actually did
• So how or what do we map our defenses to?
– PCI?
– OWASP?
– Compliance XYZ?
– Because InfoSec or WebAppSec says so?
6. Why do we care?
• If you can identify your gaps
• Whether a consultant or an employee
• You can define potential budget needs
• You may have to admit a tool is not mapping
well, so an opportunity to recommend a
replacement that has better coverage
• Budget re-allocation is always a bonus
• The goal is to IMPROVE your security posture
7. Why do we care?
• ATT&CK is your new baseline
• You heard me
• We FINALLY have a goal of what to achieve
• Map to ATT&CK and you WILL pass or exceed any and
all compliance requirements if you are doing them!
• Forget the Cyber Kill Chain
– https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
• ATT&CK is more detailed at what you should detect…
along the Cyber Kill Chain
9. MITRE ATT&CK
• MITRE’s Adversarial Tactics, Techniques, &
Common Knowledge (ATT&CK™) is a curated
knowledge base and model for cyber adversary
behavior, reflecting the various phases of an
adversary’s lifecycle and the platforms they are
known to target.
• ATT&CK is useful for understanding security risk
against known adversary behavior, for planning
security improvements, and verifying defenses
work as expected.
10. ATT&CK Tactics and Techniques
• 11 Tactics
• 283 Techniques
• Covers the following Operating Systems
– Windows
– MAC OS
– Linux
11. Why care about ATT&CK
• It is HUGE… extensive information of what the
adversaries actually do to YOUR systems
13. Achieve Totality
Coverage - Asset Management
• Can you see every host?
• Do you have ghost assets?
• Remote systems (Road Warriors)
• Powered down VM’s/Systems
• IP Scan all devices and identify the OS
Completeness - Deployment
• Are your agent(s) installed and running properly
Configuration – System Settings
• Are the systems configured correctly
• Enable all that you want and expect
MalwareArchaeology.com
14. 80/20 rule
• A VERY important point is we need to ignore or not worry
about the 20% that you don’t, or can’t cover.
• Don’t get hung up on the 20% or you will continue to
flounder
• Worry about the 80% you CAN or COULD do
• You have to learn to walk (cover 80%) before you worry about
running (covering 100%)
• Being good at 80% should be a goal
• You will improve over time as you get better
• It’s really more 74%-26%
– You must accept more false positives to reach 80% or higher
(Devon Kerr EndGame)
17. Technique – Brute Force
• Technique ID – T1110
• Tactic – Credential Access
• Lists Platforms
• Shows Data Sources
18. Examples – More Data
• Groups that used it
• Tools or kits
• Good for background information
• Read the reports (aka Malware Management) on the
actors’ campaign(s)
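Worked example added here (not code from the deck, LOG-MD or the cheat sheets): a small detector for the T1110 Brute Force technique from slide 17, run over constructed Windows Event ID 4625 failed-logon lines in a simplified key=value form. The sample data, the failure threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) in a simplified key=value form.
# Event ID 4625 = failed logon; the cheat sheet maps it to T1110 (Credential Access).
SAMPLE_EVENTS = [
    "2018-10-23T09:00:01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.7",
    "2018-10-23T09:00:03 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.7",
    "2018-10-23T09:00:05 EventID=4625 TargetUserName=backup IpAddress=10.0.0.7",
    "2018-10-23T09:00:08 EventID=4625 TargetUserName=helpdesk IpAddress=10.0.0.7",
    "2018-10-23T09:00:11 EventID=4625 TargetUserName=svc_sql IpAddress=10.0.0.7",
    "2018-10-23T09:10:00 EventID=4625 TargetUserName=mgough IpAddress=10.0.0.9",
    "2018-10-23T09:10:20 EventID=4625 TargetUserName=mgough IpAddress=10.0.0.9",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) "
                      r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse_event(line):
    """Parse one constructed log line into a dict; None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with >= threshold failed logons inside a sliding window.
    Alerts carry the ATT&CK technique so the hit lands in the right matrix cell."""
    failures = defaultdict(list)          # ip -> [(timestamp, target user), ...]
    for line in lines:
        ev = parse_event(line)
        if ev and ev["eid"] == "4625":
            failures[ev["ip"]].append((ev["ts"], ev["user"]))
    alerts = []
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts.append({"technique_id": "T1110", "tactic": "Credential Access",
                               "ip": ip, "failures": end - start + 1, "users": users})
                break                     # one alert per source is enough
    return alerts
```

The `users` list in an alert shows whether one account or many were tried, which separates a password spray from a single-account guess.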
19. ATT&CK Provides Guidance
• Mitigation examples
• Detection examples
• References
• You must translate them into what Processes,
Procedures, Products you have
21. Map your capabilities to ATT&CK
• Map the tools you have to the ATT&CK Matrix
• This will give you a place to start and a way to
track and rate your activities
23. MITRE ATT&CK
• This is a good place to start and map all your detection, prevention,
and hunt activities to
• Not enough details as to how
– You will need to map them
– Or find someone that has, maybe a product(s)
• Add your Web Proxy
• Add your WAF
• Add your IPS
• Add Network tools
• Add code scanners
• Fill any other gaps
• Of course…. ADD YOUR LOGGING !!!
24. MITRE ATT&CK - Logging
Let’s look at Windows Logging, my personal favorite
• Most Techniques can be mapped to logging
• Add Log Management
• Add some Sysmon or WLS to the logs for more
details
• Add LOG-MD-Pro, and other tools or script(s)
• Add a solution to query the OS ( I love BigFix)
• Add Network tools
• Fill other gaps
• See the previous slide for application stuff
25. Map your capabilities to ATT&CK
• The Windows ATT&CK Logging Cheat Sheet
• 11 Tactics and 187 Techniques mapped to
Windows Event IDs
26. Map your capabilities to ATT&CK
• The Windows LOG-MD ATT&CK Cheat Sheet
• 11 Tactics and 187 Techniques mapped to
Windows Event IDs, LOG-MD, and Sysmon
27. Find your Gaps, and Strengths
• By filling out the ATT&CK matrix to YOUR
capabilities, you begin to understand what you
CAN and CAN NOT do against the actual tactics
and techniques the bad guys use against you
• I was shocked, I mean SHOCKED at how much I
do in Windows logging mapped to actual tactics
and techniques
• But then again I have been practicing Malware
Management since I created it over 6 years ago
34. SOCPrime
• TDM – Threat Detection Marketplace
• SIGMA Rules
– Generic Signature Format for SIEM Systems
• ATT&CK mappings
• Lots of log solution options
• Convert from one platform to another
• SIGMA rule convertor
• Subscription service to gain access
• Some free SIGMA based rules
36. API
• MITRE has an API for ATT&CK
– https://attack.mitre.org/wiki/Using_the_API
• Cyb3rWarD0g – Invoke-ATTACKAPI
– https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI
• https://github.com/annamcabee/Mitre-Attack-API
• MITRE PRE-ATT&CK mappings
– https://github.com/rmusser01/Infosec_Reference/tree/master/Draft/ATT%26CK-Stuff
• Blog on Brute Force example with ATT&CK
– https://thehackerwhorolls.blogspot.com/2018/10/home-lab-att-use-case.html
38. HUNT !
• Some say create a hypothesis
• I say start by eliminating things you CAN hunt
for and know you do NOT have
• Then build more hypotheses
• Map your capabilities to ATT&CK
• For Windows logging and LOG-MD there are 2
Cheat Sheets mapped to ATT&CK
– MalwareArchaeology.com/cheat-sheets
39. Conclusion
• MITRE ATT&CK is GREAT stuff
• It gives you a way to measure what you have and can
detect, based on what your adversaries ACTUALLY do,
not what compliance, an auditor or consultant says
• You don’t have to get very detailed at first
• Use simple coloring at first
– Green (good), Yellow (needs work), Red (poor), no color
(we got nuttin)
• Expand it once you map it
• Then expand as you rate your capabilities
• But get to know this framework!
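Added example, not the deck's or LOG-MD's own code: it applies the green / yellow / red / no-colour scheme above to a constructed capability inventory (slides 21 and 27), emits the result in the ATT&CK Navigator layer JSON shape, and counts gaps per tactic. The inventory, its ratings and the layer version string are assumptions; the technique IDs are ATT&CK IDs as numbered in 2018.

```python
import json
from collections import Counter, defaultdict

# Constructed capability inventory (not the deck's cheat sheet). Per technique:
# the tactic slug and the data sources we really have, each rated as on slide 39
# ("good", "needs work", "poor"). An empty dict means "we got nuttin".
INVENTORY = {
    "T1110": {"tactic": "credential-access",
              "sources": {"Event 4625": "good", "LOG-MD": "good"}},
    "T1059": {"tactic": "execution", "sources": {"Sysmon Event 1": "needs work"}},
    "T1086": {"tactic": "execution", "sources": {"PowerShell 4104": "poor"}},
    "T1003": {"tactic": "credential-access", "sources": {}},
    "T1053": {"tactic": "persistence", "sources": {"Event 4698": "good"}},
}

RANK = {"good": 3, "needs work": 2, "poor": 1}     # higher is better
COLOR = {"good": "#00ff00", "needs work": "#ffff00", "poor": "#ff0000", None: ""}

def rate_technique(sources):
    """Best rating among the technique's sources; None when nothing covers it."""
    return max(sources.values(), key=RANK.get, default=None)

def build_layer(inventory, name="Our ATT&CK coverage"):
    """Colour the matrix: one entry per technique, field names as in the ATT&CK
    Navigator layer JSON format (the version string here is a placeholder)."""
    techniques = []
    for tid, entry in sorted(inventory.items()):
        rating = rate_technique(entry["sources"])
        detail = ", ".join(f"{s} ({r})" for s, r in entry["sources"].items())
        techniques.append({"techniqueID": tid, "tactic": entry["tactic"],
                           "color": COLOR[rating], "enabled": True,
                           "comment": detail or "no coverage"})
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "PLACEHOLDER"}, "techniques": techniques}

def gap_report(inventory):
    """Count techniques per tactic in each rating bucket so gaps show by tactic."""
    report = defaultdict(Counter)
    for entry in inventory.values():
        report[entry["tactic"]][rate_technique(entry["sources"]) or "none"] += 1
    return {tactic: dict(counts) for tactic, counts in sorted(report.items())}

if __name__ == "__main__":
    print(json.dumps(build_layer(INVENTORY), indent=2))
    print(gap_report(INVENTORY))
```

Swap the constructed inventory for your own tool-to-technique mapping and the gap report becomes the budget argument from slide 6.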
40. Additional Reading
This Is the Fastest Way to Hunt Windows Endpoints
– https://www.slideshare.net/Hackerhurricane/mwarch-fastestwaytohuntonwindowsv101
– SANS will post the video at some point
SANS THIR 2018 PDF’s and videos
Most of the talks had ATT&CK involved
Quantify Your Hunt: Not Your Parents’ Red Teaming – Devon Kerr
– https://www.youtube.com/watch?v=w_kByDwB6J0
Quantify Your Hunt: Not Your Parents' Red Team– Devon and Roberto
– https://www.sans.org/summit-archives/file/summit-archive-1536351477.pdf
Finding Related ATT&CK Techniques
– https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6
41. Questions
• You can find us on the Twitters
– @HackerHurricane
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on
MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– BDIRPodcast.com