Enabling Distributed Threat Analysis

Enabling Distributed Threat Analysis: Common Attack Patterns and Malware Characterization

Sean BarnumPenny Chase

Aug 2011

HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS).The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.PremiseBuilding secure systems and effectively responding to incidents requires an understanding of the relevant threatsAn actionable understanding of todays scale, complexity and volume of relevant threats requires structured representations to support automation

Threat information3Attacker motivationAttacker behavior (TTP)Attacker capabilityTargeted attack surfacePotential impactHow to detect threatHow to mitigate threatSolution ResourcesCommon Attack Pattern Enumeration and Classification (CAPEC) for structured characterization of attack patternsMalware Attribute Enumeration and Characterization (MAEC) language for structured characterization of malwareCyber Observable eXpression (CybOX) underpinning CAPEC & MAECThe HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.The Long-established Principal of Know Your Enemy

One who knows the enemy and knows himself will not be endangered in a hundred engagements. One who does not know the enemy but knows himself will sometimes be victorious. Sometimes meet with defeat. One who knows neither the enemy nor himself will invariably be defeated in every engagement.

4Chapter 3: Planning the Attack

The Art of War, Sun Tzu

An appropriate defense can only be established if you know how it will be attacked

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.5What are Attack Patterns?Blueprint for creating a specific type of attackAbstracted common attack approaches from the set of known exploits

Capture the attackers perspective to aid software developers, acquirers and operators in improving the assurance profile of their systemsThe HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.6Leveraging Attack Patterns Throughout the Software LifecycleGuide definition of appropriate policiesGuide creation of appropriate security requirements (positive and negative)Provide context for architectural risk analysisGuide risk-driven secure code reviewProvide context for appropriate security testingIdentify and characterize threat TTPs for red teamingProvide a bridge between secure development and secure operationsIdentify patterns of malicious behavior for attack detection and characterization in operationsThe HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Common Attack Pattern Enumeration and Classification (CAPEC)Community effort targeted at:Standardizing the capture and description of attack patternsCollecting known attack patterns into an integrated enumeration that can be consistently and effectively leveraged by the communityGives you an attackers perspective you may not have on your own

Excellent resource for many key activities Abuse Case developmentArchitecture attack resistance analysisRisk-based security/Red team penetration testingWhitebox and Blackbox testing correlationOperational observation and correlation

Where is CAPEC today?http://capec.mitre.orgCurrently 386 patterns, stubs, named attacks 68 Categories & 6 Views

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.What do Attack Patterns Look Like?Primary Schema ElementsIdentifying InformationAttack Pattern IDAttack Pattern NameDescribing InformationDescriptionRelated WeaknessesRelated VulnerabilitiesMethod of AttackExamples-InstancesReferencesPrescribing InformationSolutions and MitigationsScoping and Delimiting InformationTypical SeverityTypical Likelihood of ExploitAttack PrerequisitesAttacker Skill or Knowledge RequiredResources RequiredAttack Motivation-ConsequencesContext Description Supporting Schema ElementsDescribing InformationInjection VectorPayloadActivation ZonePayload Activation ImpactDiagnosing InformationProbing TechniquesIndicators-Warnings of AttackObfuscation TechniquesEnhancing InformationRelated Attack PatternsRelevant Security RequirementsRelevant Design PatternsRelevant Security Patterns The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Attack Pattern Description Schema FormalizationDescriptionSummaryAttack_Execution_FlowAttack_Phase1..3 (Name(Explore, Experiment, Exploit))Attack_Step1..*Attack_Step_TitleAttack_Step_DescriptionAttack_Step_Technique 0..*Attack_Step_Technique_DescriptionLeveraged_Attack_PatternsRelevant_Attack_Surface_ElementsObservables0..*EnvironmentsIndicator0..* (ID, Type(Positive, Failure, Inconclusive))Indicator_DescriptionRelevant_Attack_Surface_ElementsEnvironmentsOutcome0..* (ID, Type(Success, Failure, Inconclusive))Outcome_DescriptionRelevant_Attack_Surface_ElementsObservables0..*EnvironmentsSecurity Control0..* (ID, Type(Detective, Corrective, Preventative))Security_Control_DescriptionRelevant_Attack_Surface_ElementsObservables0..*EnvironmentsObservables0..*The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Attack Patterns Bridge Secure Development and OperationsSecure DevelopmentSecure OperationsAttack PatternsAttack Patterns 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDUsing attack patterns makes it possible for the secure development domain to leverage significant value from secure operations knowledge, enabling them to:Understand the real-world frequency and success of various types of attacks.Identify and prioritize relevant attack patterns.Identify and prioritize the most critical weaknesses to avoid.Identify new patterns and variations of attack.Secure Operations Knowledge Offers Unique Value to Secure DevelopmentAttack patterns enable those in the secure operations domain to provide appropriate context to the massive amounts of data analyzed to help answer the foundational secure operations questions.Secure Development Knowledge Offers Unique Value to Secure Operations 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDThe Cyber Observables construct is intended to capture and characterize events or properties that are observable in the operational domain. These observable events or properties can be used to adorn the appropriate portions of the attack patterns in order to tie the logical pattern constructs to real-world evidence of their occurrence or presence. This construct has the potential for being the most important bridge between the two domains, as it enables the alignment of the low-level aggregate mapping of observables that occurs in the operations domain to the higher-level abstractions of attacker methodology, motivation, and capability that exist in the development domain. By capturing them in a structured fashion, the intent is to enable future potential for detailed automatable mapping and analysis heuristics. Cyber Observables Overview 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDPage 14Common Cyber Observables (CybOX) Schema (simple overview) 2010 The MITRE Corporation. All rights reserved.UNCLASSIFIEDThese same cyber observables also apply to numerous other domainsMalware characterizationOperational EventsLoggingCyber situational awarenessIncident responseForensicsEtc.

2010 The MITRE Corporation. All rights reserved.UNCLASSIFIED

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Complete CAPEC Entry Information

Stubs InformationThe HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Where is CAPEC today?

Recent versionsSignificant schema changesIncluding addition of Observables structureNew contentEnhanced & refined contentAdded new categories of patternsNetwork attack patternsPhysical security attacksSocial engineering attacksSupply chain attacksCurrently 386 patterns, stubs, named attacks; 68 categories and 6 views

CAPEC StatusThe HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.CAPEC Current Content (15 Major Categories)1000 - Mechanism of AttackData Leakage Attacks - (118)Resource Depletion - (119)Injection (Injecting Control Plane content through the Data Plane) - (152)Spoofing - (156)Time and State Attacks - (172)Abuse of Functionality - (210)Exploitation of Authentication - (225)Probabilistic Techniques - (223)Exploitation of Privilege/Trust - (232)Data Structure Attacks - (255)Resource Manipulation - (262)Physical Security Attacks (436)Network Reconnaissance - (286)Social Engineering Attacks (403)Supply Chain Attacks (437)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.CAPEC Current Content (Which Expand to)1000 - Mechanism of AttackData Leakage Attacks - (118)Data Excavation Attacks - (116)Data Interception Attacks - (117)Resource Depletion - (119)Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) - (82)Resource Depletion through Flooding - (125)Resource Depletion through Allocation - (130)Resource Depletion through Leak - (131)Denial of Service through Resource Depletion - (227)Injection (Injecting Control Plane content through the Data Plane) - (152)Remote Code Inclusion - (253)Analog In-band Switching Signals (aka Blue Boxing) - (5)SQL Injection - (66)Email Injection - (134)Format String Injection - (135)LDAP Injection - (136)Parameter Injection - (137)Reflection Injection - (138)Code Inclusion - (175)Resource Injection - (240)Script Injection - (242)Command Injection - (248)Character Injection - (249)XML Injection - (250)DTD Injection in a SOAP Message - (254)Spoofing - (156)Content Spoofing - (148)Identity Spoofing (Impersonation) - (151)Action Spoofing - (173)Time and State Attacks - (172)Forced Deadlock - (25)Leveraging Race Conditions - (26)Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions - (29)Manipulating User State - (74)Abuse of Functionality - (210)Functionality Misuse - (212)Abuse of Communication Channels - (216)Forceful Browsing - (87)Passing Local Filenames to Functions That Expect a URL - (48)Probing an Application Through Targeting its Error Reporting - (54)WSDL Scanning - (95)API Abuse/Misuse - (113)Try All Common Application Switches and Options - (133)Cache Poisoning - (141)Software Integrity Attacks - (184)Directory Traversal - (213)Analytic Attacks - (281)Probabilistic Techniques - (223)Fuzzing - (28)Manipulating Opaque Client-based Data Tokens - (39)Brute Force - (112)Screen Temporary Files for Sensitive Information - (155)

Exploitation of Authentication - (225)Exploitation of Session Variables, Resource IDs and other Trusted Credentials - (21)Authentication Abuse - (114)Authentication Bypass - (115)Exploitation of Privilege/Trust - (232)Privilege Escalation - (233)Exploiting Trust in Client (aka Make the Client Invisible) - (22)Hijacking a Privileged Thread of Execution - (30)Subvert Code-signing Facilities - (68)Target Programs with Elevated Privileges - (69)Exploitation of Authorization - (122)Hijacking a privileged process - (234)Data Structure Attacks - (255)Accessing/Intercepting/Modifying HTTP Cookies - (31)Buffer Attacks - (123)Attack through Shared Data - (124)Integer Attacks - (128)Pointer Attack - (129)Resource Manipulation - (262)Accessing/Intercepting/Modifying HTTP Cookies - (31)Input Data Manipulation - (153)Resource Location Attacks - (154)Infrastructure Manipulation - (161)File Manipulation - (165)Variable Manipulation - (171)Configuration/Environment manipulation - (176)Abuse of transaction data strutcture - (257)Registry Manipulation - (269)Schema Poisoning - (271)Protocol Manipulation - (272)Network Reconnaissance - (286)ICMP Echo Request Ping - (285)TCP SYN Scan - (287)ICMP Echo Request Ping - (288)Infrastructure-based footprinting - (289)Enumerate Mail Exchange (MX) Records - (290)DNS Zone Transfers - (291)Host Discovery - (292)Traceroute Route Enumeration - (293)ICMP Address Mask Request - (294)ICMP Timestamp Request - (295)ICMP Information Request - (296)TCP ACK Ping - (297)UDP Ping - (298)TCP SYN Ping - (299)Port Scanning - (300)TCP Connect Scan - (301)TCP FIN scan - (302)TCP Xmas Scan - (303)TCP Null Scan - (304)TCP ACK Scan - (305)TCP Window Scan - (306)TCP RPC Scan - (307)UDP Scan - (308)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.CAPEC Current Content (386 Attacks)

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Current Maturation PathsExtend coverage of CAPECImprove quality of CAPECExpand the scope of CAPECBridge secure development with secure operationsImprove integration with other standards (MAEC, CEE, etc.)Expand use of CAPEC Establish initial compatibility program22The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Malware AttributeEnumeration & CharacterizationThe HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.Why Do We Need to Develop Standards for Malware?Page 24

Multiple layers of protection

Lots of productsInconsistent reports

Theres an arms race

2011 The MITRE Corporation. All rights reserved.Language for sharing structured information about malware Grammar (Schema)Vocabulary (Enumerations)Collection Format (Bundle)Focus on attributes and behaviorsEnable correlation, integration, and automationPage 25Malware Attribute Enumeration and Characterization (MAEC)

ThreatsVulnerabilitiesDetectionResponsePlatforms

2011 The MITRE Corporation. All rights reserved.25Operational

AnalysisHelp Guide Analysis ProcessStandardized Tool OutputMalware Repositories

MAEC Use CasesPage 26

ToolTool 2011 The MITRE Corporation. All rights reserved.26MAEC OverviewPage 27

2011 The MITRE Corporation. All rights reserved.In terms of structure, MAEC can be thought of as having three interconnected layers: At the lowest level, which serve to answer the question of what the malware does through actions, which serve to characterize hardware accesses and system state changes performed by malware. Thus, actions can be relatively amorphous, although initially we have concentrated on defining those that can be achieved through low-level API calls. However, the main point with regards to actions is that they are relatively devoid of any significant meaning they dont answer the question of why the malware performed them in the first place.

What we are attempting to show the division between semantics and syntactics is that we are abstracting actions away from their implementations. Such abstract actions will allow the construction of a more concise grammar, and also facilitate correlation between malware that may do similar things at a low-level but with vastly different implementations (such as malware targeted at different platforms). Of course, this doesnt mean that we should throw out how an action is implemented, as this is certainly useful for purposes of correlation, as the same action can have many possible implementations.

The more interesting structure of MAEC begins at the mid-level, which we term Behaviors. Behaviors are aimed at organizing and defining the purpose behind low-level actions, whether in groups or as singletons. Thus, Behaviors can represent discrete components of malware functionality at a level that is useful for analysis, triage, detection, etc.

Going up another level, we have what we refer to as Mechanisms. Mechanisms are organized groups of behaviors. Some examples would be propagation/insertion, self-defense, and the like. Since there is likely a very low upper bound on the number of possible mechanisms, they can be useful in terms of understanding the composition of malware at a very high level.

As a very simple example of how a malicious action can be mapped between MAECs levels, lets say that some malware calls Windows CreateFile() API Call and creates xyz.dll. This would first be mapped to the Create File action; after further investigation, we conclude that this file was created as a means of instantiating a malicious binary on a system, thus mapping to a MAEC Behavior in this fashion. Finally, Malicious Binary Instantiation can be considered as part of a malware persistence mechanism.

Transition: For the initial MAEC release, weve been focusing primarily on actions, particularly with regards to those that can be characterized through dynamic analysis engines and sandboxes. Thus, let me go into a bit more detail with regards to our action model.

27MAEC Description: Profiling Zeus C2MAEC Mechanism: C2MAEC Behavior: C2 Get Configuration MAEC Behavior: C2 BeaconMAEC Behavior: C2 Receive CommandMAEC Behavior: C2 Send Data 2011 The MITRE Corporation. All rights reserved.MAEC & Zeus C2 IMechanism: C2Behavior: Get Configuration Behavior: BeaconBehavior: Recv CommandBehavior: Send DataMAEC Behavior: C2 Get ConfigurationProtocol: HTTP Encryption Type: RC4/customMAEC Action: http_get MAEC Object: http_connectionMethod: GETParameter: /config.binResponse: HTTP/1.1 200 OKResponse Body: Response Content Length: 1212 bytes

MAEC Object: tcp_connectionExternal IP: xxx.xxx.xxx.xxxExternal Port: 80

2011 The MITRE Corporation. All rights reserved.29MAEC & Zeus C2 IIMechanism: C2Behavior: Get Configuration Behavior: BeaconBehavior: Recv CommandBehavior: Send DataMAEC Behavior: C2 BeaconProtocol: HTTP Encryption Type: RC4/customFrequency: 1/20 minutes

MAEC Action: http_post MAEC Object: http_connectionMethod: POSTPOST Data: Parameter: .*/gate.phpResponse: HTTP/1.1 200 OKResponse Body: Response Content Length: 44 bytes

MAEC Object: tcp_connectionExternal IP: xxx.xxx.xxx.xxxExternal Port: 80

2011 The MITRE Corporation. All rights reserved.30MAEC & Zeus C2 IIIMechanism: C2Behavior: Get Configuration Behavior: BeaconBehavior: Recv CommandBehavior: Send DataMAEC Behavior: C2 Receive CommandProtocol: HTTP Encryption Type: RC4/customSupported Commands: reboot, kos, shutdown, bc_add, bc_del, block_url, unblock_url, block_fake, getfile, getcerts, resetgrab, upcfg, rename_bot

MAEC Action: decode_http_response MAEC Object: http_connectionResponse Body: Response Content Length: > 44 bytes

MAEC Object: tcp_connectionExternal IP: xxx.xxx.xxx.xxxExternal Port: 80

2011 The MITRE Corporation. All rights reserved.31MAEC & Zeus C2 IVMechanism: C2Behavior: Get Configuration Behavior: BeaconBehavior: Recv CommandBehavior: Send DataMAEC Behavior: C2 Send DataProtocol: HTTP Encryption Type: RC4/custom

MAEC Action: http_post MAEC Object: http_connectionMethod: POSTPOST Data: Parameter: .*/gate.phpResponse: HTTP/1.1 200 OK

MAEC Object: tcp_connectionExternal IP: xxx.xxx.xxx.xxxExternal Port: 80

2011 The MITRE Corporation. All rights reserved.32MAEC Schema v 1.1 (XML)Page 33 2011 The MITRE Corporation. All rights reserved.

Malware Ontology (OWL)Page 34

2011 The MITRE Corporation. All rights reserved.Use Case: Host Based Detection

Malware BinaryDynamic Analysis EngineAnubisCWSandboxThreatExpertEtc.Engine Output

Sandbox -> MAEC Translator

Host-based Scanner 2011 The MITRE Corporation. All rights reserved.35MAEC Output

Real World Example: MAEC & Zeus BotPage 36

Zeus Binary

Anubis SandboxAnubis Output**http://anubis.iseclab.org/?action=result&task_id=1167a57d1aa905e949df5d5478ab23bf9Anubis MAEC Translator ScriptMAEC OVAL Translator Script

OVAL Output

2011 The MITRE Corporation. All rights reserved.36

Page 37Use Case: Data Fusion & Correlation

Malware Binary

Is this malware similar to recent activity?

DNS/WhoisPCAPRev EngThreat Reports

Zeus X

Zeus YExtract FeaturesDecompose QuestionOntologiesQuery Inference Engine 2011 The MITRE Corporation. All rights reserved.MAEC object model replaced with CybOXActionType simplifiedEffectType refined, made easier to useMore object-focusedPermits definition of much more complex effectsLots of under the hood tweaks and minor additionsMAEC Bundle now supports storage of Objects, Actions, Behaviors, and Analyses at the top levelAdditional analysis environment attributes added to Analysis TypeEnumerations made into separate typesMain entities streamlined to remove unnecessary hierarchyMany morev2.0 ChangesPage 38

2011 The MITRE Corporation. All rights reserved.Signature/Indicator Management CapabilityPermits standard method of defining anti-malware signatures and indicators. Examples: OpenIOCs, ClamAV, Yara, Snort, etc.Linkages to other MAEC entities where appropriate. E.g. objects for specifying signature/indicator used in detection.

Relationship SupportAllows defining simple relationships between MAEC entities in an easy to use fashion. Examples: ParentOf, ChildOf, PrecededBy, etc.

Many new enumerated typesActions, Effects, Relationships, etc.

vPage 39v2.0 Additions

2011 The MITRE Corporation. All rights reserved.Page 40Common Cyber Observables (CybOX) Schema

ICSG Malware WG

openIOC 2011 The MITRE Corporation. All rights reserved.AccountDiskDisk PartitionDNS CacheEmail MessageFileGUILibraryPackageMemoryNetwork ConnectionNetwork RouteLinux PackageProduct

ServiceSocketSystemUser SessionVolumeWin Critical SectionWin DriverWin EventWin Event LogWin KernelWin Kernel HookWin HandleWin MailslotWin MutexPage 41MAEC v2.0 Objects (imported from CybOX)Win Named PipeWin Network RouteWin PrefetchWin RegistryWin SemaphoreWin System RestoreWin TaskWin ThreadWin Waitable TimerX509 Certificate(more on the way) 2011 The MITRE Corporation. All rights reserved.MAEC & CybOXPage 42Before (MAEC 1.x)MAEC

MAEC ObjectsMAEC EntitiesAfter (MAEC 2.0 and up)MAEC

Object TypeMAEC EntitiesCybOX

Defined Object TypeImportsDefined ObjectDefined ObjectDefined ObjectSubstitutes 2011 The MITRE Corporation. All rights reserved.Industry CollaborationsWorking with Mandiant on MAEC openIOCTool vendors supported our development of MAEC translators:CWSandbox : GFI SoftwareThreatExpert : SymantecAnubis : International Secure Systems (Isec) LabDiscussions with tool vendors about adopting MAEC as a native output format (under NDAs)Malware analysts experimenting with MAEC (e.g., to compare multiple tool output)

Community EngagementPage 43 2011 The MITRE Corporation. All rights reserved.43IEEE Industry Connections Security Group (ICSG)Malware Working Group developed an exchange schema to facilitate the sharing of sample data between AV product vendorsMAEC currently imports the IEEE ICSG Malware Metadata exchange schemaRecently established Malware Metadata Exchange Format WGMain Focus:Adding capability to MMDEF schema for capturing blackbox behavioral metadata about malwareWill likely import MAEC/CybOX, especially MAEC Objects and ActionsSecondary Focus:Adding capability to MMDEF schema for profiling clean (non-malicious) files, including software packagesAimed at sharing information about clean files for reducing AV detection false positivesPotentially transition to a new IEEE standard

Community EngagementPage 44

2011 The MITRE Corporation. All rights reserved.Request to join: http://maec.mitre.org/community/discussionlist.htmlArchives available

MAEC Community: Discussion ListPage 45

2011 The MITRE Corporation. All rights reserved.MITRE hosts a social networking collaboration environment: https://handshake.mitre.orgSupplement to mailing list to facilitate collaborative schema developmentMalware Ontologies SIG SubgroupMAEC Community: MAEC Development Group on HandshakePage 46

2011 The MITRE Corporation. All rights reserved.

Questions?sbarnum@mitre.orgpc@mitre.org

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.section titleMIS Training Institute Section I - Page 47XXX 001Enter YOUR company name here