
A Gentle Introduction to MITRE ATT&CK

A Gentle Introduction to MITRE ATT&CK. Security BSides Fredericton 2018. Jason Keirstead, STSM & Lead Architect, IBM Security. November 20th, 2018. The Five Ws (and an H): WHO are you? WHAT is MITRE ATT&CK? WHEN and WHERE would I use MITRE ATT&CK? WHY is it advantageous?


Presentation Transcript


  1. A Gentle Introduction to MITRE ATT&CK
     Security BSides Fredericton 2018
     Jason Keirstead, STSM & Lead Architect, IBM Security
     November 20th, 2018

  2. The Five Ws (and an H)…
     • WHO are you?
     • WHAT is MITRE ATT&CK?
     • WHEN and WHERE would I use MITRE ATT&CK?
     • WHY is it advantageous?
     • HOW does it break (challenges)?

  3. WHO Are you?

  4. Who Are You
     • Working in the security intelligence arena since 2004 (Q1 Labs/IBM Security) across many domains including SIEM, risk and vulnerability management, security analytics, and cyber threat intelligence (CTI). Currently serves as Lead Architect for the IBM Security Cloud.
     • Has presented on cybersecurity & CTI sharing matters at several international conferences such as Borderless Cyber, RSA USA, FS-ISAC, and IBM THINK.
     • Working with the STIX and TAXII community since 2014; OASIS CTI Technical Committee co-chair since 2016
     • Elected to the OASIS Board of Directors in 2018
     • Loves working on enterprise-scale challenges and interesting new problem domains, but a simple hacker at heart

  5. Credits!
     • Some of the materials you will see have been shamelessly lifted from an amazing presentation delivered by John Wunder & Katie Nickels from MITRE at BSides Las Vegas 2017

  6. WHAT is MITRE ATT&CK?

  7. Framing the problem
     What keeps you awake at night?
     • How effective are my defenses?
     • Can I detect FriendlyRabidSquirrel, BrokebackHippo, or whatever the latest APT of the hour is?
     • Is the data I’m collecting actually useful?
     • Do I have obvious gaps? Do I have overlapping tool coverage? If so, how much?
     • Will this *shiny new* product from a vendor in the lobby really help my organization’s defenses?

  8. WHAT is ATT&CK?
     • ATT&CK IS NOT an open-source (or any other kind of) threat intelligence feed full of IOCs to look for
     • ATT&CK IS NOT yet another kill-chain system that describes an event lifecycle
     • ATT&CK stands for “Adversarial Tactics, Techniques, and Common Knowledge”
     • ATT&CK IS a globally-accessible knowledge base of adversary tactics and techniques, categorized into an easily-consumable model
     • ATT&CK IS based on real-world, in-the-wild observations of actual adversary behavior
     • ATT&CK IS purposefully focused on the adversary: the behaviors they exhibit, the tools they use, and the actions they perform
     • ATT&CK IS community driven, and updated by MITRE quarterly based on new things being seen and reported in the wild

  9. How ATT&CK Is Laid Out
     • ATT&CK is laid out as a series of adversary tactics, each of which comprises many techniques.
     • Techniques are what one wants to detect and mitigate, and to emulate when red teaming
     • This is often laid out in a tabular matrix form for ease of consumption
     • As part of ATT&CK, MITRE also describes the adversary groups (80) and malware/tools (280) that use these various techniques

  10. ATT&CK and the Cyber Kill-Chain
     • Priority Definition
       • Planning, Direction
     • Target Selection
     • Information Gathering
       • Technical, People, Organizational
     • Weakness Identification
       • Technical, People, Organizational
     • Adversary OpSec
     • Establish & Maintain Infrastructure
     • Persona Development
     • Build Capabilities
     • Test Capabilities
     • Stage Capabilities
     • Initial Access
     • Execution
     • Persistence
     • Privilege Escalation
     • Defense Evasion
     • Credential Access
     • Discovery
     • Lateral Movement
     • Collection
     • Exfiltration
     • Command and Control

  11. What is a TECHNIQUE in ATT&CK?

  12. What is a GROUP in ATT&CK?

  13. What is SOFTWARE in ATT&CK?

  14. WHEN and WHERE would I use MITRE ATT&CK?
     • Detection & Analytics
     • Measuring Defense
     • Evaluating Tools

  15. Use Case 1: Detection & Analytics

  16. Use Case 1: Detection & Analytics
     • Analytics look for observable events and artifacts that indicate adversary behavior
     • E.g., if an adversary uses RDP, the Windows Event Logs will show a logon with type=RemoteInteractive
     • Most analytics described in ATT&CK are general purpose and will result in false positives if deployed in isolation
     • Environmental context is required to fill in the gaps.
     • #PROTIP – Only groups or chains of successful analytics should lead you to increased confidence

  17. Use Case 1: Detection & Analytics
     The 3 steps to developing a successful analytic
     • Read the ATT&CK page and fully understand the technique
       • Think about it from an adversary perspective, not as a defender
       • Try to mentally separate any legitimate usage from malicious usage
     • Try it
       • Carry out the attacks via your own testing or pre-written scripts, or leverage open source tools such as Red Canary’s Atomic Red Team or Endgame’s Red Team Automation
       • What does the result look like in the logs?
       • Could you write a search / rule / alert to find the behavior?
     • Write and iterate
       • Write your first searches / rules / alerts, narrow down false positives, and iterate
       • Keep testing – make sure you check for a variety of ways it can be used, not just the easiest
       • If, once deployed, the analytic gives false positives, do not give up or disable it; tune it to eliminate them
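Added example (not from the talk): the detection and chaining logic of slides 16 and 17 in Python, run over a few constructed Windows Security events. The RDP analytic is the slide's LogonType=RemoteInteractive check; the jump-host allowlist and service-account list stand in for environmental context, and the chain score only grows when several analytics fire for the same host and user, as the #PROTIP suggests. Event IDs 4624 and 4688 and logon type 10 are Windows values; every host, user and address below is constructed.

```python
import json
from collections import defaultdict

# Constructed Windows Security events as JSON lines (not captured from a real host).
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP), 4688 = process creation.
SAMPLE_LOG = """
{"t": 100, "EventID": 4624, "LogonType": 10, "User": "alice", "Host": "WS07", "Src": "10.0.9.5"}
{"t": 130, "EventID": 4624, "LogonType": 10, "User": "svc_backup", "Host": "FS01", "Src": "10.0.44.17"}
{"t": 140, "EventID": 4688, "User": "svc_backup", "Host": "FS01", "NewProcess": "whoami.exe"}
{"t": 150, "EventID": 4624, "LogonType": 2, "User": "bob", "Host": "WS12", "Src": "-"}
"""

# Environmental context, assumed for this example: RDP should only originate from the
# jump hosts, and service accounts should never log on interactively (types 2 and 10).
JUMP_HOSTS = {"10.0.9.5"}
SERVICE_ACCOUNTS = {"svc_backup"}
WINDOW = 60  # seconds; hits for the same host/user inside this window form one chain

def parse(log):
    return [json.loads(line) for line in log.strip().splitlines()]

def is_rdp_logon(e):
    return e["EventID"] == 4624 and e.get("LogonType") == 10

# Individual analytics: general purpose, and noisy when deployed in isolation.
ANALYTICS = {
    "rdp_logon": is_rdp_logon,
    "rdp_from_non_jump_host": lambda e: is_rdp_logon(e) and e.get("Src") not in JUMP_HOSTS,
    "service_acct_interactive": lambda e: e["EventID"] == 4624
        and e.get("LogonType") in (2, 10) and e["User"] in SERVICE_ACCOUNTS,
    "process_created": lambda e: e["EventID"] == 4688,
}

def score_chains(events):
    """Group hits by (host, user); confidence = number of distinct analytics that
    fired within WINDOW seconds of the first hit for that key."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        for name, pred in ANALYTICS.items():
            if pred(e):
                hits[(e["Host"], e["User"])].append((e["t"], name))
    chains = {}
    for key, h in hits.items():
        start = h[0][0]
        fired = {name for t, name in h if t - start <= WINDOW}
        chains[key] = {"analytics": sorted(fired), "confidence": len(fired)}
    return chains

def alerts(events, min_confidence=3):
    """Only chains of several corroborating analytics are worth an analyst's time."""
    return {k: v for k, v in score_chains(events).items() if v["confidence"] >= min_confidence}
```

On the sample, alice's RDP logon from an approved jump host scores 1 and never alerts, while the service account's RDP logon from an unknown source followed by process creation scores 4.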

  18. WHEN and WHERE would I use MITRE ATT&CK? Use Case 2: Measuring Defense

  19. Use Case 2: Measuring Defense
     • The ATT&CK matrix, when combined with MITRE’s online viewer, is a powerful tool to measure current defense coverage
     • Heat map / color code techniques based on:
       • Threat actor group
       • APT malware / software in use
       • Rule / search / alert coverage deployed
       • Toolchain capabilities
       • Log sources monitored
     • Use it to plan where to deploy precious resources (both financial & human)
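Added example, not from the talk: a Python sketch of the slide's coverage heat map that scores each technique on a 0 to 100 continuum from the log sources monitored, the analytics deployed and tested, and vendor claims, then emits a minimal ATT&CK Navigator layer and lists the priority group's techniques that remain uncovered. The technique IDs are real Enterprise ATT&CK IDs with their 2018-era names; the data-source names, the environment inventory, the scoring weights and the group's technique list are constructed, and the layer fields are a simplified subset of the Navigator's format.

```python
import json

# Assumed inventory for this example: real Enterprise ATT&CK technique IDs (2018-era names),
# each with the data sources its detection depends on; the source names are constructed.
TECHNIQUES = {
    "T1021": ("Remote Services", {"auth_logs", "netflow"}),
    "T1059": ("Command-Line Interface", {"process_creation"}),
    "T1003": ("Credential Dumping", {"process_creation", "api_monitoring"}),
    "T1048": ("Exfiltration Over Alternative Protocol", {"netflow", "proxy"}),
}
# Constructed picture of one environment: what is collected, detected, and merely claimed.
ENVIRONMENT = {
    "log_sources": {"auth_logs", "process_creation", "proxy"},
    "analytics": {"T1021": {"deployed": 2, "tested": True},
                  "T1059": {"deployed": 1, "tested": False}},
    "tool_claims": {"T1003", "T1059"},  # what the vendor in the lobby says it covers
}
# Techniques attributed to the group this organization worries about (constructed list).
PRIORITY_GROUP_TECHNIQUES = {"T1021", "T1003", "T1048"}

def coverage_score(tid):
    """0-100 continuum: visibility (do we collect the needed data?) plus detection
    (is an analytic deployed, and was it tested?); untested vendor claims count little."""
    _, needed = TECHNIQUES[tid]
    visibility = 40 * len(needed & ENVIRONMENT["log_sources"]) / len(needed)
    a = ENVIRONMENT["analytics"].get(tid)
    detection = (30 + (20 if a["tested"] else 0)) if a and a["deployed"] else 0
    claimed = 10 if tid in ENVIRONMENT["tool_claims"] else 0
    return round(visibility + detection + claimed)

def navigator_layer(name="coverage"):
    """Minimal ATT&CK Navigator layer (a simplified subset of its JSON fields) that
    colours techniques by score and flags the priority group's techniques."""
    techs = []
    for tid in TECHNIQUES:
        comment = "used by priority group" if tid in PRIORITY_GROUP_TECHNIQUES else ""
        techs.append({"techniqueID": tid, "score": coverage_score(tid), "comment": comment})
    return {"name": name, "domain": "enterprise-attack", "techniques": techs}

def gaps(threshold=50):
    """Priority-group techniques below threshold: where the next dollar or analyst hour goes."""
    return sorted(t for t in PRIORITY_GROUP_TECHNIQUES if coverage_score(t) < threshold)

if __name__ == "__main__":
    print(json.dumps(navigator_layer(), indent=2))
    print("gaps:", gaps())
```

Note how T1059 scores highest despite its analytic being untested, because the vendor claim and full visibility add up; the model is deliberately crude, and the weights are the part you argue about with your own team.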

  20. Use Case 2: Measuring Defense
     • RED / BLUE teaming works better & is more actionable when planned & actioned using ATT&CK
     • The red team can use ATT&CK to label their post-event activities in a debrief report.
     • The blue team can then map the gaps back to their analytics, and the products in the environment can be tuned to address the detection gaps.

  21. WHEN and WHERE would I use MITRE ATT&CK? Use Case 3: Evaluating Tools

  22. Use Case 3: Evaluating Tools
     • Use ATT&CK to plan and execute well-structured and unbiased product evaluations
     • Provide reports to management (and back to vendors) using the ATT&CK matrix
     • New vendor-neutral tool evaluation program against APT3 (vendors will likely start advertising coverage based on ATT&CK): https://www.mitre.org/news/press-releases/mitre-offers-attck-based-evaluations-of-post-exploit-detection-products
     • You can already see it happening in the market:
       • Endgame: https://www.endgame.com/mitre-attck-coverage
       • CrowdStrike: https://www.crowdstrike.com/resources/news/crowdstrike-falcon-endpoint-protection-platform-validated-against-mitre-attck-framework-in-nation-state-emulation-test/

  23. Challenges & Common Pitfalls

  24. Common Pitfalls
     • Assuming all techniques are created equal
       • Techniques in ATT&CK do not have any kind of “severity” rating, but they should
       • Some techniques are more trivial to exploit than others, and some have much more impact than others, while others are entire programming languages (i.e. PowerShell)
     • Assuming that “you’re covered” because you can detect a technique in one specific scenario
       • Technique definitions are purposefully high-level, and attackers are always evolving within these techniques
       • You will never gain and maintain 100% coverage of any technique, let alone all of them
       • Coverage of techniques is best thought of as a continuum rather than a binary
     • Assuming you need alerts for every technique
       • Many techniques have positive uses as well
       • If you have tools that allow it, it is better to evaluate technique CHAINS than techniques in isolation

  25. Challenges
     • Evaluating analytics and chains will require increasing amounts of data
       • Data marking at ingestion becomes less useful
       • Collection and long-term storage become a challenge
       • Can ATT&CK help target your data collection?
       • Can collection be made more agile?
     • Many analytics will depend on search
       • How can you scale your search / analytics to become near real-time?
       • How can you prioritize and make effective use of your resources? Can ATT&CK help?
     • Communities
       • How to convince parties of the value in bridging the asymmetric information gap
       • How to develop robust trust communities to create, curate, evaluate, and share analytics

  26. Resource Links & Questions
     • MITRE ATT&CK: https://attack.mitre.org
     • Detection Lab: https://github.com/clong/DetectionLab and https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
     • Atomic Red Team: https://atomicredteam.io/
     • Endgame Red Team Automation (RTA): https://github.com/endgameinc/RTA
     • Cyb3rWard0g Playbooks: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
     • Linux auditd Events -> ATT&CK: https://github.com/bfuzzy/auditd-attack
     • Palo Alto Unit42 Playbook Viewer: https://github.com/pan-unit42/playbook_viewer
     • Fortiguard Playbook Viewer: https://threatplaybook.fortiguard.com/
