
Measuring Cyber Defense With The MITRE Framework

BSides Munich · 2022 · 22:48 · 122 views · Published 2022-05
About this talk
This talk explores using the MITRE ATT&CK framework and Attack Flow project to systematically measure and track detection capabilities across infrastructure. Rather than relying on annual red-team snapshots, the speaker presents a test-driven methodology using Atomic Red Team to model attack chains, define success criteria, and continuously validate security posture over time.
Original YouTube description
The MITRE ATT&CK framework provides a common taxonomy for adversary behaviors. Based on this body of knowledge, detection capabilities can be measured, tracked and compared. These capabilities are often measured at an atomic level. However, real adversaries combine multiple steps in an attack flow. To address this, MITRE created the Attack Flow project. Its goal is to develop a data format to describe the sequence of adversary behaviours. We will take a deep dive into the current state of the art of tools and processes. Here we show what is possible and where the current limitations of the frameworks are. Participants will be able to utilize future methodologies to measure the effectiveness of the information security of their systems.

Speaker: Marcus Osterloh

Marcus is a security consultant in his own company with the focus on the combination of attack and defense. He is passionate about deep-dive analysis of security-related things and automating stuff. For these purposes Python is always a good friend. In his former life he studied computer science and IT security. During this time he worked in different scientific projects and researched topics like malware analysis and reverse engineering. After that he focused on the offensive side of cyber security, while he developed his own toolsets for the sake of efficiency and fun.
Transcript [en]

Yeah, welcome everybody to my talk about how to measure IT security by using MITRE ATT&CK. Some additional words about myself: I have a master's degree from the Ruhr University Bochum in IT security, and I'm pretty into, like Jen already told you, the offensive part, and use my knowledge to currently build up SOCs and blue teams, so they get from the attack perspective a better view on the defense in general. So why should we measure security? Let's talk about the motivation. Imagine you have a bigger IT environment, let's say in a company, and in this IT environment you have distributed responsibilities, like you

have some guys that are managing the clients, you have some guys that are managing the servers, web applications and so on and so forth. And those guys are also doing some changes in their environment, and as a security team I'm not directly in control of this, so I can only see the results of those changes, or by talking to the people and getting the information. So it would be great for me as a security practitioner to get these changes directly on a regular basis, so I can state, for instance, assumptions about my environment and say, hey, I need for instance this very important firewall rule, and say that my

environment must be like this. Or, for the security operations center, if you have a use case, for instance, and you want to check if this use case is still working all the time, because you're getting the right logs and there's nothing missing. So it would be great to have something to measure this and to verify this, so that we can build security on confidence from our security perspective. So for this, let's talk about MITRE ATT&CK first. What is MITRE ATT&CK in general? MITRE ATT&CK is a framework with generic attacks in it. Those generic attacks are categorized in different tactics, the so-called tactics here; this is the upper line here,

where I can say I have something like initial access, so how do I get into the company; execution, so I get my code executed; and so on and so forth. And then we have the generalized attacks that are described in a very generic way here. So what can you do with it? Because it looks at first glance like a boring table. Okay, it is sometimes, but you can do modeling with MITRE ATT&CK, so MITRE is also doing this for you. So it is modeling some attacker groups or attackers in general. Let's see how it works. So for instance, for the initial access

for a company I use the phishing technique, and then I get execution via the native API, for instance. Then for persistence purposes, because I got a foot in the door and I want to keep it there, I create an account for me so I can come back, because the system is reachable over the internet. Then I can probably do a privilege escalation to get SYSTEM rights on the system by doing a DLL injection, and then I can get my credentials during the credential dumping phase. So like this you can model your infrastructure in general. But oftentimes in compliance-driven companies I see that MITRE is a bit misused, because this

is not a checklist, because each and every technique here is only a generalized attack description. You have multiple layers under it. For instance, you can do the native API execution by using PowerShell or by using C# or something else that you can imagine, so you have many, many ways in general to do your actual attack. Because we can also use MITRE by adopting it for our company, for instance, I made an abstract picture of that, so we can play through some scenarios for us and say, hey, come on, I take the tactics and derive techniques from that to model a scenario for me.

Let's say an attacker is doing some reconnaissance previously. Then he is setting up an email and says, hey, I will do the initial access by doing a phishing attempt, adding an attachment to have execution probabilities, so that I, for instance, execute the command line and drop my code on the machine. Then on the machine itself it calls back via, for instance, HTTPS, thanks to Let's Encrypt fully encrypted, to our command and control server and then gets the next attack steps. Okay, now we're on the machine, we can say, hey, come on, we want to stay there and do some persistence.

For instance, like I said before, we just use a DLL injection, because we found a program or a service that is searching for a specific DLL, and we know to notice that. Okay, so now we're SYSTEM on a Windows client, for instance, and the next step is for us, for privilege escalation purposes, after that the next step is moving laterally. So when we are SYSTEM we can simply dump LSASS, if we do the right steps before, and jump to the next box. And here we found, for instance, some text files for the next machine, and we do some collection and exfiltrate the information to a different server in the

internet. And so you can adopt all the tactics with derived techniques and play with MITRE ATT&CK in general to get a feeling and the overview of your attack landscape and play something through. Okay, we saw now MITRE ATT&CK, but how do we measure? In the past we did security testing, for instance something like red teaming, where we hired an external red team and said, hey, come on guys, hack my company and give me a report about that and tell me how I can improve that. And then, yeah, this is good, this is very important, but most of the time it

is done only annually, so you have a snapshot of one time in the year about your current security state, and only one or two different ways into your company. So the next candidate might be penetration testing, which is a more focused approach, where you can say I want to test this machine or that machine or the entire network, this web application and so on. It's also good, but imagine you have five pen testers and 800 machines: that doesn't scale. Then also a candidate is vulnerability scanning, which is also great because it's a broader approach, but vulnerability scanning is more focused on the CVEs in general, so you can just

patch the system and you're fine; you can measure it with that, which is good. So it might be a part of the general security program here, but you can't test some architecture problems with it, for instance. Then there are different offensive or defensive tools that are mostly working like black boxes, where you automate your test behavior. But what I would say to use, or what might be interesting to use, is that we as security practitioners model our expectations about the environment and say, hey guys, for instance this firewall must be there, or the web application must be authenticated like this, or this SIEM rule must be

triggered under these conditions. So it's more like the mindset of the software development life cycle, when you use the test-driven approach and say, hey, I write a test for it and check if the condition that I want to have is there. So how can we measure that with MITRE? We simply use MITRE and put it into, for instance, Atomic Red Team; this is one way to do this. So let's dive into it. What is Atomic Red Team? Atomic Red Team is actually a MITRE use case that you can model within a simple YAML file and run it, like, it's actually an attack in general. So

you have different sections here in an Atomic Red Team case. The first one is the input arguments; imagine this like variables for a function. Then you have to check the prerequisites, then you run the attack itself, and you're cleaning up the system to become the previous state again, to be clean. Okay, let's show this on a small example. Let's say we have some source files here, because we want to run a stager which is written in C#, and have an output file somewhere in temp. Then we have a prerequisite that we need a special compiler and also the access to this compiler. And then the next step is to compile the code and run the attack, and after

that remove all the files that we generated. Like this, okay, this is an atomic test, which is great, but for measuring it's not enough, because we need criteria. Without criteria we can't measure anything, and we can also validate anything. So we need at least success or failure criteria to say this is a successful test or it's a failed test. So when the attack goes through, the test is successful itself, but it's a failure for us because the attack is working. So let's look at the example here again. We have at least three different criteria here: the compiler must be existing, and we need

access to this compiler, because I can't block it by, for instance, AppLocker, and then the attacker is not able to use it, potentially. And then I want the stager to do what the stager is doing: connect to the command and control server and load the next stage, and then we have a successful attack in general. So this is also nice. Let's zoom out a bit more, because, yeah, atomic tests are good and great to have a test scenario, but it's very limited on one point. So if you want to run a chain of attacks with a bigger scenario, like we showed before, that you can definitely model, you need chains, and each and every

chain has the success criteria and a validation step, so when the chain fails somewhere you know why. Another thing is that some MITRE attacks are not really possible to get modeled like this. So imagine you are modeling Create Account like an attack. It might be interesting on different systems, but it's pretty limited. So you can model it like for a SIEM use case, to test it, that I create an account, do something in between and delete the account again; otherwise I would just mimic administrative behavior, which is not intentional then. So how can we use this methodology in general? You must choose your must conditions, so you have to be focused on

that. You gather them and then you prioritize them, so the most important you will implement other, because everyone has only eight hours a day, so we have to model it like this and focus, and start with a bunch of those cases, for instance. Then we create the cases, so we write our expectations of our environment and say, hey, it must be like this. Then we run the test, we validate the test, and then we improve our environment. And then we can go on and on and create even more of those tests, and then we can measure our environment in the end like this. So how to express this

in numbers? For instance, we can use it with MITRE with metrics and say: we have a technique here, we have modeled in general five tests like this, we are mitigating four of them and alerting only two of them. The goal should be to mitigate and alert all five of them, but sometimes it's simply not possible because you have way too many false positives. And another very important aspect is that you focus on your environments. So we have, for instance, the Windows environment, then we have the clients for it, and we want to model those tests there and see if they are improving or changing, and

how the current security posture is over there. So then we can also measure this over time, making a regular iteration about this. The time interval is up to you, so you can run it daily, weekly, monthly, but not yearly. And you have different categories here. The red ones are: the attacker is successful, so I have to do something. Then: the attack is mitigated, I have countermeasures for this in place, like hardening stuff here. Then we have monitoring, so we are at least getting the logs and can read the logs after the successful attack, but this is a prerequisite for the get-alerted thing, so that we have a SIEM alert, for instance, and say, hey, now we

are also getting a notification when this happens, even when it's mitigated. We can also go a bit deeper into this, in that we can write down some cases pretty briefly. So let's take, for instance, the LSASS dumping via rundll here. The attack is successful, we categorized it in MITRE and we defined countermeasures. We have a risk scoring within it, so how important is it, how fast do I need to act here. And we have the scope: for me, system here is the whole system, like the environment of the company, and local is more the local machine, it's only affected there. And you have some

guy that is responsible for mitigating it or doing the stuff behind the successful task. Okay, so we are finally coming to the end of my talk. So what are the advantages of this strategy? We have a reproducible methodology to measure our security posture in general. Also we can recognize changes there, so if one of the divisions, maybe not intentionally at all, changes some security settings, then, yeah, we want to recognize this and we want to get notified here. And we are also in general getting the monitoring gaps, because with this approach we can also test our SIEM use cases on a regular basis, and we have not only isolated the

attacks, and we can, yeah, model more sophisticated scenarios for us or test those. And the most important thing is still that your security posture gets verifiable. So thanks for your attention. Now I'm open for questions. [Applause]

Okay, hello, hello. Thank you for a nice talk. One question about using the Atomic Red Team framework to measure detection in the area of EDR products: where do you set the line, or split the line? I would say, in case you dump credentials from the LSASS process, you can execute your atomic, I would say, artifact, and it is more or less the ideal case. But compared to when I use the same technique from a framework like Cobalt Strike or Brute Ratel, where can I set the line, so that I say, okay, yeah, it's okay, we see this, but compared to when I do the same technique based on in-memory

encryption and other things, I no longer see this technique. Where can I say, okay, it makes sense to do it in this way, or to say we see it at this point, but no longer after we use Cobalt Strike or other tools?

Yeah, in general you have to prioritize first, so that you can say these are the attacks that are more probable for my environment. You can use the tactics from Cobalt Strike, and you implement it first when you say this might be an attack that takes place in my environment, and then you have to model this. Yeah, when you have deeper memory stuff that

you have to model, okay, you need a bit more work to do, or to work on this case, but then you use the framework to prove the visibility, to prove the detection.

So when I execute the artifact from Atomic Red Team, maybe the products see this, but especially in the case of LSASS there are now many ways to dump it in a different way. So for example, you search for an open handle which is already open, in the case of the svchost process, and then I no longer see it. But what can I say then?

Is it enough, or should I say, okay, I know there will always be a way to bypass it? From my own experience it's always hard to find the line, so: okay, until this point we see everything, but then it no longer makes sense, or, yeah.

Yeah, it depends. The one thing is, what you already stated, that you have different perspectives and angles that you must implement, that you want to see, and then you can trigger those and then you can detect this. But when you also detect this, then you have some kind of SIEM use case, let's say, and you build it, and then with

Atomic Red Team, for instance, you can trigger this use case, and that's in this scenario the better idea, actually. Okay, because you don't have all the time in the world. So, okay, thank you.

Hi, a question regarding the test case input files. Basically, you define it and then you just run it. Has anyone already provided a large library of predefined test cases that you can just use?

Yeah, Atomic Red Team is a repository on GitHub where you have exactly this: many predefined use cases that you can use and build up.

How many use cases do you have? A rough question.

I did several hundreds, I could say.

Question two: the example you showed was about Windows, right? Some attack on Windows. So this is executing on one host machine. How well does this work from a network-centric perspective, something that spans multiple machines?

You just set up a test machine for that and then you penetrate your environment, like the network. I would set it up like this.

Okay, thanks.

You're welcome.

Any other questions for Marcus? All right, then please give Marcus a hand. Thank you very much.