Upload File

how to map mitre att&ck techniques€¦ · bridging the gap between theory and implementation...

  • Home
  • Documents
  • How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and
12
How to Map MITRE ATT&CK Techniques: Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering

Upload: others

Post on 14-Jul-2020

8 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques:

Bridging the Gap between Theory and Implementation

Steve Rivers, Director, Threat Intelligence Engineering

Page 2: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

Contents

3 MITRE ATT&CK and ThreatQ

3 MITRE ATT&CK Mapping

4 ThreatQMITREMapperConfiguration

5 AThreatHuntingExampleUsingMITREMapper

11 Conclusion

Page 3: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 3www.threatquotient.com

MITRE ATT&CK and ThreatQ

TheMITREATT&CKframeworkcontainsatremendousamountofdatathatcanprovevaluableinarangeofusecases,includingspearphishing,threathunting,incidentresponse,vulnerabilitymanagementandalerttriage.TomaketheinformationcontainedwithintheMITREATT&CKframeworkactionablefortheseusecases,ThreatQuotientintegratescomponentsoftheframeworkintotheThreatQplatformtoprovidethefollowingcapabilities:

z EnableinvestigationsthatoriginatewithcomponentsfromtheMITREATT&CKframework,suchastechniques.

z AutomaticallybuildrelationshipsbetweenMITREATT&CKdataandotherusefulpiecesofthreatdata.

z Automaticallymapthreatdatafrominternalsources(e.g.,SIEM,ticketing,emailgateway)andexternalsources(e.g.,feeds)withMITREATT&CKtechniques.

z Storehistoricalthreathuntinginvestigations,dataandlearningsandautomaticallyassociatethesewithrelatedcomponentsoftheMITREATT&CKframework.

Theintegrationenablessecurityoperationsteamstotakefulladvantageoftheframework,whileworkingwithintheThreatQplatform,toproactivelyandcollaborativelyacceleratedetectionandresponse.

MITRE ATT&CK Mapping

TheMITREATT&CKframeworkisahugestepforwardincreatingaknowledgebaseofadversariesandassociatedtactics,techniquesandprocedures(TTPs).ManyvendorsarestartingtobuildATT&CKdataintotheirdetectiontoolswhichisdrivingadoptiongloballyoftheATT&CKframeworkforthreathuntingandincidentresponseprocesses.Thisisgreatprogress,butunfortunatelymanyorganizationsstillhaveagapwhentryingtoapplyprocesstotechnologiesthatdonotintegratewithATT&CKdata.ThreatQuotienthascreatedanintegrationbetweentheThreatQplatformandMITREATT&CKthathelpstobridgethisgap.

TheThreatQplatformoffersathreat-centricapproachtosecurityoperations.Purpose-builttoacceleratedetection,investigationandresponse,theplatformisintegratedwithalargenumberofkeysecuritysystemsandisawareofcontextuallyrelevantdetectionsoralertsthatarethreatrelated.ThisinformationisingesteddirectlyintotheThreatQThreatLibrary.TheThreatQMITREMapperintegrationoffersatooltoautomaticallyestablishrelationshipsbetweenMITREATT&CKtechniquesandthreatdatathathasbeeningestedfrominternalandexternaltools.ThefunctionalityispoweredbyThreatLibrarysearches,whichenableuserstoseamlesslyleveragedatafromtechnologiesthatdonotsupportATT&CKdirectlyoutofthebox.

TheremainderofthisdocumentusesathreathuntingusecasetriggeredbyaspearphishingincidenttodemonstratehowtheThreatQMITREMapperintegrationmaybeused.

The integration of MITRE ATT&CK enables security operations teams to take full advantage of the framework while working within the ThreatQ platform.

Page 4: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 4www.threatquotient.com

ThreatQ MITRE Mapper Configuration

ThissectionshowshowtheintegrationcouldbeconfiguredusingtheMITREATT&CKtechnique:T1193—SpearphishingAttachment.

Step 1 — Define MappingsInthisstep,wedeterminethetypeofdatathatwewouldliketomaptotheSpearphishingAttachmenttechnique.

WesearchforthedatathatwewouldliketomaptoaspecificATT&CKtechniqueandthensavethesearchforusebytheMITREMapperintegration.InFigure1wehavedefinedasearchthatlooksforallfilesthathavebeensenttousfromourProofpointsystem,whichisnotintegratedwiththeMITREATT&CKframework.Crucially,weareonlyinterestedinthefilesandhavelimitedoursearchtothatdata.

Figure 1: Searching for data to map

Page 5: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 5www.threatquotient.com

Step 2 — Configure the IntegrationTheintegrationisconfiguredtomaptheresultsfromthesavedsearchagainsttheMITREATT&CKSpearphishingAttachmenttechnique.

Theintegrationisdesignedtorunonaperiodicbasis.Eachofthesavedsearchesthathavebeendefinedwillbeexecutedbytheintegration.TheresultsfromeachsavedsearchwillthenberelatedautomaticallytotheirdesignatedMITREATT&CKtechnique.Inthisexample,theintegrationwillmapanyfilesthathavebeensenttoThreatQbyProofpointtotherecordforT1193—SpearphishingAttachmentthatexistswithintheThreatLibrary.

Onceconfigured,theintegrationwillautomaticallybuildanyrelationshipsbetweenadesignatedMITREATT&CKtechniqueandtheoutcomeofthesavedsearcheverytimethatitexecutes.Thisincludesanynewdatathathasarisen.

A Threat Hunting Example Using MITRE Mapper

OverviewManyusersofATT&CKwillbuildariskandimpactmatrixtodeterminewhichtechniquesaremostlikelytoimpacttheirorganization.ItiscommonforThreatHuntingteamstothenusehighriskorhighimpactATT&CKtechniquesasthebasisforfurtherinvestigation.Let’sassumethatthisisthesituationnowandthatathreathunteriskeentoanalyzetheSpearphishingAttachmenttechniqueinmoredetail.

Step 1 — Starting the InvestigationAnewThreatQInvestigationiscreated.Thestartingpointfortheinvestigationthenneedstobedefined.Inthiscase,weareusingtheATT&CKtechnique:T1193—SpearphishingAttachment.Figure2showstheuseofthesearchfeaturewithinThreatQInvestigations,whichisthenaddedtotheinvestigationonceclicked.

Figure 2: Searching the Threat Library for a starting point

Many users of ATT&CK will build a risk and impact matrix to determine which techniques are most likely to impact their organization.

Page 6: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 6www.threatquotient.com

Step 2 — Identifying Interesting Attachments

Figure 3: Finding related files

ClickingontheSpearphishingAttachmentnoderevealsasetofassociatedrelationships.Inthiscase,thereisalargeamountasThreatQhascapturedcontextuallyrelevantdatadirectlyfromMITREandinserteditintotheThreatLibrary.TheassociatedrelationshipsthatexistinFilesareagreatstartingpointgiventhetypeofattacktechniquethatisbeinginvestigated.Hereweseeasinglerelatedfile.Figure3showstheresultsafterthisfilehasbeenaddedtotheinvestigation.

Step 3 — Related EventsThenextstepistolookforrelatedeventsthatareassociatedwiththefilethathasbeenaddedtotheinvestigation.Relationshipsareusedtoidentifyanyassociatedeventsandaddtheseandassociatedcontextualdatadirectlyintotheinvestigation.

Figure 4: Additional events

Figure4showstheresultofthisprocess.Inthiscase,wehaveidentifiedtwoseparateeventstiedtothisfile,whichwerebothforwardedtoThreatQbyanotherintegration.Botheventswereemailsthatweresenttotwoseparaterecipients.Thoserecipientshavebeenidentifiedasbeingassociatedwiththeorganization’sfinancedepartment.

Page 7: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 7www.threatquotient.com

Step 4 — Deeper AnalysisItisclearthisfilemayhighlighttheexistenceofapotentialthreatwithintheorganizationandthatfurtheranalysismayberequired.So,thethreathunterchoosestolearnalittlemoreaboutanycontextuallyrelevantdatathatmaybeassociatedwiththefile.

ThefileisanalyzedforanyassociatedindicatorsthatThreatQmaybeawareof.Thisinformationiscapturedfromexternaltechnologies(suchasthreatfeeds)orinternaltechnologies(suchasvulnerabilitymanagement).InterestingindicatorsareaddedtotheinvestigationasperFigure5.

Figure 5: Adding context

Thethreathuntermayalsochoosetouseadditionalenrichmenttoolstocapturemoredataaboutanypotentialthreats.ThisisaccomplishedusingThreatQ’sOperationsfeature,whichallowsuserstoexecuteenrichmentsagainstspecificpiecesofdata.Figure6showsanexampleofaURLbeingsenttoCiscoThreatGridforfurtheranalysis.TheresultswillbeautomaticallycapturedbyThreatQandmadeavailabletofurthertheinvestigationifrequired.

Page 8: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 8www.threatquotient.com

Figure 6: Submitting a URL for further analysis

FurtheranalysisusingMITREATT&CKandsandboxdatarevealsthattheattachmenthasanassociationwiththeTrickBotmalware.Thisisalsoaddedintotheinvestigation(Figure7)forfurtheranalysisbyIncidentResponseteamsatalaterstage.

Figure 7: Associated TrickBot Malware

Thereareseveraladditionalstepsthatthethreathuntercouldchoosetoundertakeatthisstage.TheseincludedeeperanalysisintoindicatorsandassociatedrelationshipsorlookingforTTP-relatedoutcomessuchasadversaryrelationships.

Step 4 — Mitigation and ResponseThefinalstepistoidentifymitigationandresponseactions.Initially,thethreathunterlooksforsignaturesthatcouldbeusefulinmanaginganythreatfromTrickBot.Thereareseveralsourcesforthesesignatures,butinthiscase,theyhavebeenimportedautomaticallyusingThreatQ’sMalpediafeed.

Page 9: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 9www.threatquotient.com

InFigure8thethreathunterhasidentifiedthreesignaturesthatmaybeusedtodetectTrickBot.EachsignatureisacompleteYARArule,whichmaybedeployedtoanIPSorothernetworkorhost-baseddetectionsystem.Ataskhasbeenassigned(‘DeploySignaturetoIPS’)totheSecurityteamtodeploythesignatures.

Figure 8: Identifying signatures to respond to TrickBot

TheThreatLibraryalsocontainssomeinformationonmitigationsthatmaybedeployedtodefendagainsttheTrickBotMalware.TheseareaddedtotheinvestigationandassignedtotheSecurityteamforaction(Figure9).

Figure 9: Additional mitigations

Page 10: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 10www.threatquotient.com

TheinvestigationhasbeenupdatedwithmitigationsandresponsestotheimmediateperceivedthreatfromTrickBot.ThefinalstepistolookforlongertermstepstohelpmitigateanyadditionalrisksthatmaybeassociatedwiththeSpearphishingAttachmenttechnique.

Figure 10: Longer term mitigations

TheMITREATT&CKdatathatresideswithintheThreatLibraryisusedtoidentifyasetofmitigationsthatmaybeappliedtomanagetheriskassociatedwiththeT1193—SpearphishingAttachmenttechnique.Thesehavebeenaddedtotheinvestigationandtasksassignedtotheappropriateteamswithintheorganization(Figure10).

Figure11showsthecompletedinvestigation.

Figure 11: The completed investigation

Page 11: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

How to Map MITRE ATT&CK Techniques

© ThreatQuotient, Inc. 11www.threatquotient.com

Conclusion

Thesampleinvestigationinthispaper,startedwithaMITREATT&CKtechniquebutcentredaroundanattachmentthatoriginatedfromathird-partysystem.ThisattachmentdidnotoriginallyhavearelationshiptotheSpearphishingAttachmenttechniquefromMITRE.EstablishingtherelationshipenabledathreathuntertoutilizetheATT&CKtechniqueasthestartingpointforahuntwhich,inturn,yieldedinformationonapotentialactivethreatandotheravenuesofinvestigation.

OneofthekeyadvantagesoftheThreatQplatformisitsopen,extensiblearchitecturethatallowsforstrongintegrationandinteroperabilitywiththetoolsorganizationsusetoday,andthetoolstheymaybeconsideringacrossabroadspectrumofservices.TheThreatQMITREMapperallowssecurityteamstouseMITREATT&CKtoitsfullestextent,evenwhentheirtechnologiesdonotsupportATT&CKdirectlyoutofthebox.UserscandefinesearcheswithintheThreatLibraryandmapthemtooneormanyMITREATT&CKtechniques.Theintegrationautomaticallybuildsrelationshipsbetweentheoutcomeofthesesearchesandtheassociatedtechniquesovertime.

NearlyeveryorganizationisinterestedinusingtheMITREATT&CKframework.TheThreatQplatformcanserveasthegluetointegratedisparatetechnologiesintoasinglesecurityarchitecture,sharingtherightintelligencewiththerighttoolsattherighttime.WithThreatQ,organizationscaneasilyimplementtheframeworkandbenefitfromthesignificantvalueitbringstothreathuntingandotherusecases.

One of the key advantages of the ThreatQ platform is its open, extensible architecture that allows for strong integration and interoperability with the tools organizations use today.

Page 12: How to Map MITRE ATT&CK Techniques€¦ · Bridging the Gap between Theory and Implementation Steve Rivers, Director, Threat Intelligence Engineering . Contents 3 MITRE ATT&CK and

©ThreatQuotient,Inc.

ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, APAC and MENA. For more information, visit www.threatquotient.com.


DEEP DIVE INTO CYBER REALITY · Operationalize Threat Intelligence The MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework has emerged as a key resource for

Detecting Cyber Threats with ATT&CK™ Based Analytics · Knowledge (ATT&CK™) for Enterprise framework, as well as the broader family of ATT&CK™ models, for characterizing post-compromise

Threat hunting with MITRE ATT&CK

If I Were MITRE ATT&CK Developer: Challenges to Consider ... · MITRE ATT&CK If you know how attackers work, you can figure out how to stop them Attack lifecycle is a common method

MITRE ATT&CKÒ: Design and Philosophy · MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge

Module 1: Introducing the Training and … Workshop...Module 1: Introducing the Training and Understanding ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public

MITRE ATT&CK : APT29 Techniques Mapped to Mitigations and ... · Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated

BZAR Hunting Adversary Behaviors with Zeek and ATT&CK · What we’ll talk about Background: ATT&CK and Threat Hunting Threat Hunting with BZAR –Zeek Network Security Monitor –How

Module 1: Introducing the Training and Understanding ATT&CK 1... · 2020-01-07 · techniques. On our website, we currently have 50 dif erent data sources mapped to Enterprise ATT&CK

MITRE ATT&CK Enterprise Framework · • LogRhythm Process Monitor and/or EDR (e.g. Carbon Black / Cylance) • LogRhythm Registry Monitor (Windows) and/or EDR (e.g. Carbon Black

The State of MITRE ATT&CK Threat-Informed Defense

Mapping BeyondTrust Solutions into › assets › ...Open and available to any person or organization for use at no charge, the goal of MITRE ATT&CK is to bring communities together

MITRE ATT&CK™: Design and Philosophy · ATT&CK was created out of a need to systematically categorize adversary behavior as part of conducting structured adversary emulation exercises

SESSION ID: AIR-R02 MITRE ATT&CK - THE SEQUEL€¦ · Security Controls. Assets. Spear Phishing. PowerShell. #RSAC. Screenshot of the lure document. 24. #RSAC. Result Of The Execution

Operation Cobalt Kitty - MITRE ATT&CK® · 2020-07-15 · The advanced persistent threat Operation Cobalt Kitty targeted a global corporation and was carried out by highly skilled

MITRE ATT&CK Round 2 · Cortex y alo Alto etwors The ltimate uide to the MITRE ATT&CK Round 2 EDR Evaluation hite Paper 2 MITRE publishes raw data based on in-depth testing, giving

An Introduction to ATT&CK - Federal Aviation …...An Overview of the (Enterprise) MITRE ATT&CK framework Use Cases in 15 minutes (or less!) –Detection –Cyber Threat Intelligence

Mapping Industrial Cybersecurity Threats to MITRE ATT&CK

Post-Exploitation Hunting with ATT&CK & Elastic...Eliminate false positives with enrichment enabled by Elastic Let ATT&CK guide your analytics Quantify and track detection capability

Cisco Security and MITRE ATT&CK Enterprise · anything, so deciding where you start is your responsibility too. ... Many organizations ask us about our capabilities in the context

MITRE EngenuityATT&CK Evaluations : Quick Guide Carbanak

API Top 10 2019, Case Securing your APIs: OWASP Study and … · 2020. 8. 11. · On API, Microservices Security, Container Runtime Security and MITRE ATT&CK® for Kubernetes(K8S)

MITRE ATT&CK: The Play at Home Edition · •Everyone in the community needs help contribute to the story by associating tactics and techniques to current events •We need to start

Technical Validation...title, description, target OS, and tags which map the attack to the MITRE ATT&CK framework , as well as regulations and industry -standard benchmarks such as

How to Submit a Threat Profile to MITRE ATT&CK · How to Submit a Threat Profile to MITRE ATT&CK Walker Johnson September 2018

OSQUERY Breach ATT&CK - MacAdmins Conference

WHAT IS MITRE ATT&CK? files/MITRE Attack.pdf · •Do they cover techniques you don’t detect, or can they consolidate detections •Look at products that can also tag behaviours,

Module 4: Storing and Analyzing ATT&CK-Mapped Data 4 Slides.pdf · Module 4: Storing and Analyzing ATT&CK-Mapped Data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for

Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019 · through red teaming or adversary emulation, and improve network ... compromises in the past several months, including

USE MITRE ATT&CK FOR STRONGER SECURITY SAFEBREACH · be carried out, to help defender stay up-to-date, and prepared for proven, emerging, and new techniques in the wild. Contributors

MITRE ATT&CK® as a Framework for Cloud Threat Investigation...ATT&CK framework, and 43% cite the challenge of mapping event data to tactics and techniques. • A large percentage

CYBERARK SOLUTIONS AND THE MITRE ATT&CK FRAMEWORK

PART2-T10 2020 ATT&CK™ Vision Correlating TTPs to Disrupt … · 2020-04-17 · #RSAC Profiling Malware using MITRE ATT&CK™ 3 Research Goals: Provide guidance on optimal security

MITRE ATT&CK WORKBOOK - EnterpriseTalk

The Essential Guide to the MITRE ATT&CK Evaluation Round 3