©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
Frameworks and Why We Use Them
Katie Nickels
SANS CTI Summit – CTI 101
January 20, 2019
Why Do We Use Frameworks for CTI?
▪ Miller’s law: the number of objects an average person can hold in working memory is about seven, plus or minus two (https://en.m.wikipedia.org/wiki/Miller's_law)
▪ What is a framework?
– Structure that we can use to organize CTI
▪ Frameworks can help us make better assessments and produce better intelligence by helping us:
– Hedge against bias
– Identify gaps
– Compare incidents and adversaries
– Find patterns and trends
Common CTI Frameworks
▪ Diamond Model
▪ Lockheed Martin Cyber Kill Chain®
▪ MITRE ATT&CK™
▪ VERIS
Which one is “best”?
It depends on your requirements!
Remember the Limitations
George E. P. Box: “All models are wrong, but some are useful.” (https://www.lacan.upc.edu/admoreWeb/2019/05/all-models-are-wrong-but-some-are-useful-george-e-p-box/)
Diamond Model
▪ When is it useful?
– To compare and group different intrusions
– To examine similarities between seemingly disparate activity
▪ Limitations
– High-level
– Flexible – need to decide among your team how you “bin” information
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Lockheed Martin Cyber Kill Chain
▪ When is it useful?
– To “bin” the phases of an adversary’s intrusion
– To examine what you might be missing
▪ Limitations
– High-level
– Flexible – need to decide among your team how you “bin” information
▪ Also examine Courses of Action:
– Detect, Deny, Disrupt, Degrade, Deceive, Destroy
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
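The slide’s two points about the Kill Chain, binning activity by phase and using the Courses of Action to see what you might be missing, are usually combined as a phases-by-actions matrix. The following is an added example (not from the slides or from Lockheed Martin) that builds that matrix from a control inventory and reports the phases where a team has no Detect or Deny coverage. The control list is constructed sample data, and the choice of which courses of action are mandatory is an assumption the team would make for itself.

```python
"""Cyber Kill Chain x Courses of Action gap matrix (added example).

PHASES are the seven Lockheed Martin Kill Chain phases; ACTIONS are the six
courses of action listed on the slide. CONTROLS is a constructed inventory
and does not describe any real environment.
"""
from collections import defaultdict

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]

# Constructed control inventory: (phase, course of action, control name).
CONTROLS = [
    ("Reconnaissance", "Detect", "web server log review"),
    ("Delivery", "Detect", "mail gateway alerting"),
    ("Delivery", "Deny", "attachment type blocking"),
    ("Exploitation", "Deny", "patching"),
    ("Exploitation", "Disrupt", "EDR exploit mitigation"),
    ("Installation", "Detect", "EDR process telemetry"),
    ("Command and Control", "Detect", "proxy beaconing analytics"),
    ("Command and Control", "Deny", "egress filtering"),
    ("Command and Control", "Deceive", "DNS sinkhole"),
    ("Actions on Objectives", "Detect", "DLP alerting"),
]


def build_matrix(controls):
    """Return {phase: {action: [control names]}} with every cell present,
    so empty cells (gaps) are visible rather than silently absent."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for phase, action, name in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase/action: {phase}/{action}")
        matrix[phase][action].append(name)
    return matrix


def find_gaps(matrix, required=("Detect", "Deny")):
    """Phases missing any of the courses of action the team treats as
    mandatory. The default (Detect and Deny) is an assumption for this example."""
    gaps = defaultdict(list)
    for phase in PHASES:
        for action in required:
            if not matrix[phase][action]:
                gaps[phase].append(action)
    return dict(gaps)


def render(matrix):
    """Plain-text matrix: rows are phases, columns are courses of action,
    cells are the number of controls binned there."""
    width = max(len(p) for p in PHASES)
    lines = [" " * width + " | " + " | ".join(f"{a:^8}" for a in ACTIONS)]
    for phase in PHASES:
        cells = [f"{len(matrix[phase][a]):^8}" for a in ACTIONS]
        lines.append(f"{phase:<{width}} | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    for phase, missing in find_gaps(m).items():
        print(f"gap: {phase} has no {', '.join(missing)} control")
```

A Weaponization gap is expected, since that phase happens on the adversary’s side and most defenders cannot act on it; this is exactly the kind of “how do we bin it” decision the slide’s limitations point warns about, and the team should record that choice rather than let the empty row alarm people.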
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Other Lifecycle Frameworks
▪ MITRE Cyber Attack Lifecycle: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
▪ FireEye Attack Lifecycle
https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.mitre.org/capabilities/cybersecurity/threat-based-defense
MITRE ATT&CK
[Figure: the ATT&CK Enterprise matrix. Columns are the tactics Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command & Control; each column lists that tactic’s techniques (Spearphishing Attachment, Scheduled Task, Process Injection, Credential Dumping, Pass the Hash, Data Compressed, Domain Fronting, and so on).]
▪ Tactics: the adversary’s technical goals
▪ Techniques: how the goals are achieved
▪ Procedures: specific technique implementation
MITRE ATT&CK
▪ When is it useful?
– To track adversary behavior at a detailed level
– To communicate with defenders and with other organizations about specific behaviors in a common language
▪ Limitations
– Doesn’t cover all aspects of CTI or all techniques
– Tactical focus
– Complex – can have a steep learning curve
APT28 Techniques*
[Figure: the ATT&CK Enterprise matrix, Initial Access through Command and Control, with the techniques attributed to APT28 highlighted.]
*from open source reporting we’ve mapped
APT29 Techniques
[Figure: the ATT&CK Enterprise matrix, Initial Access through Command and Control, with the techniques attributed to APT29 highlighted.]
Comparing APT28 and APT29
[Figure: the ATT&CK Enterprise matrix, Initial Access through Command and Control, colour-coded by legend: APT28, APT29, Both groups.]
▪ Overlay known gaps
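The ATT&CK slide says the framework is useful for comparing adversaries, and the three matrix slides do that visually: one group’s techniques, the other’s, then the overlap with known detection gaps laid on top. The following added example (not from the slides and not MITRE’s code or data) does the same comparison with sets. Technique and tactic names come from the 2019 Enterprise matrix, but which group uses which technique is constructed placeholder data: `GROUP_A` and `GROUP_B` stand in for the two groups on the slide and do not reproduce MITRE’s APT28/APT29 mappings, and `KNOWN_GAPS` is an assumed list of techniques the defending team cannot detect.

```python
"""Compare two groups' ATT&CK techniques and overlay detection gaps (added example).

Mappings below are constructed placeholders for illustration only.
"""

# (technique, tactic) pairs. Constructed, not MITRE's group mappings.
GROUP_A = {
    ("Spearphishing Attachment", "Initial Access"),
    ("Spearphishing Link", "Initial Access"),
    ("PowerShell", "Execution"),
    ("Credential Dumping", "Credential Access"),
    ("Pass the Hash", "Lateral Movement"),
    ("Standard Application Layer Protocol", "Command and Control"),
}
GROUP_B = {
    ("Spearphishing Attachment", "Initial Access"),
    ("PowerShell", "Execution"),
    ("Windows Management Instrumentation", "Execution"),
    ("Credential Dumping", "Credential Access"),
    ("Pass the Ticket", "Lateral Movement"),
    ("Domain Fronting", "Command and Control"),
}
# Assumed: techniques the defending team knows it has no detection for.
KNOWN_GAPS = {"Credential Dumping", "Pass the Ticket", "Domain Fronting",
              "Spearphishing Link"}


def compare(a, b):
    """Techniques used by both groups, by A only, and by B only."""
    return {"both": a & b, "a_only": a - b, "b_only": b - a}


def overlay_gaps(comparison, gaps):
    """Rank the gaps: a technique both groups use and we cannot detect is the
    first thing to fix; single-group gaps come next."""
    def names(pairs):
        return {technique for technique, _ in pairs}
    return {
        "both_and_gap": sorted(names(comparison["both"]) & gaps),
        "a_only_and_gap": sorted(names(comparison["a_only"]) & gaps),
        "b_only_and_gap": sorted(names(comparison["b_only"]) & gaps),
    }


def by_tactic(pairs):
    """Group technique names under their tactic column, as on the matrix."""
    out = {}
    for technique, tactic in sorted(pairs):
        out.setdefault(tactic, []).append(technique)
    return out


def render(comparison, gaps):
    """One line per technique, tagged with who uses it and whether it is a gap."""
    lines = []
    for label in ("both", "a_only", "b_only"):
        for tactic, techniques in by_tactic(comparison[label]).items():
            for t in techniques:
                flag = " [GAP]" if t in gaps else ""
                lines.append(f"{label:<7} {tactic:<22} {t}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    cmp = compare(GROUP_A, GROUP_B)
    print(render(cmp, KNOWN_GAPS))
    print(overlay_gaps(cmp, KNOWN_GAPS))
```

The comparison only means something if both groups were mapped against the same ATT&CK version and with the same binning rules; a technique “missing” from one group is just as likely a reporting gap as a real difference in tradecraft, which is the footnote on the APT28 slide.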
VERIS
▪ Vocabulary for Event Recording and Incident Sharing (VERIS)
– Actors: Whose actions affected the asset?
– Actions: What actions affected the asset?
– Assets: Which assets were affected?
– Attributes: How was the asset affected?
▪ When is it useful?
– Organizing incident data - example: Verizon Data Breach Investigations Reports (DBIR) (https://enterprise.verizon.com/resources/reports/DBIR_2019_Report.pdf)
– To track trends and patterns in incidents
▪ Limitations
– Flexible – need to decide among your team how you “bin” information
http://veriscommunity.net/
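The A4 questions above become useful once incidents are recorded in the same shape and counted. The following added example (not from the slides or from the VERIS project) bins a handful of incidents by Actor, Action, Asset and Attribute and pulls out the actor-by-action counts that DBIR-style trend charts are built from. The records are constructed and use a simplified subset of the VERIS JSON field names (`actor.<origin>.variety`, `action.<category>.variety`, `asset.assets[].variety`, `attribute.<security attribute>`); real VERIS records carry many more fields.

```python
"""Bin incidents with the VERIS A4 model (added example; constructed records)."""
import json
from collections import Counter

# Constructed sample incidents in a simplified VERIS shape.
RAW_INCIDENTS = r"""
[
 {"actor": {"external": {"variety": ["Organized crime"]}},
  "action": {"malware": {"variety": ["Ransomware"]},
             "social": {"variety": ["Phishing"]}},
  "asset": {"assets": [{"variety": "S - File"}, {"variety": "U - Desktop"}]},
  "attribute": {"availability": {"variety": ["Obscuration"]}}},
 {"actor": {"external": {"variety": ["State-affiliated"]}},
  "action": {"social": {"variety": ["Phishing"]},
             "hacking": {"variety": ["Use of stolen creds"]}},
  "asset": {"assets": [{"variety": "S - Mail"}]},
  "attribute": {"confidentiality": {"data": [{"variety": "Internal"}]}}},
 {"actor": {"internal": {"variety": ["End-user"]}},
  "action": {"error": {"variety": ["Misdelivery"]}},
  "asset": {"assets": [{"variety": "M - Documents"}]},
  "attribute": {"confidentiality": {"data": [{"variety": "Personal"}]}}}
]
"""


def load(raw):
    return json.loads(raw)


def bin_a4(incidents):
    """Count each incident once per (A4 category, value) it exhibits."""
    actors, actions, assets, attributes = Counter(), Counter(), Counter(), Counter()
    for inc in incidents:
        # Actor: external / internal / partner, each with a variety list.
        for origin, detail in inc.get("actor", {}).items():
            for v in detail.get("variety", []):
                actors[(origin, v)] += 1
        # Action: malware / hacking / social / error / ..., each with a variety list.
        for category, detail in inc.get("action", {}).items():
            for v in detail.get("variety", []):
                actions[(category, v)] += 1
        # Asset: list of affected assets.
        for a in inc.get("asset", {}).get("assets", []):
            assets[a["variety"]] += 1
        # Attribute: which of confidentiality / integrity / availability was hit.
        for attr in inc.get("attribute", {}):
            attributes[attr] += 1
    return {"actor": actors, "action": actions, "asset": assets,
            "attribute": attributes}


def actor_action_pairs(incidents):
    """(actor origin, action category) counts: the 'who did what' trend view."""
    pairs = Counter()
    for inc in incidents:
        origins = list(inc.get("actor", {}))
        categories = list(inc.get("action", {}))
        for o in origins:
            for c in categories:
                pairs[(o, c)] += 1
    return pairs


def incident_share(incidents, category, variety):
    """Fraction of incidents whose action of the given category includes variety."""
    hits = sum(
        1 for inc in incidents
        if variety in inc.get("action", {}).get(category, {}).get("variety", [])
    )
    return hits / len(incidents) if incidents else 0.0


if __name__ == "__main__":
    incidents = load(RAW_INCIDENTS)
    for name, counter in bin_a4(incidents).items():
        print(name, dict(counter))
    print(actor_action_pairs(incidents))
    print("phishing share:", incident_share(incidents, "social", "Phishing"))
```

The binning choices the slide warns about show up immediately here: an incident with both phishing and malware counts under two action categories, and whether a contractor is an “internal” or “partner” actor has to be decided once and applied consistently, or the trend lines are meaningless.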
Combining Frameworks: Diamond Model + Kill Chain
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
Combining Frameworks: Kill Chain + ATT&CK
https://pan-unit42.github.io/playbook_viewer/
Other Structured Tools: Processes
▪ Processes
– Intelligence Cycle
▪ https://en.wikipedia.org/wiki/Intelligence_cycle
– F3EAD - Find, Fix, Finish, Exploit, Analyze, Disseminate
▪ https://medium.com/@sroberts/intelligence-concepts-f3ead-964a0653be13
– SANS Incident Response Cycle
▪ https://medium.com/@sroberts/intelligence-concepts-the-sans-incident-response-process-45e3fa451777
Other Structured Tools: Standards and Models
David Bianco’s Pyramid of Pain
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
[email protected] @likethecoins
Slides available at https://goo.gl/KNumpw