ATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework

Transcription

1 ATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework Random Image Taken From:

2 Agenda Introductions The Problem MITRE ATT&CK Tactics & Techniques Benefits Getting Started Scoring Heatmap Testing Resources

3 Introductions Christian Kopacsi CSIRT Consumers Energy Security Monitoring & Threat Intelligence Incident Response & Analysis Vulnerability Management & Penetration Testing Steve Motts Red Team Consumers Energy CSIRT

4 The Problem

5 Dwell Time - Mandiant/FireEye M-Trends Reports Average Dwell Time (Days) Mandiant/FireEye M-Trends Annual Threat Report

6 Cyber Kill Chain vs MITRE ATT&CK

7 MITRE & the ATT&CK Framework MITRE Not-for-profit company operating multiple federally funded research and development centers ATT&CK Adversarial Tactics, Techniques & Common Knowledge Purpose: Model for cyber adversary behavior, reflecting various phases of an adversary s lifecycle and the platforms they are known to target

8 Tactics & Techniques Tactics Derived from cyber attack life cycle Techniques Jan April

9 Technique Detail (Example) Technique Create Account

10 Benefits Helps determine which technologies work/fail Identify gaps to improve security posture/processes Prioritize work on detecting/deterring techniques Evaluate new security technology Low cost testing Open source/free tools Atomic Red Team, Caldera, much more coming! Information sharing Red/Blue team, IT, Management Budget for new technology?

11 Benefits (Continued) 32 Opportunities for Detection!

12 Getting Started Assessment Review of current security capabilities/technologies Set time aside (blocks of hours) to discuss as a team Most input coming from the defenders (blue team) They know the tools and respond to the tools! Red team provide input as well Validation of capabilities during progression Other teams (IT, OT, etc.)

13 Scoring Define YOUR scoring system Set criteria for measuring effectiveness at detecting specific techniques Rating system levels (None, Poor, Fair, Good, Very Good & Excellent) Match specific color and numeric value to each level None 0 = Red, Excellent 5 = Green You are creating a heatmap so colors should be indicative of effectiveness (red bad, green good)

14 Scoring - Continued Assign key focus point for each level None 0 Lacking data to detect a specific adversary technique (Looking for Powershell activity, but only have Windows Security Event Logs). No data or data not centralized, no capability. Poor Fair Good Hunting on one endpoint at a time, (not utilizing a central log location). Creating basic signatures or correlation rules to detect specific activity (two-three correlating events). Threat Intel feeds (IOC Sweeps). Running queries and trying to make sense of the data without automating certain hunting procedures that could make your hunt more effective and efficient. (i.e. After running a few queries in your SIEM you might still have thousands or hundreds of events that you will still need to go through and maybe correlate them with other events to find outliers) Collecting the right data to improve the detection of an adversary technique. Different types of logs being analized (PowerShell, netflow, etc). Need for appropriate tools or processes to aggregate and make sense of all the data. Filtering to reduce the amount of data that is received and needs to be analyzed. Correlating and integrating numerous data types across all your endpoints in order to filter out noise and potential false positives. Here is where you use a few basic Data Science techniques in order to make sense of all the data that you have in your central repository (Better Automation). Very Good Excellent 4 5 Leveraging more than just simple outlier detection techniques. Using advanced data science techniques to detect the known and unknown (data science concepts such as Machine Learning cannot be applied to every single use case or technique that you are trying to detect). If you can validate the detection of an adversary technique by just applying basic data science techniques, then you might be already in the "Very Good" level. Very proficient and effective at detecting adversary techniques, furthermore have a very good understanding of the environment. (Not understanding how certain activity relates to the environment, means activity could be missed).

15 Heatmap

16 Trend Chart Track your journey! Management loves charts/graphs!

17 Testing Your Detections Validate and tune for adversarial techniques Lots of options open source Red Canary Atomic Red Team MITRE Caldera ENDGAME RTA RedHuntLabs RedHunt OS UBER Metta APTSimulator Execute Collect Develop detection

18 Red Canary - Atomic Red Team (Intro) Red Canary Atomic Red Team (open source) Small components that simulate adversarial activities Portable detection tests mapped to MITRE ATT&CK Framework Windows, Mac, & Linux 65+ techniques covered and growing! Consist of scripts, dll s, command line, & more! Options to run locally or remote

19 Red Canary Atomic Red Team (Example) System Service Discovery - MITRE ATT&CK Technique: [T1007]( tasklist.exe sc.exe sc query sc query state= all Start/Stop a service sc start/stop <service name> GUI services.msc WMIC.exe wmic service where (displayname like "%<whatever>%") get name

20 MITRE Caldera (Intro) Automated adversary emulation platform Server runs on Linux Windows Enterprise configured as (Domain only)! Enterprise emulation Operates on Windows (32/64bit) Dynamic operation with variable behavior 30+ techniques built-in You can create more Utilizes agent for communication to server Agent deploys RAT Automatically captures artifacts of the technique used Steps taken, data collected, PIDs, etc. Match information to security technology used for detection

21 Caldera (Example)

22 ENDGAME Red Team Automation (RTA) (Intro) Framework of scripts designed to allow blue teams to test detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK. Composed of python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application. Attempts to perform the actual malicious activity described. Will emulate all or parts of the activity.

23 ENDGAME RTA (Example)

24 RedHuntLabs Red Hunt OS (Intro) Linux based Virtual Machine for Adversary Emulation and Threat Hunting Aims to be a one stop shop for all your threat emulation and hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.

25 RedHuntLabs RedHunt OS (Example)

26 Uber Metta (Intro) Information security preparedness tool. Allows you to test host based defenses, as well as network based detection

27 Uber Metta (Example)

28 APTSimulator (Intro) APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised Use Cases POCs: Endpoint detection agents / compromise assessment tools Test your security monitoring's detection capabilities Test your SOCs response on a threat that isn't EICAR or a port scan Prepare an environment for digital forensics classes

29 APTSimulator (Example)

30 Resources Roberto Rodriguez Amazing blue team work MITRE information galore (Heatmap/Trend) Red Canary Atomic Red Team Portable detection test mapped to MITRE ATT&CK Framework MITRE Caldera Automated adversary emulation

31 Resources - Continued Endgame Red Team Automation (RTA) RedHuntLabs RedHunt-OS Uber Metta Nextron APTSimulator

32 We ll Shut Up Now