
Don't Boil the Ocean: Using MITRE ATT&CK to Guide Hunting Activity

BSidesSF · 2019 · 31:20 · 704 views · Published 2019-03
Tags: Category Technical · Team Blue · Style Talk

About this talk
As threat hunting becomes a focus for more and more organizations, the abilities of the staff who are being asked to hunt vary greatly. One of the greatest challenges of threat hunting is biting off more than you can chew. Oftentimes, analysts want to "boil the ocean" and hunt without a specific purpose or plan. This talk is focused on using the MITRE ATT&CK framework as the catalyst to assist in building the hypothesis and plan to determine what we should hunt for and how we should build our hypothesis. To make this point, I will use an adversary emulation that we developed at Splunk and show how hunt teams can take the techniques defined in the MITRE ATT&CK framework and apply them to hunts that identify artifacts and indicators and how these initial findings can be fed into a process with ATT&CK to drive additional hunts, enabling hunters to gain more and more insight to better operationalize their findings.
Transcript (en)

So my name is John Stoner, thanks for having me out. We're gonna talk about MITRE ATT&CK, threat hunting activities and a couple of other things today. My organization always asks me to put a disclaimer out there, just in case you decide to make some sort of a decision about getting software or something, so we want to make sure that nobody takes anything I put out there too seriously in terms of futures and stuff. So there's my disclaimer, enjoy. All right, so this is me. I've been doing various cyber activities for the past 20 years. If you're familiar with some stuff within Splunk, I wrote the SA-Investigator app; it was a fun little app I continue to develop today. I do a lot of blogging around hunting and security operations, spent some quality time at a couple of different organizations within the SIEM and threat intel space, and as a personal note, I happen to love the Smiths and all 80s alternative music. That was something one of my colleagues put into the deck and I figured I'd keep it in there.

So today as we're going through this, we're going to cover four high-level areas. We're gonna talk about the what and why do we hunt, we're gonna talk about how MITRE ATT&CK informs us during that hunt, we're going to talk about building hypotheses, because when we start looking at threat hunting we kind of like applying the scientific method to this: building a hypothesis, going ahead and confirming or refuting the hypothesis and going from there, and then looking at what are the things we can take away from our hunts. As we go through, they can get very complicated and very busy; we're trying to simplify some of these things to help people focus and be able to get a meaningful hunt out of it.

So I don't know if anybody knows this gentleman. About a year ago I was looking for a good way to synthesize why do I hunt, and the Twitter fairy came by one day and dropped this right in my feed, and I've kept it ever since because it really epitomizes why we want to hunt, right? If I'm playing whack-a-mole within my organization, I fix that one box, I move on, I'm great, I'm happy, and the adversary essentially goes, I'm good, right? One little foothold down, I got twenty others within the organization. The reason I want to hunt is because I want to go and find those other pieces, and there's other nuggets that are still sitting around my environment, and if all I worry about is the whack-a-mole I'm never gonna find those other things; I'm gonna constantly be playing catch-up.

So the question then becomes, what do we hunt for? Well, like Indiana Jones, we have to think about this from a hunt perspective, going down from there very, very trivial things, and if you guys watched any of the trilogy you recall that he never really found any trivial stuff; we never saw those in the film, right? He always went up to a little bit more of the annoying, the challenging and the tough there. But if you think about it, I collect a hash value, I collect an IP address; those are very, very easy to find. They can have some impact, but it's very easy for the adversary to change those things as well. As I work my way up the stack, finding tools from the adversary, finding TTPs from the adversary, it's very tough for us to find, but they're extremely valuable and it inflicts pain on the adversary in the other direction. So the farther we can go up that stack during our hunts and find more and more of those high-value nuggets, the more impactful we can be, right? So as we talk about these things and start looking at these, let's keep that in mind, but remember: choose, and choose wisely, and think about what happened to the guy who didn't choose wisely.

So we can use MITRE ATT&CK to go ahead and basically get a better idea around the techniques and the tactics that our adversaries are using and use that to inform our hunt. Now, just a quick show of hands here: how many people are familiar with MITRE ATT&CK? Okay, about half, give or take. Okay, so MITRE ATT&CK: Adversarial Tactics, Techniques and Common Knowledge. Basically, what I like to do, and if you actually go to the MITRE ATT&CK site, they'll talk about and show you how it is set up against the Lockheed Martin kill chain, which is that thing down below, but it's really addressing the stuff to the right-hand side, post-exploitation, and post-exploitation within an attacker's kill chain, if you will. There is actually another model out there called PRE-ATT&CK that looks to the stuff to the left of bang, so to speak. Okay, now the reason this exists, and a good reason that you can use this from a threat perspective, is once an adversary has a foothold on your system, there's all sorts of things that they're doing. In the Lockheed Martin kill chain model, it really made it difficult to go back into all those different actions on objectives; you're just saying I'm looking for this, I'm looking for that. Using the MITRE techniques, I could be looking across, you know, hundreds of techniques that adversaries are using and map them across the kill chain as well, to better understand where in the attack the adversary is. So it gives me a greater level of fidelity.

This is my microcosm. This is also a very sorry picture that I used Microsoft Word or PowerPoint to kind of draw my block diagram; I couldn't really draw it out three-dimensional otherwise. But the idea here is that you have, in green, a tactic, right? So lateral movement is a tactic at the high level. Underneath that you have a series of techniques; I just put two in there to make it a little bit easier to read: pass the hash and Remote Desktop Protocol. On this side of the screen, in the blue, right, we have software, right? These are pieces of software that MITRE's identified that map to specific adversary techniques, and the ones in red are specific adversary groups that map to specific techniques, and of course certain adversaries use certain pieces of software. So you can see kind of the connection between these different things, both from a threat intelligence perspective but also from a threat hunting perspective, to better inform. When I see an adversary using a technique, it might help me inform who the adversary is and what software. Obviously it's not an absolute, but these are different pieces that gain better intelligence and better optics into what I'm seeing within my environment.

I didn't think this was going to render well, but when I actually walked into this theater I thought maybe this might actually show up pretty well. So this is the entire MITRE ATT&CK Enterprise framework. It is constantly being added to, and in fact the far left-hand column is Initial Access; that wasn't there about a year ago. Initial Access used to be part of PRE-ATT&CK, but as they start moving the kill chain farther and farther to the delivery side, Initial Access started popping up there. This is again something you can go to MITRE's site to reference; there's a number of different ways to look at this. I've got a couple other things in here as well.

The other model I wanted to talk about was the Diamond Model, and the reason I'm talking about this, and it does go a little bit away from MITRE ATT&CK, is it also helps inform us from a threat intelligence and a threat hunting perspective, and the two pieces coming together. Who's familiar with the Diamond Model? Not many people, a couple people, that's okay. So from a Diamond Model perspective, again, it's more for threat intelligence. There's a couple of great links there. The example here, though, I'll walk through real briefly just to give you a feel, because again I can take my threat hunting pivot into my threat intelligence, because there's going to be a synergy in the workflow between those folks. So in our example here, this is something ThreatConnect put together a few years ago. ThreatConnect has a threat intelligence platform and they decided to build a Diamond Model around the Battle of Yavin. Anybody here know the Battle of Yavin? Come on, there's more than three people who have seen the Battle of Yavin or read about the Battle of Yavin. Okay, all right, so in the Battle of Yavin there was a victim out there. Who is the victim? The Death Star, the Empire; they were the victims, right? But when I look at this from a Diamond Model perspective, I have to look at what are the capabilities that the adversary has inflicted upon the victim. I need to look at the technique and all the capabilities: proton torpedoes, the Force, the lightsaber, right? Those are all adversary capabilities that the victim absorbed. On the opposite side, on the infrastructure, what kind of infrastructure do they have? Well, they had a rebel base, right? They had an X-wing fighter, they had an R2-D2, right? Those different capabilities and infrastructure work and become what are the TTPs. On that horizontal axis, well, which adversaries out there have those tactics, techniques and procedures, who has those capabilities? Luke Skywalker does, right? The Rebel Alliance has those. And so you can see how I can build an adversary-victim relationship and a capability-infrastructure relationship as we get these different pieces, and it can inform us from a threat intelligence perspective.

So there are things that we're going to do from a threat hunting perspective that we can then plug back into our Diamond Model and inform our threat intelligence team, who can then pivot back to our threat hunting and our security operations team, so this becomes a symbiotic relationship. We can also use the Diamond Model to think about how we want to hunt. So there are four vertices there, and there's actually a link at the bottom of the screen that talks about how to use your Diamond Model to inform your threat hunting, but again, choose wisely. All right, capability and victim are often the places where we're going to choose to start our hunts. Generally you're not going to start at the adversary level; you might start at the infrastructure level if you have specific tippers or what have you to pivot from there, but these are kind of things to keep in mind as you're starting your threat hunt. Now, ATT&CK can help drive that threat hunting piece, which we'll talk about. It can drive the threat intelligence, and that's where MITRE ATT&CK generated from to start with, and the findings that you have, both from your threat hunting and your threat intelligence, can feed your security operations and vice versa. So you can see how these different pieces can work back and forth across one another; you just have to be able to open that up.

Now, as we start looking at, I dunno who that guy is, just checking time. Time was very important in that movie, if you think about it; time is a crucial factor. Okay, so think about it from that perspective: do not get myopic with your hunt. If you set your hunt to a very, very, very narrow view, you're going to miss all the other things that are out there. So start broadly with your hunt and gradually bring it in. How much of your data is generally time series data: most of it, some of it, none of it? Anybody? Most of it, right? So most of it is time series data; let's take advantage of that and use that timing to be able to review that from there.

Now, when you start hunting against a hypothesis, it's important to understand that your hunt is going to take you in many, many different directions, okay? It could lead you to where the sidewalk ends, but what's important to know along the way is you're going to see bright shiny objects. You want to make sure you note those bright shiny objects, but that you don't get distracted by the bright shiny objects and start walking down the street this way. You want to continue down the path that you're on; go ahead and note those turns, though, that you take, so that you can always retrace your steps and then start new when you get to a dead end. Another thing that's important to note is that hunts do not exist in a silo. So stay on target, okay? I like to think of it as guardrails, right? I started a hunt with a specific technique; we're gonna start going down that route. So I might start hunting for PowerShell, and in this case I might come across PowerShell that also is using data encoding. I could hunt for data encoding all by itself, but you know what, the confluence of those two things might be important for my specific hunt in my specific environment for a specific adversary. So being able to say, hey, when I see X and I see Y together, that's something that might be of higher value than just one by itself, but be noting those things and looking for those together, so you're always gonna trip over those other pieces.

Now, in this case we're going to talk about building our hypothesis and using the MITRE ATT&CK techniques to build our hypothesis. So this kind of came out of something we've been working on in our team about a year ago. We built an adversary emulation; it's a blue team capture-the-flag exercise, and we built this thing, we were executing against it, and we wanted to come back with a deeper dive that we could provide to folks to better understand what the hunting activity would look like and what we could uncover. And so I sat down and started working through this, and I started looking at this going, well, where would I start? And I took a look at the MITRE ATT&CK techniques and I started looking at these and going, yeah, let's go ahead and start hunting for PowerShell. And I started seeing all the different things in PowerShell. Now of course I knew we had PowerShell in there because we had built this thing, but it was really interesting to be able to go down that path and start seeing these different techniques that are called out in the matrix that MITRE puts together, and seeing these different things: data encoding, indicator removal on host, Windows event log clearing, right? There's a number of them; we'll get into a couple of others, but you can use these techniques as a starting point.

Now, who has PowerShell running in their environment? And I expect to see everybody's hands up, okay? You can port PowerShell to Linux, you can port PowerShell to macOS, so you're gonna see PowerShell everywhere at this point. So hunting just for PowerShell might not be super fortuitous, so it's important to craft your hypothesis in a way that's gonna be most beneficial, but I can start with that and then I can modify and broaden and narrow my hypothesis how I want to. So the hypothesis we picked was: adversaries will use PowerShell Empire to establish a foothold and carry out attacks. Maybe I want to time-bound that; I probably do in a very, very wide network with lots of different pieces. Maybe I want to bound it to a specific set of hosts, maybe I want to bound it to a specific set of servers, maybe I want to bound it to a specific organization, right? My hunt should have scope and some length and breadth to it, so I want to think about that from that perspective.

Now, unfortunately I don't have an hour to go through all of the different things that we did to validate these different hypotheses and techniques, but what I want to talk about now is how I can build this, and then what should I be thinking about as I start the hunt, what I should be looking at coming back out of the hunt as well, and things that I can do to start operationalizing it. So first thing, when we talk about that, we want to hypothesize around these. What I want to do is try to confirm my hypothesis or refute my hypothesis, right? We don't prove hypotheses; going back and channeling my seventh grade science teacher at the moment there. So what are some of the things I need to do? Well, I'm hunting for PowerShell, right? PowerShell technique: I can look at MITRE ATT&CK, I can get a little bit of blurb that I saw just there a second ago, but I probably need to understand a little bit about what PowerShell is. How do I hunt for it if I don't understand what it is, right? If I'm going to specifically say I want to look for PowerShell Empire, I need to understand a bit more about PowerShell Empire: how it actually functions, what it actually looks like, maybe what kind of default settings it has. Do any of you, in your daily IT security lives, use default settings? And you don't have to raise your hand, I'm not gonna ask you for that, okay? Or maybe you say no, I don't do it, but you know, once in a while. Do I change every default setting? Let me ask you that again; you don't have to show your hands, but think about it from that perspective. The adversary has a job, the adversary has bosses, the adversary has timelines, right? It's entirely possible they're going to cut corners there and maybe take a couple default settings. So why not look at this from a default setting perspective and say, are there default settings? Maybe I could look for the low-hanging fruit to start with, right? I can look at it from a network perspective and say PowerShell does have network connections that go back and forth; what do those network flows look like, what ports do they use? Look at it from a user level: what user accounts are being used, when did the events occur, again coming back to time being most crucial. And then PowerShell runs scripts; is there insight into the specific scripts that are running out there that we can take advantage of and understand a little bit more about the intent of what's going on? So if I can start with even just a couple of those questions to start my hunt, I can start going about trying to confirm or refute that hypothesis.

Now, when I get to the end of my hunt, I need to start thinking about this: was I able to confirm or refute it? If I invariably refuted it, fine, no problem. If I don't have enough information, we'll come back to that one, because that's important to be able to inform ourselves for hunts and make ourselves better over time. If I could confirm it, I've got a bit of a problem, perchance, and there's some steps I want to do to operationalize, so we'll touch on that as well. But I always like to think of this: for me, what have we learned? What have we learned from our hunt? If we don't learn anything from our hunt, there's really not a point to it. All right, I want to understand what my attack picture looks like; maybe I'm a visual learner here, okay? I know if somebody sits here and tells me a bunch of things, I'm sitting there bobblehead, bobblehead, bobblehead, and it's kind of going right by me. I need to write it down so I can see it, right? I need to look at things, because from an advanced attacker perspective there's data moving in all different directions and I'm just not good at keeping up with all the different IP addresses and everything else. So I'd like to draw ourselves a picture, build that attack picture, to see which way data is flowing and with what characteristics. I want to think about how do I map the findings that I have back to my Diamond Model so I can inform my threat intelligence team. I may want to look for other techniques, right? So if data encoding is being used at the same time as PowerShell, again, that's a valuable nugget. If I see exfiltration using an alternative protocol like FTP or DNS, that's useful information. I want to be able to plug that in to say these things are happening in concert with one another, right? And then I want to start thinking about this from an operationalization: how can I feed this back to my SOC? We'll talk about that in a second. And then the last thing is, where are gaps? Gaps are one of those kind of funny things that are out there. There was a spirited debate around Thanksgiving and Christmas time between Robert Lee and Richard Bejtlich around, you know, when you threat hunt, are you supposed to be threat hunting or are you supposed to be doing gap analysis as well? I kind of fall into the gap analysis. I want to inform and make my SOC better and smarter, so I kind of like using the "where are gaps" as part of our hunt as well.

So what have we learned, right, coming away from our hunt? What have we learned? Did we learn that they had default settings within their configuration of their framework, right? What kind of communications exist there? Again, think about that Pyramid of Pain. If I can see some of these things from an adversary infrastructure, that's kind of a higher level threshold of pain that we can inflict upon them. Who changes SSL certs on a regular basis? Okay, a lot of you guys do. There's a lot of fun when you do it, right, on all your web servers, on all your other devices, right? Think about it from that perspective: those things aren't a lot of fun to do. Why would an adversary want to change those things on a regular basis? Okay, again, they're a little bit like us; they want to be able to do the things that they want to do, the fun stuff, right? Not necessarily go ahead and do the operations and maintenance kinds of things. So be looking for those kinds of things to take advantage of. Is their outbound communication a large volume of data or a small volume of data? I mean, a trickle is still important; a large stream is obviously important, that turns out to be an outlier, so it's probably not going to be those large volumes of data, but you never know. Looking at processes: so from a process perspective, are we seeing processes running under specific accounts? Do we expect those processes to be running under specific accounts? If I have a service account, would I expect it to be running ftp.exe? Would I expect a service account to be running whoami.exe, right? Think about these things from a hunt perspective, and particularly if I'm hunting over PowerShell, are these things being spawned by PowerShell? Does that seem a little odd? Think about these from that perspective as you form up your hypothesis and using those techniques, right? Do I have specific things running in a specific order? When you guys do an upgrade of a system, right, the manual says do step one, do step two, do step three, right? It doesn't say do one, then do three, then do two, then do four, then do seven and do five, right? There's a specific order. From an adversary perspective, chances are the adversary wants to run things in a specific order as well. Why? Because they trust it, because they've tested it, because that's how the manual runs it. So if I can start looking for those processes running in a specific order, that's another potential tell that we have out there to be able to better understand what the adversary is doing, and then hunt that across multiple systems as well. Looking at other commands that have been spawned, like I said, PowerShell runs something, spawns something else. And then the last part is, is there any nuggets that I can find out there on the internet? As an example, PowerShell Empire is freely available out there on GitHub. There are strings inside of that that, if I'm looking for it inside of my environment, I can pivot out and search GitHub, the Pastebins, the Reddits, wherever out there in the world, and look for additional factoids. You know, we kind of talk about Google being our friend from a threat perspective; take advantage of that and start looking for those strings out there to better inform where are these things being seen, are these default settings, or these other things that go ahead and inform us from our hunt.

So this is my other picture; this is my other picture time, again, you can tell that I'm quite the artist. This is my hunt around PowerShell Empire. I have an SSL issuer, I have a SHA-256 hash, right? Those are indicators that I can use and pivot within my environment and look for additional instances of this. I see a callback to a C2 server with an IP address and a domain; that's something else I can look for, right? I see a couple of servers, right? I see executables being run; those executables were being run in a specific order: ftp, whoami, schtasks. I see that being run across three different systems, once under one user context and twice under a different user context, right? Those user contexts are valuable; understanding when those accounts may or may not have been created is valuable, right? I can also see that I got a user agent string in there, and I also see that I have a secondary hunt that has kind of merged its way into my PowerShell hunt, and that's okay, but that's something where I want to say, you know what, that's kind of looking like a web vulnerability scan, maybe it's coming from that same server over there; let's put our package around it and set that aside and build a separate hunt, using the techniques, around that other thing, so they don't start merging and blurring the lines between the two, right? But right there I've got five different indicators that I could pivot back into and do additional hunts on, very, very straightforward, and that doesn't even touch on the IP addresses and host names of my individual systems within my environment, right? This is just kind of showing that I have four or five problematic systems that I need to do more digging on, not even building additional hypotheses around those. So there's a lot of fertile ground here just on one hunt alone.

As I look at this and map this back to my kill chain, and I'm sorry, back to my Diamond Model, I can say, well, PowerShell Empire is the capability that our adversary has specifically, and if I went back and looked at that IP address and the servers, I could see that those were European VPS servers; that was part of the infrastructure. And in the lower right side of the screen, or your left, the technical axis there has a number of TTPs that we've gathered throughout that hunt, again using all of these different MITRE ATT&CK techniques. Again, this was something we built for our adversary emulation, and so you can see with the specific organization that was our make-believe adversary here, but you can see how I can take my information from my threat hunt and build out this Diamond Model to inform my threat intelligence team to look at it a little bit of a different way.

Yeah, this does show much nicer here than it did on my little screen. This is the MITRE ATT&CK Navigator; you can see the link there. You can put your own overlays onto this. What I've done here is I've gone through and, as I was building out all my hunts, I went ahead and color-coded every time I saw an additional instance of a technique, and so in this case green is the most frequently seen, but PowerShell was the most frequently seen across all of my hunts. But you can see across the individual tactics the different techniques that we were using and where it bore fruit, to see this, and again all of these different pieces really represent that APT, to be able to understand what those different parts are. We'll come back to that in a second.

So we talked about operationalizing our findings. James Bauer did a nice little YouTube video on threat hunting web shells with Splunk; you can check it out on YouTube. The comment that he put there was tremendous, I thought, because it really succinctly sums it up: threat hunting for the sake of threat hunting, and rinse and repeat, is not a good use of your time, okay? I kind of think of it from the perspective of the wheel there: you hunt, you find something, you operationalize it and you move to the next thing, okay? If I operationalize and write good alerting, I don't have to go hunt for the same thing over and over again; it's not efficient, okay? So operationalize it and move to something else. When we want to start operationalizing it, we need to think about this in the context of that pyramid again. What can we alert on? We could alert on encoded PowerShell. Do you run encoded PowerShell in your environment? You don't have to raise your hand if you don't want to, but you know some people do, and there's good reasons for it, right? Other organizations, they say, you know what, there's no reason to run encoded PowerShell. Be aware of your organization and why you might do that, okay? When a specific executable is run in a specific order, if I can instrument that, and I understand that this is really not something I'd expect to see within my environment, alert on those; those could be very much higher fruit-bearing kinds of things. SSL issuers, same kinds of things. As I move down the stack, right, I could blacklist an IP address; that's totally fine if I'm trying to staunch the bleeding, right? If I need to put something in place just to stop the blood flowing out of the organization, I can do that, but understand that that is a temporary solution, because if I've got a whole host of VPS servers out there, I'm rolling to the next one and I'm keeping going, all right? So just keep those things in mind. There's a couple of other things to think about there, but think about it in that context.

So something else that you can do, and again, all right, cool, anybody familiar with Sysmon? Some people use Sysmon, okay, great. So Sysmon has a set of configurations out there; the SwiftOnSecurity ones are probably the most well known, that help you set up rules, if you will, to say when I see specific images, command lines, parent images, what have you, go ahead and generate a log event for me. Well, one of the functions that was built into Sysmon recently is the ability to add this additional context to it, and so Olaf Hartong did a nice thing and went through and basically mapped a number of these different Sysmon configs to the MITRE ATT&CK techniques. So you can see I got three of them highlighted there: you see when wevtutil.exe is referenced, it has the technique mapping to indicator removal on host; when I see RemoveDefinitions from the command line, it's mapped to disabling security tools; when I see powershell.exe referenced in the parent image, the technique is PowerShell. So these are nice ways to be able to use things like the Sysmon tool set to better inform and create those in my logs, to ease my way into some of these hunting functions, to say let's just start by looking at some of the techniques that are out there and where are we seeing it within the environment. And I just pulled this out; I just did this quick search to pull PowerShell, and I can see the different techniques and I can see the images and I can see the parent images. So you can see PowerShell's running and spawning csc.exe, whoami.exe, ftp.exe, netsh, right? So I can see these different pieces here. And then I can overlay this onto a map and make pretty pictures out of it, but it helps me get informed where I am. The one caveat that I would put to this, and I'll point out the one that's the great majority over here, signed binary process execution: the concern that I have with that one is that it can be a little on the vague side at the moment, the way it's written. So, much like any other environment, use these tools as a starting point; don't use them as an endpoint. Use them to tweak and modify. I could also use this and apply it to correlation searches, so if you're running a SIEM I could take these kinds of things, boil them into my SIEM, again from an operationalization perspective that might help inform my threat hunting and give me guidance as to where I need to pivot back to.

Where are the gaps? Again, going back to that Navigator, if you guys recall, there's a nice big gap right in the middle around credential access. I didn't have a single hunt around credential access that came back with any hits. Does that mean, and this goes back to the gap piece of this, does this mean I am not collecting data that informs me about that, or does that mean that I need to do additional hunts? So you can use these techniques, enumerate the techniques that you've used, look at them as to how they bear fruit, and then use this also to figure out maybe where my gaps are, to be able to start collecting more data or to do more threat hunting in those areas, to understand better what's going on out there.

So to start pulling this all together: we've done a lot of work around hunting. We've got a blog series out there; you're more than welcome to check it out. I posted my slides out there, so you should be able to have access to the links. We actually have some curated datasets that are out there; currently there's one set that you can spin up in an environment and just play with yourself. You can download the data, because we've open sourced it as well, and the PowerShell version that we've got of the datasets will be coming out a little bit later in March, so keep an eye on my Twitter feed and a couple other places and you'll be seeing more about that. Also, from a MITRE ATT&CK perspective, go out, both on Medium and on the MITRE site itself, they have an excellent set of write-ups around it, and I just recently did a blog series around using MITRE ATT&CK, first from an introductory perspective, second from a threat hunting perspective with some more examples that I didn't have time to show today, as well as operationalizing your ATT&CK framework as well. And with that, that's me, that's my Twitter handle. I was not able to work a few of those references into this, so those are my other favorite movies from the 80s. I'd like to thank you guys for your time, thank you BSides for having me out here, and I hope you enjoy the rest of the conference. [Applause]
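The talk describes four pieces of the hunt workflow that fit naturally in one script: tagging Sysmon process-creation events with ATT&CK technique names (the three highlighted config entries: wevtutil.exe, RemoveDefinitions, and powershell.exe as parent image), flagging encoded PowerShell as an alertable finding, checking for executables spawned by PowerShell in a fixed order under one user context across several hosts, and counting hits per technique so that tactics with zero hits stand out as collection or hunting gaps, as in the Navigator view. The following is an added Python example, not code from the talk, the speaker, Splunk or the Sysmon config mapping the talk refers to. The event records, host names, user names and command lines are all constructed; the encoded blob is just `Get-Date` in UTF-16LE base64. The technique-to-tactic table and the matching rules are my assumptions modelled on the talk's examples, not MITRE's or anyone else's official mapping.

```python
"""Tag constructed Sysmon Event ID 1 (process create) records with ATT&CK technique
names, count hits per technique, spot a fixed execution order under PowerShell, and
report tactics with no hits. Every record below is made up for this example."""
import re
from collections import Counter, defaultdict
from ntpath import basename  # parses Windows paths correctly on any OS

# Technique -> tactic, using the technique names the talk uses (assumption: a small
# hand-built table, not MITRE's full mapping).
TECHNIQUE_TACTIC = {
    "PowerShell": "Execution",
    "Data Encoding": "Command and Control",
    "Indicator Removal on Host": "Defense Evasion",
    "Disabling Security Tools": "Defense Evasion",
}
# Credential Access has no rule on purpose, so it surfaces as a gap (the empty
# column in the talk's Navigator overlay).
TACTICS_OF_INTEREST = ["Execution", "Defense Evasion", "Credential Access", "Command and Control"]

# Common prefixes of -EncodedCommand as they appear on a powershell.exe command line.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
S32 = r"C:\Windows\System32"


def ev(time, host, user, image, parent, command_line):
    """Build one constructed Sysmon-style process-creation record."""
    return {"time": time, "host": host, "user": user, "image": image,
            "parent_image": parent, "command_line": command_line}


EVENTS = [  # constructed sample telemetry, not real data
    ev("2019-02-01T10:00:01", "ws01", r"CORP\jdoe", PS, EXPLORER, "powershell.exe -NoP -W Hidden -Enc RwBlAHQALQBEAGEAdABlAA=="),
    ev("2019-02-01T10:00:05", "ws01", r"CORP\jdoe", S32 + r"\ftp.exe", PS, r"ftp.exe -s:C:\Users\jdoe\AppData\Local\Temp\f.txt"),
    ev("2019-02-01T10:00:07", "ws01", r"CORP\jdoe", S32 + r"\whoami.exe", PS, "whoami.exe /all"),
    ev("2019-02-01T10:00:09", "ws01", r"CORP\jdoe", S32 + r"\schtasks.exe", PS, r"schtasks.exe /create /sc minute /mo 15 /tn Updater /tr C:\Users\Public\updater.exe"),
    ev("2019-02-01T11:30:02", "ws02", r"CORP\svc_backup", S32 + r"\ftp.exe", PS, r"ftp.exe -s:C:\Windows\Temp\f.txt"),
    ev("2019-02-01T11:30:03", "ws02", r"CORP\svc_backup", S32 + r"\whoami.exe", PS, "whoami.exe /all"),
    ev("2019-02-01T11:30:06", "ws02", r"CORP\svc_backup", S32 + r"\schtasks.exe", PS, r"schtasks.exe /create /sc minute /mo 15 /tn Updater /tr C:\Windows\Temp\updater.exe"),
    ev("2019-02-01T12:10:00", "ws03", r"CORP\jdoe", S32 + r"\wevtutil.exe", CMD, "wevtutil.exe cl Security"),
    ev("2019-02-01T12:10:04", "ws03", r"CORP\jdoe", r"C:\Program Files\Windows Defender\MpCmdRun.exe", CMD, '"MpCmdRun.exe" -RemoveDefinitions -All'),
    ev("2019-02-01T13:00:00", "ws04", r"CORP\admin", PS, EXPLORER, "powershell.exe -NoProfile Get-Process"),  # benign, not encoded
    ev("2019-02-01T13:05:00", "ws04", r"CORP\admin", S32 + r"\whoami.exe", PS, "whoami.exe"),  # lone whoami, not the full sequence
]


def tag_techniques(event):
    """Return the set of technique names one record maps to (rules mirror the talk's examples)."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    cmd = event["command_line"]
    tags = set()
    if "powershell.exe" in (image, parent):
        tags.add("PowerShell")
    if image == "powershell.exe" and ENCODED_RE.search(cmd):
        tags.add("Data Encoding")
    if image == "wevtutil.exe" and re.search(r"(?i)\s(?:cl|clear-log)(?:\s|$)", cmd):
        tags.add("Indicator Removal on Host")
    if re.search(r"(?i)-RemoveDefinitions", cmd):
        tags.add("Disabling Security Tools")
    return tags


def technique_counts(events):
    """Navigator-style heat map: how many records hit each technique."""
    counts = Counter()
    for event in events:
        counts.update(tag_techniques(event))
    return counts


def powershell_children(events):
    """For each (host, user), the images PowerShell spawned, in time order."""
    chains = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        if basename(event["parent_image"]).lower() == "powershell.exe":
            chains[(event["host"], event["user"])].append(basename(event["image"]).lower())
    return dict(chains)


def hosts_running_sequence(events, sequence):
    """(host, user) pairs where PowerShell spawned `sequence` contiguously and in order."""
    seq = [s.lower() for s in sequence]
    hits = []
    for key, children in sorted(powershell_children(events).items()):
        if any(children[i:i + len(seq)] == seq for i in range(len(children) - len(seq) + 1)):
            hits.append(key)
    return hits


def coverage_gaps(events):
    """Tactics of interest with no technique hits: a collection gap or a hunting gap."""
    hit_tactics = {TECHNIQUE_TACTIC[t] for t, n in technique_counts(events).items() if n > 0}
    return [t for t in TACTICS_OF_INTEREST if t not in hit_tactics]


if __name__ == "__main__":
    for name, n in technique_counts(EVENTS).most_common():
        print(f"{n:3d}  {name} ({TECHNIQUE_TACTIC[name]})")
    print("ftp -> whoami -> schtasks under PowerShell:",
          hosts_running_sequence(EVENTS, ["ftp.exe", "whoami.exe", "schtasks.exe"]))
    print("tactics with no hits:", coverage_gaps(EVENTS))
```

The ordered-sequence check is the part worth adapting: it keys on (host, user) rather than host alone, so the same trio of executables run under two user contexts shows up as two findings, which is the pivot the talk makes on account context. A technique with many hits (PowerShell here) is the broad starting point; a tactic with none is the question to take back to the collection team before assuming the environment is clean.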