ATT&CK™ the Attacker Assessing & Improving Detection Capabilities
# whoami Christian Kollee ✗ Studied Computer Science at University of Erlangen- Nueremberg (Diplom-Informatik) ✗ Several years at various universities and at Fraunhofer ✗ IT security since 2012 ✗ Currently working as IT Security Consultant (Security Monitoring, Incident Response, Digital Forensics)
Why should we care about detection?
Defender’s Dilemma The intruder only needs to exploit one of the victims in order to compromise the enterprise. Intruder’s Dilemma The defender only needs to detect one of the indicators of the intruder’s presence to initiate incident response within the enterprise. Richard Bejtlich - https://taosecurity.blogspot.de/2009/05/defenders-dilemma-and-intruders-dilemma.html
How can we detect these indicators?
All models are wrong; some models are useful - George Box
Recon Intrusion Kill Chain Weaponization Delivery Exploitation Installation / Maintain ATT&CK™ Enterprise C2 / Control Actives on Objective / Execute Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chain; Hutchins, E. & Cloppert, M. & Amin, R.; 2011
Ten ATT&CK™ – Tactics 188 different techniques, e.g., 60 60 60 60 60 Scheduled Task 50 50 50 50 50 40 40 40 40 40 30 30 30 30 30 Timestomp 20 20 20 20 20 10 10 10 10 10 0 0 0 0 0 Remote Desktop Protocol Scheduled Task
Technique name Technique description Info box Examples Mitigation Detection References
How to use ATT&CK TM from a defender perspective?
1 Asses your current detection capabilities Identify and extend your detection 2 capabilities based on your data sources Prioritize additional data sources based 3 on the threats you are facing
1 Asses your current detection capabilities Goto 3 and prioritize your data source based on your threats ➢ Use your playbooks ➢ Use adversarial emulation tools
Identify and extend your detection 2 capabilities based on your data sources Access Token Anti-Virus API Monitoring Authentication Binary File BIOS Browser Logs Metadata Extensions Data Loss Digital DLL Monitoring Extensible Environment File Monitoring Host Network Prevention Certifcation Firmware Variable Interface Logs Interface (EFI) Kernel Drivers Loaded DLLs Malware Master Boot Named Pipes Netfow Network Device Reverse Record (MBR) Logs Engineering Network Packet Capture Powershell Process Process Process Use of Sensor Health Protocol Logs Command- Monitoring Network and Status Analysis Lines Parameters Services SSL/TLS System Calls Third-Party User Interface Volume Boot Windows Error Inspection Application Record (VBR) Reporting Logs Windows Windows WMI Objects Event Logs Registry
Prioritize additional data sources based 3 on the threats you are facing ➢ Network Protocol Analysis (DNS) ➢ What incidents do you have? ➢ Netfows ➢ How could you detect them (earlier)? ➢ Process Monitoring ➢ What sources are required? ➢ Windows Event Logs
Conclusion
Intruder’s Dilemma The defender only needs to detect one of the indicators of the intruder’s presence to initiate incident response within the enterprise. 1 Asses your current detection capabilities using ATT&CK TM One approach Identify and extend your detection capabilities 2 based on your data sources Prioritize additional data sources based on the 3 threats you are facing
Thank you! Questions?
MITRE ATT&CK TM – https://attack.mitre.org MITRE ATT&CK TM MTIRE ATT&CK TM Navigator – https://mitre.github.io/attack-navigator/enterprise/ MITRE – CALDERA – https://github.com/mitre/caldera Endgame – Red Team Automation (RTA) – https://github.com/endgameinc/RTA Adversarial Uber – Metta – https://github.com/uber-common/metta Emulation Nextron Systems – APTSimulator – https://github.com/NextronSystems/APTSimulator Red Canary – Atomic Red Team – https://github.com/redcanaryco/atomic-red-team A little white mug of espresso on a wood table – Photo by Annie Spratt on Unsplash Fire, fame, danger, and van – Photo by Dawn Armfeld on Unsplash Pictures Desert – Photo by Mark Eder on Unsplash Roots – Photo by David Peters on Unsplash Fortress – Photo by dMz on Pixabay
Recommend
More recommend
