
Page 1

© 2015 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited. Case Number 15-1288

Blake Strom

August 2015

Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™)

Page 2

Cyber Attack Lifecycle

Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain

Traditional CND: left of exploit (Recon through Exploit)

ATT&CK: right of exploit (Control, Execute, Maintain)

Better understand tactics used by the adversary already operating within a network


Page 3

Threat Based Modeling

• Cyber threat analysis
• Research
• Industry reports

Adversary Behavior

• Adversary model
• Post-access techniques

ATT&CK

Enterprise Defense

• Data sources
• Analytics
• Prioritization


Page 4

Cyber Attack Lifecycle – Enhanced

• Threat data informed adversary model
• Higher fidelity on right-of-exploit, post-access phases
• Describes behavior sans adversary tools

Post-exploit tactics: Persistence, Privilege Escalation, Credential Access, Host Enumeration, Defense Evasion, Lateral Movement, Execution, Command and Control, Exfiltration


Page 5

ATT&CK Adversary Model

Consists of:

1. Decomposed post-exploit phases of Cyber Attack Lifecycle
2. List of techniques available to adversaries for each phase
3. Possible methods of detection and mitigation
4. Apply documented adversary use of techniques

Publicly available adversary information is a problem

– Not granular enough
– Insufficient volume

[Image: Mr. Potato Head. Image source: www.mrpotatohead.net. Mr. Potato Head is a registered trademark of Hasbro Inc.]


Page 6

Use of Public Adversary Information

Publicly reported adversary group and tool coverage:

– 16 groups and counting. Examples: APT28, APT30, DarkHotel, Hurricane Panda, Ke3chang, Cleaver, Axiom

– 30 tools and counting. Examples: Mimikatz, PsExec, dsquery, Hikit, PlugX, Poison Ivy


Page 7

Technique Details

Persistence – New Service

– Description: Installation of a new service. May use service name from previous or newer OS or create entirely new service name.

– Platform: Windows

– Permissions required: Administrator, SYSTEM

– Effective permissions: SYSTEM

– Use: Part of initial infection vector or used during operation to locally or remotely execute persistent malware.

– Detection: Monitor new service creation. Look for out of the ordinary service names and activity that does not correlate with known-good software, patches, etc. New services may show up as outlier processes that have not been seen before when compared against historical data.

– Data Sources: Windows Registry, process information
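The detection guidance above (monitor service creation, compare against known-good software, flag outliers) can be turned into a simple analytic. The following is an added example, not code from the MITRE slides or from ATT&CK: it runs over records shaped like Windows System log Event ID 7045 ("A service was installed in the system", written by the Service Control Manager on service creation), checks each new service against a historical baseline, and flags the outlier patterns a New Service persistence attempt tends to produce. The baseline, the sample events and the dictionary field names are constructed for this example.

```python
"""Detection analytic for the ATT&CK 'New Service' persistence technique.

Added example (not from the MITRE slides). It applies the slide's detection
guidance to Windows System log records of Event ID 7045, which the Service
Control Manager writes when a service is installed. The known-good baseline,
the sample records and their field names are constructed for this example.
"""
import re
from dataclasses import dataclass, field

EVENT_SERVICE_INSTALLED = 7045  # System log, provider "Service Control Manager"

# Constructed known-good baseline: (service name, normalised image path) pairs
# seen historically. In practice it is built from prior 7045 events or from
# snapshots of HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
BASELINE = {
    ("wuauserv", r"c:\windows\system32\svchost.exe -k netsvcs -p"),
    ("spooler", r"c:\windows\system32\spoolsv.exe"),
    ("ccmexec", r"c:\windows\ccm\ccmexec.exe"),
}

# Directories a legitimately installed service binary almost never lives in.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public)\\", re.I)
# Service "binaries" that are really an interpreter launching something else.
INTERPRETER = re.compile(
    r"\\(cmd|powershell|rundll32|regsvr32|mshta|wscript|cscript)\.exe\b", re.I)


@dataclass
class Finding:
    host: str
    service: str
    image_path: str
    reasons: list = field(default_factory=list)


def normalise(path):
    """Lower-case, drop quotes and collapse whitespace so baseline lookups are stable."""
    return " ".join(path.replace('"', "").lower().split())


def analyse(events, baseline=BASELINE):
    """Return one Finding per service-install event that is not in the baseline."""
    known_names = {name for name, _ in baseline}
    findings = []
    for ev in events:
        if ev["event_id"] != EVENT_SERVICE_INSTALLED:
            continue  # only service installs matter here, not state changes
        name = ev["service_name"].lower()
        path = normalise(ev["image_path"])
        if (name, path) in baseline:
            continue  # seen before with this exact binary: nothing to report
        f = Finding(ev["host"], ev["service_name"], ev["image_path"])
        if name in known_names:
            f.reasons.append("known service name with a different image path (possible masquerading)")
        else:
            f.reasons.append("service name not in historical baseline")
        if USER_WRITABLE.search(path):
            f.reasons.append("image path under a user-writable directory")
        if INTERPRETER.search(path):
            f.reasons.append("image path is an interpreter or LOLBin rather than a service binary")
        if ev.get("start_type", "").lower() == "auto start":
            f.reasons.append("auto start: survives reboot")
        findings.append(f)
    return findings


# Constructed sample batch, shaped like 7045 records exported from the System log.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service_name": "wuauserv",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "start_type": "auto start", "account": "LocalSystem"},
    {"host": "ws01", "event_id": 7036, "service_name": "Spooler",
     "image_path": "", "start_type": ""},  # state change, not an install
    {"host": "ws02", "event_id": 7045, "service_name": "WindowsUpdateHelper",
     "image_path": r"C:\Users\bob\AppData\Local\Temp\wuhelper.exe",
     "start_type": "auto start", "account": "LocalSystem"},
    {"host": "ws03", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\ProgramData\spoolsv.exe",
     "start_type": "auto start", "account": "LocalSystem"},
    {"host": "ws04", "event_id": 7045, "service_name": "CorpSync",
     "image_path": r'"C:\Windows\System32\cmd.exe" /c start /b C:\ProgramData\sync.bat',
     "start_type": "demand start", "account": "LocalSystem"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host}: {f.service} -> {f.image_path}")
        for r in f.reasons:
            print("   -", r)
```

On the sample batch the baseline entry (wuauserv) and the 7036 state-change record are ignored; the three remaining installs are reported with their reasons. The name-collision check is what separates "a new service" from "a known service name pointing at a new binary", which is the masquerading variant the slide's description (reuse of a service name from another OS version) alludes to.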


Page 8

ATT&CK: The Tactics and Techniques

Matrix of techniques by tactic (a technique that appears under more than one tactic is listed under each):

Persistence (20): Accessibility Features, AddMonitor, BIOS, DLL Search Order Hijack, Edit Default File Handlers, Hypervisor Rootkit, Legitimate Credentials, Logon Scripts, Master Boot Record, Modify Existing Service, New Service, Path Interception, Registry Run Keys, Scheduled Task, Service File Permission Weakness, Service Registry Permission Weakness, Shortcut Modification, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation (14): Accessibility Features, AddMonitor, Bypass UAC, DLL Injection, DLL Search Order Hijack, Edit Default File Handlers, Exploitation of Vulnerability, Legitimate Credentials, New Service, Path Interception, Scheduled Task, Service File Permission Weakness, Service Registry Permission Weakness, Web Shell

Credential Access (5): Credential Dumping, Credential Manipulation, Credentials in Files, Network Sniffing, User Interaction

Host Enumeration (11): Account enumeration, File system enumeration, Group permission enumeration, Local network connection enumeration, Local networking enumeration, Operating system enumeration, Owner/User enumeration, Process enumeration, Security software enumeration, Service enumeration, Window enumeration

Defense Evasion (19): Binary Padding, Bypass UAC, DLL Injection, DLL Side-Loading, Disabling Security Tools, File System Logical Offsets, Indicator blocking on host, Indicator removal from tools, Indicator removal from host, Legitimate Credentials, Masquerading, NTFS Extended Attributes, Obfuscated Payload, Process Hollowing, Rootkit, Rundll32, Scripting, Software Packing, Timestomp

Lateral Movement (14): Application deployment software, Exploitation of Vulnerability, Logon scripts, Pass the hash, Pass the ticket, Peer connections, Remote Desktop Protocol, Remote Services, Replication through removable media, Shared webroot, Taint shared content, Windows admin shares, Windows Management Instrumentation, Windows Remote Management

Execution (11): Command Line, File Access, PowerShell, Process Hollowing, Registry, Rundll32, Scheduled Task, Service Manipulation, Third Party Software, Windows Management Instrumentation, Windows Remote Management

Command and Control (13): Commonly used port, Communication through removable media, Custom application layer protocol, Custom encryption cipher, Data obfuscation, Fallback channels, Multiband communication, Multilayer encryption, Peer connections, Standard application layer protocol, Standard encryption cipher, Standard non-application layer protocol, Uncommonly used port

Exfiltration (13): Automated or scripted exfiltration, Data compressed, Data encrypted, Data size limits, Data staged, Exfil over C2 channel, Exfil over alternate channel to C2 network, Exfil over other network medium, Exfil over physical medium, From local system, From network resource, From removable media, Scheduled transfer


Page 9

Applications

Gap analysis with current defenses

Prioritize detection/mitigation of heavily used techniques

Information sharing

Track a specific adversary’s set of techniques

Simulations, exercises

New technologies, research


Page 10

Tactic Breakdown (number of techniques per tactic)

Persistence: 20
Privilege Escalation: 14
Credential Access: 5
Host Enumeration: 11
Defense Evasion: 19
Lateral Movement: 14
Execution: 11
Command and Control: 13
Exfiltration: 13


Page 11

Publicly Known Adversary Use (techniques per tactic, and how many of them have publicly reported adversary use)

Persistence: 20 techniques, 5 with public use
Privilege Escalation: 14 techniques, 4 with public use
Credential Access: 5 techniques, 3 with public use
Host Enumeration: 11 techniques, 8 with public use
Defense Evasion: 19 techniques, 12 with public use
Lateral Movement: 14 techniques, 6 with public use
Execution: 11 techniques, 5 with public use
Command and Control: 13 techniques, 10 with public use
Exfiltration: 13 techniques, 4 with public use


Page 12

Publicly Reported Technique Use

[Matrix figure: the Page 8 tactic/technique matrix with the techniques that have publicly reported adversary use highlighted.]


Page 13


Notional Defense Gaps

[Matrix figure: the Page 8 tactic/technique matrix with each technique color-coded by a notional defender's detection capability. Legend: Detect / Partially Detect / No Detect.]
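Pages 9 through 13 describe one procedure: count techniques per tactic, overlay publicly reported adversary use, overlay the defender's detection coverage, and prioritize the techniques that adversaries are known to use but the defender cannot see. The following is an added example that carries that procedure through in code; it is not MITRE's tooling. The matrix subset is taken from the Page 8 matrix, but the group-to-technique mapping and the Detect / Partially Detect / No Detect ratings are constructed placeholders, not MITRE's data.

```python
"""Gap analysis over an ATT&CK-style tactic/technique matrix.

Added example (not from the MITRE slides). It reproduces the two figures of
the 'Publicly Known Adversary Use' slide (techniques per tactic, and how many
have reported use) and ranks techniques the way the 'Notional Defense Gaps'
slide suggests: reported use weighted by how poorly the technique is detected.
The matrix subset follows the 2015 matrix; REPORTED_USE and COVERAGE are
constructed placeholders.
"""
from collections import defaultdict

DETECT, PARTIAL, NONE = 2, 1, 0  # the slide's three-level legend as a score

# Technique -> tactics it appears under (subset of the Page 8 matrix).
MATRIX = {
    "New Service": ["Persistence", "Privilege Escalation"],
    "Registry Run Keys": ["Persistence"],
    "Credential Dumping": ["Credential Access"],
    "Pass the Hash": ["Lateral Movement"],
    "Windows Admin Shares": ["Lateral Movement"],
    "Standard App Layer Protocol": ["Command and Control"],
    "Exfil over C2 Channel": ["Exfiltration"],
    "Timestomp": ["Defense Evasion"],
}

# Constructed placeholder: hypothetical groups publicly reported using each
# technique. Real values come from the threat reporting the slides describe.
REPORTED_USE = {
    "New Service": {"GroupA", "GroupB"},
    "Credential Dumping": {"GroupA", "GroupB", "GroupC"},
    "Pass the Hash": {"GroupB"},
    "Standard App Layer Protocol": {"GroupA", "GroupC"},
    "Exfil over C2 Channel": {"GroupC"},
}

# Constructed placeholder coverage ratings; a technique missing here is NONE.
COVERAGE = {
    "New Service": PARTIAL,
    "Registry Run Keys": DETECT,
    "Credential Dumping": NONE,
    "Pass the Hash": NONE,
    "Standard App Layer Protocol": PARTIAL,
    "Timestomp": NONE,
}


def tactic_breakdown(matrix=MATRIX, reported=REPORTED_USE):
    """Per tactic: (number of techniques, number with public adversary use)."""
    counts = defaultdict(lambda: [0, 0])
    for technique, tactics in matrix.items():
        for tactic in tactics:  # a shared technique counts under each tactic
            counts[tactic][0] += 1
            if reported.get(technique):
                counts[tactic][1] += 1
    return {tactic: tuple(v) for tactic, v in counts.items()}


def prioritise(matrix=MATRIX, reported=REPORTED_USE, coverage=COVERAGE):
    """Rank techniques by detection gap times breadth of reported use.

    Returns (technique, score, gap, groups) tuples, highest priority first.
    Fully detected techniques and techniques with no reported use score 0 and
    sink to the bottom; ties are broken by larger gap, then more groups, then name.
    """
    rows = []
    for technique in matrix:
        groups = len(reported.get(technique, ()))
        gap = DETECT - coverage.get(technique, NONE)  # 0 (detected) .. 2 (blind)
        rows.append((technique, gap * groups, gap, groups))
    rows.sort(key=lambda r: (-r[1], -r[2], -r[3], r[0]))
    return rows


def tactic_gap_report(matrix=MATRIX, reported=REPORTED_USE, coverage=COVERAGE):
    """Per tactic: number of techniques with reported use that are not detected at all."""
    blind = defaultdict(int)
    for technique, tactics in matrix.items():
        if reported.get(technique) and coverage.get(technique, NONE) == NONE:
            for tactic in tactics:
                blind[tactic] += 1
    return dict(blind)


if __name__ == "__main__":
    for tactic, (total, used) in tactic_breakdown().items():
        print(f"{tactic:22s} {total:2d} techniques, {used:2d} with reported use")
    print()
    for technique, score, gap, groups in prioritise():
        print(f"{score:2d}  gap={gap} groups={groups}  {technique}")
```

With the placeholder data, Credential Dumping ranks first (three groups use it and nothing detects it), while Registry Run Keys sinks to the bottom because it is already detected, matching the slide's point that prioritization should follow heavily used techniques the defender cannot see.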

Page 14


Adversary Visibility at the Perimeter

[Matrix figure: the Page 8 tactic/technique matrix with each technique color-coded by how visible it is to perimeter (network) sensors. Legend: Full Visibility / Partial Visibility / No Visibility.]

Page 15

Adversary has the most latitude for variation at the network level

• Firewall, IDS/IPS, netflow, proxy, mail gateway, WCF, SSL MitM, protocol decoders, anomaly detection, etc.
– All partial solutions
– Don't add up to a complete one

• Often require specific prior knowledge
– IPs, domains, malware changed easily
– Sector- or organization-specific infrastructure
– Frequently modified tools
– Use of legitimate channels

• Better coverage with host sensing

Adversary Visibility at the Perimeter

[Matrix figure: the Command and Control, Exfiltration and Defense Evasion columns of the Page 8 matrix, color-coded by visibility to perimeter sensors. Legend: Full Visibility / Partial Visibility / No Visibility.]

Page 16

Public Website – attack.mitre.org


Page 17

Questions?

More information:

attack.mitre.org

Questions and contributions:

[email protected]

Twitter:

@MITREattack
