ATT&CK Your CTI with Lessons Learned from Four Years in the Trenches - SANS CTI Summit 2019 - SANS.org
SANS CTI Summit 2019 ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches ©2019 The MITRE Corporation and Red Canary. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18-1528-32.
Katie Nickels, ATT&CK Threat Intelligence Lead, The MITRE Corporation (@LiketheCoins)
Brian Beyer, Co-founder & CEO, Red Canary
Outline
● How is ATT&CK useful for CTI?
● A tale of two ATT&CK mapping approaches
● What we learned from our data
● How you can apply this data to improve defenses
ATT&CK: A Knowledge Base of Adversary Behavior
● Tactics: the adversary's technical goals
● Techniques: how goals are achieved
● Procedures: specific technique implementation
Why ATT&CK is Useful for CTI
● Adds structure to allow comparison
● Moves from IOCs → Behaviors
● Makes intel actionable for defense
MITRE-Compiled Data Set 5 years of reviewing and mapping ~400 publicly-available threat intel reports
Mapping to ATT&CK: the Manual, Human Way
Example report: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Techniques identified by reading the report:
● Scripting (T1064)
● Registry Run Keys / Startup Folder (T1060)
● Command-Line Interface (T1059)
● Discovery - T1057, T1018, T1049, T1082, T1016
● Credential Dumping (T1003)
● Input Capture (T1056)
● Pass the Ticket (T1097)
● Email Collection (T1114)
Methodology: ~400 publicly-available threat intel reports; collection based on threat intel reports
Consequences / Biases:
+ Thorough
+ Nuanced
+ Able to find techniques that require human analysis
- Slow and challenging to learn
- Subject to human biases
- Requires reports to input
Red Canary Data Set 5 years of security operations monitoring + ~200 IR engagements
Mapping to ATT&CK: the Detection-Driven Way
Methodology: 5 years of security operations monitoring + ~200 IR engagements; collection based on day-to-day security operations
Consequences / Biases:
+ Able to process large quantities of data
+ Consistent
+ Fast
+ Highly structured
- Only maps known techniques
- No nuance/interpretation
- Maps only to detection-worthy events
Why don't we have both? This data set: 5 years of security operations monitoring + ~200 IR engagements, plus ~400 publicly-available threat intel reports. (Meme image: KnowYourMeme.com)
IF YOU COULD SHOW ME YOUR DATA THAT WOULD BE GREAT
Top 20 Techniques Based on MITRE-Compiled Data
1. Standard App Layer Protocol
2. Remote File Copy
3. System Information Discovery
4. Command-Line Interface
5. File and Directory Discovery
6. Registry Run Key/Startup Folder
7. Obfuscated Files or Information
8. File Deletion
9. Process Discovery
10. System Network Configuration Discovery
11. Credential Dumping
12. Screen Capture
13. Input Capture
14. System Owner/User Discovery
15. Scripting
16. Commonly Used Port
17. Standard Cryptographic Protocol
18. PowerShell
19. Masquerading
20. New Service
Top 20 Techniques Based on Red Canary Data
1. PowerShell
2. Scripting
3. Regsvr32
4. Connection Proxy
5. Spearphishing Attachment
6. Masquerading
7. Credential Dumping
8. Registry Run Keys / Start Folder
9. Rundll32
10. Service Execution
11. Disabling Security Tools
12. Command-Line Interface
13. Account Discovery
14. Accessibility Features
15. Scheduled Task
16. WMI
17. Process Injection
18. Obfuscated Files or Information
19. Windows Admin Shares
20. Pass the Ticket
MITRE & Red Canary's Top 20 Techniques by Tactic [chart: technique counts plotted along the ATT&CK chain - Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfil]
Red Canary Data: # of Techniques Observed by Tactic / Stage [chart: counts plotted along the same ATT&CK chain of tactics]
Red Canary Data: Top Defense Evasion Techniques
Red Canary Data: Top Execution Techniques
Putting it into Action: 7 overlapping techniques - a place to start for defense
Overlaps in Top 20 Techniques

Technique                                   Red Canary Rank   MITRE Rank   Red Canary Count   MITRE Count
T1086 PowerShell                                  1               18             1,774              46
T1064 Scripting                                   2               15               794              53
T1059 Command-Line Interface                     12                4               294             112
T1060 Registry Run Keys / Startup Folder          8                6               377              93
T1036 Masquerading                                6               19               419              45
T1027 Obfuscated Files or Information            18                7               120              88
T1003 Credential Dumping                          7               11               405              61
What Does This Mean for Defense?
PowerShell
● Implement PowerShell v5 w/ enforcement and ScriptBlock logging
● Be really good at collecting command lines and associated detection
Scripting
● Monitor parent/child execution related to common phishing attachments
● Deeply monitor activity associated with common script engines
Command-Line Interface
● Understand common parentage for applications in your org
● Be really good at collecting command lines and associated detection
Registry Run Keys / Startup Folder
● Know your systems: configuration management and system change audit
Masquerading
● Validate binary metadata (signing) and execution paths
● Know trusted hash values for common system binaries
Obfuscated Files / Info
● Script Block logging, automated decompress/deobfuscate/decode
Credential Dumping
● Dive deep into library loads and execution of system tools (setspn, ntdsutil)
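As an added example (not code from the deck, MITRE or Red Canary), the following Python script shows what the detection-driven mapping from the Red Canary slides and the monitoring advice above look like when combined: a handful of rules for the seven overlapping techniques run over endpoint telemetry, with hits counted by technique and by tactic the way a detection-driven data set is built. The telemetry format, the sample events, the reference sets (Office applications, script engines, system binaries) and the tactic assignments are all assumptions made for the example.

```python
"""Detection-driven ATT&CK mapping over constructed endpoint telemetry.

Added example; not code from the SANS/MITRE/Red Canary deck. Rules cover the
seven techniques in both top-20 lists; the event format, reference sets,
sample events and tactic assignments are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Technique ID -> (name, primary tactic). Names come from the slides; the
# tactic column is an assumption based on the ATT&CK matrix of that era.
TECHNIQUES: Dict[str, Tuple[str, str]] = {
    "T1086": ("PowerShell", "Execution"),
    "T1064": ("Scripting", "Execution"),
    "T1059": ("Command-Line Interface", "Execution"),
    "T1060": ("Registry Run Keys / Startup Folder", "Persistence"),
    "T1036": ("Masquerading", "Defense Evasion"),
    "T1027": ("Obfuscated Files or Information", "Defense Evasion"),
    "T1003": ("Credential Dumping", "Credential Access"),
}

# Reference sets used by the rules (constructed; build yours from a baseline).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "services.exe"}
CRED_TOOLS = {"ntdsutil.exe", "setspn.exe"}  # system tools named on the slide
# Common abbreviations of powershell.exe's -EncodedCommand switch (subset).
ENCODED_SWITCH = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' telemetry line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return path.lower().rsplit("\\", 1)[-1]


def map_event(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs whose detection rules fire for one event."""
    hits: List[str] = []
    if event.get("type") == "registry":
        if "\\currentversion\\run" in event.get("key", "").lower():
            hits.append("T1060")      # autostart entry written under a Run key
        return hits
    image_path = event.get("image", "")
    image, parent = basename(image_path), basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "")
    if parent in OFFICE_APPS and image in SCRIPT_ENGINES:
        hits.append("T1064")          # script engine spawned by an Office document handler
    if parent in OFFICE_APPS and image == "cmd.exe":
        hits.append("T1059")          # unexpected parentage for the command interpreter
    if image == "powershell.exe":
        hits.append("T1086")
        if ENCODED_SWITCH.search(cmdline):
            hits.append("T1027")      # encoded payload on the command line
    if image in SYSTEM_BINARIES and not image_path.lower().startswith("c:\\windows\\"):
        hits.append("T1036")          # system binary name outside its expected path
    if image in CRED_TOOLS:
        hits.append("T1003")          # flag for triage; these tools also have admin uses
    return hits


def summarize(lines: List[str]) -> Tuple[Counter, Counter]:
    """Count rule hits per technique ID and per tactic over a batch of events."""
    by_technique: Counter = Counter()
    by_tactic: Counter = Counter()
    for line in lines:
        for tid in map_event(parse_event(line)):
            by_technique[tid] += 1
            by_tactic[TECHNIQUES[tid][1]] += 1
    return by_technique, by_tactic


def top_techniques(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Ranked (id, name, count) list, most frequent first, ties by ID."""
    by_technique, _ = summarize(lines)
    ranked = sorted(by_technique.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(tid, TECHNIQUES[tid][0], n) for tid, n in ranked]


# Constructed sample telemetry (not real data): process-start and registry events.
SAMPLE_EVENTS = [
    r"type=process|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe",
    r"type=process|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\wscript.exe|cmdline=wscript.exe //E:jscript invoice.js",
    r"type=process|parent=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -NoP -w hidden -enc QQBBAEEA",
    r"type=process|parent=C:\Windows\System32\services.exe|image=C:\Windows\System32\svchost.exe|cmdline=svchost.exe -k netsvcs",
    r"type=process|parent=C:\Windows\explorer.exe|image=C:\Users\alice\AppData\Local\Temp\svchost.exe|cmdline=svchost.exe",
    r"type=registry|image=C:\Users\alice\AppData\Local\Temp\svchost.exe|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|value=C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"type=process|parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\ntdsutil.exe|cmdline=ntdsutil.exe",
    r"type=process|parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c dir",
    r"type=process|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for rank, (tid, name, n) in enumerate(top_techniques(SAMPLE_EVENTS), 1):
        print(f"{rank:2}. {tid} {name}: {n}")
    print("by tactic:", dict(summarize(SAMPLE_EVENTS)[1]))
```

The rules are deliberately narrow: the legitimate svchost.exe under C:\Windows\System32 and the unencoded PowerShell backup script produce no masquerading or obfuscation hit, which is the "know your systems" baseline the slide asks for. Counting by tactic reproduces the shape of the "techniques observed by tactic" chart, and the same loop over a real event stream is what makes a detection-driven data set consistent and fast at the cost of only ever seeing the techniques you already have rules for.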
Putting it into Action for Yourself: 7 overlapping techniques. Your data? Your gaps?
Takeaways: as you use ATT&CK...
● Know your limitations
● Combine approaches and data
● Share your data (stay tuned!)
Questions? attack.mitre.org | redcanary.com | attack@mitre.org | info@redcanary.com | @MITREattack | @RedCanaryCo