Cyber Threat Intelligence: a Team Sport

Cyber Threat Intelligence: A Team Sport

Collaborative Analytic Development

John Wunder The MITRE Corporation

Member look out for Member Indicators of A this IP, it’s bad! B Ha ha, compromise blocked! ISAO are great attacks Member Member C D Analytics move up the (obligatory) pyramid of pain

David J. Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html What’s an analytic, Indicators Analytics really?

Fewer false positives More false positives More atomic Broader Higher quantity Lower quantity Example analytic: reg.exe called from command shell We need an organizing framework.

Analytics are great, but they need to be put into the context of which adversary technique they detect • How do you know which ones you need? • If you have some analytics shared with you, how do you know whether they’re additive or duplicative? • If you see a new technique being used in a threat report, how do you know if your current set of analytics will cover it? ATT&CK™ is a MITRE-developed, globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of adversaries’ operations against computer networks. What’s in

1. List of techniques used by adversaries for each phase of the kill chain

2. Possible methods of detection and mitigation

3. Published references of adversary use of techniques

Image source: www.hasbro.com Mr. Potato Head is a registered trademark of Hasbro Inc. Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control

DLL Search Order Hijacking Brute Force Account Discovery Windows Remote Management Audio Capture Automated Exfiltration Commonly Used Port

Legitimate Credentials Application Window Third-party Software Automated Collection Data Compressed Communication Through Credential Dumping Discovery Removable Media Accessibility Features Binary Padding Application Deployment Command-Line Clipboard Data Data Encrypted AppInit DLLs Code Signing Software Execution through API Data Staged Data Transfer Size Limits Connection Proxy Credential Manipulation File and Directory Discovery Local Port Monitor Component Firmware Execution through Module Data from Local System Exfiltration Over Alternative Custom Command and Exploitation of Vulnerability Load Protocol Control Protocol New Service DLL Side-Loading Credentials in Files Local Network Configuration Data from Network Shared Path Interception Disabling Security Tools Input Capture Discovery Logon Scripts Graphical User Interface Drive Custom Cryptographic Exfiltration Over Command Protocol Scheduled Task File Deletion Network Sniffing Local Network Connections Pass the Hash InstallUtil Data from Removable Media and Control Channel File System Permissions Weakness Discovery Pass the Ticket MSBuild Data Encoding File System Logical Offsets Two-Factor Authentication Service Registry Permissions Weakness Interception Network Service Scanning Remote Desktop Protocol PowerShell Email Collection Exfiltration Over Other Data Obfuscation Web Shell Indicator Blocking Remote File Copy Process Hollowing Input Capture Network Medium Fallback Channels Peripheral Device Discovery Exploitation of Vulnerability Remote Services Regsvcs/Regasm Screen Capture Exfiltration Over Physical Multi-Stage Channels Authentication PackageATT&CK is Enables pivoting between red team and blue team Medium Bypass User Account Control Replication Through Regsvr32 Video Capture Permission Groups Discovery Multiband Communication Bootkit DLL Injection Removable Media Rundll32 Scheduled Transfer Component Object Model Component Object Model Process Discovery Shared Webroot Scheduled Task Multilayer Encryption HijackinggroundedHijacking in Query Registry Taint Shared Content Scripting Remote File Copy Basic Input/Output System Indicator Removal from Tools Remote System Discovery Windows Admin Shares Service Execution Standard Application Layer Decouples the problem from the solution Protocol Change Default File Windows Management Indicator Removal on Host Security Software Discovery Association Instrumentation empirical data Standard Cryptographic Component Firmware Install Root Certificate Protocol System Information External Remote Services InstallUtil Discovery Standard Non-Application Hypervisor Masquerading Layer Protocol Logon Scripts from cyberModify Registry TransformsSystem Owner/User thinking by focusing on post-exploit Modify Existing Service MSBuild Discovery Uncommonly Used Port Netsh Helper DLL Network Share Removal adversarySystem Service Discovery behavior Web Service Redundant Access incidentsNTFS Extended Attributes System Time Discovery Registry Run Keys / Start Obfuscated Files or Folder Information Security Support Provider Process Hollowing Shortcut Modification Redundant Access Regsvcs/Regasm Windows Management Instrumentation Event Regsvr32 Subscription Rootkit Winlogon Helper DLL Rundll32 Scripting Software Packing Timestomp Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control DLL Search Order Hijacking Brute Force Account Discovery Windows Remote Management Audio Capture Automated Exfiltration Commonly Used Port

Legitimate Credentials Third-party Software Application Window Automated Collection Data Compressed Communication Through Credential Dumping Discovery Removable Media Accessibility Features Binary Padding Application Deployment Command-Line Clipboard Data Data Encrypted Software AppInit DLLs Code Signing File and Directory Execution through API Data Staged Data Transfer Size Limits Connection Proxy Credential Manipulation Discovery Local Port Monitor Component Firmware Execution through Data from Local System Exploitation of Exfiltration Over Custom Command and Module Vulnerability Alternative Protocol Control Protocol New Service DLL Side-Loading Credentials in Files Local Network Load Data from Network Configuration Discovery Shared Drive Path Interception Disabling Security Tools Input Capture Logon Scripts Graphical User Interface Custom Cryptographic Exfiltration Over Protocol Scheduled Task Command and Control File Deletion Network Sniffing Local Network Pass the Hash InstallUtil Data from Removable Channel Connections Discovery Media File System Permissions Weakness File System Logical Pass the Ticket MSBuild Data Encoding Two-Factor Offsets Service Registry Permissions Weakness Authentication Network Service Scanning Remote Desktop Protocol PowerShell Email Collection Exfiltration Over Other Data Obfuscation Interception Network Medium Web Shell Indicator Blocking Peripheral Device Remote File Copy Process Hollowing Input Capture Fallback Channels Discovery Exploitation of Vulnerability Remote Services Regsvcs/Regasm Screen Capture Exfiltration Over Physical Multi-Stage Channels Authentication Package Medium Bypass User Account Control Permission Groups Replication Through Regsvr32 Video Capture Multiband Discovery Removable Media Communication Bootkit DLL Injection Rundll32 Scheduled Transfer Use ATT&CK to Component Object Model Component Object Model Process Discovery Shared Webroot Scheduled Task Multilayer Encryption Hijacking Hijacking Basic Input/Output Indicator Removal from Query Registry Taint Shared Content Scripting Remote File Copy System Tools Remote System Discovery Windows Admin Shares Service Execution Standard Application Layer Protocol Change Default File Indicator Removal on Security Software Windows Management Association Host Discovery Instrumentation understandStandard Cryptographic your Component Firmware Install Root Certificate Protocol System Information External Remote Services InstallUtil Discovery Standard Non- Hypervisor Masquerading Application Layer Protocol Logon Scripts Modify Registry System Owner/User Modify Existing Service MSBuild Discovery Uncommonly Used Port Netsh Helper DLL Network Share Removal System Service Discovery Web Service defense Redundant Access NTFS Extended Attributes System Time Discovery Registry Run Keys / Start Obfuscated Files or Folder Information Security Support Provider Process Hollowing Shortcut Modification Redundant Access Windows Management Regsvcs/Regasm Instrumentation Event Regsvr32 Subscription Rootkit Winlogon Helper DLL Rundll32 Scripting Software Packing Timestomp

Document and Define your assess your Identify gaps Fill gaps threat model coverage Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control DLL Search Order Hijacking Brute Force Account Discovery Windows Remote Management Audio Capture Automated Exfiltration Commonly Used Port

Legitimate Credentials Third-party Software Automated Collection Data Compressed Communication Application Window Credential Dumping Through Removable Discovery Accessibility Features Binary Padding Command-Line Clipboard Data Data Encrypted Media Application Deployment Software AppInit DLLs Code Signing Execution through API Data Staged Data Transfer Size Limits Connection Proxy Credential File and Directory Manipulation Discovery Local Port Monitor Component Firmware Execution through Data from Local System Exploitation of Exfiltration Over Custom Command Module Vulnerability Alternative Protocol and Control Protocol New Service DLL Side-Loading Credentials in Files Local Network Load Data from Network Configuration Shared Drive Path Interception Disabling Security Tools Input Capture Discovery Logon Scripts Graphical User Interface Custom Cryptographic Exfiltration Over Protocol Scheduled Task File Deletion Network Sniffing Local Network Pass the Hash InstallUtil Command and Data from Removable Connections Control Channel Media File System Permissions Weakness Discovery Pass the Ticket MSBuild Data Encoding File System Logical Two-Factor Offsets Service Registry Permissions Weakness Authentication Network Service Scanning Remote Desktop Protocol PowerShell Email Collection Exfiltration Over Data Obfuscation Interception Other Network Web Shell Indicator Blocking Remote File Copy Process Hollowing Input Capture Medium Fallback Channels Peripheral Device Discovery Exploitation of Vulnerability Remote Services Regsvcs/Regasm Screen Capture Multi-Stage Channels Authentication Exfiltration Over Package Physical Medium BypassBypass User User Account Account Control Control Regsvr32 Video Capture Example: Permission Groups Replication Through Multiband Discovery Removable Media Communication Bootkit DLL Injection Rundll32 Scheduled Transfer Component Object Model Component Object Model Process Discovery Shared Webroot Scheduled Task Multilayer Encryption Hijacking Hijacking Query Registry Taint Shared Content Scripting Remote File Copy Basic Input/ Output Indicator Removal System from Tools Remote System Discovery Windows Admin Shares Service Execution Standard Application Bypass User Layer Protocol Windows Change Default Indicator Removal on Security Software Management File Association Host Discovery Standard Instrumentation Cryptographic Protocol Component Firmware Install Root Certificate System Information External Remote Services InstallUtil Discovery Standard Non- Hypervisor Masquerading Application Layer Account Control Logon Scripts Modify Registry System Owner/User Protocol Discovery Modify Existing Service MSBuild Uncommonly Used Port Netsh Helper DLL Network Share Removal System Service Discovery Web Service Redundant Access NTFS Extended Attributes System Time Discovery Registry Run Keys / Obfuscated Files or (T1088) Start Folder Information Security Support Provider Process Hollowing Shortcut Modification Redundant Access Regsvcs/Regasm Windows Regsvr32 Management Instrumentation Event Subscription Rootkit

Winlogon Helper DLL Rundll32 Scripting Software Packing Timestomp Example: Bypass User Account Control (T1088)

A Windows security feature that limits application software to standard user privileges until an administrator authorizes an increase or elevation

• Seen used by APT29, Patchwork, BlackEnergy, and others • Some issues are patched by Microsoft, some are not Example: Bypass User Account Control (T1088)

UACME - List of specific procedures to carry out this technique https://github.com/hfiref0x/UACME

There are... 41! Filling the gaps is hard, time-consuming, and expensive.

• There are a lot of prevalent techniques • Adversary practices are always evolving • Techniques have a wide set of procedures • We all have limited resources • Requires in-depth expertise of system internals We’re making this a team Tackling the problem together is the only way we can keep up • More brainpower = faster progress sport. • A broader array of expertise = broader coverage

But there are some sensitivities you should be aware of… • The analytics you write and share can have operational security impacts

Multi-faceted approach • Start out in small working groups • Not everyone is a producer, feedback is just as important • Combined with public, open-source, sharing NH-ISAC Working Group: Building out and sharing analytics to cover techniques in the ATT&CK matrix Challenge: Sensor Analytic 1 Analytic 2

process coverage network varies. file

Org A Org B Org C

process process • Organizations have different file types of sensors file registry file registry key key network network • Organizations have different Org A Org B Org C sensors even for the same data Analytic 1 ✓ ✓ ✗ Analytic 2 ✓ ✗ ✓ • Sensors are not enough, you need to be able to collect data from your sensors Challenge: Operational environments vary.

Org A Org B Org C

Analytic 1 Analytic 1 Analytic 1 Each environment is unique and will have unique false positives • Lots of developers vs. few • Use of Tool A vs. Tool B Analytic 2 Analytic 2 Analytic 2 Configurations of OS or other tools differ and cause analytics targeting them to differ False positive True positive Challenge: There is no common language or taxonomy.

Analytic 1 No common • Query language process • Data taxonomy file Manual conversions are tractable, for now Org A Org B • Simpler analytics process • Lower volume process file registry file Need to look to key Registry key the future network Where we’re going

• Validating that what we’re doing works and helps

• Putting analytics in context • How do you assess your threat model and your coverage? How do you track it over time? • Need tooling

• Increasing our pace via standardization and automation Take action Figure out where you are • Define your threat model in ATT&CK. • Assess your gaps. Ask your vendors. • Are you where you want to be? Figure out where to go and how to participate • Can you use analytics now? • Can you create analytics yourself? Find a community to join • Talk to your ISAO/ISAC, vendors, partners, friends • Talk to me • Find open source analytics (look at CAR!) Making it easy ATT&CK https://attack.mitre.org CAR https://car.mitre.org Unfetter https://github.com/unfetter-discover/unfetter Me [email protected]