Cyber Threat Intelligence: A Team Sport
Collaborative Analytic Development
John Wunder, The MITRE Corporation
© 2017 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 17-4328

Indicators of compromise are great
[Figure: four ISAO members (A, B, C, D) under attack. Member A: "Look out for this IP, it's bad!" Member B: "Ha ha, blocked!"]

Analytics move up the (obligatory) pyramid of pain
David J. Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

What's an analytic, really?
Indicators: fewer false positives, more atomic, higher quantity
Analytics: more false positives, broader, lower quantity
Example analytic: reg.exe called from command shell

We need an organizing framework.
Analytics are great, but they need to be put into the context of which adversary technique they detect.
• How do you know which ones you need?
• If you have some analytics shared with you, how do you know whether they're additive or duplicative?
• If you see a new technique being used in a threat report, how do you know if your current set of analytics will cover it?

ATT&CK™ is a MITRE-developed, globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of adversaries' operations against computer networks.

What's in ATT&CK?
1. List of techniques used by adversaries for each phase of the kill chain
2. Possible methods of detection and mitigation
3. Published references of adversary use of techniques
Image source: www.hasbro.com. Mr. Potato Head is a registered trademark of Hasbro Inc.
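The "reg.exe called from command shell" example analytic above, written out as an added example (not code from the presentation) and run over constructed process-creation events. It treats "command shell" as cmd.exe (my assumption) and carries the analytic together with the ATT&CK technique names from the matrix, which is the context the slides say every analytic needs.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 / Windows 4688 style fields)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# The analytic, stored with its ATT&CK context. Technique names are the ones that
# appear in the matrix on the page; treating "command shell" as cmd.exe is an assumption.
ANALYTIC = {
    "name": "reg.exe called from command shell",
    "parent_images": {"cmd.exe"},
    "child_image": "reg.exe",
    "techniques": ["Query Registry", "Modify Registry", "Registry Run Keys / Start Folder"],
}


def _basename(path: str) -> str:
    # Windows paths are case-insensitive and reg.exe lives in both System32 and
    # SysWOW64, so compare only the lower-cased file name, not the full path.
    return ntpath.basename(path).lower()


def event_matches(event: ProcessEvent, analytic: dict = ANALYTIC) -> bool:
    """Behavioural match: a reg.exe child whose parent is one of the listed shells."""
    return (_basename(event.image) == analytic["child_image"]
            and _basename(event.parent_image) in analytic["parent_images"])


def run_analytic(events, analytic: dict = ANALYTIC) -> list:
    """Return one alert per matching event, tagged with the technique context."""
    return [{"host": e.host, "command_line": e.command_line,
             "analytic": analytic["name"], "techniques": analytic["techniques"]}
            for e in events if event_matches(e, analytic)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
                 r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe",
                 "reg.exe import settings.reg"),           # not from a shell: no alert
    ProcessEvent("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe",
                 "ipconfig /all"),                         # shell, but not reg.exe
    ProcessEvent("ws02", r"C:\WINDOWS\SYSTEM32\CMD.EXE", r"C:\Windows\SysWOW64\reg.exe",
                 r"REG QUERY HKLM\SYSTEM\CurrentControlSet\Services /s"),  # case/path variant
]

if __name__ == "__main__":
    for alert in run_analytic(SAMPLE_EVENTS):
        print(alert)
```

Because the match is on parent/child behaviour rather than a hash or IP, it also fires for the upper-case SysWOW64 variant; the price, as the slide notes, is that legitimate admin use of reg.exe from a shell is a false positive to be tuned out.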
[Figure: the ATT&CK Enterprise matrix, repeated across three consecutive slides, with tactic columns Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, and Command and Control, each listing its techniques (for example Registry Run Keys / Start Folder, Credential Dumping, Query Registry, Pass the Hash, PowerShell, Scheduled Task, Remote File Copy). The captions overlaid on the matrix are reproduced below.]

ATT&CK is
• grounded in empirical data from cyber incidents
• Enables pivoting between red team and blue team
• Decouples the problem from the solution
• Transforms thinking by focusing on post-exploit adversary behavior

Use ATT&CK to understand your defense
1. Define your threat model
2. Document and assess your coverage
3. Identify gaps
4. Fill gaps