Andy Piazza | @klrgrz | /in/andypiazza/
https://medium.com/@andy.c.piazza/whoami-a5410956fffb
https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/39090
ATT&CKing Threat Management:
A Structured Methodology for
Cyber Threat Analysis
whoami
▪ Chief Evangelist for phia LLC
▪ CyberThreat Analyst with previous experience in
counter-terrorism and counter-narcotics
▪ Passionate about information sharing, team
building, and problem solving
▪ SANS Master of Science in Information Security
Engineering student
@klrgrz
https://www.linkedin.com/in/andypiazza/
#doorkickingtokeyboardclicking
Objectives
▪ Develop a research methodology using the MITRE ATT&CK framework that informs
resource management
– After this presentation, you will:
▪ Know how to implement ATT&CK as a quantitative data model
▪ Observe how ATT&CK can inform decisions at the strategic, operational, and tactical levels
▪ See the top ten reported threat actor techniques
Prioritized Resource Management
▪ Organizations have limited resources and a world of threats to assess and prioritize
▪ Without effective threat management prioritization, organizations:
– Cannot protect against the most likely threat vectors and actors
– Cannot implement an informed defense-in-depth (DiD) strategy
▪ How do we definitively answer questions like:
– What are the latest threat actor techniques?
– What logs should we collect?
– What hunts should we prioritize?
ATT&CK Framework Introduction
(Figure: the ATT&CK hierarchy of Tactics, Techniques, and Procedures, illustrated with the Spearphishing Attachment technique)
A Structured Methodology
▪ Structured methodology:
– Collect – publicly available threat reporting that discusses specific threat activity
– Catalog – threat reporting into Airtable using the ATT&CK techniques as multi-select values
– Assess – the trends in the ATT&CK techniques observed across the body of reporting
– Act – by informing resource management prioritization
▪ Research objectives
– Collect a large volume of threat reports to identify trends in observed ATT&CK techniques
– Develop metrics and visualizations based on the categorized ATT&CK data
– Propose examples of prioritized actions that organizations could take based on these results
Collect: Scope of Collection
▪ Report collection was limited by the following considerations
– Publicly available (no paywalls or login required)
– Describes threat actor activity (attributed or non-attributed) against a target
– Original/source reporting (no articles based on another researcher's report)
– No academic or proof-of-concept attacks
▪ Collection process
– Logged reports into a database created using Airtable
– Captured source URL for future reference
Catalog: Processing Report Details
▪ Data Model
– Airtable spreadsheet configured to track report details (Title, Author, Date, etc.)
– 11 columns for Tactics with their corresponding Techniques as multi-select fields
▪ Processing Reports
– Reviewed reports to determine which Techniques are described by the researcher
– A few researchers adopted ATT&CK in their reports starting in 2018
ATT&CK Extraction from TA17-117A into the ATT&CK Tracker
Catalog: Database Creation
▪ A mix of manual and automated processing
1. Exported the framework techniques from Navigator
2. Imported spreadsheet into Airtable
3. Changed the field type to Multiple Select
4. Airtable converted the existing values into multiple choice options
Catalog: ATT&CK Tracker in Airtable
Assess: Analytical Findings
▪ By the numbers:
– 22 unique sources
– 50 reports processed
– 122 unique Techniques
– 613 total categorizations
– 41 threat actors
– 2012 earliest report date
RANK  TECHNIQUE                              COUNT
 1.   Registry Run Keys / Startup Folder       23
 2.   Standard Application Layer Protocol      22
 3.   Spearphishing Attachment                 21
 4.   PowerShell                               20
 5.   Commonly Used Port                       19
 6.   Obfuscated Files or Information          19
 7.   Command-Line Interface                   18
 8.   System Information Discovery             17
 9.   File and Directory Discovery             15
10.   Remote File Copy                         14
11.   Scripting                                14
(Top "Ten" Reported Techniques: eleven rows, because Remote File Copy and Scripting tie at 14 reports)
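The Catalog and Assess steps above amount to a small data model and two aggregations over it. The following is an added example, not the author's Airtable base or code: it constructs four sample tracker records shaped like the deck's data model (report metadata plus, per Tactic column, the Techniques chosen in that column's multi-select field), computes the "by the numbers" metrics, and ranks techniques the way the deck's table does, keeping ties at the cut line so a "top ten" can run past ten rows. Report titles, sources, dates and actor names are constructed placeholders.

```python
from collections import Counter
from datetime import date
from itertools import chain

# Constructed sample tracker (added example data, not the author's Airtable base). Each dict is one
# Airtable record: report metadata plus, per Tactic column, the Techniques chosen in that column's
# multi-select field. "actor" is blank for non-attributed reporting.
TRACKER = [
    {"title": "Report 1", "source": "Vendor A", "date": date(2017, 4, 27), "actor": "Actor X",
     "techniques": {"Persistence": ["Registry Run Keys / Startup Folder"],
                    "Execution": ["PowerShell", "Command-Line Interface"],
                    "Command and Control": ["Standard Application Layer Protocol"]}},
    {"title": "Report 2", "source": "Vendor B", "date": date(2016, 9, 1), "actor": "Actor Y",
     "techniques": {"Initial Access": ["Spearphishing Attachment"],
                    "Execution": ["PowerShell", "Scripting"],
                    "Defense Evasion": ["Obfuscated Files or Information"],
                    "Command and Control": ["Commonly Used Port"]}},
    {"title": "Report 3", "source": "Vendor A", "date": date(2018, 2, 14), "actor": "",
     "techniques": {"Initial Access": ["Spearphishing Attachment"],
                    "Execution": ["PowerShell"],
                    "Discovery": ["System Information Discovery",
                                  "File and Directory Discovery"],
                    "Command and Control": ["Standard Application Layer Protocol",
                                            "Commonly Used Port"]}},
    {"title": "Report 4", "source": "CERT C", "date": date(2012, 11, 5), "actor": "Actor X",
     "techniques": {"Persistence": ["Registry Run Keys / Startup Folder"],
                    "Execution": ["Command-Line Interface"],
                    "Lateral Movement": ["Remote File Copy"]}},
]


def technique_counts(rows):
    """Number of reports describing each technique. A multi-select field can only hold a
    technique once per record, so the per-row set() just guards against duplicated rows."""
    per_report = (set(chain.from_iterable(row["techniques"].values())) for row in rows)
    return Counter(chain.from_iterable(per_report))


def by_the_numbers(rows):
    """The summary metrics the deck reports for its body of reporting."""
    counts = technique_counts(rows)
    return {
        "unique_sources": len({r["source"] for r in rows}),
        "reports": len(rows),
        "unique_techniques": len(counts),
        "total_categorizations": sum(counts.values()),   # one per report/technique pair
        "threat_actors": len({r["actor"] for r in rows if r["actor"]}),
        "earliest_report": min(r["date"] for r in rows),
    }


def top_techniques(rows, n=10):
    """Rank techniques by report count (ties broken alphabetically) and keep every technique
    whose count equals the n-th entry's. A tie at the cut line is why a 'top ten' list can
    legitimately run to eleven rows, as the deck's does at 14 reports."""
    ranked = sorted(technique_counts(rows).items(), key=lambda kv: (-kv[1], kv[0]))
    if len(ranked) > n:
        cutoff = ranked[n - 1][1]
        ranked = [kv for kv in ranked if kv[1] >= cutoff]
    return [(i + 1, name, count) for i, (name, count) in enumerate(ranked)]


if __name__ == "__main__":
    for key, value in by_the_numbers(TRACKER).items():
        print(f"{key:>22}: {value}")
    print("\nRANK  COUNT  TECHNIQUE")
    for rank, name, count in top_techniques(TRACKER, n=3):
        print(f"{rank:>4}. {count:>5}  {name}")
```

Counting reports per technique rather than raw mentions is what keeps the metric honest: a single long report that names PowerShell five times still counts once, which matches how a multi-select field records it.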
Assess: Visibility vs. Capability
▪ Visibility gained through defense-in-depth (DiD) map of enterprise environments
– Notional Inc. DiD map was created as an example enterprise map for this research
– Techniques are mapped based on the organization’s ability to detect and hunt for threats
▪ Threat actor capability map identifies which techniques actors used
GREEN = SOC monitoring
YELLOW = Can’t monitor, can hunt
GREY = in 20+ reports
PURPLE = in 10-20 reports
Assess: Visibility vs. Capability Overlay
Act
▪ Strategic Level:
– Assess security architecture for sensor relocation and additions to increase visibility
– Schedule funds and projects to purchase new security appliances
▪ Operational Level
– Prioritize alerts by technique type (e.g. in the Top Ten)
– Assess processes concerning specific techniques to ensure procedures are adequate for
mitigation
▪ Tactical Level
– Execute threat hunts based on the Top Ten Techniques list, newly observed techniques, etc.
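The Visibility vs. Capability overlay and the Act slide together describe a routing rule: a frequently reported technique goes to the strategic list if nothing can see it, to the tactical hunt backlog if the telemetry exists but no alert fires, and to operational alert tuning if the SOC already monitors it. The following is an added example, not the author's code or Notional Inc. map: the report counts come from the deck's table (plus one low-count technique, Credential Dumping, with a constructed count so the cut line is exercised), and the visibility map is constructed to follow the deck's legend.

```python
# Report counts per technique, taken from the deck's "Top Ten" table, plus one low-count technique
# (Credential Dumping, count constructed for this example) so the cut line is exercised.
REPORT_COUNTS = {
    "Registry Run Keys / Startup Folder": 23,
    "Standard Application Layer Protocol": 22,
    "Spearphishing Attachment": 21,
    "PowerShell": 20,
    "Commonly Used Port": 19,
    "Obfuscated Files or Information": 19,
    "Command-Line Interface": 18,
    "System Information Discovery": 17,
    "File and Directory Discovery": 15,
    "Remote File Copy": 14,
    "Scripting": 14,
    "Credential Dumping": 9,
}

# Notional defense-in-depth map (constructed, not the deck's). Values follow the deck's legend:
# "monitor" = SOC alerts on it (green), "hunt" = no alert rule but the telemetry exists to hunt in
# (yellow). Techniques absent from the map have no visibility at all.
VISIBILITY = {
    "Registry Run Keys / Startup Folder": "hunt",      # registry telemetry collected, no rule
    "Standard Application Layer Protocol": "monitor",  # proxy logs in the SIEM with alerting
    "Spearphishing Attachment": "monitor",             # mail gateway alerts
    "PowerShell": "hunt",                              # script block logs collected, no rule
    "Commonly Used Port": "monitor",
    "Command-Line Interface": "hunt",
    "Credential Dumping": "monitor",
}


def capability_tier(count):
    """Shade a technique the way the deck's capability map does."""
    if count >= 20:
        return "GREY"      # in 20+ reports
    if count >= 10:
        return "PURPLE"    # in 10-19 reports (the deck's "10-20")
    return None            # not shaded


def overlay(counts, visibility):
    """Join the capability map with the visibility map, most-reported technique first."""
    return [
        {"technique": t, "count": c, "tier": capability_tier(c), "visibility": visibility.get(t)}
        for t, c in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


def plan_actions(counts, visibility, min_reports=10):
    """Turn the overlay into the three action lists from the 'Act' slide. Everything below
    min_reports is deferred; the rest is routed by what the enterprise can already see."""
    plan = {"strategic": [], "operational": [], "tactical": [], "deferred": []}
    for row in overlay(counts, visibility):
        if row["count"] < min_reports:
            plan["deferred"].append(row["technique"])
        elif row["visibility"] is None:
            plan["strategic"].append(row["technique"])    # frequent, unseen: sensor/appliance work
        elif row["visibility"] == "hunt":
            plan["tactical"].append(row["technique"])     # telemetry exists: schedule a hunt
        else:
            plan["operational"].append(row["technique"])  # already alerting: prioritize those alerts
    return plan


def blind_share(counts, visibility):
    """Fraction of all categorizations that land on techniques with no visibility; one number for
    the strategic-level conversation about where new sensors buy the most coverage."""
    total = sum(counts.values())
    unseen = sum(c for t, c in counts.items() if visibility.get(t) is None)
    return unseen / total if total else 0.0


if __name__ == "__main__":
    for row in overlay(REPORT_COUNTS, VISIBILITY):
        print(f"{row['count']:>3}  {str(row['tier']):<7} {str(row['visibility']):<8} {row['technique']}")
    for level, techniques in plan_actions(REPORT_COUNTS, VISIBILITY).items():
        print(f"\n{level}: {', '.join(techniques) or '-'}")
    print(f"\nshare of reporting with no visibility: {blind_share(REPORT_COUNTS, VISIBILITY):.0%}")
```

The deck's legend puts a count of 20 in both the "20+" and "10-20" bands; the example resolves that by treating 20 as grey. The `blind_share` figure is the number to bring to the strategic discussion: with the constructed map above, roughly 37% of all categorizations fall on techniques nothing in the enterprise can see.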
Future Research
▪ Increased visualization research
– Technique usage by actor, including first-seen milestones
– Heat map development within threat intelligence platforms (TIP)
▪ Greater adoption of ATT&CK in threat reporting
– Technique-to-IOC tables decrease the amount of time it takes to consume intelligence
– Greater adoption leads to improved automation during ingest of reports into a TIP
▪ Mature the technique descriptions
– Infosec community must contribute threat hunting techniques, detection signatures, and
other blue-team centric input into the ATT&CK framework website
Summary
▪ Threat management is a critical component of effective enterprise security and
resource management
▪ Categorizing threat reporting using ATT&CK is essential to understanding threat
actor capabilities
▪ ATT&CK should be a critical requirement for security appliances and threat
intelligence platforms
“Without data, you're just another person with an opinion.”
―W. Edwards Deming
Key Resources & Acknowledgments
▪ Huge Hat/Tip to the MITRE ATT&CK Team for their hard work
▪ Another H/T to the teams like FireEye that included the ATT&CK tables in reports
▪ To stay up-to-date on ATT&CK progress, follow their blog at
https://medium.com/mitre-attack
▪ For more of my writing, my blog is at https://medium.com/@andy.c.piazza

More Related Content

What's hot

CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleSam Bowne
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponsePriyanka Aash
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
Open Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationOpen Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationChristopher Ensey
 
Automatically Repairing Web Application Firewalls based on Successful SQL Inj...
Automatically Repairing Web Application Firewalls based on Successful SQL Inj...Automatically Repairing Web Application Firewalls based on Successful SQL Inj...
Automatically Repairing Web Application Firewalls based on Successful SQL Inj...Lionel Briand
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)Sam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementSam Bowne
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: IntroductionSam Bowne
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and TestingSam Bowne
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)Sam Bowne
 
IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)stelligence
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramSam Bowne
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)Sam Bowne
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at ScaleRaffael Marty
 

What's hot (20)

CNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life CycleCNIT 160: Ch 3c: The Risk Management Life Cycle
CNIT 160: Ch 3c: The Risk Management Life Cycle
 
Cloud Breach – Preparation and Response
Cloud Breach – Preparation and ResponseCloud Breach – Preparation and Response
Cloud Breach – Preparation and Response
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)CNIT 160: 3. Information Risk Management (Part 4)
CNIT 160: 3. Information Risk Management (Part 4)
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
Open Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationOpen Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 Presentation
 
Automatically Repairing Web Application Firewalls based on Successful SQL Inj...
Automatically Repairing Web Application Firewalls based on Successful SQL Inj...Automatically Repairing Web Application Firewalls based on Successful SQL Inj...
Automatically Repairing Web Application Firewalls based on Successful SQL Inj...
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)CNIT 160 4b: Security Program Management (Part 2)
CNIT 160 4b: Security Program Management (Part 2)
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
CNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk ManagementCNIT 160: Ch 3d: Operational Risk Management
CNIT 160: Ch 3d: Operational Risk Management
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)CNIT 160 Ch 4 Information Security Program Development (Part 3)
CNIT 160 Ch 4 Information Security Program Development (Part 3)
 
IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a ProgramCNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
 
CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)CNIT 160 Ch 4c: Security Program Development (Part 3)
CNIT 160 Ch 4c: Security Program Development (Part 3)
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 

Similar to ATT&CKing Threat Management

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Observability for Application Developers (1)-1.pptx
Observability for Application Developers (1)-1.pptxObservability for Application Developers (1)-1.pptx
Observability for Application Developers (1)-1.pptxOpsTree solutions
 
How to apply machine learning into your CI/CD pipeline
How to apply machine learning into your CI/CD pipelineHow to apply machine learning into your CI/CD pipeline
How to apply machine learning into your CI/CD pipelineAlon Weiss
 
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...AgileNetwork
 
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsGSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsDavid Sweigert
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Production Monitoring Platform
Production Monitoring PlatformProduction Monitoring Platform
Production Monitoring PlatformAriel Smoliar
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
project planning-estimation
project planning-estimationproject planning-estimation
project planning-estimationReetesh Gupta
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Lego-like building blocks of Storm and Spark Streaming Pipelines
Lego-like building blocks of Storm and Spark Streaming PipelinesLego-like building blocks of Storm and Spark Streaming Pipelines
Lego-like building blocks of Storm and Spark Streaming PipelinesDataWorks Summit/Hadoop Summit
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Chapter 1 introduction to-information_security
Chapter 1   introduction to-information_securityChapter 1   introduction to-information_security
Chapter 1 introduction to-information_securitySyaiful Ahdan
 
The differing ways to monitor and instrument
The differing ways to monitor and instrumentThe differing ways to monitor and instrument
The differing ways to monitor and instrumentJonah Kowall
 
Best Practices in Software Cost Estimation - Metrikon 2015 - Frank Vogelezang
Best Practices in Software Cost Estimation - Metrikon 2015 - Frank VogelezangBest Practices in Software Cost Estimation - Metrikon 2015 - Frank Vogelezang
Best Practices in Software Cost Estimation - Metrikon 2015 - Frank VogelezangFrank Vogelezang
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 Englishguest5bd7a1
 

Similar to ATT&CKing Threat Management (20)

Technology Readiness
Technology ReadinessTechnology Readiness
Technology Readiness
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Observability for Application Developers (1)-1.pptx
Observability for Application Developers (1)-1.pptxObservability for Application Developers (1)-1.pptx
Observability for Application Developers (1)-1.pptx
 
How to apply machine learning into your CI/CD pipeline
How to apply machine learning into your CI/CD pipelineHow to apply machine learning into your CI/CD pipeline
How to apply machine learning into your CI/CD pipeline
 
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
 
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsGSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
 
Production Monitoring Platform
Production Monitoring PlatformProduction Monitoring Platform
Production Monitoring Platform
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
project planning-estimation
project planning-estimationproject planning-estimation
project planning-estimation
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Lego-like building blocks of Storm and Spark Streaming Pipelines
Lego-like building blocks of Storm and Spark Streaming PipelinesLego-like building blocks of Storm and Spark Streaming Pipelines
Lego-like building blocks of Storm and Spark Streaming Pipelines
 
Hakkache mohamed 202111
Hakkache mohamed 202111Hakkache mohamed 202111
Hakkache mohamed 202111
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Acquisition Update
Acquisition UpdateAcquisition Update
Acquisition Update
 
Chapter 1 introduction to-information_security
Chapter 1   introduction to-information_securityChapter 1   introduction to-information_security
Chapter 1 introduction to-information_security
 
The differing ways to monitor and instrument
The differing ways to monitor and instrumentThe differing ways to monitor and instrument
The differing ways to monitor and instrument
 
Best Practices in Software Cost Estimation - Metrikon 2015 - Frank Vogelezang
Best Practices in Software Cost Estimation - Metrikon 2015 - Frank VogelezangBest Practices in Software Cost Estimation - Metrikon 2015 - Frank Vogelezang
Best Practices in Software Cost Estimation - Metrikon 2015 - Frank Vogelezang
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 English
 

Recently uploaded

RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhijennyeacort
 
Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 2Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 217djon017
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一F sss
 
Generative AI for Social Good at Open Data Science East 2024
Generative AI for Social Good at Open Data Science East 2024Generative AI for Social Good at Open Data Science East 2024
Generative AI for Social Good at Open Data Science East 2024Colleen Farrelly
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanMYRABACSAFRA2
 
ASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel CanterASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel Cantervoginip
 
Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...
Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...
Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...Thomas Poetter
 
Defining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data StoryDefining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data StoryJeremy Anderson
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxMike Bennett
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...Amil Baba Dawood bangali
 
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI
LLMs, LMMs, their Improvement Suggestions and the Path towards AGILLMs, LMMs, their Improvement Suggestions and the Path towards AGI
LLMs, LMMs, their Improvement Suggestions and the Path towards AGIThomas Poetter
 
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Boston Institute of Analytics
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改yuu sss
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDRafezzaman
 
Vision, Mission, Goals and Objectives ppt..pptx
Vision, Mission, Goals and Objectives ppt..pptxVision, Mission, Goals and Objectives ppt..pptx
Vision, Mission, Goals and Objectives ppt..pptxellehsormae
 
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degreeyuu sss
 
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Conf42-LLM_Adding Generative AI to Real-Time Streaming PipelinesConf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Conf42-LLM_Adding Generative AI to Real-Time Streaming PipelinesTimothy Spann
 
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档208367051
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort servicejennyeacort
 

Recently uploaded (20)

RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
 
Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 2Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 2
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
 
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
 
Generative AI for Social Good at Open Data Science East 2024
Generative AI for Social Good at Open Data Science East 2024Generative AI for Social Good at Open Data Science East 2024
Generative AI for Social Good at Open Data Science East 2024
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population Mean
 
ASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel CanterASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel Canter
 
Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...
Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...
Minimizing AI Hallucinations/Confabulations and the Path towards AGI with Exa...
 
Defining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data StoryDefining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data Story
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptx
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
 
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI
LLMs, LMMs, their Improvement Suggestions and the Path towards AGILLMs, LMMs, their Improvement Suggestions and the Path towards AGI
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI
 
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
 
Vision, Mission, Goals and Objectives ppt..pptx
Vision, Mission, Goals and Objectives ppt..pptxVision, Mission, Goals and Objectives ppt..pptx
Vision, Mission, Goals and Objectives ppt..pptx
 
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
毕业文凭制作#回国入职#diploma#degree澳洲中央昆士兰大学毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#degree
 
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Conf42-LLM_Adding Generative AI to Real-Time Streaming PipelinesConf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
 
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
 

ATT&CKing Threat Management

  • 1. Andy Piazza | @klrgrz | /in/andypiazza/
    https://medium.com/@andy.c.piazza/whoami-a5410956fffb
    https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/39090
    ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis
  • 2. whoami
    ▪ Chief Evangelist for phia LLC
    ▪ Cyber Threat Analyst with previous experience in counter-terrorism and counter-narcotics
    ▪ Passionate about information sharing, team building, and problem solving
    ▪ SANS Master of Science in Information Security Engineering student
    @klrgrz
    https://www.linkedin.com/in/andypiazza/
    #doorkickingtokeyboardclicking
  • 3. Objectives
    ▪ Develop a research methodology using the MITRE ATT&CK framework that informs resource management
      – After this presentation, you will:
        ▪ Know how to implement ATT&CK as a quantitative data model
        ▪ Observe how ATT&CK can inform decisions at the strategic, operational, and tactical levels
        ▪ See the top ten reported threat actor techniques
  • 4. Prioritized Resource Management
    ▪ Organizations have limited resources and a world of threats to assess and prioritize
    ▪ Without effective threat management prioritization, organizations:
      – Cannot protect against the most likely threat vectors and actors
      – Cannot implement an informed defense-in-depth (DiD) strategy
    ▪ How do we definitively answer questions like:
      – What are the latest threat actor techniques?
      – What logs should we collect?
      – What hunts should we prioritize?
  • 6. A Structured Methodology
    ▪ Structured methodology:
      – Collect – publicly available threat reporting that discusses specific threat activity
      – Catalog – threat reporting into Airtable using the ATT&CK techniques as multi-select values
      – Assess – the trends in the ATT&CK techniques observed across the body of reporting
      – Act – by informing resource management prioritization
    ▪ Research objectives
      – Collect a large volume of threat reports to identify trends in observed ATT&CK techniques
      – Develop metrics and visualizations based on the categorized ATT&CK data
      – Propose examples of prioritized actions that organizations could take based on these results
  • 7. Collect: Scope of Collection
    ▪ Report collection was limited by the following considerations
      – Publicly available (no paywalls or login required)
      – Describes threat actor activity (attributed or non-attributed) against a target
      – Original/source reporting (no articles based on another researcher's report)
      – No academic or proof-of-concept attacks
    ▪ Collection process
      – Logged reports into a database created using Airtable
      – Captured source URL for future reference
  • 8. Catalog: Processing Report Details
    ▪ Data Model
      – Airtable spreadsheet configured to track report details (Title, Author, Date, etc.)
      – 11 columns for Tactics with their corresponding Techniques as multi-select fields
    ▪ Processing Reports
      – Reviewed reports to determine which Techniques are described by the researcher
      – A few researchers adopted ATT&CK in their reports starting in 2018
    (Figure: ATT&CK Extraction from TA17-117A into the ATT&CK Tracker)
  • 9. Catalog: Database Creation
    ▪ A mix of manual and automated processing
      1. Exported the framework techniques from Navigator
      2. Imported spreadsheet into Airtable
      3. Changed the field type to Multiple Select
      4. Airtable converted the existing values into multiple choice options
  • 10. Catalog: ATT&CK Tracker in Airtable
  • 11. Assess: Analytical Findings
    ▪ By the numbers:
      – 22 unique sources
      – 50 reports processed
      – 122 unique Techniques
      – 613 total categorizations
      – 41 threat actors
      – 2012 earliest report date
    (Top “Ten” Reported Techniques)
    RANK  TECHNIQUE                             COUNT
    1.    Registry Run Keys / Startup Folder    23
    2.    Standard Application Layer Protocol   22
    3.    Spearphishing Attachment              21
    4.    PowerShell                            20
    5.    Commonly Used Port                    19
    6.    Obfuscated Files or Information       19
    7.    Command-Line Interface                18
    8.    System Information Discovery          17
    9.    File and Directory Discovery          15
    10.   Remote File Copy                      14
    11.   Scripting                             14
  • 12. Assess: Visibility vs. Capability
    ▪ Visibility gained through a defense-in-depth (DiD) map of the enterprise environment
      – The Notional Inc. DiD map was created as an example enterprise map for this research
      – Techniques are mapped based on the organization’s ability to detect and hunt for threats
    ▪ The threat actor capability map identifies which techniques actors used
    GREEN = SOC monitoring
    YELLOW = Can’t monitor, can hunt
    GREY = in 20+ reports
    PURPLE = in 10-20 reports
  • 13. Assess: Visibility vs. Capability Overlay
  • 14. Act
    ▪ Strategic Level:
      – Assess security architecture for sensor relocation and additions to increase visibility
      – Schedule funds and projects to purchase new security appliances
    ▪ Operational Level
      – Prioritize alerts by technique type (e.g. in the Top Ten)
      – Assess processes concerning specific techniques to ensure procedures are adequate for mitigation
    ▪ Tactical Level
      – Execute threat hunts based on the Top Ten Techniques list, newly observed techniques, etc.
  • 15. Future Research
    ▪ Increased visualization research
      – Technique usage by actor, including first-seen milestones
      – Heat map development within threat intelligence platforms (TIP)
    ▪ Greater adoption of ATT&CK in threat reporting
      – Technique-to-IOC tables decrease the amount of time it takes to consume intelligence
      – Greater adoption leads to improved automation during ingest of reports into a TIP
    ▪ Mature the technique descriptions
      – The infosec community must contribute threat hunting techniques, detection signatures, and other blue-team-centric input to the ATT&CK framework website
  • 16. Summary
    ▪ Threat management is a critical component of effective enterprise security and resource management
    ▪ Categorizing threat reporting using ATT&CK is essential to understanding threat actor capabilities
    ▪ ATT&CK should be a critical requirement for security appliances and threat intelligence platforms
    “Without data, you're just another person with an opinion.” ―W. Edwards Deming
  • 17. Key Resources & Acknowledgments
    ▪ Huge hat tip to the MITRE ATT&CK Team for their hard work
    ▪ Another H/T to the teams like FireEye that included the ATT&CK tables in reports
    ▪ To stay up-to-date on ATT&CK progress, follow their blog at https://medium.com/mitre-attack
    ▪ For more of my writing, my blog is at https://medium.com/@andy.c.piazza

Editor's Notes

  1. Chief Evangelist for phia LLC. Cyber Threat Analyst with previous experience in counter-terrorism and counter-narcotics. Passionate about information sharing, team building, and problem solving. SANS Master of Science in Information Security Engineering student. Years ago, I was a combat MP looking to get out of the Army and decided I wanted to do intelligence, because that just sounds cool. I earned a Bachelor's and then a Master's in Intelligence Studies and eventually made my way into cyber threat analysis. I was so excited to hit the ground running with all of the cool analytical methodologies that my degree stressed. What did I find when I first got into the role? There wasn’t a lot of structure nor repeatable methodology in cyber analysis for most organizations. So I set out on a goal of developing trainable, measurable, and repeatable processes for threat analysis. With the emergence of ATT&CK onto the scene, developing a process around categorizing threat reporting was the next logical project for me. This research is the culmination of about 18 months of watching the ATT&CK community grow, testing in-house Microsoft Access databases that I used to triage threat reporting, and waiting for adoption in common threat intelligence platforms (TIP). Social media: @klrgrz https://www.linkedin.com/in/andypiazza/
  2. Thesis: By leveraging the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats. It can be translated to say that I used the ATT&CK framework as a metadata layer to look at threat reporting at a macro level rather than a micro level. The theory here is that categorizing a large data set of threat activity using ATT&CK can lead to critical intelligence for decision making. Research objectives: collect a large volume of threat reports to identify trends in observed ATT&CK techniques; develop metrics and visualizations based on the categorized ATT&CK data; propose examples of prioritized actions that organizations could take based on these results.
  3. Quite a few organizations are applying ATT&CK as actor playbooks or to categorize activity in individual threat reports. As a threat analyst, I wanted to know which TTPs were trending, when techniques were first observed, and which techniques were the most prevalent across multiple incidents by multiple actors. Being able to answer questions like those is crucial to effective resource management, whether that prioritization is in IT assets, which logs to collect, or how human resources are staffed to address specific alerts over others. Using ATT&CK to categorize threat reporting into a threat intelligence platform (TIP) can help answer these questions and drive effective resource management.
  4. MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) framework started in 2013 and is a community effort to maintain. Analysts from around the world contribute by submitting feedback to MITRE for their website. ATT&CK even has its own annual conference where practitioners come together to talk best practices and lessons learned from their experiences incorporating ATT&CK into various use cases. When looking at the ATT&CK Enterprise Matrix, Tactics are listed as column headers with their supporting Techniques listed below them. Each Technique has a hyperlink to a separate page that describes the technique, how threat actors have used it previously, and which actors have used it. This is essentially the Procedures page for the acronym Tactics, Techniques, and Procedures.
  5. To structure the research and analysis, I follow a model that I created a few years ago to describe how I think of data analysis. It is Collect, Catalog, Assess, and Act. For collection, it was critical to me that the reporting was openly available to the world. While I have access to commercial reporting and other restricted sharing platforms, I wanted to ensure that others could pick up the raw data and confirm my analysis. Then I cataloged this reporting in an Airtable spreadsheet. I used the free version of Airtable and it was really easy to set up, which we’ll get into a little later in this presentation. Once I collected a large data set, I could move to the Assess phase to start addressing the questions I presented earlier: what are the top techniques being reported, when was a technique first observed, etc. Then in the Act phase, I propose how the findings in the Assess phase can inform decisions at the strategic, operational, and tactical levels.
  6. Again, the focus here was to collect open source threat reporting that described actual malicious activity. I did not want academic papers on theoretical techniques, and I did not want “reporting about reporting”. If I opened an article that said, “based on researchers from X”, I would immediately stop reading and go find the original researcher's material. This is important to prevent logging the same event multiple times, which could skew the data towards over-representation of specific techniques. Collection sources also varied, from short blogs to full white papers of 100+ pages in some cases. In fact, the reports collected ended up coming from 22 unique sources.
  7. As I mentioned, cataloging was done in an Airtable spreadsheet. I designed it to replicate many of the fields that any decent threat intelligence platform should already collect about a threat report, including the source URL, publish date, title, author, etc. To catalog the techniques, I designed the columns similar to the Enterprise Matrix, with the 11 tactics as separate columns. Lesson learned after processing so many reports: in future versions of this system I would list all techniques under a single TTP column. I spent a bit of time jumping from column to column trying to find the techniques. Thankfully, Airtable has the type-to-search feature in the multi-select fields, but doing that across 11 columns was not efficient. Important admin note: in the middle of this research project, MITRE updated ATT&CK with one new tactic column (Impact) and new techniques. These updates were not included in this research, to avoid losing time re-analyzing nearly 15 threat reports that were already processed. To catalog each report, I had to analyze its wording to identify which Techniques were being described. For most of the ATT&CK techniques this was relatively easy, since I have been a threat analyst for a few years. On the screen here, we see an example of how to identify specific keywords that indicate Techniques: from the US-CERT Technical Alert 17-117A, enumeration of the “system name” becomes “System Information Discovery” (T1082). I read a few hundred articles/reports and processed 50 into the system. Some authors are even using ATT&CK in their reports, which is amazingly helpful for this research and for general understanding of the threat activity. I refer to those tables as the “executive summary for threat analysts” since they give you a very clear picture of what happened in an attack. For example, FireEye used ATT&CK in their Triton blog in 2019 (Miller, Brubaker, Zafra, & Caban, 2019).
In highly dynamic environments, such as a SOC, the immediacy of this threat data in a table is instantly applicable to threat analysis procedures. This is the bulk of the work for this project. A lot of time goes into assessing reports and cataloging them properly into the system. What’s important to note though is that analysts are already having to read these reports and process them into systems as it is. If ATT&CK is added to a TIP, then this process is really only adding one field – or eleven fields if you go with a separate field for each tactic column.
  8. Here is a quick step-by-step for creating the Airtable spreadsheet and auto-populating the columns with the Techniques as multi-select options. Left-to-right view of downloading the spreadsheet, uploading it, and auto-converting the values into drop-down options. I cannot stress enough how useful this last part is: “Existing cell values will be converted into the following multiple-choice options”. Before I found that option, I was manually typing in each technique for the first few columns; when I got frustrated I figured there had to be a better way. A little Google-fu led me to this option. It saved me hours.
  9. Here is a view of the spreadsheet in the background and the record view of a single report on the right. Airtable tracks the activity of the record, so organizations would have traceability to who made changes to a record. This could be helpful if junior analysts are inputting data and senior analysts have a quality assurance process to review records and make changes. As I mentioned on a previous slide, a few researchers adopted ATT&CK in their reports starting in 2018, making those reports very quick to catalog. The MITRE ATT&CK footnotes for each technique and actor are another great source for technique mapping. However, I did not process many of those reports, as I wanted to replicate threat analysts going out to curate reporting across the internet. There is a decent amount of overlap between this research’s collected reports and the references on their website. Resource displayed: Miller, S., Brubaker, N., Zafra, D. K., & Caban, D. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved from FireEye: https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
  10. Now that the hard work is done and everything is cataloged, we can start to look for trends in the data and find ways to apply this new dataset to the organization’s problem sets. Airtable offers the ability to run calculations and visualizations in its paid version, so I opted to export the data to Excel and run metrics for free. The first assessment was identifying the top ten techniques from the reported data. There was a tie for tenth place, so eleven techniques are listed. Overall, I don’t think this list is too surprising. However, I would have guessed that Spearphishing with Attachment or Spearphishing with Link would be in the number one slot. It is interesting that Spearphishing with Link is not on this list even though it is a separate technique in ATT&CK. Besides simply educating ourselves on the most common techniques so we can say interesting things at dinner parties, let's look at how we can apply this data.
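  The metrics behind slides 11 and 15 (technique frequency, the "top ten" with its tie for tenth place, first-seen milestones, and the "by the numbers" summary) are straightforward to compute once the catalog holds one technique column per report. The following is an added example, not the author's spreadsheet or Excel workbook: it works on a constructed six-record catalog (the technique IDs T1060, T1071, T1027, T1057, T1094 and T1082 are the 2019-era IDs the talk uses; T1059 is Command-Line Interface from the same ATT&CK version), uses the single-TTP-column layout the author recommends in hindsight, and drops a second log of the same source URL, which is the "reporting about reporting" double-count the Collect phase guards against.

```python
"""Frequency, first-seen and summary metrics over an ATT&CK-tagged report catalog.

Constructed example (not the talk's real 50-report Airtable data set). Each
record carries the tracker fields the notes describe (source URL, publisher,
publish date) plus one multi-select 'techniques' column.
"""
from collections import Counter

# Constructed sample catalog. Dates are ISO-8601 strings, which compare
# chronologically as plain text, so min() and '<' work without datetime.
CATALOG = [
    {"url": "https://example.org/cert/ta-1", "source": "CERT", "date": "2017-04-27",
     "techniques": ["T1082", "T1071", "T1060"]},
    {"url": "https://example.org/vendor-a/post-1", "source": "VendorA", "date": "2018-03-01",
     "techniques": ["T1060", "T1027", "T1071"]},
    {"url": "https://example.org/vendor-b/post-1", "source": "VendorB", "date": "2016-11-02",
     "techniques": ["T1060", "T1082", "T1059", "T1059"]},   # same tag entered twice
    {"url": "https://example.org/vendor-a/post-2", "source": "VendorA", "date": "2019-04-10",
     "techniques": ["T1027", "T1071", "T1094"]},
    {"url": "https://example.org/cert/ta-2", "source": "CERT", "date": "2015-06-15",
     "techniques": ["T1057", "T1082"]},
    # The same original report logged a second time (e.g. reached via a
    # derivative article): must not be counted twice.
    {"url": "https://example.org/vendor-a/post-1", "source": "VendorA", "date": "2018-03-01",
     "techniques": ["T1060", "T1027", "T1071"]},
]


def dedupe_by_url(catalog):
    """Keep the first record per source URL so one event is logged once."""
    seen, unique = set(), []
    for rec in catalog:
        if rec["url"] not in seen:
            seen.add(rec["url"])
            unique.append(rec)
    return unique


def technique_counts(catalog):
    """Number of reports that describe each technique. A technique tagged twice
    in one report still counts once: one 'categorization' per report."""
    counts = Counter()
    for rec in catalog:
        counts.update(set(rec["techniques"]))
    return counts


def first_seen(catalog):
    """Earliest publish date per technique (the 'first-seen milestone')."""
    earliest = {}
    for rec in catalog:
        for tid in set(rec["techniques"]):
            if tid not in earliest or rec["date"] < earliest[tid]:
                earliest[tid] = rec["date"]
    return earliest


def top_n_with_ties(counts, n=10):
    """Rank by count (ties broken by ID for a stable table). If n-th place is
    tied, every technique sharing that count is kept, which is how the talk's
    'top ten' ends up with eleven rows."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if len(ranked) <= n:
        return ranked
    cutoff = ranked[n - 1][1]
    return [kv for kv in ranked if kv[1] >= cutoff]


def summary_metrics(catalog):
    """The 'by the numbers' figures from the Assess slide."""
    counts = technique_counts(catalog)
    return {
        "unique_sources": len({rec["source"] for rec in catalog}),
        "reports": len(catalog),
        "unique_techniques": len(counts),
        "total_categorizations": sum(counts.values()),
        "earliest_report": min(rec["date"] for rec in catalog),
    }


if __name__ == "__main__":
    catalog = dedupe_by_url(CATALOG)
    print(summary_metrics(catalog))
    seen = first_seen(catalog)
    for rank, (tid, n) in enumerate(top_n_with_ties(technique_counts(catalog), n=4), 1):
        print(f"{rank}. {tid}  {n} reports  (first seen {seen[tid]})")
```

  Two design choices matter for the numbers: deduplicating on the original source URL before counting keeps the per-technique counts honest, and the tie rule means "top ten" is a cutoff on count, not a fixed row limit, so the table can legitimately be longer than ten.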
  11. First, we must put ourselves into an enterprise mindset by considering what our enterprise security protections look like through the lens of ATT&CK. The defense-in-depth map on the left is completely fictitious, for a fake company, “Notional Incorporated”. This notional defense-in-depth (DiD) map is presented to demonstrate the strategic value of threat actor capability maps when applied to an enterprise; its capabilities include a leading Endpoint Detection and Response (EDR) solution, an Intrusion Detection System (IDS), and an email security appliance. Collectively, this notional security stack provides monitoring coverage for the techniques highlighted in green. Yellow denotes where the existing tools provide enough visibility for threat hunting, but where the organization’s visibility is limited. For example, Notional Inc.’s IDS can monitor and alert on HTTP traffic, but it is blind to TLS traffic in this notional environment, so the C2 Tactics are labeled yellow. The Capability Map on the right was developed using the ATT&CK Navigator to color-code techniques using the findings from this research paper. The Techniques highlighted GREY were in 20 or more reports, and the purple Techniques were categorized in reports 10 to 20 times. This heat map enables organizational leaders to visualize the most active threat actor techniques, which leads to educated conversations about prioritization of projects and resources.
  12. The prioritization becomes even clearer when the actor capabilities are overlaid on top of the enterprise visibility map. From Notional Inc.’s map and the real data collected in this project, we can see that the techniques “Registry Run Keys / Startup Folder” (T1060) and “Standard Application Layer Protocol” (T1071) are highly used by threat actors but are difficult to monitor with the currently deployed toolsets. In fact, the Notional Inc. enterprise map provides zero coverage for the technique “Obfuscated Files or Information” (T1027), and the research shows that it is the sixth most popular technique, with 19 reports referencing its usage. “Process Discovery” (T1057) and “Custom Command and Control Protocol” (T1094) are two additional methods that are actively used by threat actors but are not covered by Notional Inc.’s security stack. So we have collected and cataloged a bunch of reporting that is leading to some amazing insights. Now what?
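  The overlay in slides 12 and 13 is a join between two tables: how often each technique shows up in reporting, and how well the current stack sees it. The following added example (not the author's Navigator layer or DiD map) encodes the talk's colour rules (GREY = 20+ reports, PURPLE = 10 to 20, green = SOC monitoring, yellow = hunt-only, no entry = no visibility), turns the join into a prioritized gap list, and emits the capability heat map as an ATT&CK Navigator layer. The counts for T1060, T1071 and T1027 are the talk's figures; the other counts, the whole Notional Inc. coverage table and the hex colours are constructed. The Navigator layer keys (`techniqueID`, `score`, `color`, `comment`, `legendItems`) are written from memory of the layer format and should be checked against the layer-format documentation of the Navigator version in use, which also dictates the version fields a layer must carry.

```python
"""Overlay reported technique frequency on an enterprise visibility map and
emit the capability heat map as an ATT&CK Navigator layer.

Everything except the counts for T1060/T1071/T1027 is constructed.
"""
import json

# Heat-map bands from the talk. Hex values are a constructed choice.
HEAT_COLORS = {"grey": "#999999", "purple": "#8b4fb8"}

# Notional Inc. visibility per technique, as the talk colours the DiD map:
# "monitor" = SOC alerts on it (green), "hunt" = can't monitor, can hunt
# (yellow). A missing key means the stack has no visibility at all.
COVERAGE = {
    "T1059": "monitor",  # Command-Line Interface: EDR
    "T1082": "monitor",  # System Information Discovery: EDR
    "T1083": "hunt",     # File and Directory Discovery
    "T1060": "hunt",     # Registry Run Keys / Startup Folder
    "T1071": "hunt",     # Standard Application Layer Protocol: IDS blind to TLS
    # T1027, T1057, T1094 deliberately absent: zero coverage
}

REPORT_COUNTS = {
    "T1060": 23, "T1071": 22, "T1027": 19,   # figures from the talk
    "T1059": 18, "T1082": 17, "T1083": 15,   # constructed
    "T1057": 8, "T1094": 6,                   # constructed
}

# Lower number = worse visibility. Techniques the SOC already monitors are
# not gaps and never reach the sort.
SEVERITY = {"none": 0, "hunt": 1}


def heat_bucket(count):
    """Map a report count to the talk's heat-map band, or None if below it."""
    if count >= 20:
        return "grey"
    if count >= 10:
        return "purple"
    return None


def coverage_gaps(counts, coverage, min_reports=10):
    """Techniques reported at least min_reports times that the stack cannot
    monitor. Zero-visibility techniques come first (nothing to even hunt
    with), then hunt-only ones; within a band, the most-reported first."""
    gaps = []
    for tid, n in counts.items():
        status = coverage.get(tid)
        if n < min_reports or status == "monitor":
            continue
        gaps.append({"technique": tid, "count": n, "coverage": status or "none"})
    gaps.sort(key=lambda g: (SEVERITY[g["coverage"]], -g["count"]))
    return gaps


def navigator_layer(counts, name="Threat actor capability map"):
    """Build the capability heat map as a Navigator layer dict. Only
    techniques inside a heat band are coloured; the score keeps the raw count
    so the layer can be re-bucketed later without the source data."""
    techniques = []
    for tid, n in sorted(counts.items()):
        bucket = heat_bucket(n)
        if bucket is None:
            continue
        techniques.append({"techniqueID": tid, "score": n,
                           "color": HEAT_COLORS[bucket],
                           "comment": f"in {n} reports"})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Technique frequency across the collected threat reporting",
        "techniques": techniques,
        "legendItems": [
            {"label": "in 20+ reports", "color": HEAT_COLORS["grey"]},
            {"label": "in 10-20 reports", "color": HEAT_COLORS["purple"]},
        ],
    }


if __name__ == "__main__":
    for g in coverage_gaps(REPORT_COUNTS, COVERAGE):
        print(f'{g["technique"]}: {g["count"]} reports, coverage={g["coverage"]}')
    print(json.dumps(navigator_layer(REPORT_COUNTS), indent=2))
```

  The sort order is the one judgment call in the block: a technique the stack cannot see at all (T1027 here) outranks a more frequently reported one that can at least be hunted (T1060), because the first has no mitigation path short of new sensors. Lowering `min_reports` pulls in the less-reported but uncovered T1057 and T1094 the notes call out.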
  13. With this information, the organization is able to make informed decisions and close critical gaps in its coverage of threat actor capabilities. At the strategic level, the organization can realign sensors to provide better coverage of the network and prioritize funding for new resources. At the operational level, leaders prioritize the monitoring and response efforts of the SOC and review the appropriate processes to ensure that their analysts are reviewing the appropriate system logs to assess the alert. The ATT&CK Technique pages even identify which logs may be relevant for each Technique. At the tactical level, threat hunts are prioritized and executed to address commonly observed Techniques, first-reported Techniques and other priorities identified in the data set. Through this research, I demonstrated ATT&CK as a quantitative data model that provides strategic, operational, and tactical intelligence value. This system can prioritize defenses and inform resource management discussions at all levels.
  14. ATT&CK is not going away, and the community continues to add to the body of knowledge regularly. Vendors are incorporating ATT&CK into their data models and using adversary emulation scenarios to rate their products’ ability to detect key adversarial techniques. Specific to this research, I plan to continue to populate my Airtable with new reports as I work them in my day job. I also want to explore building out threat actor playbooks as visualizations similar to Palo Alto Networks’ Unit 42 Playbook View (https://pan-unit42.github.io/playbook_viewer/). Visualizations are not only great for briefing non-threat analysts, but they also help organize technical findings into a logical flow of activity. I am really hopeful that additional threat products will include the Technique-to-IOC correlations. These really do make report consumption a breeze for systems and for the analysts that have to understand that activity. Lastly, I am hopeful that the MITRE ATT&CK website will continue to receive input from the community. Specifically, I would like to see the references on the Technique pages updated to link to the various presentations and blogs that discuss detecting and hunting for those techniques. Information sharing across Blue Teams speeds up the detection process, and MITRE can continue to serve as a community leader by tying together as many resources as possible for defenders.