WHAT IS MITRE ATT&CK?

Presented by Brent Jones, Senior Systems Engineer ([email protected])

June 2019


AGENDA

• Who is MITRE?

• Why do we need ATT&CK?

• What is ATT&CK?

• How can I get ATT&CK?

• What can I use ATT&CK for?

• Additional tools

Copyright © 2019 Exabeam, Inc. All Rights Reserved.

Who is MITRE?

• Started life as a collaboration between the US Air Force and MIT in the 1940s

• MITRE was established in 1958

• Private, not-for-profit company

• Mission: dedication to solving problems for a safer world

• Currently operates Federally Funded Research and Development Centers (FFRDCs):

– Defence & Intelligence

– U.S. Courts

– Cybersecurity

– Healthcare

– Aviation

– Homeland Security

– Civil Agency Modernisation

Why do we need ATT&CK?

• Security has relied on IOCs from the earliest days

• An Indicator of Compromise (IOC) is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion (from Wikipedia):

– AV signatures

– Hashes

– File names

– IPs

– URLs/Domains

• IOCs lack context, and it is difficult to determine intent from a single IOC

* GRIZZLY STEPPE IOCs (911)

What about TTPs?

• Tactics, Techniques, and Procedures (TTPs)

– Tactics: the why. These are the steps the adversary takes to complete their mission.

– Techniques: the how. Defines the action taken to complete a step.

– Procedures: detailed, repeatable steps required to implement a technique.

• No single repository for TTP data

• Lots of data held privately or in public reports

• Not easy to extract TTPs from public reports, which are mostly concerned with IOC data

Pyramid of Pain

http://4.bp.blogspot.com/-EDLbyYipz_E/UtnWN7fdGcI/AAAAAAAANno/b4UX5wjNdh0/s1600/Pyramid+of+Pain+v2.png

• David Bianco, 2013

• Prompted by the public reports into APT1

• People largely focused on the IOCs

• The pain is relative to the attacker

• The higher up the pyramid you disrupt, the more pain it causes the attacker

• The bottom layers are trivial for the attacker to change

Lockheed Martin Cyber Kill Chain

• Well referenced

• Gets you thinking about the adversary and their goals

• Can map IOCs and TTPs to it to get a view of the attack progression

• No meat to it. It isn’t helpful for teams on the ground

• How do I know what the adversary is going to do at each step?

[Figure: Lockheed Martin Cyber Kill Chain – Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives]

What is MITRE ATT&CK?

• Adversarial Tactics, Techniques and Common Knowledge

• A globally accessible knowledge base of adversary tactics and techniques

• Open and available to any person or organization for use at no charge

• Collaborative: anyone (companies, individuals, researchers) can contribute

• Released in 2015, mostly attributed to Blake Strom but with many other contributors

• Based on real-world observations of attacker behavior

• Data collected from public reports, private reports and teams’ experience

• What happened to the P? Probably marketing; ATTP&CK isn’t as cool

Why You Should Care: Growing Interest in MITRE ATT&CK

[Figure: Google Trends chart (worldwide) showing rising search interest in MITRE ATT&CK, indexed 0 to 100]

Nuts and Bolts of ATT&CK

• Organised into technical domains, also known as matrices

– Enterprise, Mobile, PRE-ATT&CK

• Each technical domain has a set of platforms the adversaries use:

– Enterprise has Windows, Mac and Linux

– Mobile has Android and iOS

• Tactics represent the “why” of a technique

• Techniques represent “how” they achieve a tactic

• Groups represent adversaries tracked by public or private organisations

– Typically called out in reports: APT1, APT28, Grizzly Steppe etc.

• Software represents a tool, utility or malware that can instantiate a technique

The ATT&CK Model


• Defines a taxonomy for thinking and communicating knowledge of campaigns

• Publishes a data model

Excerpt from MITRE ATT&CK: Design and Philosophy (2018), pp. 12–13 (©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release. Distribution unlimited 18-0944-11.)

Table excerpt, software object fields:

• Description* (Field): A description of the software based on technical references or public threat reporting. It may contain ties to groups known to use the software or other technical details with appropriate references.

• Alias Descriptions (Field): Section that can be used to describe the software’s aliases with references to the report used to tie the alias to the group name.

• Techniques Used* (Relationship / Field): List of techniques that are implemented by the software with a field to describe details on how the technique is implemented or used. Each technique should include a reference.

• Groups (Relationship / Field): List of groups that the software has been reported to be used by with a field to describe details on how the software is used. This information is populated from the associated group entry.

3.7 ATT&CK Object Model Relationships

Each high-level component of ATT&CK is related to other components in some way. The relationships described in the description fields in the previous section can be visualized in a diagram:

Figure 2. ATT&CK Model Relationships

An example as applied to a specific persistent threat group where APT28 uses Mimikatz for credential dumping:

Figure 3. ATT&CK Model Relationships Example

Enterprise Matrix

[Figure: Enterprise Matrix – Tactics across the columns, Techniques down the rows]

Mobile and PRE-ATT&CK tactics


• Mobile

• PRE-ATT&CK


Techniques

• Each technique has some of the following:

– Name

– ID

– Tactic

– Description

– Platform

– Detection

– Mitigation

– Examples

– References


ATT&CK By The Numbers

• Original release, 2015

– Windows only: 9 tactics, 96 techniques

• As of April 2019

– Enterprise: 12 tactics, 214 techniques

– Mobile: 13 tactics, 67 techniques

– PRE-ATT&CK: 15 tactics, 174 techniques

– Groups: 86

– Software: 377

MITRE ATT&CK vs. Lockheed Martin Cyber Kill Chain

[Figure: the Kill Chain stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives) aligned against PRE-ATT&CK and the ENTERPRISE and MOBILE matrices]

• ATT&CK resembles the Kill Chain and can be used to describe the adversary lifecycle

• Higher-fidelity insight into behavior in the post-exploit phases (Enterprise Matrix: 12 vs 5)

• Practical information for offensive and defensive security teams

• Iterative updates

How can I get ATT&CK?

• A human-readable version is published online: https://attack.mitre.org/

• MITRE created ATT&CK Navigator for human-usable interrogation of the data

– https://mitre-attack.github.io/attack-navigator/enterprise/

– More on this later

– Can export layers from Navigator

– Can run your own on-premise version: https://github.com/mitre-attack/attack-navigator

• The data has been translated into STIX 2 format and published to a MITRE TAXII server

– Good for machines and for custom uses. STIX 2 uses JSON, so there are lots of options for parsing it.

– https://github.com/mitre/cti

– https://medium.com/mitre-attack/att-ck-content-available-in-stix-2-0-via-public-taxii-2-0-server-317e5c41e214

What can I use ATT&CK for?

• Assessment and Engineering

– Assess your organization’s capabilities and drive engineering decisions like what tools or logging you should implement.

• Detections and Analytics

– Help cyber defenders develop analytics that detect the techniques used by an adversary.

• Adversary Emulation and Red Teaming

– Common language and framework that red teams can use to emulate specific threats and plan their operations.

• Threat Intelligence

– Analysts have a common language to structure, compare, and analyse threat intelligence.


Assess your organization’s capabilities

• What does any organisation want to know?

– Are we secure?

– Do I have too many tools that don’t provide enough value or do the same thing?

– Where are our blind spots: data collection, detection products, analytics?

– Will this new product improve my defences?

• Do I really know what adversaries are capable of?

• ATT&CK can give you the data to build a heat map

– You have to do the work; no free lunch

– Use ATT&CK Navigator to help

• The heat map should help with funding for new projects

ATT&CK Navigator – Heat map

• Use colours; a risk score can drive them

– Risk 0 – Got it covered – Green

– Risk 50 – Needs work – Orange

– Risk 100 – No coverage – Red

– Unknown – leave blank – White

• There will be lots of red/white. Don’t panic

• Iterate and improve

• Start with the most common techniques

• https://github.com/TravisFSmith/mitre_attack for some useful layers
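The STIX 2 bundle from the mitre/cti repository (see “How can I get ATT&CK?”) and the risk-scored heat map described above, combined in one added example that is not part of the original slides: it reads a constructed bundle in the shape of mitre/cti’s enterprise-attack.json and writes a Navigator layer using the slide’s 0/50/100 scores and colours, leaving unassessed techniques uncoloured (white). The technique entries are constructed samples (only a subset of each technique’s tactics), and the layer field names (techniqueID, tactic, score, color) are assumed to match the Navigator layer format in use.

```python
import json

# Constructed sample in the shape of mitre/cti's enterprise-attack.json (STIX 2.0).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "spec_version": "2.0", "objects": [
    {"type": "attack-pattern", "name": "Credential Dumping",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
    {"type": "attack-pattern", "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}]},
    {"type": "intrusion-set", "name": "APT28"},  # a group object, not a technique: skipped
]})

# Risk score -> colour, as on the slide: 0 covered, 50 needs work, 100 no coverage.
RISK_COLOURS = {0: "#00ff00", 50: "#ffa500", 100: "#ff0000"}

def techniques_from_bundle(bundle_json):
    """Return {technique ID: (name, [tactic names])} from a STIX 2 bundle string."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked"):
            continue  # only live technique objects carry a T-number
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r.get("source_name") == "mitre-attack")
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[tid] = (obj["name"], tactics)
    return techniques

def build_layer(techniques, coverage, name="Detection coverage"):
    """Emit a Navigator layer dict (assumed field names); techniques absent from `coverage` stay white."""
    entries = []
    for tid, (tname, tactics) in sorted(techniques.items()):
        score = coverage.get(tid)
        if score is not None and score not in RISK_COLOURS:
            raise ValueError(f"{tid}: score must be one of {sorted(RISK_COLOURS)}, got {score}")
        for tactic in tactics:  # one cell per tactic, matching how the matrix draws a technique
            entry = {"techniqueID": tid, "tactic": tactic, "comment": tname}
            if score is not None:
                entry.update(score=score, color=RISK_COLOURS[score])
            entries.append(entry)
    return {"name": name, "version": "2.2", "domain": "mitre-enterprise", "techniques": entries}

if __name__ == "__main__":
    techs = techniques_from_bundle(SAMPLE_BUNDLE)
    layer = build_layer(techs, {"T1003": 0, "T1086": 50})  # T1078 left unassessed -> white
    print(json.dumps(layer, indent=1))
```

Save the printed JSON and load it in Navigator with Open Existing Layer to see the coloured cells; swap SAMPLE_BUNDLE for the contents of enterprise-attack.json to score the full matrix.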


Assess vendor capabilities

• Do they cover techniques you don’t detect, or can they consolidate detections?

• Look at products that can also tag behaviours, IOCs and TTPs with ATT&CK tactic and technique IDs. Expect this in SIEM technology.

• MITRE is starting to provide vendor evaluation and testing against ATT&CK

– https://attackevals.mitre.org

– Current evals include Carbon Black, CrowdStrike, Windows Defender ATP, RSA, CounterTack, Endgame, SentinelOne

– Palo Alto, FireEye, Cybereason on the next eval

– No scoring or ranking. Up to you to decide.

Finding Cyber Threats using ATT&CK

• Paper published by the MITRE team

• https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf

• Contains five principles:

– Include post-compromise detection

– Focus on behavior

– Use a threat-based model

– Iterate by design

– Develop/test in a realistic environment

Adversary Emulation

• It’s essentially what red teams do

• Emulate an adversary group

• Used to train blue teams

• MITRE has a sample emulation plan for the APT3 group that you can use as a starting point

• Lists objectives, tools, methods and styles

• These should be detailed enough that the plan can be used as the blueprint for execution

Additional Tools

• MITRE Red Team Adversary Emulation Plans

– https://attack.mitre.org/resources/adversary-emulation-plans/

• MITRE CAR (Cyber Analytics Repository) – analytics techniques to run against your data

• MITRE CASCADE – automates investigation work for the blue team

• Atomic Red Team by Red Canary – test routines

– https://github.com/redcanaryco/atomic-red-team

• Sigma – builds rules for SIEMs, tagged with ATT&CK techniques

– https://github.com/Neo23x0/sigma

• Exabeam Advanced Analytics – small plug: will start tagging anomalies with techniques. The DGA technique was added to ATT&CK by Exabeam. Behaviour analytics.

References

• MITRE ATT&CK™ : Design and Philosophy

– https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf

• Finding Cyber Threats with ATT&CK-Based Analytics

– https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf

• MITRE ATT&CKcon 2018: How Did We Get Here?

– https://www.youtube.com/watch?v=u8Fnwb-1kMg&list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2&index=2

• BG - ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK

– https://www.youtube.com/watch?v=p7Hyd7d9k-c

More References

• MITRE Attack Navigator

– https://github.com/mitre-attack/attack-navigator

– https://mitre-attack.github.io/attack-navigator/enterprise/

• Adversary Emulation Plans

– https://attack.mitre.org/resources/adversary-emulation-plans/

• ATT&CK 101

– https://medium.com/mitre-attack/att-ck-101-17074d3bc62

• ATT&CK CON

– https://attack.mitre.org/resources/attackcon/

• The Pyramid of Pain

– http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html


THANK YOU