4. ▪ I publish things, support open source tools
▪ Former journalist and CTI analyst
▪ I lied in an interview in 2010 and here I am!
Brian Donohue
PONTIFICATOR
RED CANARY
@thebriandonohue
Presenter
5. 1. Who am I?
2. Background
3. Seven lessons learned
4. Questions and answers
Agenda
7. ATT&CK mapping options
Detector-level (analytics)
▪ Highly scalable
▪ Bad at nuance
Detection-level (human)
▪ Difficult at scale
▪ Good at nuance
Why not both?!
11. LESSON ONE
The things Red Canary maps to ATT&CK:
▪ Behavioral analytics for detection
▪ Atomic Red Team tests
▪ Research and educational content
Other things you might map to ATT&CK:
▪ Threat intelligence and other reports
▪ Charts and tables for tracking detection and detection coverage
▪ Various different kinds of security controls
▪ Signatures, rules, IOCs, alerts, etc.
What do you need to remap?
15. LESSON THREE: Team vs. individual
Dividing and conquering:
▪ Gets done faster
▪ Less consistency
Assigning to an individual or small team:
▪ Takes longer
▪ More consistency
19. LESSON FOUR
Create a mapping style guide
▪ People interpret techniques in different ways
▪ A style guide will help enforce consistency
▪ Learn on the fly
Review, review, review
▪ A small subset of re-mappers can review
▪ This will help catch errors and increase consistency
It’s an art, not a science
21. A tale of two analytics
WIN-SUSPECT-SVCHOST-EXECUTED
This detector identifies untrusted binaries
spawning suspicious Windows Service
Host `svchost.exe` processes.
WIN-SVCHOST-SUSPECT-PARENT
This detector identifies `svchost.exe`
executing with a suspect parent process.
26. LESSON SIX: Conditional Mapping
Mapping at the detection level
▪ Most accurate
Mapping at the analytic level
▪ Fastest
Conditional mapping
▪ Identify ambiguous analytics and require human reviews
35. Using MITRE PRE-ATT&CK and ATT&CK in
Cybercrime Education and Research
2020 ATT&CKcon Power Hour
Aunshul Rege & Rachel Bleiman
CAREER Award # 1453040
SaTC EDU Award # 2032292
36. Agenda
• MITRE PRE-ATT&CK and cybercrime/security education
• MITRE ATT&CK and research datasets
• Summary
37. MITRE PRE-ATT&CK & cybercrime/security education
• Cybercrime course
• Human aspects of cyberattacks/security via social engineering (SE)
• Multidisciplinary composition (8 groups)
• Objectives
• Applications of PRE-ATT&CK to SE
• Conduct threat intelligence
• Understand limitations
• 6 SE case studies with rich details
• Overall mapping to the PRE-ATT&CK matrix
• Specific expansion on tactics and techniques
• Identify PRE-ATT&CK mitigation strategies
• First attempt at this project (Fall 2020)
38. Overall mapping to the PRE-ATT&CK matrix
• What is the mapping %?
• What does this mean for:
• Case study?
• PRE-ATT&CK matrix?
https://attack.mitre.org/versions/v7/matrices/pre/
41. Agenda
• MITRE PRE-ATT&CK and cybercrime/security education
• MITRE ATT&CK and research datasets
• Summary
42. Cybersecurity in Action, Research and Education
• Offer FREE downloadable course projects and datasets
• Sites.temple.edu/care
• Social Engineering (SE) incidents
• Version 5; N=623; 2011 - August 2020
• Critical Infrastructure Ransomware (CIRW) incidents
• Version 10.4; N=747; November 2013 - September 2020
• Both datasets based on publicly disclosed incidents
• Feedback to map CIRW dataset to ATT&CK
• Why not for SE dataset too?
43. Mapping SE dataset to ATT&CK framework
• 50% (461/925) of the tactics mapped onto an ATT&CK technique or software
  • T1566: Phishing
  • T1566.001
  • T1566.002
• 23% (23/100) of the attackers mapped onto an ATT&CK group (attacker)
  • G0032
  • G0059
  • G0092
  • G0094
Variables
General Start Date
General End Date
Target
Location
Social Engineering Tactic
MITRE ATT&CK Technique or Software
Monetary Cost
Attacker
MITRE ATT&CK Group - Attacker
Attacker posing as
Ploy
Source
44. Mapping CIRW dataset to ATT&CK framework
Variables
Year
General Date
Organization Name
Location
CIS Targeted
Strain
MITRE ATT&CK Software ID [if exists]
Duration
Duration Rank
Ransom Amount
Local Currency
Ransom Amount Rank
Paid Status
Pay Method
Amount Paid
Source
• V9 → V10: NotPetya cases removed – ATT&CK defines it as wiperware
• 56% of the strains mapped onto ATT&CK software
  • S0366
  • S0370
  • S0372
  • S0400
  • S0446
  • S0449
  • S0457
  • S0481
45. Mapping limitations/challenges
• Many of the SE techniques do not currently exist in ATT&CK (e.g. whaling, vishing)
• Bulk of our data is phishing/spear phishing, which skews mapping results
• Major strains missing (could only map 56%)
• REvil
• RansomEXX
• DoppelPaymer
46. Agenda
• MITRE PRE-ATT&CK and cybercrime/security education
• MITRE ATT&CK and research datasets
• Summary
47. Summary: PRE-ATT&CK and ATT&CK uses
• Education: PRE-ATT&CK benefits
• Develop ability to map and understand threat intelligence
• Develop ability to understand challenges/limitations
• Map SE cases (not typically done)
• All disciplines can engage
• Research datasets: ATT&CK links
• Educators: Class projects, research, publications
• Students: Course projects, dissertation/thesis
• Government: ICS training classes, raising awareness, assessing internal responses to CIRW attacks
• Industry: Trends & patterns in TTPs across RW strains, comparing the data to their own internal datasets, threat modeling, awareness & training, risk & statistical analysis
49. Summary/future directions
• Merging PRE-ATT&CK and ATT&CK
• Data repository
• Indictments
• SE case studies
• Focus groups/interviews
• Weaving it into Collegiate SE CTF
• Seeking collaboration!
[Diagram: overlap of PRE-ATT&CK/ATT&CK, Social Science, and Education & Research]
50. Using MITRE PRE-ATT&CK and ATT&CK in
Cybercrime Education and Research
2020 ATT&CKcon Power Hour
Aunshul Rege & Rachel Bleiman
rege@temple.edu; rachel.bleiman@temple.edu
@prof_rege; @rab1928
Q&A
Feedback?
Visit sites.temple.edu/care to download the CIRW dataset and the SE dataset – we welcome feedback and would love to engage with the community!
53. Who Am I
● Co-Founder, CEO @ Cymptom
● Security Researcher
● Speaker - Black Hat, BSides, etc.
● Content inspired by true events...
During COVID...
61. Analyzing Exposure By Mitigation
Mitigation                    | What                                   | Where                        | Effectiveness
Privileged Account Management | Credentials overlap                    | SAM, LAPS, PAM solutions     | Mitigates all PtH scenarios
Update Software               | KB2871997 patch existence              | Endpoint, WSUS, VM solutions | Mitigates local non-administrative accounts PtH
User Account Control          | Domain user is admin on both computers | GPO, AD                      | Mitigates domain user PtH
User Account Management       | PtH UAC restrictions enabled           | Registry, GPO                | Mitigates local PtH except for the built-in Administrator (RID 500)
Great read: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
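The "Registry, GPO" and "Endpoint, WSUS" cells of the table above are the parts of this exposure analysis that can be read directly from a host. The following read-only PowerShell check is an added example, not code from the slides or from Cymptom: it reports whether the UAC remote restrictions that mitigate local-account PtH are in place, whether the built-in Administrator (RID 500) exception is closed, and whether KB2871997 is present. The function name `Get-PthMitigationPosture` and the output field names are this example's own; the registry values `LocalAccountTokenFilterPolicy` and `FilterAdministratorToken` under the `Policies\System` key are the real settings that govern the behaviour described in the harmj0y post linked above. Credential overlap and LAPS/PAM coverage (the first row of the table) need directory-level data and are not covered here.

```powershell
# Added example (not from the slides): read-only assessment of the
# endpoint settings behind the "User Account Management" and
# "Update Software" rows of the PtH mitigation table.
# Run in an elevated PowerShell session on the host being assessed.

function Get-PthMitigationPosture {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # LocalAccountTokenFilterPolicy: absent or 0 = UAC remote restrictions ON,
    # so local admin accounts other than RID 500 receive a filtered token
    # over the network. 1 = restrictions OFF: any local admin can be used
    # for PtH, which is the weak setting the table warns about.
    $tokenFilter = $props.LocalAccountTokenFilterPolicy
    $remoteRestrictionsOn = ($null -eq $tokenFilter) -or ($tokenFilter -eq 0)

    # FilterAdministratorToken: 1 = Admin Approval Mode also applies to the
    # built-in Administrator (RID 500), closing the exception in the table.
    $adminToken = $props.FilterAdministratorToken
    $rid500Filtered = ($adminToken -eq 1)

    # KB2871997 exists as a separate hotfix only on Windows 7 / 8 /
    # Server 2008 R2 / 2012; later versions ship the change in-box, so
    # "not installed" is only a finding on those older builds.
    $kb = Get-HotFix -Id 'KB2871997' -ErrorAction SilentlyContinue
    $osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

    # Summarise the remaining local-account PtH exposure in one field.
    if (-not $remoteRestrictionsOn) {
        $exposure = 'All local administrator accounts (token filter disabled)'
    }
    elseif (-not $rid500Filtered) {
        $exposure = 'Built-in Administrator (RID 500) only'
    }
    else {
        $exposure = 'None via local accounts'
    }

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        OSVersion                    = $osVersion
        UacRemoteRestrictionsEnabled = $remoteRestrictionsOn
        Rid500TokenFiltered          = $rid500Filtered
        KB2871997Installed           = [bool]$kb
        LocalPtHExposure             = $exposure
    }
}

# Usage: run on one host, or wrap in Invoke-Command to collect across a fleet.
Get-PthMitigationPosture | Format-List
```

The function deliberately reads settings rather than changing them; the fix for a `LocalAccountTokenFilterPolicy = 1` finding belongs in GPO, as the "Where" column of the table indicates, so that a local change is not silently reverted at the next policy refresh.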
64. Adversary Emulation vs. Data Analytics: Pros and Cons
✓ Coverage
✓ Safety
✓ The real thing
✓ Test people & processes
x Business disruption
x Resource intensive
x Miss detective controls
x Miss processes
65. Takeaways
Adversary Emulation is essential but should be practiced cautiously
Data Analytics is better for assessing defensive coverage
Defensive Coverage can be assessed using ATT&CK mitigations
68. TA505
A Study of High End Big
Game Hunting in 2020
Brandon Levene
ATT&CKCON
October 9th, 2020
69. Proprietary + Confidential
Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises.
70. Agenda
Context and background
Threat actor process
Lessons learned
Operational details
72. Who is TA505?
Customer of Dridex banking Trojan as well as Locky and Jaff ransomware families from 2014-2017
NOT the developers of the tools above (that would be ‘EvilCorp’)
Shift to backdoors in 2018, which coincides with a decrease in bespoke banking trojans and non-targeted ransomware
Rapidly shifted through initial loaders and secondary payloads throughout 2018 and 2019, slowly shifting towards “in house” tooling
Users* of CLOP ransomware (first seen in Feb 2019) as primary monetization mechanism
There do not appear to be any other users, so this is likely another in-house tool
Context and background
74. NETZSCH GROUP BASED IN GERMANY ALLEGEDLY BREACHED BY CLOP RANSOMWARE OPERATORS
Hackers publish ExecuPharm internal data after ransomware attack
CL0P Ransomware Breached UK’s Largest Privately-Owned Logistics Company--EV Cargo Logistics
Ransomware Hits Maastricht University, all Systems Taken Down
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
87. Complement defense in depth with detection in depth
Study TTPs to seize interdiction opportunities
Detecting the ransomware itself is too late
Attackers use a blend of tools and techniques to get the job done: don’t overlook open source tools as too “amateur”
Visibility is key