Detecting Cyber Threats with ATT&CK™-Based Analytics
Session 123, March 7, 2018
Denise Anderson, President, National Health Information Sharing & Analysis Center (NH-ISAC)
Julie Connolly, Principal Cybersecurity Engineer, MITRE

This technical data was developed using contract funds under Basic Contract No. W15P7T-13-C-A802. Approved for Public Release; Distribution Unlimited. Case Numbers 18-0075, 17-4293-4. ©2018 The MITRE Corporation. All Rights Reserved.
Conflict of Interest
Denise Anderson, M.B.A.
Julie Connolly, B.S., CISSP

Have no real or apparent conflicts of interest to report.
Agenda
• The Threat Landscape
• Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK™) family of models
• Using ATT&CK™
• Collaborative ATT&CK™ Analytics Development Effort
Learning Objectives
• Explain the Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK™) for Enterprise framework, as well as the broader family of ATT&CK™ models, for characterizing post-compromise adversary behavior
• Describe how to use the ATT&CK™ family of models and the Cyber Analytics Repository (CAR) knowledge base to help identify and mitigate adversary behavior on an enterprise network
• Characterize the collaborative effort for developing ATT&CK™-based analytics to detect post-compromise cyber attackers on healthcare systems and networks
Remember This?
Threat Landscape
Actors + Motivations + Attack Trends + Threat Surface
RISK
Threat Actors
• Nation State
• Hacktivist
• Insiders / Third Party Providers
• Criminal
• Media/Vendors
• Terrorists
Motivation
– Advantage: IP Theft, Infiltration (create future vulnerabilities), Data Theft, Political Blackmail
– Ego: Prowess, Revenge, Notoriety
– Ideology: Religious, Cultural, Social, Political
– Greed: Money/Power
Motivation
[Figure: threat actors mapped to their motivations; labels in the figure: Advantage/Greed, Ideology/Ego, Greed, Ideology/Greed]
Vectors
• Botnets: Phishing, Spearphishing
• Viruses, Worms
• Rootkits, Remote Access
• Ransomware
• Wipers
• Trojans
• DDoS
• Vulnerability Scanning, Exploit Kits – Zero Day
• Drive By Downloads, Watering Holes
• Browser exploits
• Point of Sale Malware
• Mobile
• Control Systems
Vectors - Actions
– Remote Access (Infiltration/resource)
– Resource Harvesting (Criminal - Bots)
– Extortion (Criminals)
– Credential Harvesting (Criminals)
– Data Exfiltration (Criminals, Nation State)
– Because it’s there (Hacktivist/Terrorist - Defacement, Make Statement, Embarrass)
– Escalate Privilege (Nation State - Infiltration, Criminal)
– Geopolitical Fallout (Nation State – WannaCry, Petya)
The Cyber Attack Lifecycle: Where are we looking?

Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain
Traditional Defense concentrates on the early, pre-compromise phases of the lifecycle; ATT&CK™ covers the later, post-compromise phases.

99 days - the median time an adversary is in a network before being detected (Mandiant, M-Trends 2017)

Cyber Attack Lifecycle: The MITRE Corporation, https://www.mitre.org/capabilities/cybersecurity/threat-based-defense
Bianco’s Pyramid of Pain
[Figure: the Pyramid of Pain]
*TTPs = Tactics, Techniques & Procedures
Source: David J. Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Hard Questions
• How do I implement TTP-based detection?
• How effective is my defense?
• What is my detection coverage against APT29?
• Is the data I’m collecting useful?
• Do I have overlapping sensor coverage?
• Is the new product from vendor XYZ of any benefit to my organization?
Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™)

ATT&CK™ is a MITRE-developed, globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of adversaries’ operations against computer networks.

attack.mitre.org
[Figure: the ATT&CK™ matrix; tactic columns: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command & Control]
Breaking Apart the ATT&CK™ Model

Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain
(Traditional Defense on the left of the lifecycle; ATT&CK™ on the right)

Adversary Tactics
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Execution
• Collection
• Exfiltration
• Command and Control

What’s in ATT&CK?
• Tactics – High level, time-agnostic adversary tactical goals
• Techniques – Methods that adversaries use to achieve tactical goals
• Groups – Threat actors, including techniques and software they use
• Software – Built-in utilities and custom malware, linked to techniques

Full framework at attack.mitre.org
The ATT&CK™ Model
[Figure: the full ATT&CK™ for Enterprise matrix; tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control, each listing its techniques]
Callouts on the matrix:
• Grounded in real data from cyber incidents
• Enables pivoting between red team and blue team
• Decouples the problem from the solution
• Transforms thinking by focusing on post-exploit adversary behavior
Example of Technique Details – Persistence: New Service
Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection:
– Monitor service creation through changes in the Registry and common utilities using command-line invocation
– Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
– Monitor processes and command-line arguments for actions that could create services
Persistence: New Service example (Continued)

Mitigation:
– Limit privileges of user accounts and remediate Privilege Escalation vectors
– Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
Data Sources: Windows Registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
ATT&CK™ Use Cases
• Improve security posture through gap analysis, prioritization, and remediation
– Use ATT&CK to guide threat hunting campaigns
– Emulate adversaries to measure defenses against relevant threats
– Leverage threat intelligence to prioritize technique detection
– Remediate gaps by mapping solutions back to the ATT&CK threat model
[Figure: use-case quadrants: Threat Intelligence; Detection and Hunting; Measuring Defenses; Security Engineering]
Threat Intel: What do you need to worry about? (NOTIONAL)
[Figure: the ATT&CK™ matrix (tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control) with each technique cell shaded by how often threat intelligence reports it]
White-shaded cells have no usage; darker cells have more.
Based on threat intelligence (internal, government-source, open-source).
Measuring Defense: What can you cover? (NOTIONAL)
[Figure: the same ATT&CK™ matrix with each technique cell shaded by how confidently current defenses detect it]
Legend: High Confidence, Med Confidence, No Confidence
Prioritized ATT&CK Coverage Matrix (NOTIONAL)
[Figure: the ATT&CK™ matrix combining the threat-intel view with the measured-defense view; prioritized techniques are outlined and cells are shaded by detection confidence]
Legend:
– IOC Coverage
– High Confidence of Detection
– Moderate Confidence of Detection
– Low Confidence of Detection
– Prioritized Adversary Techniques
Using ATT&CK™ to Improve Threat Intelligence-based Cyber Defense
[Figure: indicator feeds flowing from vendor APIs, through manual effort, into a SIEM or other tools, with analytic sharing added; Pyramid of Pain from https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html]
Challenges
• Indicators without context are almost useless
– Provide context!
• Manual effort makes analysts miserable
– Automate your feeds!
• Adversaries switch indicators constantly; detecting TTPs is more resilient
– Add analytic sharing
Sounds great, but how do I do this?
[Figure: example techniques highlighted: Data Compressed, Data from Network Shared Drive, Command-Line Interface, File and Directory Discovery]
Implementation Tips
• Tailor your existing threat intel repository
– The MISP threat sharing platform has an ATT&CK taxonomy: http://www.misp-project.org
– ATT&CK API
– ATT&CK in Structured Threat Information eXpression 2.0 (STIX): https://github.com/mitre/cti
• Have the threat intel originator do it
• Start at the tactic level
• Use existing website examples
• Choose appropriate information
• Work as a team
• Remember it’s still human analysis
Look at all those gaps!
[Figure: the ATT&CK™ matrix (tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control) with uncovered technique cells highlighted]
Define your threat model → Assess your coverage → Identify gaps → Fill gaps
Start somewhere
[Figure: the ATT&CK™ matrix (tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control) with one technique picked out]
Example: Bypass User Account Control (T1088)
Use what you have
• You probably already have a SIEM platform
– Think back: where does ATT&CK focus? Where can we get the most gain?
– What logs do you already have that can help?
• Can you collect more? What’s the biggest bang for your buck?
– Don’t turn on everything at once – focus on filling those gaps
• Read, talk, and work together
Building an analytic
• Read the ATT&CK page and understand the attack
– Look at references for who’s using it and how
– Think from an adversary perspective
– Try to mentally separate legitimate usage from malicious usage
• Try it
– Focus on detection
– Carry out the attacks via your own testing or pre-written scripts
– What does it look like in the logs?
• Write and iterate
– Write your first search, narrow down false positives, and iterate
– Keep testing – make sure you check for a variety of ways it can be used, not just the easiest
Filling the gaps is hard, time-consuming, and expensive.
• There are a lot of prevalent techniques
• Adversary practices are always evolving
• Techniques have a wide set of procedures
• We all have limited resources
• Requires in-depth expertise of system internals
Make it a team sport
Tackling the problem together is the only way we can keep up
– More brainpower = faster progress
– A broader array of expertise = broader coverage
Multi-faceted approach
– Start out in small working groups
– Not everyone is a producer; feedback is just as important
– Combined with public, open-source sharing
NH-ISAC Working Group: Building out and sharing analytics to cover techniques in the ATT&CK™ matrix
NH-ISAC Analytics Working Group
• January 2017 kickoff
• Mission: Work together to develop analytics to detect ATT&CK techniques
• How it works:
– Each organization commits to
• developing analytics and sharing them, or
• testing and providing feedback on shared analytics
NH-ISAC Analytics Working Group (Continued)
• Regular interactions:
– Teleconference every 2 weeks to talk about an analytic
– Annual face-to-face meetings
– Meet-ups during NH-ISAC summits
• How it’s going:
– Shared analytics
– Shared best practices and tips on how to better collect data required for analytics
NH-ISAC Analytics Working Group Next Steps
Continue Development
– Development – 19
– Peer Review – 2
Future Vision: Threat-Informed Defense
[Figure: a cycle of CTI in ATT&CK → Realistic Threat Model → Intelligence-Driven Adversary Emulation → An ever-improving and well-validated defense]
Take action
Figure out where you are
– Define your threat model in ATT&CK™.
– Assess your gaps. Ask your vendors.
– Are you where you want to be?
Figure out where to go and how to participate
– Can you use analytics now?
– Can you create analytics yourself?
Find a community to join
– Talk to your Information Sharing Analysis Organization/Center (ISAO/ISAC), vendors, partners, friends
– Find open source analytics
Resources
https://attack.mitre.org
[email protected]
Twitter: @MITREAttack
What’s next for ATT&CK™: https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/whats-next-for-attck
Analytic Repositories
• MITRE Cyber Analytic Repository: https://car.mitre.org
• ThreatHunter-Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
• Sigma: https://github.com/Neo23x0/sigma
Validation and Testing
• Atomic Red Team: https://github.com/redcanaryco/atomic-red-team
• Adversary Emulation Plans: https://attack.mitre.org/wiki/Adversary_Emulation_Plans
Questions
• Denise Anderson, President, NH-ISAC
www.nhisac.org
• Julie Connolly, CISSP, MITRE
[email protected]
www.mitre.org