MITRE ATT&CK Enterprise Framework
Pete White – Senior Sales Engineer
October 2019
© LogRhythm 2019. All rights reserved. Company Confidential
What is the MITRE ATT&CK Enterprise Framework?
• ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge
• MITRE started the project in 2013 to document common tactics, techniques, and procedures (TTPs) that Advanced Persistent Threat (APT) actors use against Windows enterprise networks
• Network defence through a predominantly endpoint-focused lens
• Based on real-world threat intelligence and Red Team research
• Provides contextual understanding of malicious behaviour and focuses on how adversaries interact with systems during an operation
• Supports testing and analysis of defence options
• Has been expanded to include Linux and macOS coverage
• 11-stage framework of Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command And Control
• Tactics are further broken down into Techniques (223 as of April 2019)
What is the MITRE ATT&CK Enterprise Framework?
Tactics
Techniques
What the MITRE ATT&CK Enterprise Framework Isn’t
• A silver bullet to security
• A replacement for Indicators Of Compromise (IOC) or signature-based techniques
• A replacement for cyber security best practices, e.g.
  - Staff education, adequate physical security, good password hygiene, least privilege modelling, security policies and procedures
• A list of fully achievable objectives
• A static list
• A list of tactics that are followed in a linear order. An adversary could miss out tactics to achieve their goal
• A list of tactics that cover all technologies and/or attack vectors; remember it's network / endpoint focused. For Application tactics check out CAPEC (Common Attack Pattern Enumeration and Classification) as a complement:
  - https://capec.mitre.org/about/attack_comparison.html
• Applicable to all; remember this is APT focused, i.e. State sponsored actors
Where Do I Start?
Threat Perspective – What's Important to your Business?
Sources:
• Deloitte Threat Intelligence & Analysis program
• CISO_Threat-Perspectives_Jacky-Fox_Gina-Dollard_AppSecEU2018.pptx
(Original slide: three columns, each item rated by level of concern High / Med / Low; the ratings are shown by colour on the slide and are not recoverable from the text.)
TOP THREAT SCENARIOS
• Ransomware takes applications hostage
• Malware targeting company devices or applications to reach clients
• Data breach
• GDPR compliance
• Legacy technology fails to provide adequate protection and stability in the face of new attacks
• Unaddressed Software Vulnerabilities
• Cyber espionage
TOP ATTACK VECTORS
• Phishing
• Web Application Attacks
• Spam
• Physical actions
• Exploit kits
• Data breaches
• Ransomware
• Botnets
• Social engineering
• Network Devices Misconfiguration
• Firewall Misconfiguration
• Disruption of Communications (DDOS)
• Malware
TOP ADVERSARY GROUPS
• Corporate espionage groups
• Organized crime groups
• Insider
• Nation state entity
• Lone-wolf cyber criminals
• Hacktivists
• Script Kiddie
• Researcher/journalist
Where Do I Start?
Top 10 ATT&CK Techniques by Prevalence
• PowerShell was a component of 1,774 confirmed threats
Source: Red Canary Threat Detection Report - 2019
Where Do I Start?
Top 10 ATT&CK Techniques by Industry
Source: Red Canary Threat Detection Report - 2019
Log Sources
• Windows Event Logs (Security, PowerShell)
• Linux Event Logs
• MacOS Event Logs (if applicable)
• Windows Sysmon and/or EDR (e.g. Carbon Black / Cylance)
• Firewalls & Routers
• IDS/IPS
• Web Proxy
• VPN
• DNS
• DHCP
• Mail Logs
• DLP
• Identity/Authentication (AD/LDAP/Radius)
• Anti-Virus
• LogRhythm Network Monitor/Netflow or 3rd Party product
• LogRhythm File Integrity Monitor and/or 3rd Party product
• LogRhythm Process Monitor and/or EDR (e.g. Carbon Black / Cylance)
• LogRhythm Registry Monitor (Windows) and/or EDR (e.g. Carbon Black / Cylance)
• Database Logs
• Cloud Infrastructure Audit logs (AWS CloudTrail, Azure Event Hubs, Google Cloud)
• Office 365
Minimum requirements for LogRhythm MITRE ATT&CK Module functionality
Going Beyond the Module Content
Useful Resources For Windows
From: https://www.malwarearchaeology.com/cheat-sheets
Windows Cheat Sheets
• The Windows Logging Cheat Sheet
• The Windows Advanced Logging Cheat Sheet
• The Windows File Auditing Logging Cheat Sheet
• The Windows Registry Auditing Logging Cheat Sheet
• The Windows PowerShell Logging Cheat Sheet
• The Windows Sysmon Logging Cheat Sheet (coming soon)
MITRE ATT&CK Cheat Sheets
• The Windows ATT&CK Logging Cheat Sheet
Useful Resources For Linux
• A Linux Auditd rule set mapped to MITRE's ATT&CK Framework:
  - https://github.com/bfuzzy/auditd-attack
Testing & Validation
Testing & Validation - Overview
• The ATT&CK framework is built upon the notion of validation: organisations run regular assessments against ATT&CK tactics to measure the performance of their threat hunting, breach detection and incident response procedures against the latest attack techniques.
• A scenario-based assessment exercise aligned to the MITRE ATT&CK framework will typically follow the process below:
• Red Team
  1. Identify TTPs to test
  2. Gather information about technologies and processes in place at the target organisation
  3. Devise an attack scenario using the selected TTPs
  4. Launch the attack to simulate the threat
• Blue Team
  5. Detect and respond to the TTPs
• Red & Blue Team Validation Review
  6. Evaluate the performance of both teams and improve processes / detection capabilities
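Step 6 is where the exercise produces something measurable. The Python below is an added example written for this page (not from the deck or from LogRhythm) of one way to score the review: it takes a constructed scenario (which techniques the red team exercised, under which tactic) and a constructed blue-team record (minutes until each technique raised an alert, and which of MITRE's detection kinds it was detected as), then reports per-tactic coverage, detections within a time target, and which missed techniques to work on first. Technique IDs are the 2019 (pre-sub-technique) Enterprise ATT&CK IDs; the scenario, results and 30-minute target are assumptions made for the example.

```python
"""Scoring a red/blue ATT&CK assessment (added example, not LogRhythm code).

All inputs are constructed for illustration: the red team's scenario and the
blue team's detection record. Technique IDs are 2019 pre-sub-technique
Enterprise ATT&CK IDs.
"""
from collections import OrderedDict

# Constructed scenario: tactic -> techniques the red team exercised under it.
SCENARIO = OrderedDict([
    ("Initial Access",   ["T1189"]),                   # Drive-by Compromise
    ("Execution",        ["T1086", "T1047"]),          # PowerShell, WMI
    ("Persistence",      ["T1060", "T1050"]),          # Run Keys / Startup Folder, New Service
    ("Discovery",        ["T1007", "T1033", "T1057"]), # services, owner/user, processes
    ("Lateral Movement", ["T1077"]),                   # Windows Admin Shares
    ("Exfiltration",     ["T1048"]),                   # Exfiltration Over Alternative Protocol
])

# Constructed blue-team record: technique -> (minutes until an alert, detection kind).
# Detection kinds follow MITRE's five: Telemetry, Indicator of Compromise, Enrichment,
# General Behavior, Specific Behavior. Techniques absent here were not detected at all.
DETECTIONS = {
    "T1086": (2, "Specific Behavior"),
    "T1047": (5, "General Behavior"),
    "T1060": (12, "Telemetry"),
    "T1007": (1, "Specific Behavior"),
    "T1033": (1, "General Behavior"),
    "T1077": (40, "Telemetry"),
}


def evaluate(scenario, detections, sla_minutes=30):
    """Per-tactic scorecard: techniques tested, detected, detected within the SLA,
    detected as Specific Behavior, and those missed outright."""
    report = OrderedDict()
    for tactic, techniques in scenario.items():
        detected = [t for t in techniques if t in detections]
        within = [t for t in detected if detections[t][0] <= sla_minutes]
        specific = [t for t in detected if detections[t][1] == "Specific Behavior"]
        report[tactic] = {
            "tested": len(techniques),
            "detected": len(detected),
            "within_sla": len(within),
            "specific": len(specific),
            "missed": [t for t in techniques if t not in detections],
            "coverage": len(detected) / len(techniques),
        }
    return report


def overall_coverage(report):
    """Fraction of all exercised techniques that produced any detection."""
    tested = sum(r["tested"] for r in report.values())
    detected = sum(r["detected"] for r in report.values())
    return detected / tested if tested else 0.0


def prioritized_gaps(report):
    """Missed techniques, weakest tactic first, so detection engineering starts
    where the blue team is blindest (stable sort keeps scenario order on ties)."""
    ordered = sorted(report.items(), key=lambda kv: kv[1]["coverage"])
    return [t for _, r in ordered for t in r["missed"]]


if __name__ == "__main__":
    rep = evaluate(SCENARIO, DETECTIONS)
    for tactic, r in rep.items():
        print(f"{tactic:17} tested={r['tested']} detected={r['detected']} "
              f"within_sla={r['within_sla']} missed={r['missed']}")
    print("overall coverage:", round(overall_coverage(rep), 2))
    print("work on first:", prioritized_gaps(rep))
```

Separating "detected" from "detected within SLA" matters: in the constructed data the Lateral Movement technique was caught, but 40 minutes after execution, which a pure coverage number would hide.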
Testing & Validation – (Open Source) Tools
Threat Hunter Playbook:
• https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
Atomic Red Team:
• https://redcanary.com/atomic-red-team/
MITRE Caldera:
• https://github.com/mitre/caldera
Endgame Red Team Automation:
• https://github.com/endgameinc/RTA
Uber Metta:
• https://github.com/uber-common/metta
Disclaimer: LogRhythm does not provide any recommendation as to the suitability of the tools listed above. They are listed here for educational purposes only. Please validate any selected tools according to your own business application security practices.
Links & Resources
Links & Resources
MITRE ATT&CK Website:
• https://attack.mitre.org/
MITRE ATT&CK Navigator:
• https://mitre-attack.github.io/attack-navigator/enterprise/
Building MITRE ATT&CK Technique Detection into Your Security Monitoring Environment:
• https://logrhythm.com/webcasts/uws-building-mitre-attack-technique-detection/
Prioritizing the Remediation of MITRE ATT&CK Framework Gaps:
• https://blog.netspi.com/prioritizing-the-remediation-of-mitre-attck-framework-gaps/
Red Canary – Threat Detection Report 2019:
• https://redcanary.com/resources/guides/threat-detection-report/
ATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework:
• https://cj.msu.edu/assets/ICC-2018-PPT-Kopacsi.pdf
Verizon Data Breach Investigations Report 2018:
• https://enterprise.verizon.com/verizon-insights-lab/dbir/tool/
ATT&CK Tools:
• https://github.com/nshalabi/ATTACK-Tools
ATT&CK Framework Board:
• https://attack.mitre.org/docs/ATTACK_Framework_Board_4x3.pdf
Utilizing the Framework in LogRhythm
LogRhythm Threat Lifecycle -> ATT&CK Tactics Mapping
Current Capabilities
• LogRhythm is capable of detecting a high percentage of the ATT&CK techniques*
  - Dependent on applicable log sources being available
  - Existing content may detect an ATT&CK technique being executed, but most likely the detection will not be specific to that technique
  - MITRE define detection in five different ways:
    > Telemetry
    > Indicator of Compromise
    > Enrichment
    > General Behavior
    > Specific Behavior
• Today, we can detect ATT&CK techniques through General Behavior (i.e. Cyberattack Lifecycle aligned), Enrichment, Indicator of Compromise and Telemetry
* Some Techniques are not log based, e.g. System Firmware
LogRhythm MITRE ATT&CK Module
The LogRhythm MITRE ATT&CK Module
• Released in April 2019. Contains 18 new AI Engine rules:
AI Rule ID | AI Rule Name | Log Sources Recommended
1449 | Credential Access : Credential Dumping | LogRhythm File Monitor (Windows); LogRhythm Process Monitor (Windows); LogRhythm Registry Integrity Monitor; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1452 | Discovery : System Service Discovery | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9
1453 | Discovery : Query Registry | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9
1454 | Discovery : System Network Configuration Disc | MS Windows Event Logging XML - Security
1455 | Discovery : System Owner-User Discovery | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1456 | Exfiltration : Exfiltration Over Alt Protocol | Network Devices
1457 | Discovery : Remote System Discovery | LogRhythm File Monitor (Windows); LogRhythm Process Monitor (Windows); MS Windows Event Logging XML - Sysmon 8/9
The LogRhythm MITRE ATT&CK Module (continued)
AI Rule ID | AI Rule Name | Log Sources Recommended
1459 | Multiple : New Service | LogRhythm Registry Integrity Monitor; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1460 | Persistence : Registry Run Keys/Startup Folder | MS Windows Event Logging XML - Sysmon 8/9
1461 | Multiple : Scripting | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1462 | Lateral Movement : Windows Admin Shares | MS Windows Event Logging - PowerShell
1463 | Discovery : System Information Discovery | MS Windows Event Logging - PowerShell
1464 | Execution : PowerShell | MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1465 | Execution : Execution through API | Antivirus, IDS, EDR solutions
1466 | Initial Access : Drive-By Compromise | LogRhythm File Integrity Monitor
1467 | Discovery : Process Discovery | MS Windows Event Logging XML - Security
1468 | Execution : Windows Mgmt Instrumentation | MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9; MS Windows Event Logging - PowerShell
1469 | Defense Evasion : Timestomp | MS Windows Event Logging XML - Sysmon 8/9
Note: Rule names and content may be subject to change prior to release
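As an added illustration of what rules like these consume from the Sysmon and PowerShell log sources in the table (example code written for this page, not LogRhythm AI Engine logic), the Python below tags constructed Sysmon process-creation and PowerShell script-block events with rule IDs and names taken from the table. The matching predicates are simple approximations chosen for the example and say nothing about how the real rules are written; the technique IDs are the 2019 pre-sub-technique Enterprise ATT&CK IDs; every sample event is constructed.

```python
"""Tagging constructed Windows events with ATT&CK-module rule names (added example).

Rule IDs and names are copied from the slide's table; technique IDs are the
2019 pre-sub-technique Enterprise ATT&CK IDs; the predicates are this
example's own approximations, not LogRhythm's rule logic.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str              # "Sysmon" or "PowerShell"
    event_id: int            # Sysmon 1 = process create; PowerShell 4104 = script block
    image: str = ""          # full path of the created process (Sysmon)
    command_line: str = ""   # process command line (Sysmon)
    script_block: str = ""   # script text (PowerShell 4104)


def image_is(*names):
    """Predicate: the process image's file name is one of `names`."""
    return lambda e: e.image.lower().rsplit("\\", 1)[-1] in names


def cmd_has(pattern):
    """Predicate: the command line matches `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: bool(rx.search(e.command_line))


def both(*preds):
    return lambda e: all(p(e) for p in preds)


def powershell_used(e):
    """PowerShell seen either as a created process or as a 4104 script-block record."""
    return image_is("powershell.exe")(e) or (e.source == "PowerShell" and e.event_id == 4104)


# (AI rule ID, AI rule name, technique ID, predicate)
RULES = [
    (1464, "Execution : PowerShell", "T1086", powershell_used),
    (1452, "Discovery : System Service Discovery", "T1007",
     both(image_is("sc.exe"), cmd_has(r"\bquery\b"))),
    (1453, "Discovery : Query Registry", "T1012",
     both(image_is("reg.exe"), cmd_has(r"\bquery\b"))),
    (1454, "Discovery : System Network Configuration Disc", "T1016",
     image_is("ipconfig.exe", "netsh.exe")),
    (1455, "Discovery : System Owner-User Discovery", "T1033", image_is("whoami.exe")),
    (1463, "Discovery : System Information Discovery", "T1082", image_is("systeminfo.exe")),
    (1467, "Discovery : Process Discovery", "T1057", image_is("tasklist.exe")),
    (1468, "Execution : Windows Mgmt Instrumentation", "T1047", image_is("wmic.exe")),
    (1461, "Multiple : Scripting", "T1064", image_is("wscript.exe", "cscript.exe")),
]


def tag_event(event):
    """Return the (rule_id, technique_id) pairs whose predicate matches this event."""
    return [(rid, tid) for rid, _, tid, pred in RULES if pred(event)]


def technique_counts(events):
    """Technique -> number of events tagged with it across a batch."""
    counts = {}
    for ev in events:
        for _, tid in tag_event(ev):
            counts[tid] = counts.get(tid, 0) + 1
    return counts


def rules_exercised(events):
    """Sorted IDs of the rules that fired at all; useful when replaying an assessment's telemetry."""
    return sorted({rid for ev in events for rid, _ in tag_event(ev)})


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("Sysmon", 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    Event("Sysmon", 1, r"C:\Windows\System32\sc.exe", "sc query"),
    Event("Sysmon", 1, r"C:\Windows\System32\sc.exe", "sc start Spooler"),      # not discovery
    Event("Sysmon", 1, r"C:\Windows\System32\reg.exe",
          r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    Event("Sysmon", 1, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    Event("Sysmon", 1, r"C:\Windows\System32\notepad.exe", "notepad.exe"),      # benign, no tag
    Event("PowerShell", 4104, script_block="Get-Service | Where-Object Status -eq Running"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.source, ev.event_id, ev.image or ev.script_block[:30], "->", tag_event(ev))
    print(technique_counts(SAMPLE_EVENTS))
    print(rules_exercised(SAMPLE_EVENTS))
```

Two things the sample shows that the table alone does not: a rule tied to a discovery technique should key on the verb, not just the binary (`sc start` is routine, `sc query` is the discovery case), and a single technique such as PowerShell can be reached from two different log sources, which is why the table lists both PowerShell and Sysmon for rule 1464.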