MITRE ATT&CK Combining APTs, TTPs & GRC to Build a Realistic Security Program - William J. Nowik, CISA, CISSP, PCIP, QSA March 11, 2021 - Western ...
MITRE ATT&CK® Combining APTs, TTPs & GRC to Build a Realistic Security Program
William J. Nowik, CISA, CISSP, PCIP, QSA
March 11, 2021
MEMBER OF ALLINIAL GLOBAL, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
© 2021 Wolf & Company, P.C.

Presenter
WILLIAM J. NOWIK, CISA, CISSP, PCIP, QSA
Principal & Chief Information Security Officer, Wolf & Company, P.C.
Direct: (617) 428-5469
wnowik@wolfandco.com

About Wolf & Company, P.C.
1911: Wolf & Co. established
300+ professionals
4 offices in:
• Boston, MA
• Springfield, MA
• Albany, NY
• Livingston, NJ
Services offered in:
• Assurance
• Tax
• Risk Management
• Business Consulting
CrowdStrike Services Cyber Front Lines Report
63%: Percent of incidents investigated in 2020 that involved financially motivated threat actors
40%: Antivirus solutions failed to provide protection, either because malware was undetected or because a portion of the attack sequence was missed
30%: Antivirus or endpoint detection and response tools were not fully deployed, were improperly configured, or were not supported on the operating system
68%: Organizations studied post-IR that encounter another sophisticated intrusion attempt within the next 12 months
Ransomware Involved in Financially Motivated eCrime Attacks, 2020: Ransomware 81%, Other eCrime 19%

Ransomware Transformation
2013 – CryptoLocker
2016/2017 – WannaCry
2017 – (Not)Petya
2019/2020 – Human-Controlled Ransomware

eCrime is Big Business
✓ Big Game Hunters (BGH)
✓ Ransomware-as-a-Service
✓ Wide and Broad Scope
✓ Attackers don’t discriminate and adapt to the environment
  o Shift tools, payloads, and activities

Pyramid of Pain
Source: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
MITRE ATT&CK®
✓ MITRE ATT&CK® is a community-driven platform
  o Tracks threat actors through observable data
  o Tactics, Techniques, and Procedures (TTPs)
  o Post-compromise focus
  o 14 Tactics, 178 Techniques, 352 Sub-Techniques and growing

Meet the Opponent
✓ Advanced Persistent Threats (APTs) and Threat Groups
  o GOLD SOUTHFIELD observed to operate REvil Ransomware
  o Wizard Spider observed to operate Ryuk Ransomware
✓ These groups orchestrate and provide Ransomware-as-a-Service
✓ Financially motivated and calculated
✓ Sweep the internet to identify vulnerabilities
  o Includes brute forcing, leveraging perimeter misconfigurations, and phishing

It’s a Race
Attacker timeline: Initial Access → Execution → Credential Access → Lateral Movement → Payload
Incident Response Timeline: Detect → Understand → Contain → Eradicate
Tracking the Adversary – Initial Access
✓ We have the attacker’s playbook
✓ Shift focus to assume compromise
✓ Using ATT&CK®, we can track relevant groups using real data
  o Example: Wizard Spider has been seen performing T1566.002
  o We may not be able to fully prevent a technique, but we can better train for it and detect it
Phishing: Spearphishing Link – Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services. [2][8]
Source: MITRE ATT&CK® https://attack.mitre.org/groups/G0102/

Wizard Spider – Execution
✓ Sub-techniques can be reviewed and understood
✓ PowerShell is known to be used by Wizard Spider
✓ Can we disable PowerShell or log all command line usage?
✓ Understand the behavior to strengthen defenses
Command and Scripting Interpreter: PowerShell – Wizard Spider has used macros to execute PowerShell scripts to download malware on victims' machines. [5] It has also used PowerShell to execute commands and move laterally through a victim network. [2][3][7]
Source: MITRE ATT&CK® https://attack.mitre.org/groups/G0102/

Wizard Spider – Credential Access
✓ Assume Compromise: the adversary will pivot and achieve persistence
✓ Some techniques are easy to detect and prevent
✓ Implement defenses:
  o Local Administrator Password Solution (LAPS)
  o Credential Guard
  o Disable Legacy Protocols (LLMNR/NBT-NS)
  o SMB Hardening
Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay – Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning. [3]
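The Execution and Credential Access slides ask whether command-line usage can be logged and turned into detections. As an added example (not from the presentation), the Python below evaluates constructed Windows Security event 4688 process-creation records against the behaviours the slides quote for Wizard Spider (an Office macro launching PowerShell, encoded or hidden PowerShell, the Invoke-Inveigh cmdlet) and tags each match with the ATT&CK technique ID; the events, paths and base64 blob are all constructed.

```python
import re

# Constructed Windows Security event 4688 records (process creation with
# command-line auditing enabled); the base64 blob decodes to "PLACEHOLDER".
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"id": 3, "parent": r"C:\Windows\System32\services.exe",
     "process": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File Invoke-Inveigh.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# -e, -ec, -enc and -encodedcommand all hand PowerShell a base64-encoded script.
ENCODED_FLAG = re.compile(r"(?<!\w)-e(c|nc|ncodedcommand)?\b", re.I)
HIDDEN_WINDOW = re.compile(r"(?<!\w)-w(indowstyle)?\s+hidden\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (technique ID, reason) findings for one process-creation event."""
    parent, proc, cmd = basename(event["parent"]), basename(event["process"]), event["cmdline"]
    findings = []
    if proc in POWERSHELL:
        if parent in OFFICE_APPS:
            findings.append(("T1059.001", f"Office application {parent} spawned PowerShell"))
        if ENCODED_FLAG.search(cmd):
            findings.append(("T1059.001", "PowerShell launched with an encoded command"))
        if HIDDEN_WINDOW.search(cmd):
            findings.append(("T1059.001", "PowerShell launched with a hidden window"))
    if re.search(r"invoke-inveigh", cmd, re.I):
        findings.append(("T1557.001", "Inveigh name-service poisoning tool referenced"))
    return findings


def triage(events):
    """Map event ID -> findings for every event that matched at least one rule."""
    return {e["id"]: evaluate(e) for e in events if evaluate(e)}
```

Event 2 (an interactive `Get-Process`) produces no finding, which is the point of matching on parent process and flags rather than on `powershell.exe` alone.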
Wizard Spider – Lateral Movement
✓ The adversary will pivot and enumerate assets
✓ Use real data to build your playbook
✓ Implement defenses:
  o Windows firewall hardening
  o Limit and detect administrative tool usage
  o Segment hosts in the network
Remote Services: Remote Desktop Protocol – Wizard Spider has used RDP for lateral movement. [5][2][8]
Remote Services: SMB/Windows Admin Shares – Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement. [8][6]
Remote Services: Windows Remote Management – Wizard Spider has used Windows Remote Management to move laterally through a victim network. [2]

Wizard Spider – Payload
✓ The adversary is attempting to learn your network
✓ They will spend several days obtaining persistence, pivoting in the network, and making changes
✓ Understand their behavior to build detections before they can achieve the objective
  o Attacker Goal: Execute the payload → Ransomware
  o Defender Goal: Detection; prevent if possible
Data Encrypted for Impact – Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory. [1]

Key Takeaways
✓ The attacker will attempt to “live off the land”
  o They will abuse your environment after learning it
✓ The attackers are humans, so we can learn from their behavior
✓ We need to build and tune our defenses to the attacker's playbook
  o Real attack data exists; use it
✓ How much confidence do we have in our detection and prevention capabilities?

Building Your Threat Model
✓ Identify your adversaries
✓ Create a layer and assign a score (i.e. color) to techniques used by each adversary
  o Start small
  o Combine layers to combine multiple adversary techniques
✓ Export to a working format
✓ Test and document your controls
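The threat-model steps above, worked in Python as an added example (not the presentation's or the ATT&CK Navigator project's own code): build one scored layer per adversary, combine layers by summing scores so shared techniques rank highest, overlay documented controls as Gap / Detection / Covered, and export JSON. The layer-format version and the second adversary's technique list are assumptions; the technique IDs are those of the Wizard Spider techniques the slides name.

```python
import json
from collections import defaultdict

LAYER_VERSION = "4.2"  # Navigator layer-format version (assumed; adjust to your Navigator)
COVERAGE_COLORS = {"Gap": "#ff6666", "Detection": "#ffcc66", "Covered": "#66cc66"}

# ATT&CK IDs of the Wizard Spider techniques the slides name (T1566.002 is quoted
# on the slides; the others are the IDs of the techniques named there).
WIZARD_SPIDER = {
    "T1566.002": "Phishing: Spearphishing Link",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1557.001": "Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1021.006": "Remote Services: Windows Remote Management",
    "T1486": "Data Encrypted for Impact",
}
# Constructed second adversary, used only to demonstrate combining layers.
OTHER_GROUP = {k: WIZARD_SPIDER[k] for k in ("T1566.002", "T1059.001", "T1021.001")}

def build_layer(name, techniques, score=1):
    """One Navigator layer: each technique the adversary uses gets `score`."""
    return {
        "name": name,
        "versions": {"layer": LAYER_VERSION},
        "domain": "enterprise-attack",
        "description": f"Techniques used by {name}",
        "techniques": [{"techniqueID": tid, "score": score, "comment": label}
                       for tid, label in sorted(techniques.items())],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": score},
    }

def combine_layers(name, layers):
    """Sum scores per technique across layers, so techniques shared by several
    adversaries rank highest in the combined threat model."""
    totals, labels = defaultdict(int), {}
    for layer in layers:
        for t in layer["techniques"]:
            totals[t["techniqueID"]] += t["score"]
            labels[t["techniqueID"]] = t["comment"]
    combined = build_layer(name, labels)
    for t in combined["techniques"]:
        t["score"] = totals[t["techniqueID"]]
    combined["gradient"]["maxValue"] = max(totals.values(), default=1)
    return combined

def coverage_layer(name, threat_layer, controls):
    """Document defense capabilities: `controls` maps technique ID to 'Detection'
    or 'Covered'; any adversary technique without an entry is a Gap."""
    techniques = []
    for t in threat_layer["techniques"]:
        status = controls.get(t["techniqueID"], "Gap")
        techniques.append({"techniqueID": t["techniqueID"], "color": COVERAGE_COLORS[status],
                           "comment": f"{status}: {t['comment']}"})
    return {**threat_layer, "name": name, "techniques": techniques}

def gaps(layer):
    """Technique IDs still marked as gaps in a coverage layer."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["comment"].startswith("Gap:"))

def export_layer(layer, path):
    """Write the layer as JSON, the working format the Navigator imports."""
    with open(path, "w") as fh:
        json.dump(layer, fh, indent=2)
```

The exported file is what you load into the Navigator to get the highlighted matrix shown on the next slides; re-running `gaps()` after each control test gives the list to remediate and track.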
Wizard Spider Techniques
[Figure: ATT&CK Navigator view of the Enterprise matrix (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact); legend: enterprise techniques used by Wizard Spider, highlighted across the matrix]
Document Your Defense Capabilities
[Figure: the same ATT&CK Navigator Enterprise matrix with a defense layer overlaid on the Wizard Spider techniques; legend: Gap, Detection, Covered]
Testing and Tracking ATT&CK®
• Examples of automated tools:
  – Atomic Red Team
  – CALDERA
• Continuously test tools and detection mechanisms
• Track gaps through a collaborative approach
• Convey relevant risks that impact the business; leverage working processes
Source: https://redcanary.com/blog/testing-endpoint-solutions-atomic-red-team/

Cybersecurity Testing & Response Maturity
Vulnerability Management → Penetration Testing → Purple Team → Red Team / Blue Team

Keep Your Threat Models Up to Date
Overlay Adversary Techniques → Testing to Confirm Controls → Document Control Coverage → Remediate, Track Gaps
✓ Additional adversaries
✓ New techniques observed by existing adversaries

Questions?