MITRE ATT&CK Framework
2 likes6,175 views
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
Ad
More Related Content
What's hot (20)
Similar to MITRE ATT&CK Framework (20)
Ad
More from n|u - The Open Security Community (20)
Ad
Recently uploaded (20)
MITRE ATT&CK Framework
- 1. 1 MITRE ATT&CKTM FRAMEWORK Threat Intelligence Detection, Analytics & Hunting f Assessment & Engineering L Threat Emulation L G ARPAN RAVAL null Bangalore & OWASP Bangalore Meet 28th March 2020
- 2. WHOAMI âť–Arpan Raval âť–Senior Threat Analyst @Optiv Inc âť–DFIR and Threat Hunting âť–Twitter @arpanrvl âť–https://www.linkedin.com/in/arpanraval
- 3. Software p i CAR s Threat Actors Y ATT&CK MATRICES PRE ATT&CK MITRE Software observed in adversary behavior Adversaries observed in cyber Knowledgebase of developed analytics Observed TTPs
- 4. MITRE ATT&CKTM ▪MITRE •R&D focused, federally funded non-profit org ▪ATT&CK •Knowledge base of adversary’s behaviors collected based on real world observations and attacks •Describes and Categorize adversarial behavioral in different phases of attack cycle. •Common Language
- 5. CHALLENGING ANNOYING TOUGH! TRIVIAL PYRAMID OF PAIN Courtesy David J Bianco TOOLS TTP SIMPLE EASY
- 6. 6 Tactical Behavioral ▪ Reactive Indicators of Compromise ▪ Doesn’t work for malware-free intrusions ▪ Point in time artifacts ▪ Proactive Indicators of Attack ▪ Defined by adversary's behavior ▪ Real time https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
- 7. Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects MITRE Explained: Tactic 7 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Example An adversary want to achieve credential access.
- 8. MITRE Explained: Technique 9 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Technique PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
- 9. MITRE Explained: Technique-Metainfo 10 âť–Tactic: Related MITRE Tactic âť–Platform: Required platform for a technique to work in. âť–Permissions Required: Lowest permission for an adversary to implement the technique âť–Effective Permissions: Permission an adversary achieves after successful implementation of the technique âť–Data Sources: Recommended data to be collection for detection of the technique
- 10. MITRE Explained: Procedure 11 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
- 12. MITRE Explained: Sub Technique 13 â–ŞSub-techniques are a way to describe a specific implementation of a technique in more detail. OS Credential Dumping â–Ş LSASS Memory â–Ş Security Account Manager â–Ş NTDS â–Ş DCSync â–Ş Proc File System â–Ş etc/passwd
- 13. MITRE Explained: Enumeration 14 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via Data Encryption
- 14. Detection and Analytics Adversary Emulation and Red Teaming Threat Intelligence Assessment and Engineering MITRE ATT&CK Use Cases . T f d
- 15. Improve Detection & Visibility Capability with MITRE ATT&CK 21
- 16. PRIORITIZED MITRE ATT&CK SUBSETS 22 Let’s create our own prioritized MITRE ATT&CK Subset based adversarial TTPs based derived from any of these: ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources ❖ Ad-Hoc Requests Note: Matrix in upcoming slides are example matrix with dummy data for which not necessarily is true or to promote any tool/technology.
- 17. MITRE DETECTION MAPPING 23 MITRE Enumeration Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking WDATP Brute Force Elastic Account Discovery Elastic Windows Remote Management TBD Automated Collection UEBA Automated Exfiltration ZScaler Commonly Used Port ZScaler Valid Accounts UEBA Credential Dumping WDATP Application Window Discovery ZScaler COM and DCOM Elastic Clipboard Data WDATP Data Compressed ZScaler Communicatio n Through Removable Media Symantec DLP Spearphishing Attachment TBD Accessibility Features TBD Indicator Removal on Host WDATP Application Deployment Software Elastic Command Line WDATP Data Staged UEBA Data Encrypted Symantec DLP Spearphishing Link TBD AppInit DLLS WDATP Masquerading WDATP Credential Manipulation UEBA File and Directory Discovery UEBA Execution through API TBD Data from Local System UEBA Data Transfer Size Limits TBD Custom Command and Control Protocol Symantec DLPAppCert DLLs WDATP Decode File or Info TBD Pass the Ticket WDATP Graphic User Interface TBD Data from Network Shared Drive ZScaler Exfiltration Over Alternative Protocol ZScalerApplication Shimming TBD DLL Side- Loading WDATP Credentials in Files UEBA WDATP Process Discovery Elastic InstallUtil WDATP Custom Cryptographic Protocol ZScalerNew Service TBD Disabling Security Tools Elastic Input Capture WDATP Remote Desktop Protocol Elastic PowerShell WDATP No detection Detected, No validation Detected Key
- 18. DATA SOURCE MAPPING 24 MITRE Enumeration Data does not exist Data exists, not monitored Data exists analyzed and monitoredKey Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLS Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control ProtocolAppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
- 20. DETECTION MATURITY HEATMAP 26 MITRE Enumeration Limited Initial Stable Current InnovativeMaturity Key Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Attachment Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLs Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control Protocol AppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
- 21. 27 If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu -
- 22. Don’t Do This 28 ❖ Use Matrix as a Checklist to Create Alerts for everything ▪ Specific Technique – High Fidelity Alert ▪ Less Specific Technique – Data Enrichment ❖ Believe Matrix is every possible attack behavior ▪ Adversaries probably don’t report their own TTPs to MITRE ❖ Replace fundamentals with MITRE ATT&CK ▪ Term Does not found (404): MITRE COMPLIANT ❖ Make it Green if you detect one command of Technique ▪ There can be N number of procedure to implement a technique.
- 28. Together
- 29. ATT&CK is not juts a Framework, ATT&CK is community!
- 30. References and Awesome Resources 36 â–Ş Indicators of Attack vs Indicators of Compromise â–Ş https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise â–Ş Using ATT&CK for Cyber Threat Intelligence â–Ş https://attack.mitre.org/resources/training/cti/ â–Ş MITRE ATT&CK Getting Started â–Ş https://attack.mitre.org/resources/getting-started/ â–Ş ATT&CK Con Talks â–Ş https://attack.mitre.org/resources/attackcon/ â–Ş ATT&CK 101 â–Ş https://medium.com/mitre-attack/att-ck-101-17074d3bc62 â–Ş ATT&CK Sub Technique Preview â–Şhttps://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a â–Ş 2020 ATT&CK Roadmap â–Şhttps://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba
- 31. THANK YOU