Concept of MITRE ATT&CK for connected cars and vehicles as presented at EU ATT&CK Workshop #8. Initiative to use Sigma rules for VSOC to proactively map out threats for connected cars.
1. MITRE ATT&CK and Sigma
improvements for Connected Cars
MITRE ATT&CK EU Community #8, 2021
by
Andrii Bezverkhyi, SOC Prime
twitter @andriinb
2. _whoami
NotPetya attribution using ATT&CK < 5 days, July 2, 2017
Tagging Sigma w ATT&CK since 2017 -> 2018
uncoder.io and tdm.socprime.com
and cti.uncoder.io
THANK YOU
MITRE, EU ATT&CK & Sigma community & SOC Prime team,
for making this possible.
11. Initial reads, if you’re a car hacking noob like me
and want to get into car cyber security and safety:
Hacking Connected Cars: Tactics, Techniques, and Procedures
by Alyssa Knight
RSAC 2020 (Session ID: STR-F03)
Mercedes-Benz and 360 Group:
Defending a Luxury Fleet with the Community
Keen Security Lab blog at https://keenlab.tencent.com/
14. Let’s make it simple
“New” digital stuff: Head Unit, Telematics Box, BLE, WiFi, 4/5G, OBD-II, USB
Good Ol’ CAN Bus & new car network: gets diagnostics and issues commands to ECU and any digitalized car parts
Real World: Lights, Engine, Doors, ABS / ESP / ADAS / LIDAR, Roof, Airbags
17. Tactic: Lateral Movement
Technique: CAN bus
Tactic: Persistence
Infotainment System / Head Unit
Telematics system (T-Box)
Sub-techniques will include firmware, OS, apps, drivers
20. Sigma for VSOC, we get to be Proactive
Using Sigma rules to describe detections for known techniques & tools on
connected vehicles, based on red team reports and observations
Easy translation to VSOC backend platforms like Google Chronicle, Azure
Sentinel, ELK stack, Splunk, Humio etc.
Exchange the early signals without sharing CTI (sigma is not CTI)
Use ATT&CK for Linux + experimental attack4cvc tags
How can I help:
Sigma training, uncoder, attack4cvc as open-source project, getting Threat
Bounty researchers aligned behind it.
21. One Rule to improve all your Sigma rules
Status
Stable: the rule is considered stable and may be used in production systems or dashboards.
Test: an almost stable rule that possibly could require some fine tuning.
Experimental: an experimental rule that could lead to false results or be noisy, but could also identify
interesting events.
Severity (Level in Sigma)
Critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
High: Relevant event that should trigger an internal alert and requires a prompt review.
Medium: Relevant event that should be reviewed manually on a more frequent basis.
Low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or in combination
with others. Immediate reaction shouldn't be necessary, but a regular review is recommended.
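As an added example (not code from the talk or from SOC Prime), here is how a VSOC could enforce the Status and Level definitions above when onboarding Sigma rules: status decides where a rule's hits go, level decides how fast an analyst must look, and tags are checked against the `attack.` namespace plus the experimental `attack4cvc.` namespace mentioned earlier. The rule is a constructed sample written as a Python dict so the script runs without PyYAML; the downgrade of experimental/critical to a prompt rather than immediate review is an assumed policy choice, not part of the Sigma spec.

```python
# Added example: route Sigma rules into VSOC workflows by status and level.
from dataclasses import dataclass

STATUSES = {"stable", "test", "experimental"}
LEVELS = {"critical", "high", "medium", "low"}
# attack4cvc is the experimental connected-vehicle tag namespace from the talk.
TAG_PREFIXES = ("attack.", "attack4cvc.")

# Constructed sample rule; detection logic is deliberately simple, the metadata is the point.
SAMPLE_RULE = {
    "title": "Diagnostic session opened on CAN from the head unit",
    "status": "test",
    "level": "high",
    "tags": ["attack.lateral_movement", "attack4cvc.can_bus"],
    "logsource": {"product": "vehicle", "service": "can_gateway"},
    "detection": {"selection": {"src_node": "head_unit", "uds_service": "DiagnosticSessionControl"},
                  "condition": "selection"},
}

@dataclass
class Routing:
    destination: str  # where the rule's matches land
    review: str       # how fast an analyst must look at a hit

def validate(rule: dict) -> list:
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    if rule.get("status") not in STATUSES:
        problems.append(f"status must be one of {sorted(STATUSES)}")
    if rule.get("level") not in LEVELS:
        problems.append(f"level must be one of {sorted(LEVELS)}")
    bad = [t for t in rule.get("tags", []) if not t.startswith(TAG_PREFIXES)]
    if bad:
        problems.append(f"unknown tag namespace: {bad}")
    return problems

def route(rule: dict) -> Routing:
    """Map status to a destination and level to a review cadence per the definitions above."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    dest = {"stable": "production-alerting", "test": "dashboard",
            "experimental": "hunting-queue"}[rule["status"]]
    review = {"critical": "immediate", "high": "prompt",
              "medium": "frequent-manual", "low": "regular"}[rule["level"]]
    # Assumed policy: an experimental rule may be noisy, so it never pages on-call immediately.
    if rule["status"] == "experimental" and review == "immediate":
        review = "prompt"
    return Routing(dest, review)

if __name__ == "__main__":
    print(route(SAMPLE_RULE))
```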
22. Do not connect aftermarket Head Unit to CAN bus
Use Sigma Level and Status
Stay safe
Thank you