WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Similar documents
SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

WHITEPAPER DECEPTION TO ENHANCE ENDPOINT DETECTION AND RESPONSE

Checklist for Evaluating Deception Platforms

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

Introduction to Threat Deception for Modern Cyber Warfare

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

CyberArk Privileged Threat Analytics

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Securing Privileged Access Securing High Value Assets Datacenter Security Information Protection Information Worker and Device Protection

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

WHITEPAPER DECEPTION FOR A SWIFT DEFENSE

Building Resilience in a Digital Enterprise

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

RiskSense Attack Surface Validation for IoT Systems

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Privileged Account Security: A Balanced Approach to Securing Unix Environments

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

RiskSense Attack Surface Validation for Web Applications

RSA INCIDENT RESPONSE SERVICES

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

RSA INCIDENT RESPONSE SERVICES

CloudSOC and Security.cloud for Microsoft Office 365

Incident Scale

the SWIFT Customer Security

Live Adversary Simulation: Red and Blue Team Tactics

Hunting Threats In your Enterprise

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

INCIDENT HANDLING & RESPONSE PROFESSIONAL VERSION 1

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

PrecisionAccess Trusted Access Control

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

The Mechanics of Cyber Threat Information Sharing

Building a Threat-Based Cyber Team

Mapping BeyondTrust Solutions to

Reducing the Cost of Incident Response

Colin Gibbens Director, Product Management

ANATOMY OF AN ATTACK!

Modern Realities of Securing Active Directory & the Need for AI

RSA NetWitness Suite Respond in Minutes, Not Months

ForeScout ControlFabric TM Architecture

Are we breached? Deloitte's Cyber Threat Hunting

PLANNING AZURE INFRASTRUCTURE SECURITY - AZURE ADMIN ACCOUNTS PROTECTION & AZURE NETWORK SECURITY

ESG Lab Review High-fidelity Breach Detection with Acalvio Autonomous Deception

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

SOLUTION BRIEF REMOTE ACCESS: WEBSHELLS SEE EVERYTHING, FEAR NOTHING

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

10 FOCUS AREAS FOR BREACH PREVENTION

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Seceon s Open Threat Management software

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Critical Hygiene for Preventing Major Breaches

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Microsoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Cyber Threat Intelligence Standards - A high-level overview

Acalvio Deception and the NIST Cybersecurity Framework 1.1

Part 2: How to Detect Insider Threats

A Game between Adversary and AI Scientist

Understanding Cisco Cybersecurity Fundamentals

Symantec Ransomware Protection

SIEM Solutions from McAfee

Put an end to cyberthreats

MEETING ISO STANDARDS

First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Advanced Endpoint Protection

Managing an Active Incident Response Case. Paul Underwood, COO

Traditional Security Solutions Have Reached Their Limit

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

Tactics, Techniques, and Procedures

AKAMAI CLOUD SECURITY SOLUTIONS

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity

CLICK TO EDIT MASTER TITLE RECENT STYLE APT CAMPAIGN TARGETING ENERGY SECTOR ASSETS

The Kill Chain for the Advanced Persistent Threat

First Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

align security instill confidence

CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams

IoT & SCADA Cyber Security Services

HP 2012 Cyber Security Risk Report Overview

Speed Up Incident Response with Actionable Forensic Analytics

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

ForeScout Extended Module for Carbon Black

68 Insider Threat Red Flags

Sandboxing and the SOC

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Transcription:

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1

INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model for cyber adversary behavior, reflecting various phases of an adversary s lifecycle and the platforms they are known to target. Initiated five years ago, it is designed to help determine which technologies work or fail, identify gaps to improve security posture and processes, prioritize work on detecting and deterring techniques, and to evaluate new security technology. ATT&CK is useful for understanding security risk against known adversary behavior, planning security improvements, and verifying defenses work as expected. The goal of ATT&CK is to break down and classify attacks in a consistent and clear manner that can make it easier to compare them to find how the attacker exploited networks and endpoints in a successful compromise. More information is available at https://attack.mitre.org/wiki/. THE ATT&CK MATRIX ATT&CK for Enterprise is an adversary model and framework for describing the actions an adversary may take to compromise and operate within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the tactics, techniques, and procedures (TTPs) cyber threats use to gain access and execute their objectives while operating inside a network. ATT&CK for Enterprise is an adversary model and framework for describing the actions an adversary may take to compromise and operate within an enterprise network. The 11 tactic categories within ATT&CK for Enterprise were derived from the later stages (exploit, control, maintain, and execute) of the Lockheed Martin Cyber Kill Chain (Exploit, Control, Execute, Maintain). These are: Initial Access Discovery Execution Persistence Privilege Escalation Defense Evasion Lateral Movement Collection Exfiltration Command and Control Credential Access 2

Each category contains a list of techniques that an adversary could use to perform that tactic. Techniques are broken down to provide a technical description, indicators, useful defensive sensor data, detection analytics, and potential mitigations. Applying intrusion data to the model then helps focus defense on the commonly used techniques across groups of activity and helps identify gaps in security. ATT&CK for Enterprise incorporates details from multiple operating system platforms commonly found within enterprise networks, including Microsoft Windows, macos, and Linux. ATT&CK provides a matrix for each of these systems, as well as a separate matrix for mobile systems. The framework and higher-level categories may also be applied to other platforms and environments. There is also a PRE-ATT&CK Matrix that covers the early stages of the Lockheed Martin Cyber Kill Chain (Recon, Weaponize, Deliver). This matrix is a growing common reference for pre-compromise techniques that brings greater awareness of what actions may be seen prior to a network intrusion. It enables a comprehensive evaluation of computer network defense (CND) technologies, data, processes, and policies against a common enterprise threat model. It is based off publicly available and submitted data, and not meant to be comprehensive. Deception Technology is a powerful threat detection mechanism that bridges gaps left open and exploitable by attackers when adversaries successfully penetrate a perimeter defense. ATTIVO NETWORKS SUPPORT FOR THE MITRE ATT&CK MATRIX The Attivo Networks ThreatDefend Deception and Response Platform provides extensive capabilities to detect many of the techniques outlined in the ATT&CK Matrix. It is comprised of the Attivo BOTsink Deception server, ThreatStrike Endpoint Deception Suite, ThreatPath Visibility solution, DecoyDocs for Data Loss Tracking, and ThreatOps Incident Response Playbooks. With the most comprehensive deception solution covering the widest attack surfaces, the ThreatDefend Platform efficiently and accurately detects attackers already inside the network, early in the attack cycle through network, endpoint, application, and data decoys. These deceptions are projected to user networks, datacenters, and specialized networks such as ICS-SCADA, IoT, or POS whether on premises, in the cloud, or at remote or branch offices. The platform automatically learns the environment and crafts mirror-match decoys for the highest authenticity. 3

The Attivo Networks solution is easy to deploy and operate, requiring little effort to manage, while providing unparalleled visibility to credential-based attacks, Man-in-the-Middle activity, Active Directory attacks, reconnaissance, and attacker lateral movement. It can detect known and unknown attacks with engagement-based, forensic-backed alerts that reduce mean-time-to-detect with high fidelity and accuracy. The platform s numerous third-party integrations reduce mean-time-to-respond, accelerating the incident response process while providing offense-based intelligence for a proactive defense. In evaluating the ThreatDefend Platform against the ATT&CK Matrix, Attivo Networks compared the solution against the techniques to identify how the solution would detect each one. The table below contains the analysis as of 2Q 2018, mapping to the techniques the ThreatDefend Platform can successfully detect and how the Platform can detect it. PRIVILEGE ESCALATION File System Permissions Weakness Path Interception Service Registry Permissions Weakness Attivo ThreatPath can detect if legitimate service binaries are replaced with malicious binaries. Attivo ThreatPath will detect if the attacker starts services exploiting path interception. Attivo ThreatPath will detect endpoints which can be targeted by attackers who can exploit weakness in service registry permissions. LATERAL MOVEMENT AppleScript Distributed Component Object Model Exploitation of Remote Services Logon Scripts (roadmap) Pass the Hash Pass the Ticket (roadmap) The ThreatStrike Suite and BOTsink appliance decoys can detect lateral movement when performed using Apple scripts against the decoys. The BOTsink appliance allows for loading custom images with Office software installed as decoys. Customers can submit phishing mail and documents to these decoys. Attivo monitors and alerts on DDE execution from malicious documents The BOTsink appliance hosts real operating systems as decoys which are as vulnerable as production systems. Customers can also deploy unpatched versions of vulnerable operating systems to engage and detect attacks inside the network. The BOTsink appliance decoys can be deployed as part of an enterprise domain and added to Active directory. The BOTsink appliance decoys are vulnerable to pass-the-hash methods. Attackers using pass-thehash on decoys will be detected. The ThreatStrike Suite can deploy deceptive kerberos tickets in user machines. Attacker dumping memory or kerberos tickets will see deceptive kerberos tickets. 4

LATERAL MOVEMENT CONT. Remote Desktop Protocol Remote File Copy Remote Services Shared Webroot Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management The BOTsink appliance supports hosting Windows decoys with RDP. The ThreatStrike Suite can install RDP credentials to decoys in endpoint caches and lure attackers to decoy systems. The ThreatPath solution can monitor and raise an alert for all active sessions that are under Domain Admin or Privileged Admin. The BOTsink appliance decoys allows users to perform remote file copy operations. The ThreatStrike Suite leaves deceptive lures to the BOTsink appliance decoy file and ftp servers in user endpoints to redirect attackers towards the decoys. The BOTsink appliance decoys hosts production applications (for example, SSH Servers, VNC, RDP servers, and others). The ThreatStrike Suite distributes SSH keys and credentials to these decoy servers. The ThreatPath solution will detect open and misconfigured network file shares that could lead to this attack specifically. The ThreatStrike Suite can deploy decoy network shares on endpoints mapping to decoy servers. These redirect attackers to tamper with decoy shares instead of production shares. The BOTsink appliance decoy systems can be added to software deployment tools like SCCM, Altris, and others. The adversary can execute malicious code on endpoint systems. The BOTsink appliance decoys will detect remote code execution and provide an early detection mechanism. ThreatPath solution will detect open and misconfigured network shares (C$, ADMIN$, and such). Customers can deploy decoy SMB servers with such open shares to detect attackers targeting them. The BOTsink appliance decoys allows remote connection attempts using WinRM. Users can deploy decoys or ThreatDirect forwarders and engage attackers exploiting WinRM commands for persistence and lateral movement. DISCOVERY System Time Discovery Network Share Discovery The BOTsink appliance decoys can be queried to gather time and time zone information. The BOTsink appliance detects remote activity and attempts to install scheduled tasks on its decoys. The ThreatStrike Suite installs decoy network shares. The network shares are customizable, and users can upload custom folders and files to the shares. On Windows, the ThreatPath solution can be used to monitor and detect the exposure of data on various folders and systems that are important and key to the Enterprise s business. System Network Configuration Discovery Remote System Discovery The BOTsink decoy resources (IPs, SMB shares, DNS entries, AD entries, and such) can be discovered as part of a network discovery process. Similarly, BOTsink decoys send multicast and broadcast traffic as standard images. The BOTsink decoy resource (IPs, SMB shares, DNS entries, AD entries, and such) can be discovered as part of a network discovery process. Similarly, BOTsink decoys send multicast and broadcast traffic as standard images. 5

DISCOVERY CONT. File and Directory Discovery Browser Bookmark Discovery The ThreatPath solution can be used to monitor and detect the exposure of data on various folders and systems that are important and key to the Enterprise s business. The ThreatStrike Suite can install bookmarks to the browser s profile that point to decoys. An attacker will be detected if (s)he follows these bookmark lures. Bookmark lures can also cache the credentials that will pointing to customer production images which are imported as decoys. Network Service Scanning Account Discovery Permission Groups Discovery Installing network decoys across VLANs is a very important step in detecting network scans. Any attempt to discover services on a decoy hosted by the Attivo ThreatDefend platform will identify the attackers during the network fingerprinting phase. Attivo offers a tight integration with Active Directory. The BOTsink platform in combination with the ThreatStrike Endpoint Suite can lead attackers to use high value accounts and lead them to decoys. The ThreatPath solution will flag an alert if a domain user is part of the local admin group. CREDENTIAL ACCESS Brute Force Credential Dumping The Attivo ThreatDefend Platform monitors attempts to login for any deceptive credentials by integrating with SIEM technologies within the enterprise. Any brute force attempt using deceptive users will be detected as stolen credentials attack. The ThreatStrike Suite is used to inject deceptive credentials across the enterprise at the real endpoints. These credentials are cached/ saved/injected to be discovered by attackers which can lead the attackers towards decoys. The ThreatPath solution will scan and report on the endpoints that store cleartext credentials in LSA memory. Credentials in Files Forced Authentication Kerberoasting Data from Information Repositories Data from Local System ThreatStrike Suite can deploy scripts, configuration files, passwords in text files, and documents across the endpoints. The ThreatPath solution scans and alerts if WebDAV is enabled at any endpoint. WebDAV is prone to several attacks and vulnerabilities. The Attivo ThreatDefend Platform will deploy lures that alerts against Kerberoasting attacks. Attivo Decoy Documents can be leveraged to detect attempts to exflitrate data from repositories. Attivo Decoy Documents can be leveraged to detect collection of such information. Customers can deploy document decoys in key repositories like Sharepoint, Confluence, File Servers, Box.com, and others, and monitor if the documents are exflitrated outside of these systems. Data from Network Shared Drive Attivo Decoy Documents can be leveraged to detect collection of such information. Customers can deploy document decoys in key repositories like network shared drives and monitor if the documents exflitrated outside of these systems. 6

SUMMARY Deception Technology is a powerful threat detection mechanism that bridges gaps left open and exploitable by attackers when adversaries successfully penetrate a perimeter defense. By adding the Attivo Networks ThreatDefend Platform to the security stack, organizations gain early and accurate eyes-inside-the-network visibility to attack techniques documented in the MITRE ATT&CK Matrix, that either bypass existing controls or are perpetrated by malicious actors already inside the network. ABOUT ATTIVO NETWORKS Attivo Networks provides real-time detection and analysis of inside-the-network threats. The Attivo ThreatDefend Deception and Response Platform detects stolen credentials, ransomware, and targeted attacks within user networks, data centers, clouds, SCADA, IoT, and other specialized attack surfaces by deceiving an attacker into revealing themselves. Comprehensive attack analysis and forensics provide actionable alerts, and native integrations automate the blocking, quarantine, and threat hunting of attacks for accelerated incident response. The company has won over 50 awards for its technology innovation and leadership. For more information, visit www.attivonetworks.com. 2018 Attivo Networks. All rights reserved. Attivo Networks, ThreatDefend, and ThreatPath are registered trademarks of Attivo Networks, Inc. 100218 www.attivonetworks.com Follow us on Twitter @attivonetworks

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback