#RSAC

SESSION ID:

#RSAC

SESSION ID:

Freddy Dezeure

MITRE ATT&CK - THE SEQUELAIR-R02

CEOFreddy Dezeure BV@Fdezeurewww.freddydezeure.eu

Rich StruseDirector, Center for Threat-Informed DefenseMITRE Engenuity@MITREattackattack.mitre.org

#RSAC

2

Presentation builds on our RSA2019 MITRE ATT&CK presentation

Our goal is to provide real hands-on guidance

Everything was built in cooperation with Munich Airport

The Sequel

#RSAC

3

IdentifyProtectDetect

UpdateShare

Agenda

#RSAC

Our Enterprise Is A Financial Service

4

We process money for our clientsOur main risks: – Financial loss – Business continuity – Brand damage – GDPR

Our infrastructure is well protected (we think)We want to perform threat-informed defense

#RSAC

Our Infrastructure

5

“Win10” “Win11”

#RSAC

Our Infrastructure

6

Created in Detection Lab– Installed from GitHub– + One additional host– + Squid proxy– + Caldera

We populated the logfiles by normal user behaviorWe executed our scenario and made screenshots

#RSAC#RSAC

Identify

Our Assets, Our Infrastructure, Our Main Adversaries And Their TTPs

#RSAC

Identify Our Adversaries’ Objectives And Behavior

8

Identify our Adversaries of interest– Open source and commercial threat intelligence– ISACs/ISAOs– NCICC/CERTs

Identify which tactics/techniques they use– ATT&CK Navigator

#RSAC

9

OurAdversaries

OurSystems

OurAssets

MotivesTargets

#RSAC

Our Main Adversaries

10

Cross-sector : targeted ransomware Emotetfollowed by TrickbotFollowed by Ryuk/LockerGoga…

Sectoral : Fin7, Cobalt Group

#RSAC

11

OurAdversaries

OurSystems

OurAssets

TTPs

#RSAC

12

#RSAC

13

#RSAC

14

#RSAC

15

#RSAC

16

#RSAC

We Built And Used A Realistic Exploit

17

Word lure document with PowerShell macro connecting to api.ipify.org to grab external ip of our infrastructure and vizualize it

#RSAC#RSAC

Protect

Design And Validate Our Critical Controls

#RSAC

Design Our Controls

19

Adversaries

Security ControlsAssets

Spear PhishingPowerShell

#RSAC

Mitigations For T1086 PowerShell

20

#RSAC

Mitigation Guidance From The Community

21

#RSAC

Implemented In Our Enterprise Environment

22

With FW policy

Without FW policy

“Win10” “Win11”

#RSAC

Validate Our Controls In Our Lab

23

Adversaries

Security ControlsAssets

Spear PhishingPowerShell

#RSAC

Screenshot of the lure document

24

#RSAC

Result Of The Execution Of The Macro

25

#RSAC

Visibility In Our Environment

26

Screenshot in Splunk logs (Sysmon and proxy)

“Win10” (without FW rule)

#RSAC

Test Our Controls

27

Adversaries

Security ControlsAssets

Spear PhishingPowerShell

#RSAC

CALDERA – MITRE Open Source Research Project

28

Automated adversary emulation– Safely replicate realistic adversary behavior– Repeatable testing and verification of prevention/detection

Features– Uses ATT&CK to create Adversary profiles– Uses AI and modeling to make decisions about actions– Self-cleans after operation completes– Low install overhead– Does not require extensive red team knowledge to operate

#RSAC

Outcome Of Caldera With T1086 In Our Infrastructure

29

#RSAC

Outcome On “Win11” (Protected With FW Policy)

30

#RSAC#RSAC

Detect

Design And Validate Our Analytics

#RSAC

Design Our Detection

32

Gain Visibility – Priorities in log collection

Design Analytics– Write them with knowledge of Our Adversaries– Get them from the community

Deploy– Detect / Hunt / Refine

#RSAC

SIGMA: A Language for Analytics

33

https://github.com/Neo23x0/sigma

#RSAC

34

SIGMA Community Rules Repository

#RSAC

35

Detecting Windows command line executable spawned from Microsoft Office

#RSAC

Detection With SIGMA Rules

36

Splunk alerts detecting PowerShell spawned from Word

#RSAC

Detection With SIGMA Rules (2)

37

Splunk alert detecting PowerShell communicating outside

Alert on “Win10” (without FW rule)

#RSAC

Detection With SIGMA Rules – Building Alerts (3)

38

Splunk alerts built with identified SIGMA rules

Critical alert on “Win10” (without FW rule)

#RSAC

Alerts Triggered By Running Caldera With T1086

39

All alerts are on “Win10” (without FW rule)

#RSAC#RSAC

Update

#RSAC

Update on ATT&CK Developments

41

ATT&CK for ICS, Cloud and more

Subtechniques

Threat Report ATT&CK Mapper (TRAM)

MITRE ENGENUITY

#RSAC#RSAC

Share

Contribute To The Community

#RSAC

Share Insights And Contribute

The MITRE ATT&CK community is very activeSharing TTPs/SIGMA rules is easier and more useful than IOCs– Contribute to MITRE ATT&CK attack@mitre.org– Contribute to SIGMA

https://github.com/Neo23x0/sigma/tree/master/rules

Participate in the Community– MITRE ATT&CKcon– EU ATT&CK User Community

43

#RSAC

EU ATT&CK User Community

44

Mailing list: opt in ? -> email to info@circl.luNext workshop in Brussels 18-19 May 2020The biggest ATT&CK event ever…

#RSAC

“Apply” Slide

45

Next week you should:– Consider Windows Firewall policy to mitigate PowerShell techniques

In the first three months following this presentation you should:– Identify Your Adversaries– Identify and deploy at least three use cases in your organization

Within six months you should:– Permeate your cyber defense using ATT&CK– Share your insights in the SIGMA community

#RSAC

Resources And Acknowledgements

46

ATT&CK repository and ATT&CK NavigatorHow to use the MITRE ATT&CK NavigatorPREVENT Legitimate Windows Executables To Be Used To Gain Initial Foothold In Your Infrastructure (@dmargaritis)SIGMA and SIGMA rule collection (Thomas Patzke, Florian Roth)CALDERAEU ATT&CK Community Workshop 18-19 May 2020Munich Airport Information Security HubCenter for Threat-Informed DefenseDetection Lab