SlideShare una empresa de Scribd logo

MITRE-Module 3 Slides.pdf

ReZa AdineH
ReZa AdineH

This document discusses mapping raw cyber threat data to the ATT&CK framework. It describes finding behaviors in raw data, researching the behaviors, translating them to ATT&CK tactics, and identifying the relevant ATT&CK techniques. The process includes comparing mappings to other analysts and understanding different types of techniques. An exercise demonstrates mapping behaviors from command line executions and malware analysis to ATT&CK.

Presentaciones y charlas públicas
1 de 23
Descargar para leer sin conexión
Module 3: Mapping to ATT&CK from Raw Data
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
Mapping to ATT&CK from Raw Data ▪ So far, working from intel where activity has already been analyzed ▪ Analysis of techniques/behaviors directly from source data – Likely more information available at the procedure level – Not reinterpreting another analyst’s prose – Greater knowledge/expertise required to interpret intent/tactic ▪ Broad set of possible data can contain behaviors – Shell commands, malware, forensic disk images, packets ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Mapping to ATT&CK 0. Understand ATT&CK 1. Find the behavior 2. Research the behavior 3. Translate the behavior into a tactic 4. Figure out what technique applies to the behavior 5. Compare your results to other analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
ipconfig /all sc.exe ln334656-pc create .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx Commands captured by Sysmon being run interactively via cmd.exe 10.2.13.44:32123 -> 128.29.32.4:443 128.29.32.4:443 -> 10.2.13.44:32123 Flows from malware in a sandbox HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftNetsh New reg keys during an incident 1. Find the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior ▪ Can be similar to analysis of finished reporting for raw data ▪ May require expertise in the specific data type – Network, forensics, malware, Windows cmd line, etc ▪ May require multiple data sources, more context – Additional questions to responders/analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – Can make some educated guesses, but not enough context File analysis: When recycler.exe is executed, it gives the following output: C:recycler.exe RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007 Shareware version Type RAR -? for help – Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx And the file being compressed/encrypted is a Visio diagram, probably exfiltration ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Translate the Behavior into a Tactic ipconfig /all – Specific procedure only mapped to System Network Configuration Discovery – System Network Configuration Discovery -> Discovery ✅ – Seen being run via Sysmon -> Execution .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “vsdx” is Visio data – Moderate confidence Exfiltration, commands around this could make clearer – Seen being run via Sysmon -> Execution ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies ▪ Similar to working with finished reporting we may jump straight here – Procedure may map directly to Technique/Tactic – May have enough experience to compress steps ipconfig /all – Specific procedure in System Network Configuration Discovery (T1016) – Also Command-Line Interface (T1059) .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “a –hp” compresses/encrypts – Appears to be Data Compressed (T1002) and Data Encrypted (T1022) – Also Command-Line Interface (T1059) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Concurrent Techniques ▪ Don’t just think of what’s happening – think of how it’s happening ▪ Certain tactics commonly have concurrent techniques: – Execution – Defense Evasion – Collection ▪ Examples: – Data Compressed + Data Encrypted (2x Exfiltration) – Spearphishing Attachment + User Execution (Initial Access + Execution) – Data from Local System + Email Collection (2x Collection) – Process Discovery + Command-Line Interface (Discovery + Execution) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Different Types of Techniques ▪ Not all techniques are created equal! – Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/ ▪ Some are specific – Rundll32 – Netsh Helper DLL ▪ Some are broad – Scripting – Obfuscated Files or Information ▪ Some capture “how” the behavior occurs – Masquerading – Data Transfer Size Limits – Automated Collection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Compare Your Results to Other Analysts ▪ Same caveats about hedging biases ▪ May need a broader set of skills/experience to work with types of data Analyst 1 Analyst 2 • Packets • Malware/Reversing • Windows command line • Windows Events • Disk forensics • macOS/Linux ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Pros/cons of Mapping from the Two Different Sources Step Raw Finished Find the behavior Nearly everything may be a behavior (not all ATT&CK) May be buried amongst prose, IOCs, etc Research the behavior May need to look at multiple sources, data types. May also be a known procedure May have more info/context, may also have lost detail in writing Translate the behavior into a tactic Have to map to adversary intent, need domain knowledge/expertise Often intent has been postulated by report author Figure out what technique applies to the behavior May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished May be as simple as a text match to description/procedure, or may be too vague to tell Compare your results to other analysts May need multiple analysts to cover all data sources More likely in a form where other analysts needed for coverage/hedge against bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 3: Working with raw data ▪ You’re going to be examining two tickets from a simulated incident ▪ Ticket 473822 – Series of commands interactively executed via cmd.exe on an end system ▪ Ticket 473845 – Pieces of a malware analysis of the primary RAT used in the incident ▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3 ▪ Use whatever to record your results or download and edit ▪ Identify as many behaviors as possible ▪ Annotate the behaviors that are ATT&CK techniques ▪ Please pause. We suggest giving yourself 25 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise Questions ▪ What questions would you have asked of your incident responders? ▪ What was easier/harder than working with finished reporting? ▪ What other types of data do you commonly encounter with behaviors? ▪ Did you notice any behaviors that you couldn’t find a technique for? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473822) ipconfig /all arp -a echo %USERDOMAIN%%USERNAME% tasklist /v sc query systeminfo net group "Domain Admins" /domain net user /domain net group "Domain Controllers" /domain netsh advfirewall show allprofiles netstat -ano System Network Configuration Discovery (T1016) System Network Configuration Discovery (T1016) System Owner / User Discovery (T1033) Process Discovery (T1057) System Service Discovery (T1007) All are Execution - Command-Line Interface (T1059) System Information Discovery (T1082) Permission Groups Discovery (T1069) Account Discovery (T1087) Remote System Discovery (T1018) System Network Configuration Discovery (T1016) System Network Connections Discovery (T1049) Discovery ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473845) C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. UPLOAD file (upload a file server->client) DOWNLOAD file (download a file client->server) SHELL command (runs a command via cmd.exe) PSHELL command (runs a command via powershell.exe) EXEC path (executes a PE at the path given via CreateProcess) SLEEP n (skips n beacons) 10.1.1.1:24123 -> 129.83.44.12:443 129.83.44.12:443 -> 10.1.1.1:24123 Copy C:winspoo1.exe -> C:WindowsSystem32winspool.exe HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunwinspool REG_SZ "C:WindowsSystem32winspool.exe" Execution - Command-Line Interface (T1059) Execution - Powershell (T1086) Execution - Execution through API (T1106) Command and Control - Commonly Used Port (T1043) Command and Control - Data Encoding (T1132) Command and Control - Standard Application Layer Protocol (T1071) Defense Evasion - Masquerading (T1036) Persistence - Registry Run Keys (T1060) Command and Control – Remote File Copy (T1105) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
From Raw Data to Finished Reporting with ATT&CK ▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting ▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context – Allows other analysts to examine the mapping for themselves – Allows much easier capture of how a technique was done ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Finished Reporting Examples During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2. 1. Discovery – System Network Configuration Discovery (T1016) 2. Execution – Command-Line Interface (T1059) System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell. Instead of Appendix C – ATT&CK Techniques ▪ System Network Configuration Discovery ▪ Command-Line Interface ▪ Hardware Additions ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
End of Module 3 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Recomendados

MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Effective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics TechniquesEffective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics Techniquesijtsrd
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
Irm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourIrm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourKasper de Waard
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 

Recomendados

MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Effective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics TechniquesEffective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics Techniquesijtsrd
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
Irm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourIrm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourKasper de Waard
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxduketjoy27252
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationPa Al
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Cysinfo Cyber Security Community
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical HackingIRJET Journal
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksJoseph Holbrook, Chief Learning Officer (CLO)
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...NetworkCollaborators
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagen|u - The Open Security Community
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessPrecisely
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdfReZa AdineH
 

Más contenido relacionado

Similar a MITRE-Module 3 Slides.pdf

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxduketjoy27252
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationPa Al
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Cysinfo Cyber Security Community
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical HackingIRJET Journal
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...NetworkCollaborators
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsLalit Garg
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagen|u - The Open Security Community
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessPrecisely
 

Similar a MITRE-Module 3 Slides.pdf (20)

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathon
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical Hacking
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and Tricks
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data Access
 

Más de ReZa AdineH

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdfReZa AdineH
 
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehCover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehReZa AdineH
 
Next generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehNext generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehReZa AdineH
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReZa AdineH
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehReZa AdineH
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟ReZa AdineH
 
Security monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareSecurity monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareReZa AdineH
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 

Más de ReZa AdineH (9)

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdf
 
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehCover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
 
Next generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehNext generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza Adineh
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
 
Security monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareSecurity monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshare
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 

Último

Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Pooja Nehwal
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalFabian de Rijk
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedDelhi Call girls
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatmentnswingard
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...amilabibi1
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoKayode Fayemi
 

Último (18)

Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
Aesthetic Colaba Mumbai Cst Call girls 📞 7738631006 Grant road Call Girls ❤️-...
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of Drupal
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verifiedSector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
Sector 62, Noida Call girls :8448380779 Noida Escorts | 100% verified
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 

MITRE-Module 3 Slides.pdf

  • 1. Module 3: Mapping to ATT&CK from Raw Data
  • 2. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 3. Mapping to ATT&CK from Raw Data ▪ So far, working from intel where activity has already been analyzed ▪ Analysis of techniques/behaviors directly from source data – Likely more information available at the procedure level – Not reinterpreting another analyst’s prose – Greater knowledge/expertise required to interpret intent/tactic ▪ Broad set of possible data can contain behaviors – Shell commands, malware, forensic disk images, packets ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 4. Process of Mapping to ATT&CK 0. Understand ATT&CK 1. Find the behavior 2. Research the behavior 3. Translate the behavior into a tactic 4. Figure out what technique applies to the behavior 5. Compare your results to other analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 5. ipconfig /all sc.exe ln334656-pc create .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx Commands captured by Sysmon being run interactively via cmd.exe 10.2.13.44:32123 -> 128.29.32.4:443 128.29.32.4:443 -> 10.2.13.44:32123 Flows from malware in a sandbox HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftNetsh New reg keys during an incident 1. Find the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 6. 2. Research the Behavior ▪ Can be similar to analysis of finished reporting for raw data ▪ May require expertise in the specific data type – Network, forensics, malware, Windows cmd line, etc ▪ May require multiple data sources, more context – Additional questions to responders/analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 7. 2. Research the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 8. 2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – Can make some educated guesses, but not enough context File analysis: When recycler.exe is executed, it gives the following output: C:recycler.exe RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007 Shareware version Type RAR -? for help – Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 9. 2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx And the file being compressed/encrypted is a Visio diagram, probably exfiltration ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 10. 3. Translate the Behavior into a Tactic ipconfig /all – Specific procedure only mapped to System Network Configuration Discovery – System Network Configuration Discovery -> Discovery ✅ – Seen being run via Sysmon -> Execution .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “vsdx” is Visio data – Moderate confidence Exfiltration, commands around this could make clearer – Seen being run via Sysmon -> Execution ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 11. 4. Figure Out What Technique Applies ▪ Similar to working with finished reporting we may jump straight here – Procedure may map directly to Technique/Tactic – May have enough experience to compress steps ipconfig /all – Specific procedure in System Network Configuration Discovery (T1016) – Also Command-Line Interface (T1059) .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “a –hp” compresses/encrypts – Appears to be Data Compressed (T1002) and Data Encrypted (T1022) – Also Command-Line Interface (T1059) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 12. 4. Concurrent Techniques ▪ Don’t just think of what’s happening – think of how it’s happening ▪ Certain tactics commonly have concurrent techniques: – Execution – Defense Evasion – Collection ▪ Examples: – Data Compressed + Data Encrypted (2x Exfiltration) – Spearphishing Attachment + User Execution (Initial Access + Execution) – Data from Local System + Email Collection (2x Collection) – Process Discovery + Command-Line Interface (Discovery + Execution) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 13. 4. Different Types of Techniques ▪ Not all techniques are created equal! – Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/ ▪ Some are specific – Rundll32 – Netsh Helper DLL ▪ Some are broad – Scripting – Obfuscated Files or Information ▪ Some capture “how” the behavior occurs – Masquerading – Data Transfer Size Limits – Automated Collection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 14. 5. Compare Your Results to Other Analysts ▪ Same caveats about hedging biases ▪ May need a broader set of skills/experience to work with types of data Analyst 1 Analyst 2 • Packets • Malware/Reversing • Windows command line • Windows Events • Disk forensics • macOS/Linux ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 15. Pros/cons of Mapping from the Two Different Sources Step Raw Finished Find the behavior Nearly everything may be a behavior (not all ATT&CK) May be buried amongst prose, IOCs, etc Research the behavior May need to look at multiple sources, data types. May also be a known procedure May have more info/context, may also have lost detail in writing Translate the behavior into a tactic Have to map to adversary intent, need domain knowledge/expertise Often intent has been postulated by report author Figure out what technique applies to the behavior May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished May be as simple as a text match to description/procedure, or may be too vague to tell Compare your results to other analysts May need multiple analysts to cover all data sources More likely in a form where other analysts needed for coverage/hedge against bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 16. Exercise 3: Working with raw data ▪ You’re going to be examining two tickets from a simulated incident ▪ Ticket 473822 – Series of commands interactively executed via cmd.exe on an end system ▪ Ticket 473845 – Pieces of a malware analysis of the primary RAT used in the incident ▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3 ▪ Use whatever to record your results or download and edit ▪ Identify as many behaviors as possible ▪ Annotate the behaviors that are ATT&CK techniques ▪ Please pause. We suggest giving yourself 25 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 17. Exercise Questions ▪ What questions would you have asked of your incident responders? ▪ What was easier/harder than working with finished reporting? ▪ What other types of data do you commonly encounter with behaviors? ▪ Did you notice any behaviors that you couldn’t find a technique for? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 18. Going Over Exercise 3 (Ticket 473822) ipconfig /all arp -a echo %USERDOMAIN%%USERNAME% tasklist /v sc query systeminfo net group "Domain Admins" /domain net user /domain net group "Domain Controllers" /domain netsh advfirewall show allprofiles netstat -ano System Network Configuration Discovery (T1016) System Network Configuration Discovery (T1016) System Owner / User Discovery (T1033) Process Discovery (T1057) System Service Discovery (T1007) All are Execution - Command-Line Interface (T1059) System Information Discovery (T1082) Permission Groups Discovery (T1069) Account Discovery (T1087) Remote System Discovery (T1018) System Network Configuration Discovery (T1016) System Network Connections Discovery (T1049) Discovery ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 19. Going Over Exercise 3 (Ticket 473845) C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. UPLOAD file (upload a file server->client) DOWNLOAD file (download a file client->server) SHELL command (runs a command via cmd.exe) PSHELL command (runs a command via powershell.exe) EXEC path (executes a PE at the path given via CreateProcess) SLEEP n (skips n beacons) 10.1.1.1:24123 -> 129.83.44.12:443 129.83.44.12:443 -> 10.1.1.1:24123 Copy C:winspoo1.exe -> C:WindowsSystem32winspool.exe HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunwinspool REG_SZ "C:WindowsSystem32winspool.exe" Execution - Command-Line Interface (T1059) Execution - Powershell (T1086) Execution - Execution through API (T1106) Command and Control - Commonly Used Port (T1043) Command and Control - Data Encoding (T1132) Command and Control - Standard Application Layer Protocol (T1071) Defense Evasion - Masquerading (T1036) Persistence - Registry Run Keys (T1060) Command and Control – Remote File Copy (T1105) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 20. From Raw Data to Finished Reporting with ATT&CK ▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting ▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context – Allows other analysts to examine the mapping for themselves – Allows much easier capture of how a technique was done ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 21. Finished Reporting Examples During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2. 1. Discovery – System Network Configuration Discovery (T1016) 2. Execution – Command-Line Interface (T1059) System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell. Instead of Appendix C – ATT&CK Techniques ▪ System Network Configuration Discovery ▪ Command-Line Interface ▪ Hardware Additions ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 22. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 23. End of Module 3 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.