WHAT IS MITRE ATT&CK?
June 2019
Presented by Brent Jones, Senior Systems Engineer ([email protected])
AGENDA
• Who is MITRE?
• Why do we need ATT&CK?
• What is ATT&CK?
• How can I get ATT&CK?
• What can I use ATT&CK for?
• Additional tools
Copyright © 2019 Exabeam, Inc. All Rights Reserved.
Who is MITRE
• Started life as a collaboration between the US Air Force and MIT in the 1940s
• MITRE was established in 1958
• Private, not-for-profit company
• Mission: dedicated to solving problems for a safer world
• Currently operates Federally Funded Research and Development Centers (FFRDCs) in:
– Defence & Intelligence
– U.S. Courts
– Cybersecurity
– Healthcare
– Aviation
– Homeland Security
– Civil Agency Modernisation
• T
Why do we need ATT&CK?
• Security has relied on IOCs from the earliest days
• An Indicator of Compromise (IOC) is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion (from Wikipedia). Typical IOCs:
– AV signatures
– Hashes
– File names
– IPs
– URLs/Domains
• IOCs lack context, and it is difficult to determine intent from a single IOC*
* e.g. the GRIZZLY STEPPE IOC list (911 indicators)
What about TTPs?
• Tactics, Techniques and Procedures (TTPs)
– Tactics: the why. The steps the adversary takes to complete their mission.
– Techniques: the how. The action taken to complete a step.
– Procedures: the detailed, repeatable steps required to implement a technique.
• No single repository for TTP data
– Lots of data held privately or buried in public reports
– TTPs are not easy to extract from public reports, which are mostly concerned with IOC data
Pyramid of Pain
Image: http://4.bp.blogspot.com/-EDLbyYipz_E/UtnWN7fdGcI/AAAAAAAANno/b4UX5wjNdh0/s1600/Pyramid+of+Pain+v2.png
• David Bianco, 2013
• Written in response to the public reports into APT1
• People largely focused on the IOCs
• Pain is measured from the attacker's perspective
• The higher up the pyramid you disrupt, the more pain you cause the attacker
• The bottom layers (hashes, IP addresses) are trivial for the attacker to change
Lockheed Martin Cyber Kill Chain
• Well referenced
• Gets you thinking about the adversary and their goals
• Can map IOCs and TTPs onto it to get a view of the attack progression
• No meat to it. It isn't helpful for teams on the ground
• How do I know what the adversary is going to do at each step?
Figure: Lockheed Martin Cyber Kill Chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives
What is MITRE ATT&CK?
• Adversarial Tactics, Techniques and Common Knowledge
• A globally accessible knowledge base of adversary tactics and techniques
• Open and available to any person or organisation for use at no charge
• Collaborative: companies, individuals and researchers can all contribute
• Released in 2015, mostly attributed to Blake Strom, but with many other contributors
• Based on real-world observations of attacker behaviour
• Data collected from public reports, private reports and the team's own experience
• What happened to the P? Probably marketing: ATTP&CK isn't as cool
Why You Should Care: Growing Interest in MITRE ATT&CK
Figure: worldwide Google Trends interest for "MITRE ATT&CK" (index 0 to 100)
Nuts and Bolts of ATT&CK
• Organised into technical domains, each presented as a matrix
– Enterprise, Mobile, PRE-ATT&CK
• Each technical domain has a set of platforms the adversaries operate on:
– Enterprise has Windows, macOS and Linux
– Mobile has Android and iOS
• Tactics represent the "why" of a technique: the adversary's objective
• Techniques represent "how" they achieve a tactic
• Groups represent adversaries tracked by public or private organisations
– Typically called out in reports: APT1, APT28, GRIZZLY STEPPE etc.
• Software represents a tool, utility or malware that can instantiate a technique
The ATT&CK Model
• Defines a taxonomy for thinking about and communicating knowledge of campaigns
• Publishes a data model
Excerpt from MITRE ATT&CK: Design and Philosophy (2018), pp. 12-13 (©2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release. Distribution unlimited 18-0944-11):
Software object fields (excerpt):
Description* (field): A description of the software based on technical references or public threat reporting. It may contain ties to groups known to use the software or other technical details with appropriate references.
Alias Descriptions (field): Section that can be used to describe the software's aliases with references to the report used to tie the alias to the group name.
Techniques Used* (relationship / field): List of techniques that are implemented by the software with a field to describe details on how the technique is implemented or used. Each technique should include a reference.
Groups (relationship / field): List of groups that the software has been reported to be used by with a field to describe details on how the software is used. This information is populated from the associated group entry.
3.7 ATT&CK Object Model Relationships
Each high-level component of ATT&CK is related to other components in some way. The relationships described in the description fields in the previous section can be visualized in a diagram:
Figure 2. ATT&CK Model Relationships
An example as applied to a specific persistent threat group, where APT28 uses Mimikatz for credential dumping:
Figure 3. ATT&CK Model Relationships Example
Enterprise Matrix
Figure: the Enterprise Matrix. Columns are tactics; the cells beneath each tactic are techniques.
Mobile and PRE-ATT&CK tactics
• Mobile
• PRE-ATT&CK
Techniques
• Each technique entry has some or all of the following fields:
– Name
– ID
– Tactic
– Description
– Platform
– Detection
– Mitigation
– Examples
– References
ATT&CK By The Numbers
• Original release, 2015
– Windows only: 9 tactics, 96 techniques
• As of April 2019
– Enterprise: 12 tactics, 214 techniques
– Mobile: 13 tactics, 67 techniques
– PRE-ATT&CK: 15 tactics, 174 techniques
– Groups: 86
– Software: 377
MITRE ATT&CK vs. Lockheed Martin Cyber Kill Chain
Figure: Kill Chain phases Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives, with PRE-ATT&CK spanning the pre-exploit phases and Enterprise/Mobile the remainder
• ATT&CK resembles the Kill Chain and can be used to describe the adversary lifecycle
• Higher-fidelity insight into behaviour in the post-exploit phases (12 Enterprise Matrix tactics vs 5 Kill Chain phases)
• Practical information for offensive and defensive security teams
• Iterative updates
How can I get ATT&CK?
• A human-readable version is published online at https://attack.mitre.org/
• MITRE created ATT&CK Navigator for interactive exploration of the data
– https://mitre-attack.github.io/attack-navigator/enterprise/
– Layers can be exported from Navigator
– You can run your own on-premise instance: https://github.com/mitre-attack/attack-navigator
• The data has been translated into STIX 2 format and published on a MITRE TAXII server
– Good for machines and custom uses. STIX 2 is JSON, so there are lots of options for parsing
– https://github.com/mitre/cti
– https://medium.com/mitre-attack/att-ck-content-available-in-stix-2-0-via-public-taxii-2-0-server-317e5c41e214
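To make the object model concrete (tactics, techniques, groups, software and the "uses" relationships described in the Design and Philosophy excerpt, and the STIX 2 JSON published via mitre/cti), here is an added example of walking such a bundle. It is not code from the slides or from MITRE. The bundle is constructed by hand to mirror the layout of mitre/cti enterprise-attack.json: techniques are `attack-pattern` objects whose tactic is the `phase_name` of a `kill_chain_phases` entry with kill_chain_name "mitre-attack", groups are `intrusion-set`, tools and malware are `tool`/`malware`, "uses" edges are `relationship` objects, and ATT&CK IDs live in `external_references` under source_name "mitre-attack". The STIX UUIDs are made up; the ATT&CK IDs and names (APT28/G0007, Mimikatz/S0002, Credential Dumping/T1003) are the ones the slide's APT28-uses-Mimikatz example refers to, and which group "uses" which technique is a constructed sample rather than a claim about the real data.

```python
"""Walk a (constructed) ATT&CK STIX 2 bundle: tactic -> techniques, and
group -> techniques used directly or via the software the group uses."""
import json
from collections import defaultdict

# Constructed sample bundle. A real enterprise-attack.json has thousands of
# objects with the same shapes; the UUIDs below are placeholders.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000001003",
         "name": "Credential Dumping",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000001086",
         "name": "PowerShell",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}]},
        # A technique can sit under more than one tactic.
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000001055",
         "name": "Process Injection",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
        {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000007",
         "name": "APT28",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}]},
        {"type": "tool", "id": "tool--00000000-0000-4000-8000-000000000002",
         "name": "Mimikatz",
         "external_references": [{"source_name": "mitre-attack", "external_id": "S0002"}]},
        # Constructed edges: APT28 uses Mimikatz and Credential Dumping and
        # PowerShell directly; Mimikatz uses Credential Dumping.
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000001",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000007",
         "target_ref": "tool--00000000-0000-4000-8000-000000000002"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000002",
         "relationship_type": "uses",
         "source_ref": "tool--00000000-0000-4000-8000-000000000002",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000001003"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000003",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000007",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000001003"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000007",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000001086"},
    ],
})


def load_objects(bundle_json):
    """Index bundle objects by STIX id, dropping revoked/deprecated entries
    (mitre/cti keeps superseded objects with `revoked` or `x_mitre_deprecated`)."""
    bundle = json.loads(bundle_json)
    return {o["id"]: o for o in bundle["objects"]
            if not (o.get("revoked") or o.get("x_mitre_deprecated"))}


def attack_id(obj):
    """Return the ATT&CK ID (T####, G####, S####) from external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def techniques_by_tactic(objs):
    """Map each tactic (kill-chain phase) to the sorted technique IDs under it."""
    out = defaultdict(list)
    for o in objs.values():
        if o["type"] != "attack-pattern":
            continue
        for phase in o.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                out[phase["phase_name"]].append(attack_id(o))
    return {tactic: sorted(ids) for tactic, ids in out.items()}


def uses_edges(objs):
    """source_ref -> set(target_ref) for 'uses' relationships whose ends both survived filtering."""
    edges = defaultdict(set)
    for o in objs.values():
        if o["type"] == "relationship" and o["relationship_type"] == "uses":
            if o["source_ref"] in objs and o["target_ref"] in objs:
                edges[o["source_ref"]].add(o["target_ref"])
    return edges


def group_techniques(objs, group_attack_id):
    """Techniques a group uses: {technique_id: ["direct" and/or software names]}."""
    group = next((o for o in objs.values()
                  if o["type"] == "intrusion-set" and attack_id(o) == group_attack_id), None)
    if group is None:
        raise KeyError(group_attack_id)
    edges = uses_edges(objs)
    result = defaultdict(set)
    for target in edges.get(group["id"], ()):
        t = objs[target]
        if t["type"] == "attack-pattern":
            result[attack_id(t)].add("direct")
        elif t["type"] in ("tool", "malware"):
            # One hop further: techniques implemented by the software.
            for via in edges.get(target, ()):
                if objs[via]["type"] == "attack-pattern":
                    result[attack_id(objs[via])].add(t["name"])
    return {tid: sorted(how) for tid, how in result.items()}


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE_JSON)
    print(techniques_by_tactic(objs))
    print(group_techniques(objs, "G0007"))
```

Against the real mitre/cti file the same functions work unchanged once `SAMPLE_BUNDLE_JSON` is replaced by the file contents; the revoked/deprecated filter matters there, because old technique entries are kept in the bundle and would otherwise inflate counts.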
What can I use ATT&CK for?
• Assessment and Engineering
– Assess your organisation's capabilities and drive engineering decisions such as which tools or logging you should implement
• Detections and Analytics
– Help cyber defenders develop analytics that detect the techniques used by an adversary
• Adversary Emulation and Red Teaming
– A common language and framework that red teams can use to emulate specific threats and plan their operations
• Threat Intelligence
– Analysts have a common language to structure, compare and analyse threat intelligence
Assess your organization’s capabilities
• What every organisation wants to know:
– Are we secure?
– Do I have too many tools that don't provide enough value or do the same thing?
– Where are our blind spots: data collection, detection products, analytics?
– Will this new product improve my defences?
• Do I really know what adversaries are capable of?
• ATT&CK gives you the data to build a heat map
– You have to do the work; there is no free lunch
– Use ATT&CK Navigator to help
• The heat map should help justify funding for new projects
ATT&CK Navigator – Heat map
• Use colours; a risk score works well
– Risk 0: got it covered (green)
– Risk 50: needs work (orange)
– Risk 100: no coverage (red)
– Unknown: leave blank (white)
• There will be lots of red and white. Don't panic
• Iterate and improve
• Start with the most common techniques
• https://github.com/TravisFSmith/mitre_attack has some useful layers
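The heat map above is just a Navigator layer file: a JSON document listing technique IDs with a score, a colour and a comment. The following added example (not from the slides or from the Navigator project) builds one from a coverage assessment using the slide's 0/50/100 scoring, leaves unknown techniques without a score so they render blank, and summarises the result. The keys used (`name`, `version`, `domain`, `description`, `techniques[].techniqueID/score/color/comment/enabled`, `gradient`, `legendItems`) are the Navigator layer format; the layer `version` string and the `domain` value a given Navigator release accepts vary ("2.2" and "mitre-enterprise" fit the 2019-era Navigator, newer releases use "enterprise-attack" and a 4.x layer version), so both defaults are assumptions to check against the instance you load the file into. The assessment data is constructed.

```python
"""Generate an ATT&CK Navigator heat-map layer from a coverage assessment."""
import json
import re

# T#### plus optional .### sub-technique suffix (sub-techniques post-date the slides).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Scoring convention from the slide: 0 covered (green), 50 needs work (orange),
# 100 no coverage (red). Unknown = None = no score/colour, rendered white.
SCORE_COLOR = {0: "#2ecc71", 50: "#f39c12", 100: "#e74c3c"}

# Constructed assessment: technique ID -> (score or None, analyst note).
SAMPLE_ASSESSMENT = {
    "T1003": (0, "EDR credential-dump alerts plus Sysmon event 10 on lsass.exe"),
    "T1086": (50, "PowerShell script block logging only on servers"),
    "T1055": (100, "no process-injection telemetry"),
    "T1078": (None, "not yet assessed"),
}


def build_layer(name, assessment, domain="mitre-enterprise", version="2.2"):
    """Return a Navigator layer dict. `domain`/`version` defaults are assumptions
    about the Navigator release in use; adjust to match your instance."""
    techniques = []
    for tid, (score, note) in sorted(assessment.items()):
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"bad technique ID {tid!r}")
        entry = {"techniqueID": tid, "comment": note, "enabled": True}
        if score is not None:
            if score not in SCORE_COLOR:
                raise ValueError(f"score for {tid} must be one of {sorted(SCORE_COLOR)}")
            entry["score"] = score
            entry["color"] = SCORE_COLOR[score]
        techniques.append(entry)
    return {
        "name": name,
        "version": version,
        "domain": domain,
        "description": "Detection coverage: 0 = covered, 50 = needs work, 100 = no coverage, blank = unknown",
        "techniques": techniques,
        "gradient": {"colors": [SCORE_COLOR[0], SCORE_COLOR[50], SCORE_COLOR[100]],
                     "minValue": 0, "maxValue": 100},
        "legendItems": [
            {"label": "Covered", "color": SCORE_COLOR[0]},
            {"label": "Needs work", "color": SCORE_COLOR[50]},
            {"label": "No coverage", "color": SCORE_COLOR[100]},
        ],
    }


def coverage_summary(layer):
    """Count techniques per bucket so the heat map comes with numbers for the funding slide."""
    counts = {"covered": 0, "needs_work": 0, "none": 0, "unknown": 0}
    for t in layer["techniques"]:
        score = t.get("score")
        if score is None:
            counts["unknown"] += 1
        elif score == 0:
            counts["covered"] += 1
        elif score == 50:
            counts["needs_work"] += 1
        else:
            counts["none"] += 1
    return counts


def layer_json(layer):
    """Serialise for upload via Navigator's 'Open Existing Layer' dialog."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Detection coverage, June 2019", SAMPLE_ASSESSMENT)
    print(layer_json(layer))
    print(coverage_summary(layer))
```

Keeping the assessment as data separate from the layer builder is what makes the "iterate and improve" step cheap: re-run after each detection engineering sprint and diff the summaries.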
Assess vendor capabilities
• Do they cover techniques you don't detect, or can they consolidate detections?
• Look for products that tag behaviours, IOCs and TTPs with ATT&CK tactic and technique IDs. Expect this in SIEM technology
• MITRE has started providing vendor evaluation and testing against ATT&CK
– https://attackevals.mitre.org
– Current evals include Carbon Black, CrowdStrike, Windows Defender ATP, RSA, CounterTack, Endgame and SentinelOne
– Palo Alto, FireEye and Cybereason are in the next eval
– No scoring or ranking; it's up to you to decide
Finding Cyber Threats using ATT&CK
• Paper published by the MITRE team
• https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf
• Contains five principles:
– Include post-compromise detection
– Focus on behavior
– Use a threat-based model
– Iterate by design
– Develop/test in a realistic environment
Adversary Emulation
• It's essentially what red teams do
• Emulate a specific adversary group
• Used to train blue teams
• MITRE has a sample emulation plan for the APT3 group that you can use as a starting point
• Lists objectives, tools, methods and styles
• These should be detailed enough that the plan can be used as the blueprint for execution
Additional Tools
• MITRE Red Team Adversary Emulation Plans
– https://attack.mitre.org/resources/adversary-emulation-plans/
• MITRE CAR (Cyber Analytics Repository): analytics to run against your data
• MITRE CASCADE: automates investigation work for the blue team
• Atomic Red Team by Red Canary: test routines
– https://github.com/redcanaryco/atomic-red-team
• Sigma: generic SIEM rule format, with rules tagged by ATT&CK technique
– https://github.com/Neo23x0/sigma
• Exabeam Advanced Analytics (small plug): will start tagging anomalies with techniques. The DGA technique was added to ATT&CK by Exabeam. Behaviour analytics
References
• MITRE ATT&CK: Design and Philosophy
– https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
• Finding Cyber Threats with ATT&CK-Based Analytics
– https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf
• MITRE ATT&CKcon 2018: How Did We Get Here?
– https://www.youtube.com/watch?v=u8Fnwb-1kMg&list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2&index=2
• BG: ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK
– https://www.youtube.com/watch?v=p7Hyd7d9k-c
More References
• MITRE ATT&CK Navigator
– https://github.com/mitre-attack/attack-navigator
– https://mitre-attack.github.io/attack-navigator/enterprise/
• Adversary Emulation Plans
– https://attack.mitre.org/resources/adversary-emulation-plans/
• ATT&CK 101
– https://medium.com/mitre-attack/att-ck-101-17074d3bc62
• ATT&CKcon
– https://attack.mitre.org/resources/attackcon/
• The Pyramid of Pain
– http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
THANK YOU