SESSION ID: AIR-R02 MITRE ATT&CK - THE SEQUEL€¦ · Security Controls. Assets. Spear Phishing....
Transcript of SESSION ID: AIR-R02 MITRE ATT&CK - THE SEQUEL€¦ · Security Controls. Assets. Spear Phishing....
#RSAC
SESSION ID:
#RSAC
SESSION ID:
Freddy Dezeure
MITRE ATT&CK - THE SEQUELAIR-R02
CEOFreddy Dezeure [email protected]
Rich StruseDirector, Center for Threat-Informed DefenseMITRE [email protected]
#RSAC
2
Presentation builds on our RSA2019 MITRE ATT&CK presentation
Our goal is to provide real hands-on guidance
Everything was built in cooperation with Munich Airport
The Sequel
#RSAC
3
IdentifyProtectDetect
UpdateShare
Agenda
#RSAC
Our Enterprise Is A Financial Service
4
We process money for our clientsOur main risks: – Financial loss – Business continuity – Brand damage – GDPR
Our infrastructure is well protected (we think)We want to perform threat-informed defense
#RSAC
Our Infrastructure
5
“Win10” “Win11”
#RSAC
Our Infrastructure
6
Created in Detection Lab– Installed from GitHub– + One additional host– + Squid proxy– + Caldera
We populated the logfiles by normal user behaviorWe executed our scenario and made screenshots
#RSAC#RSAC
Identify
Our Assets, Our Infrastructure, Our Main Adversaries And Their TTPs
#RSAC
Identify Our Adversaries’ Objectives And Behavior
8
Identify our Adversaries of interest– Open source and commercial threat intelligence– ISACs/ISAOs– NCICC/CERTs
Identify which tactics/techniques they use– ATT&CK Navigator
#RSAC
9
OurAdversaries
OurSystems
OurAssets
MotivesTargets
#RSAC
Our Main Adversaries
10
Cross-sector : targeted ransomware Emotetfollowed by TrickbotFollowed by Ryuk/LockerGoga…
Sectoral : Fin7, Cobalt Group
#RSAC
11
OurAdversaries
OurSystems
OurAssets
TTPs
#RSAC
12
#RSAC
13
#RSAC
14
#RSAC
15
#RSAC
16
#RSAC
We Built And Used A Realistic Exploit
17
Word lure document with PowerShell macro connecting to api.ipify.org to grab external ip of our infrastructure and vizualize it
#RSAC#RSAC
Protect
Design And Validate Our Critical Controls
#RSAC
Design Our Controls
19
Adversaries
Security ControlsAssets
Spear PhishingPowerShell
#RSAC
Mitigations For T1086 PowerShell
20
#RSAC
Mitigation Guidance From The Community
21
#RSAC
Implemented In Our Enterprise Environment
22
With FW policy
Without FW policy
“Win10” “Win11”
#RSAC
Validate Our Controls In Our Lab
23
Adversaries
Security ControlsAssets
Spear PhishingPowerShell
#RSAC
Screenshot of the lure document
24
#RSAC
Result Of The Execution Of The Macro
25
#RSAC
Visibility In Our Environment
26
Screenshot in Splunk logs (Sysmon and proxy)
“Win10” (without FW rule)
#RSAC
Test Our Controls
27
Adversaries
Security ControlsAssets
Spear PhishingPowerShell
#RSAC
CALDERA – MITRE Open Source Research Project
28
Automated adversary emulation– Safely replicate realistic adversary behavior– Repeatable testing and verification of prevention/detection
Features– Uses ATT&CK to create Adversary profiles– Uses AI and modeling to make decisions about actions– Self-cleans after operation completes– Low install overhead– Does not require extensive red team knowledge to operate
#RSAC
Outcome Of Caldera With T1086 In Our Infrastructure
29
#RSAC
Outcome On “Win11” (Protected With FW Policy)
30
#RSAC#RSAC
Detect
Design And Validate Our Analytics
#RSAC
Design Our Detection
32
Gain Visibility – Priorities in log collection
Design Analytics– Write them with knowledge of Our Adversaries– Get them from the community
Deploy– Detect / Hunt / Refine
#RSAC
SIGMA: A Language for Analytics
33
https://github.com/Neo23x0/sigma
#RSAC
34
SIGMA Community Rules Repository
#RSAC
35
Detecting Windows command line executable spawned from Microsoft Office
#RSAC
Detection With SIGMA Rules
36
Splunk alerts detecting PowerShell spawned from Word
#RSAC
Detection With SIGMA Rules (2)
37
Splunk alert detecting PowerShell communicating outside
Alert on “Win10” (without FW rule)
#RSAC
Detection With SIGMA Rules – Building Alerts (3)
38
Splunk alerts built with identified SIGMA rules
Critical alert on “Win10” (without FW rule)
#RSAC
Alerts Triggered By Running Caldera With T1086
39
All alerts are on “Win10” (without FW rule)
#RSAC#RSAC
Update
#RSAC
Update on ATT&CK Developments
41
ATT&CK for ICS, Cloud and more
Subtechniques
Threat Report ATT&CK Mapper (TRAM)
MITRE ENGENUITY
#RSAC#RSAC
Share
Contribute To The Community
#RSAC
Share Insights And Contribute
The MITRE ATT&CK community is very activeSharing TTPs/SIGMA rules is easier and more useful than IOCs– Contribute to MITRE ATT&CK [email protected]– Contribute to SIGMA
https://github.com/Neo23x0/sigma/tree/master/rules
Participate in the Community– MITRE ATT&CKcon– EU ATT&CK User Community
43
#RSAC
EU ATT&CK User Community
44
Mailing list: opt in ? -> email to [email protected] workshop in Brussels 18-19 May 2020The biggest ATT&CK event ever…
#RSAC
“Apply” Slide
45
Next week you should:– Consider Windows Firewall policy to mitigate PowerShell techniques
In the first three months following this presentation you should:– Identify Your Adversaries– Identify and deploy at least three use cases in your organization
Within six months you should:– Permeate your cyber defense using ATT&CK– Share your insights in the SIGMA community
#RSAC
Resources And Acknowledgements
46
ATT&CK repository and ATT&CK NavigatorHow to use the MITRE ATT&CK NavigatorPREVENT Legitimate Windows Executables To Be Used To Gain Initial Foothold In Your Infrastructure (@dmargaritis)SIGMA and SIGMA rule collection (Thomas Patzke, Florian Roth)CALDERAEU ATT&CK Community Workshop 18-19 May 2020Munich Airport Information Security HubCenter for Threat-Informed DefenseDetection Lab