
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.

Frameworks and Why We Use Them

Katie Nickels

SANS CTI Summit – CTI 101

January 20, 2019


Why Do We Use Frameworks for CTI?

▪ Miller’s law: the number of objects an average person can hold in working memory is seven (https://en.m.wikipedia.org/wiki/Miller's_law)

▪ What is a framework?

– Structure that we can use to organize CTI

▪ Frameworks can help us make better assessments and produce better intelligence by helping us:

– Hedge against bias

– Identify gaps

– Compare incidents and adversaries

– Find patterns and trends


Common CTI Frameworks

▪ Diamond Model

▪ Lockheed Martin Cyber Kill Chain®

▪ MITRE ATT&CK™

▪ VERIS

Which one is “best”?

It depends on your requirements!


Remember the Limitations

https://www.lacan.upc.edu/admoreWeb/2019/05/all-models-are-wrong-but-some-are-useful-george-e-p-box/


Diamond Model

▪ When is it useful?

– To compare and group different intrusions

– To examine similarities between seemingly disparate activity

▪ Limitations

– High-level

– Flexible – need to decide among your team how you “bin” information

http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf


Lockheed Martin Cyber Kill Chain

▪ When is it useful?

– To “bin” the phases of an adversary’s intrusion

– To examine what you might be missing

▪ Limitations

– High-level

– Flexible – need to decide among your team how you “bin” information

▪ Also examine Courses of Action:

– Detect, Deny, Disrupt, Degrade, Deceive, Destroy

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf


https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


Other Lifecycle Frameworks

MITRE Cyber Attack Lifecycle

FireEye Attack Lifecycle


[Figure: MITRE Cyber Attack Lifecycle phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain]

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.mitre.org/capabilities/cybersecurity/threat-based-defense


MITRE ATT&CK

[Figure: the ATT&CK Enterprise matrix. Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control; each column lists that tactic’s techniques.]

Tactics: the adversary’s technical goals

Techniques: how the goals are achieved

Procedures – Specific technique implementation


MITRE ATT&CK

▪ When is it useful?

– To track adversary behavior at a detailed level

– To communicate with defenders and with other organizations about specific behaviors in a common language

▪ Limitations

– Doesn’t cover all aspects of CTI or all techniques

– Tactical focus

– Complex – can have a steep learning curve


APT28 Techniques*

[Figure: the ATT&CK Enterprise matrix with the techniques mapped to APT28 highlighted. Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control.]

*from open source reporting we’ve mapped


APT29 Techniques

[Figure: the ATT&CK Enterprise matrix with the techniques mapped to APT29 highlighted. Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control.]


Comparing APT28 and APT29

[Figure: the ATT&CK Enterprise matrix with both groups’ techniques highlighted. Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control. Legend: APT28, APT29, Both groups.]

Overlay known gaps
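The comparison and gap overlay that slides 10 to 12 show as highlighted matrix cells, done on data instead of by eye. This is an added example, not MITRE’s or the ATT&CK project’s code; the two technique sets (GROUP_X, GROUP_Y) and the known-gap list are constructed placeholders that stand in for two tracked groups, not the APT28/APT29 mapping from the slides.

```python
"""Compare two groups' mapped ATT&CK techniques per tactic and overlay known
detection gaps, as slides 10-12 do visually. Added example, not MITRE's code;
the group technique sets and gaps below are constructed placeholders, not the
slides' APT28/APT29 mapping."""

# Tactic columns in the order the slides' matrix prints them (Enterprise, 2019).
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

# Technique name -> tactic column(s). Names are from the slides' matrix; a
# technique may sit under several tactics (Valid Accounts, Scheduled Task).
TECHNIQUE_TACTICS = {
    "Spearphishing Attachment": ["Initial Access"],
    "Spearphishing Link": ["Initial Access"],
    "Valid Accounts": ["Initial Access", "Persistence",
                       "Privilege Escalation", "Defense Evasion"],
    "PowerShell": ["Execution"],
    "Scheduled Task": ["Execution", "Persistence", "Privilege Escalation"],
    "Obfuscated Files or Information": ["Defense Evasion"],
    "Credential Dumping": ["Credential Access"],
    "System Information Discovery": ["Discovery"],
    "Pass the Hash": ["Lateral Movement"],
    "Pass the Ticket": ["Lateral Movement"],
    "Screen Capture": ["Collection"],
    "Data Compressed": ["Exfiltration"],
    "Standard Application Layer Protocol": ["Command and Control"],
    "Domain Fronting": ["Command and Control"],
}

# Constructed stand-ins for two tracked groups' mapped techniques.
GROUP_X = {
    "Spearphishing Attachment", "Spearphishing Link", "Valid Accounts",
    "PowerShell", "Credential Dumping", "Pass the Hash", "Screen Capture",
    "Data Compressed", "Standard Application Layer Protocol",
    "Obfuscated Files or Information",
}
GROUP_Y = {
    "Spearphishing Attachment", "Valid Accounts", "PowerShell",
    "Scheduled Task", "Credential Dumping", "Pass the Ticket",
    "Domain Fronting", "Standard Application Layer Protocol",
    "System Information Discovery",
}
# Constructed "known gaps": techniques this hypothetical SOC cannot detect yet.
KNOWN_GAPS = {"Credential Dumping", "Domain Fronting",
              "Pass the Ticket", "Spearphishing Link"}


def compare_groups(a, b, known_gaps=frozenset()):
    """Classify every technique used by either group as 'both', 'a_only' or
    'b_only' and flag whether it is also a known detection gap."""
    result = {}
    for tech in sorted(a | b):
        in_a, in_b = tech in a, tech in b
        overlap = "both" if in_a and in_b else "a_only" if in_a else "b_only"
        result[tech] = {"overlap": overlap, "gap": tech in known_gaps}
    return result


def by_tactic(comparison):
    """Lay the comparison out as matrix columns: {tactic: [(technique, overlap, gap)]}."""
    cols = {t: [] for t in TACTICS}
    for tech, info in comparison.items():
        for tactic in TECHNIQUE_TACTICS.get(tech, []):
            cols[tactic].append((tech, info["overlap"], info["gap"]))
    for col in cols.values():
        col.sort()
    return cols


def prioritised_gaps(comparison):
    """Undetected techniques, those shared by both groups first, then by name."""
    gaps = [t for t, info in comparison.items() if info["gap"]]
    return sorted(gaps, key=lambda t: (comparison[t]["overlap"] != "both", t))


def render(cols):
    """Text rendering with the slide's legend: X = group X only, Y = group Y
    only, * = both groups, ! = a known gap overlaid on the cell."""
    marks = {"a_only": "X", "b_only": "Y", "both": "*"}
    lines = []
    for tactic in TACTICS:
        lines.append(f"[{tactic}]")
        for tech, overlap, gap in cols[tactic]:
            lines.append(f"  {marks[overlap]}{'!' if gap else ' '} {tech}")
    return "\n".join(lines)


if __name__ == "__main__":
    cmp = compare_groups(GROUP_X, GROUP_Y, KNOWN_GAPS)
    print(render(by_tactic(cmp)))
    print("Fix first:", prioritised_gaps(cmp))
```

The ordering in prioritised_gaps is the point of the overlay: an undetected technique both groups use outranks one only a single group uses.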


VERIS

▪ Vocabulary for Event Recording and Incident Sharing (VERIS)

– Actors: Whose actions affected the asset?

– Actions: What actions affected the asset?

– Assets: Which assets were affected?

– Attributes: How the asset was affected?

▪ When is it useful?

– Organizing incident data - example: Verizon Data Breach Investigations Reports (DBIR) (https://enterprise.verizon.com/resources/reports/DBIR_2019_Report.pdf)

– To track trends and patterns in incidents

▪ Limitations

– Flexible – need to decide among your team how you “bin” information

http://veriscommunity.net/


Combining Frameworks: Diamond Model + Kill Chain


http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
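Diamond Model events threaded along Kill Chain phases, which is the combination this slide names, then used to compare two intrusions as slide 5 suggests and to list missing phases as slide 6 suggests. This is an added example, not code from the slides or from the Diamond paper; the two intrusions, the hostnames and the reserved .example names are constructed and are not real indicators.

```python
"""Diamond Model events threaded along Kill Chain phases (slide 14), then
compared across two intrusions (slide 5). Added example, not MITRE's or the
Diamond paper's code; all intrusions and indicators below are constructed."""
from dataclasses import dataclass

# Kill Chain phases in order; an activity thread is the sequence of events
# (one diamond each) an intrusion produced, binned by phase.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]
# The two diamond vertices most useful for linking intrusions to each other.
COMPARED_FEATURES = ("capability", "infrastructure")


@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond Model event: an adversary uses a capability over some
    infrastructure against a victim, in one kill chain phase. Vertices that
    analysis has not filled in yet are recorded as 'unknown'."""
    phase: str
    adversary: str
    capability: str
    infrastructure: str
    victim: str

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"not a kill chain phase: {self.phase}")


def activity_thread(events):
    """Bin events into kill chain phases: {phase: [events]} in chain order."""
    thread = {p: [] for p in KILL_CHAIN}
    for e in events:
        thread[e.phase].append(e)
    return thread


def phase_gaps(thread):
    """Phases with no observed event: what the analyst might be missing."""
    return [p for p in KILL_CHAIN if not thread[p]]


def features(thread):
    """(phase, vertex, value) triples for the compared vertices, unknowns dropped."""
    return {(p, f, getattr(e, f)) for p, evs in thread.items()
            for e in evs for f in COMPARED_FEATURES if getattr(e, f) != "unknown"}


def shared_features(thread_a, thread_b):
    """Per phase, the capability/infrastructure values both intrusions share."""
    common = features(thread_a) & features(thread_b)
    shared = {}
    for p, f, v in sorted(common, key=lambda t: (KILL_CHAIN.index(t[0]), t[1], t[2])):
        shared.setdefault(p, []).append((f, v))
    return shared


def similarity(thread_a, thread_b):
    """Jaccard index over feature triples: a crude 'same campaign?' signal."""
    fa, fb = features(thread_a), features(thread_b)
    return len(fa & fb) / len(fa | fb) if fa | fb else 0.0


# Constructed intrusions: both arrive by spearphishing from the same sending
# host and run the same macro, but call back to different C2 names.
INTRUSION_A = [
    DiamondEvent("Delivery", "unknown", "Spearphishing Attachment",
                 "mail.sender.example", "finance-ws-01"),
    DiamondEvent("Exploitation", "unknown", "Office macro", "unknown", "finance-ws-01"),
    DiamondEvent("Installation", "unknown", "Scheduled Task", "unknown", "finance-ws-01"),
    DiamondEvent("Command and Control", "unknown", "Standard Application Layer Protocol",
                 "c2-one.example", "finance-ws-01"),
]
INTRUSION_B = [
    DiamondEvent("Delivery", "unknown", "Spearphishing Attachment",
                 "mail.sender.example", "hr-ws-07"),
    DiamondEvent("Exploitation", "unknown", "Office macro", "unknown", "hr-ws-07"),
    DiamondEvent("Command and Control", "unknown", "Standard Application Layer Protocol",
                 "c2-two.example", "hr-ws-07"),
    DiamondEvent("Actions on Objectives", "unknown", "Data Compressed", "unknown", "hr-ws-07"),
]

if __name__ == "__main__":
    a, b = activity_thread(INTRUSION_A), activity_thread(INTRUSION_B)
    print("gaps A:", phase_gaps(a), "| gaps B:", phase_gaps(b))
    print("shared:", shared_features(a, b))
    print(f"similarity: {similarity(a, b):.2f}")
```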


Combining Frameworks: Kill Chain + ATT&CK


https://pan-unit42.github.io/playbook_viewer/


Other Structured Tools: Processes

▪ Processes

– Intelligence Cycle

▪ https://en.wikipedia.org/wiki/Intelligence_cycle

– F3EAD - Find, Fix, Finish, Exploit, Analyze

▪ https://medium.com/@sroberts/intelligence-concepts-f3ead-964a0653be13

– SANS Incident Response Cycle

▪ https://medium.com/@sroberts/intelligence-concepts-the-sans-incident-response-process-45e3fa451777


Other Structured Tools: Standards and Models

David Bianco’s Pyramid of Pain

https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html


[email protected] | @likethecoins

Slides available at https://goo.gl/KNumpw