Post-Exploit Threat Modeling with ATT&CK

hi everybody my name is Andy Applebaum I'm a researcher at the mitre corporation you can't really see it but on the lower right hand corner it says mitre I'm gonna be presenting something we've been working at mitre called attack which is an acronym have you guys are you guys familiar with mitre by any chance we love acronyms we got CVE we got sticks we got tanks do we got Capek Mike there's like two dozen more those are kind of the big ones attack is another one it stands for adversary tactics techniques and common knowledge it is a publicly released framework that we have to kind of model what an adversary does post exploit if you're on your laptop

and you're on the internet right now you can go to attack mitre oregon kind of jump ahead to see what attack is but first Massaro put a little bit of a preamble I'm not sure if you guys are really familiar with the Lockheed Martin's cyber kill chain but it kind of walks through these steps an adversary does and they're breaking into a network and everything yet reconnaissance weaponization delivery exploit control execute and maintain a lot of stuff it's not very detailed it's kind of like high-level what the adversary is doing and traditionally when we talk about you know cyber security and network defense we talk about on these these four left leftmost stages you know reconnaissance

weaponization delivery and exploit people have a tendency to focus on the perimeter of a network and how to defend that as opposed to you know control execute maintenance which is what the adversary does once they get into the network and we like to begin this presentation with this little quote up here which is kind of a median number of days and an adversary will sit inside of a network after they've broken through which is a lot the every serious sitting at around a network for a while after they break into it and it's kind of important to recognize that hey if we can look at those post exploit stages a little bit more we can detect the

adversary you know quicker than 146 days so this is just kind of an overview of how we developed attack basically we got a bunch of threat reports threat analysis we kind of took those throw them into a notional framework of how we can kind of taxonomies and represent everything in attack and then ran that over with into a red team to kind of test a network to to double back and try to refine our model and jumping ahead I'm going to go into the model a little bit here on the upper right hand corner you can see the ten high-level tactics in attack instead of just control execute maintained we now have persistence we have privilege

escalation defense evasion credential access discovery lateral movement so on and so forth and this kind of breaks down those three right of exploit stages into a time agnostic series of ten high-level tactics that adversaries tend to do or attend to try to achieve once they get into a network so one of the key points about an attack here is that the adversary model we have here isn't necessarily theoretical attacks but rather we've developed attack bump or we've developed attack by analyzing publicly available threat reports so all of the the references we have an attack site public threat reports that that actually say hey this this threat group was doing this this technique again as I

mentioned a few times attack provides kind of more hype more fidelity of the write of exploits stages we're not just focusing on the perimeter we're trying to really tech sodomize what the adversary is doing once they get into a network and another important point is that attack really focuses on behaviors we aren't focusing on tools as much as we are in kind of what the adversary is doing we don't have file hashes or individual URLs indicators of compromised we don't necessarily focus on those well rather we want to talk about behaviors adversaries are doing and then finally just a point we're working with a lot of people to get kind of attack out there government industry academia everything

we want everyone to use attack you know so again attack that moderate org so just a breakdown of attack and I apologize though my slides are like extra wide so they're breaking over the sides a little bit but so what attack consists first you have the tactics I just kind of talked about the 10 a high level tactics and then within each tactic you have a list of techniques that adversaries can do to achieve that tactic along with each technique you have a little bit about detection and mitigation that defenders can take and trying to use attack and mitigate the techniques and then importantly we also have documented adversary use of techniques referring to threat actor

you know publicly although threat reports as well as citations to software that that adversaries can use to engage those techniques then another fun thing we have is kind of disambiguation of adversary names if you guys have read threat reports there's like a million different write actor names so we've tried to go and find the ones that are synonymous with each other so here's an example tactic and technique the tactic is persistence an adversary wants to maintain persistence within the network the technique is creating a new windows service we include a description of what the technique is we include the platform it applies to here it's windows and in the model there's a little bit more

granularity Windows XP Windows NT stuff like that the permissions required for an adversary to execute this here it's administrator and administrator or assistant privileges the effective permissions after the adversary execute this technique so here it's system list of just detection strategies that defenders can use to try to mitigate this or rather detect this technique so you can monitor service creation things like that some steps for mitigation limit privileges of user accounts things like that and then data sources these are kind of Windows internal components that as a defender you could monitor to try to identify whenever an adversary might be playing with new service so here it's you know you can monitor the registry process monitoring and command

line parameters and if you look at these data sources you can potentially come up with signatures to identify when an adversary might be trying to use this technique we have examples which are the groups in software that do this so here you can see carbon ACK Lazarus group tiny Zbot all the other fun ones we have a list of actual threat actor groups that use this new service technique and then for some of the techniques we have links to Capek which is another minor acronym which just provides more of kind of linkage back to a higher-level model so here's the eye chart we've recently expanded attack so it's gotten a lot bigger I don't know if you guys can

really see it but we have lots of stuff at the top in blue you can see the tactics I don't know if you guys can see it in the back but we have persistence privilege escalation defensive age and then under each tactic we have techniques that that the adversary can do to achieve the tactics so here part of discovery as security software discovery that's an example technique for discovery tactic some of these apply to more than one tactic for example DLL injection we have listed for privilege escalation as well as defense evasion legitimate credentials we got persistence privilege escalation and defense evasion so a lot of these can be can be used in other they don't just

apply to one tactic now I also mentioned we have threat actor groups here here's an example deep panda we have a description saying kind of what the threat actor group is trying to describe it at a high level we also include references to where we actually reference the threat report that talked about this threat actor group so here you can see we have the citation there that intrusion into healthcare company anthem was attributed to the Panda we have the citation to the threat connector research report we have a list of aliases as you can see we have tons of fun Alice's here in this case none of them really seem to relate to each other

but they all have been kind of cited publicly as being hey this is this threat actor group we have a list of techniques that this threat actor group uses PowerShell thats execution with a management instrumentation web shell these are things that we've seen in public threat reports to say hey this threat actor group is using this to this this technique we have a list of software and I'll go into that one it more in a minute here you can see that the Panda uses net and tasks with two windows built-in internals as well as these three malware suites that are that were custom developed so here's another threat actor group and I've just kind of

tried to visualize it and cut up the command and control on the right has cut off a little bit but apt 28 they've used I think there are six references here of things that they've that we've that we've seen publicly reported that they're actively doing indicator removal time stomp remote file copy things like that and we're interestingly we can use this to kind of compare different groups in pink you have deep Panda and orange you have apt 28 and here you can see that they both have very different play books in what they're doing deep and you can see we have citations for persistence and privilege escalation where's our apt 28 we don't an apt 28

has active citations for command and control where it's Rudy panda we don't really have that as much the next component of attack is software this is an example of a built-in or a Windows built-in that we've included in the software the software list that we have an attack this is task list again we have a description subscribes with task list is aliases task list it we have a categorization of type type neither be tool or a malware we have a kind of a boolean whether or not it's a built-in both in tool and in this case yes task list is the techniques that task was can be used to achieve our process discovery security software discovery and system

service discovery we have a list of groups that that we've actively seen using this piece of software deep and iturra and make on and then a reference to Microsoft this is another type of software a me vast it's unlike task list this is malware this is custom malware used by specific threat actor group in this case it's deep panda these are the capabilities that researchers have identified that this piece of software can use in public threat reports you know kind of reverse engineering the software seeing what it does we have the techniques it's not Windows built in the type of malware only it's one alias we have a description and again we have citations kind of following the same

format this is a fun I charted just having fun in PowerPoint coloring different things um but in pink it's deep panda in and what I've done here is kind of the Panda uses three malware Suites Sekulow me Avast and two ruse be horrible with these names but you can see that these different software Suites have different capabilities in blue yellow and red is kind of the unique capabilities to each to each software suite in green it's a combination of Sekulow and me vast purp underoos being so I'm brown is all of them the only one that they all have in common is they all have kind of command-line interface for execution again this is an eye chart but kind of

the the big takeaway here is that by looking at the malware we can see a lot of different things that these adversaries can do when you kind of consolidate it together instead of just having those I think nine different like real references that the pen has been doing we now have 28 that they could have been doing because we know what their malware is capable of doing then just for fun kind of a comparison between apt 28 and deep panda I've done the same thing where we kind of enumerate the malware for apt 28 you can see that there's a lot more you know as opposed to having six techniques now apt 28 well there now

there's 22 potential techniques that beset that this Drecker could be doing deep panda has 28 and there are 9 that both can can potentially be doing this provides a nice visualization and now instead of seeing the partial coverage we saw before we see a lot more spread out for each and interestingly the the both category spreads out as well there are a lot of use cases for attack I have some here I'll go through them but I invite everybody to try to come up with their own fun stuff we can do gap analysis of current defenses I'm gonna talk about that on the next slide but you can use attacks that kind of try to

measure your security posture you can also use attack to prioritize detection and mitigation strategies based on what techniques and tactics you want to focus on talk about that one in a minute too you can use attack for information sharing you know if we know that this threat after group does these techniques I can send that along to someone else and say hey this threat actor group is active right now you know monitor for these techniques and you can kind of share what that threat actor group is doing in time back in the prioritization you can then prioritize what you want to look for you also track a specific adversary if you know in 2012 that this threat

actor group had this set of set of tools that was using then saying 2015 what are they doing now how is that modified how do those modifications reflect changes in time things like that adversary emulation is a big one we will one of those we want to do with attack has tried to you know give attack to a red team and say hey here are some techniques and tactics go do these go test the network engage these techniques and when we tell a red team to do that we can provide kind of a structured report to the blue team saying this is what the red team was doing this is their report hey you're not you're not able to detect

this technique it's a nice way to kind of kind of choose structure a red team exercise and really measure your security posture then new technologies and research lots of fun stuff you can do here personally III do a little bit of research trying to like formalize attack formal methods stuff like that it's fun I know of a professor who's doing something similar but lots of fun stuff you can do with attack so this is an example use case and here it's kind of going back to the whole idea of a gap analysis in green what we've done here is we've kind of colorized it based on how confident we are that we're detecting we're able to detect a certain

technique and in green you have high confidence you might be very confident that I can detect the time stamp stomp technique in red you have no confidence that you can detect it so I might not be able to detect indicator removal on the individual hosts of my network and yellow you might have something like medium confidence and so the idea here is by kind of colorizing this chart you can measure your security posture again maybe using red teams or just analyzing the tools you have on your network you can colorize the chart you can try to measure what what you're actually able to detect instead of just throwing defensive tools and then after doing this you can focus on what what you need

to kind of amp up from from a detection perspective so if I if I don't detect by passing you a C that's something that I should probably have because it's covering two different tactics so it kind of provides you a way to measure what your security actually is on your system as opposed to just kind of just having a collection of defensive techniques one of the key points we like to make with attack is kind of again cutting off the right side of the table um one of the key points we like to make is that adversaries tend to do a lot on hosts so what this chart shows is kind of what you can see if you're just looking at

the network perimeter and if you look here all you can really see is exfiltration command and control and a little bit of defense evasion and and web shell here you're really missing a lot of these tactics that that adversaries are doing and I think this this goes back to that quote in the beginning where we say hey once an adversary gets into the network they're there for 146 days on average you know because if we're if we're just looking at the perimeter there are things we're missing so the big takeaway here is you get better coverage if you have host sensing you know another key takeaway is that adversary has a lot of variation they can do at the network level and you

can see kind of the command and control that's the main category that they're able to vary and these software or defensive technologies we have like firewalls IDs systems NetFlow proxies mail gateway so on and so forth they tend to focus on the perimeter and they really miss all these other tactics that adversaries are doing in the last key point we like to make is that a lot of these tend to focus on very specific now I just like ip's domains file hashes things like that and these are all important things to focus on but the adversary can change these things they aren't they aren't very they aren't static they can be varied question

yes so there is I'm not the expert on this one but there are some like software suites that measure things that are going on on the host and I think one good example we like to give is a sis Microsoft sis Mon or sysinternals am I getting it right thank you but this internals is able to measure certain you know if we go back to this this technique here we have the data sources here and the idea is if you take something like sysinternals and say hey look at these data sources try to develop some sort of signature just notice an anomaly you can actually detect something on the host as opposed to doing it at the network level anyway

so I think this sharp might need to be updated but the basic idea here is that some of these techniques we have in here are are kind of like Red Team techniques we haven't seen them as much in public threat reports but we've seen them kind of with with active red teaming we've done I think a big example is persistence there's a lot of persistence techniques that we have in the model we have 24 but we really only have 13 that adversaries tend to focus on and this chart has modified a lot over time originally a lot of these didn't have as many citations but now we've kind of fleshed out the model and you can see

credential access discovery command and control they collection most of the other ones to have basically full coverage that we always see we tend to see the adversaries doing these techniques and the idea here is that if there are techniques we know adversaries tend to focus on and we can focus our defensive efforts on those techniques to increase our likelihood of detecting those adversaries it's just this just kind of shows that kind of pictorially you can see that there's only a few left and white that are not actually done all that actively I'm not sure how updated this chart is I think at the beginning I mentioned we've been doing attack for a little while this is the original

version of attack from 2014 I think we only have eight tactics and we have third as many eyeball on that techniques it was a very much smaller model a lot easier to read in a PowerPoint we updated it this one was still more readable we added out a new tactic this was in 2015 a lot more techniques and then finally we've kind of come across to this we've really been expanding this this model is really kind of jumped out and we've introduced groups software and we've tried to evolve it as we've incorporated more and more information and feedback we have a public website I mentioned it a few times but I'm gonna do it again

attack moderate org please go there read about it we have lots of contact information and attacked that org attack app might org we have a Twitter account you can tweet to the Twitter account will respond you can contact me yeah so any questions yeah

right so I can't personally speak to that but that's a very good kind of future use of attack would be to kind of because we've only recently got this basically list of groups and the groups themselves are completely unstructured so be very interesting I think to go through try to label what each group does and try to see what the correlation is between each group and how they because you might find that you know nation-state attackers have a very different TTP kind of bag of tools than say a criminal based attacker I had two wildly speculate I guess for more variability in one or the other but that's a good question

that I know of using attack not yet that's something that I think we've kind of talked about and and it's you know you when you look at it or when I look at a slide like like this one you know my instincts say you know if we have let's say a bag of tools that we see kind of a threat actor doing an unknown threat actor how well do they correlate with a known threat actor and you could probably put that in there and try to come up with a set of scoring yeah yeah I believe we're working on it if you could send me an email afterwards I can try to dig into that a little bit

more I'm not sure it's available yet on the public website I'm trying to remember because we've recently released a whole bunch of things related to attack there is another tool set out there called unfetter by the NSA that they just publicize which and that also brings attack in and that might have a built in XML model but if you could send me an email I can look into that for you

oh so I'm with miter miter is a private not-for-profit we largely advise the government where are you from over CVE we tend to focus on standards things like that we tend we manage I think seven federally funded research and development centers so we're kind of hybrid we're not quite pure research like in like a national lab say but we're more we do research but it's mainly in support of the government the government not quite a Fed

yeah yeah that's that's that's a very good point it's kind of interesting because on one hand this this it's all public you know information out there but at the same time it's very easy to access now it would provide not only a nice toolkit for people to you know used for deception say but also for detection but also for deception if if we start getting in there and then we get some fun game theory going on so yeah

so I'm sadly on the research end of things so I'm not very good at answering that I think one of the most important ones is legitimate credentials I think that that was used a lot in public threat reports where adversaries I mean a big part of red teaming is you pop a box and you you dump the credentials I think that's one of the biggest ones I'd say Remote Desktop is another big one interestingly based on you know what we've seen it exploiting vulnerabilities as a post exploit Technic isn't as common as say using built-in windows tools which is why we have so much effort dedicated to texana maizing the built-ins

yes sir so I mean this is a this is notional it was kind of hyper you know it's fictional but the idea is you know you would you basically take the model you would try to measure how well you detect something and then and then color it or score it based on your your results there so here you know we might measure some so exploitation of vulnerability is for privilege escalation defense evasion and credential access and that's something that can apply that that or rather that you can detect partially you might only detect some vulnerabilities but there might be you know zero days that you're not detecting things like that or as if someone tries doing security software

discovery on a host you can immediately say hey you know I know you're doing that and you can catch them right there

this shirt no I don't think so yet right right so so I don't have this slide strip but we also have something called the cyber analytic repository which is Carmine org and that provides you know I had mentioned about using sysinternals to measure those different data sources that provides a little bit of that and I believe using that you can also create this mapping because now you have signatures behavior olufsen natures that apply to that that actually map back to attack so you can do a little bit of that measurement but that's definitely something we want to have is a way for people to ingest this and just like that be able to create this coloring because

it provides a fantastic visualization right and this this is fantastic for providing that

unless there's any questions I'll just throw contact info and again public website but if you guys are interested feel free to contact us contact me anything thank you very much