Detecting the Adversary Post-Compromise with Threat Models and Behavioral Analytics
Approved for Public Release; Distribution Unlimited. 16-3058
© 2016 The MITRE Corporation. All rights reserved.

| 2 | Cyber Attack Lifecycle
Phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
Traditional CND is positioned on the left of the lifecycle (up to Exploit); ATT&CK is positioned on the right-of-exploit phases (Control, Execute, Maintain).
146 days – the median time an adversary is in a network before being detected (Mandiant, M-Trends 2016)
Cyber Attack Lifecycle: The MITRE Corporation, https://www.mitre.org/capabilities/cybersecurity/threat-based-defense

| 3 | Threat Based Modeling
Adversary: • Cyber threat analysis • Research • Industry reports
Enterprise Behavior (ATT&CK): • Adversary model • Post-compromise techniques
Defense: • Data sources • Analytics • Prioritization

| 4 | ATT&CK: Deconstructing the Lifecycle
Tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control
• Threat data informed adversary model
• Higher fidelity on right-of-exploit, post-access phases
• Describes behavior sans adversary tools
• Working with world-class researchers to improve and expand
| 5 | ATT&CK Matrix: Tactics and Techniques (2014)
Tactics: Persistence, Privilege Escalation, Credential Access, Host Enumeration, Defense Evasion, Lateral Movement, Command and Control, Exfiltration
• Persistence: New service; Modify existing service; DLL Proxying; Hypervisor Rootkit; Winlogon Helper DLL; Path interception; Modification of shortcuts; Registry run keys / Startup folder addition; Scheduled task; MBR / BIOS rootkit; Editing of default handlers
• Privilege Escalation: Exploitation of vulnerability; Service file permissions weakness; Service registry permissions weakness; DLL path hijacking; Path interception; Modification of shortcuts; Editing of default handlers; Legitimate Credentials; Scheduled task
• Credential Access: Credential dumping; User interaction; Network sniffing; Stored file
• Host Enumeration: Process enumeration; Service enumeration; Local network config; Local network connections; Window enumeration; Account enumeration; Group enumeration; Owner/user enumeration; Operating system enumeration; Security software enumeration; File system enumeration
• Defense Evasion: Software packing; Masquerading; DLL Injection; DLL loading; Obfuscated payload; Indicator removal; Indicator blocking
• Lateral Movement: RDP; Windows admin shares (C$, ADMIN$); Windows shared webroot; Remote vulnerability; Logon scripts; Application deployment software; Taint shared content; Access to remote services with valid credentials; Pass the hash
• Command and Control: Common protocol, follows standard; Common protocol, non-standard; Commonly used protocol on non-standard port; Communications encrypted; Communications are obfuscated; Standard protocols; Distributed communications; Multiple protocols combined
• Exfiltration: Normal C&C channel; Alternate data channel; Exfiltration over other network medium; Exfiltration over physical medium; Encrypted separately; Compressed separately; Data staged; Automated or scripted data exfiltration; Size limits; Scheduled transfer
| 6 | ATT&CK Matrix: Tactics and Techniques (2015)
Tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Host Enumeration, Lateral Movement, Execution, C2, Exfiltration
• Persistence: Legitimate Credentials; Accessibility Features; AddMonitor; DLL Search Order Hijack; Edit Default File Handlers; New Service; Path Interception; Scheduled Task; Service File Permission Weakness; Serv. Reg. Perm. Weakness; Shortcut Modification; Web shell; … to BIOS; Hypervisor Rootkit; Logon Scripts; Master Boot Record; Mod. Exist’g Service; Registry Run Keys; Windows Mgmt Instr. Event Subsc.; Winlogon Helper DLL
• Privilege Escalation: Legitimate Credentials; Accessibility Features; AddMonitor; DLL Search Order Hijack; Edit Default File Handlers; New Service; Path Interception; Scheduled Task; Service File Permission Weakness; Serv. Reg. Perm. Weakness; Web shell; Bypass UAC; DLL Injection; Exploitation of Vulnerability
• Defense Evasion: Legitimate Credentials; Binary Padding; DLL Side-Loading; Disabling Security Tools; Process Hollowing; File System Logical Offsets; Rootkit; Bypass UAC; DLL Injection; Indicator blocking on host; Indicator removal from tools; Indicator removal from host; Masquerading; NTFS Extended Attributes; Obfuscated Payload; Rundll32; Software Packing; Timestomp
• Credential Access: Credential Dumping; Credentials in Files; Network Sniffing; User Interaction; Credential manipulation
• Host Enumeration: Account enumeration; File system enumeration; Group permission enumeration; Local network connection enumeration; Local networking enumeration; Operating system enumeration; Owner/User enumeration; Process enumeration; Security software enumeration; Service enumeration; Window enumeration
• Lateral Movement: Application deployment software; Exploitation of Vulnerability; Logon scripts; Pass the hash; Pass the ticket; Remote Desktop Protocol; Remote Services; Replication through removable media; Shared webroot; Taint shared content; Windows admin shares; Windows remote management
• Execution: Command Line; File Access; PowerShell; Process Hollowing; Registry; Rundll32; Scheduled Task; Service Manipulation; Third Party Software; Windows management instrumentation; Windows remote management; Scripting
• C2: Commonly used port; Comm through removable media; Custom application layer protocol; Custom encryption cipher; Data obfuscation; Fallback C2 channels; Multiband comm; Multilayer encryption; Peer connections; Standard app layer protocol; Standard non-app layer protocol; Standard encryption cipher; Uncommonly used port
• Exfiltration: Automated or scripted exfiltration; Data compressed; Data encrypted; Data size limits; Data staged; Exfil over C2 channel; Exfil over alternate channel; Exfil over other network medium; Exfil over physical medium; From local system; From network resource; From removable media; Scheduled transfer

| 7 | ATT&CK Matrix: Tactics and Techniques (2016)
Tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command and Control
• Persistence: Accessibility Features; AppInit DLLs; Basic Input/Output System; Bootkit; Change Default File Association; Component Firmware; DLL Search Order Hijacking; Hypervisor; Legitimate Credentials; Local Port Monitor; Logon Scripts; Modify Existing Service; New Service; Path Interception; Redundant Access; Registry Run Keys / Start Folder; Scheduled Task; Security Support Provider; Service File Permissions Weakness; Service Registry Permissions Weakness; Shortcut Modification; Web Shell; Windows Management Instrumentation Event Subscription; Winlogon Helper DLL
• Privilege Escalation: Accessibility Features; AppInit DLLs; Bypass User Account Control; DLL Injection; DLL Search Order Hijacking; Exploitation of Vulnerability; Legitimate Credentials; Local Port Monitor; New Service; Path Interception; Scheduled Task; Service File Permissions Weakness; Service Registry Permissions Weakness; Web Shell
• Defense Evasion: Binary Padding; Bypass User Account Control; Code Signing; Component Firmware; DLL Injection; DLL Search Order Hijacking; DLL Side-Loading; Disabling Security Tools; File Deletion; File System Logical Offsets; Indicator Blocking; Indicator Removal from Tools; Indicator Removal on Host; InstallUtil; Legitimate Credentials; Masquerading; Modify Registry; NTFS Extended Attributes; Obfuscated Files or Information; Process Hollowing; Redundant Access; Regsvcs/Regasm; Regsvr32; Rootkit; Rundll32; Scripting; Software Packing; Timestomp
• Credential Access: Brute Force; Credential Dumping; Credential Manipulation; Credentials in Files; Exploitation of Vulnerability; Input Capture; Network Sniffing; Two-Factor Authentication Interception
• Discovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Local Network Configuration Discovery; Local Network Connections Discovery; Network Service Scanning; Peripheral Device Discovery; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; Security Software Discovery; System Information Discovery; System Owner/User Discovery; System Service Discovery
• Lateral Movement: Application Deployment Software; Exploitation of Vulnerability; Logon Scripts; Pass the Hash; Pass the Ticket; Remote Desktop Protocol; Remote File Copy; Remote Services; Replication Through Removable Media; Shared Webroot; Taint Shared Content; Third-party Software; Windows Admin Shares; Windows Remote Management
• Execution: Command-Line; Execution through API; Graphical User Interface; InstallUtil; PowerShell; Process Hollowing; Regsvcs/Regasm; Regsvr32; Rundll32; Scheduled Task; Scripting; Service Execution; Third-party Software; Windows Management Instrumentation; Windows Remote Management
• Collection: Automated Collection; Clipboard Data; Data Staged; Data from Local System; Data from Network Shared Drive; Data from Removable Media; Email Collection; Input Capture; Screen Capture
• Exfiltration: Automated Exfiltration; Data Compressed; Data Encrypted; Data Transfer Size Limits; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel; Exfiltration Over Other Network Medium; Exfiltration Over Physical Medium; Scheduled Transfer
• Command and Control: Commonly Used Port; Communication Through Removable Media; Custom Command and Control Protocol; Custom Cryptographic Protocol; Data Obfuscation; Fallback Channels; Multi-Stage Channels; Multiband Communication; Multilayer Encryption; Peer Connections; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol; Uncommonly Used Port; Web Service

| 8 | The ATT&CK Model
Consists of:
1. Tactic phases derived from Cyber Attack Lifecycle
2. List of techniques available to adversaries for each phase
3. Possible methods of detection and mitigation
4. Documented adversary use of techniques and software
5. Disambiguation of adversary names
Publicly available adversary information is a problem
– Not granular enough
– Insufficient volume
Image source: US Army, http://www.flickr.com/photos/35703177@N00/3102597630/ Mr. Potato Head is a registered trademark of Hasbro Inc.

| 9 | Example of Technique Details
– Persistence: New Service
– Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying
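The New Service technique described above is the kind of post-compromise behavior the deck proposes to catch with behavioral analytics over host data sources. The following is an added example, not code from the MITRE deck: a small Python analytic that reads Windows System-log service-installation events (Event ID 7045, written by the Service Control Manager) and flags installs whose binary path or launch command looks unlike normal software deployment. The event records, their field names and the heuristics are constructed for this example; they are illustrative rather than an ATT&CK-defined detection.

```python
"""Behavioral analytic for ATT&CK Persistence: New Service (added example).

Scans Windows System-log "service was installed" events (Event ID 7045,
Service Control Manager) and flags installs whose image path or launch
command looks unlike normal software deployment. The records below are
constructed samples; the field names are chosen for this example and do
not follow any vendor schema.
"""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "Windows Update Medic",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "SysHelper",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\syshelper.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV02", "ServiceName": "update",
     "ImagePath": "cmd.exe /c powershell -enc <base64-placeholder>",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SRV02", "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe"',
     "StartType": "auto start", "AccountName": "NT AUTHORITY\\NetworkService"},
    {"EventID": 7045, "Computer": "SRV02", "ServiceName": "VendorSvc",
     "ImagePath": r"C:\Program Files\Vendor Tools\svc.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 4624, "Computer": "SRV02", "LogonType": 3},  # unrelated event, ignored
]

# Locations where installed service binaries normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories any interactive user can write to.
WRITABLE_DIRS = re.compile(r"\\(temp|appdata|users\\public|programdata|downloads)\\", re.I)
# Interpreters and proxies that a legitimate service binary rarely is.
SCRIPT_HOSTS = re.compile(
    r"\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.I)


def binary_path(image_path):
    """Return just the executable from a service ImagePath.

    Quoted paths are taken verbatim; otherwise the text up to the first
    ".exe" is used so that unquoted paths containing spaces stay whole.
    """
    s = image_path.strip()
    quoted = re.match(r'"([^"]+)"', s)
    if quoted:
        return quoted.group(1)
    upto_exe = re.match(r"(.+?\.exe)\b", s, re.I)
    if upto_exe:
        return upto_exe.group(1)
    return s.split(" ", 1)[0]


def assess_service_install(event):
    """Return the reasons a 7045 event looks suspicious (empty list = benign)."""
    reasons = []
    image = event.get("ImagePath", "")
    binary = binary_path(image)
    low = binary.lower()
    if WRITABLE_DIRS.search(low):
        reasons.append("binary in user-writable directory")
    if SCRIPT_HOSTS.search(image):
        reasons.append("service runs a shell or script host")
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("binary outside Windows or Program Files")
    if " " in binary and not image.strip().startswith('"'):
        # Unquoted path with spaces: the service manager may resolve a shorter
        # prefix, the weakness ATT&CK lists as Path Interception.
        reasons.append("unquoted image path containing spaces")
    return reasons


def find_suspicious_services(events):
    """Run the analytic over a stream of events and return alert records."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        reasons = assess_service_install(ev)
        if reasons:
            alerts.append({"Computer": ev["Computer"], "ServiceName": ev["ServiceName"],
                           "ImagePath": ev["ImagePath"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_services(SAMPLE_EVENTS):
        print(f"{alert['Computer']}: {alert['ServiceName']} -> {'; '.join(alert['reasons'])}")
```

Run as-is, the analytic raises three alerts out of five service installs: the Temp-directory binary, the cmd/powershell launch, and the unquoted vendor path, while the svchost-hosted and quoted Program Files services pass. In a real pipeline the same rules would be applied to the 7045 stream from a log forwarder, with the trusted-root and writable-directory lists tuned to the environment's deployment practices.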