Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019

 
Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|1|

Frameworks and Why We Use Them

Katie Nickels

SANS CTI Summit – CTI 101
January 20, 2019

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|2|

 Why Do We Use Frameworks for CTI?

 ▪ Miller’s law: the number of objects an average person can hold
        in working memory is seven (https://en.m.wikipedia.org/wiki/Miller's_law)
 ▪      What is a framework?
         – Structure that we can use to organize CTI
 ▪      Frameworks can help us make better assessments and
        produce better intelligence by helping us:
         – Hedge against bias
         – Identify gaps
         – Compare incidents and adversaries
         – Find patterns and trends

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|3|

 Common CTI Frameworks
 ▪      Diamond Model
 ▪      Lockheed Martin Cyber Kill Chain®
 ▪      MITRE ATT&CK™
 ▪      VERIS

                                      Which one is “best?”
                                It depends on your requirements!

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|4|

 Remember the Limitations

 https://www.lacan.upc.edu/admoreWeb/2019/05/all-models-are-wrong-but-some-
 are-useful-george-e-p-box/

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|5|

 Diamond Model
 ▪ When is it useful?
    – To compare and group different
       intrusions
    – To examine similarities between
       seemingly disparate activity
 ▪ Limitations
    – High-level
    – Flexible – need to decide among
       your team how you “bin”
       information
 http://www.activeresponse.org/wp-
 content/uploads/2013/07/diamond.pdf

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
Frameworks and Why We Use Them - Katie Nickels SANS CTI Summit - CTI 101 January 20, 2019
|6|

 Lockheed Martin Cyber Kill Chain
 ▪ When is it useful?
        – To “bin” the phases of an adversary’s intrusion
        – To examine what you might be missing
 ▪      Limitations
        – High-level
        – Flexible – need to decide among your team
          how you “bin” information
 ▪      Also examine Courses of Action:
        – Detect, Deny, Disrupt, Degrade, Deceive,
          Destroy
 https://www.lockheedmartin.com/content/dam/lockheed-
 martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-
 Defense.pdf                                                                                                       https://www.lockheedmartin.com/en-
                                                                                                                   us/capabilities/cyber/cyber-kill-chain.html
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
|7|

 Other Lifecycle Frameworks
 MITRE Cyber Attack Lifecycle
                            Recon                                               Deliver                               Control                          Maintain

                                                   Weaponize                                               Exploit                           Execute
                                                                     https://www.mitre.org/capabilities/cybersecurity/threat-based-defense

 FireEye Attack Lifecycle

                                   https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds18-technical-s05-att&cking-fin7.pd f

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
|8|

             MITRE ATT&CK
Techniques: how the goals are

                                                                      Tactics: the adversary’s technical goals
                           Initial                                                                                       Privilege                              Defense                 Credential                                           Lateral                                                                     Command
                                                 Execution                          Persistence                                                                                                                   Discovery                                          Collection               Exfiltration
                          Access                                                                                        Escalation                              Evasion                  Access                                             Movement                                                                     & Control
                         Hardware Additions                                               Scheduled Task                                                              Binary Padding    Credentials in Registry     Browser Bookmark        Exploitation of Remote   Data from Information       Exfiltration Over        Remote Access Tools
                         Trusted Relationship                            LSASS Driver                                                    Extra Window Memory Injection                                                  Discovery                  Services              Repositories            Physical Medium             Port Knocking
                                                                                                                                                                                           Exploitation for
                                                                      Local Job Scheduling                                                   Access Token Manipulation                    Credential Access                                                              Video Capture                                      Multi-hop Proxy
                                                                                                                                                                                                                      Network Share         Distributed Component                                 Exfiltration Over
                     Supply Chain Compromise
                                                                             Trap                                                          Bypass User Account Control                  Forced Authentication           Discovery                 Object Model           Audio Capture             Command and              Domain Fronting
                                                                                                                                                                                                                                                                                                  Control Channel
                                                                           Launchctl                                                              Process Injection                            Hooking               Peripheral Device        Remote File Copy       Automated Collection                                    Data Encoding
                     Spearphishing Attachment
                                                                                                                   Image File Execution Options Injection                                Password Filter DLL             Discovery              Pass the Ticket          Clipboard Data           Data Encrypted           Remote File Copy
                                                     Signed Binary
                                                    Proxy Execution                                                             Plist Modification                                                                                                                      Email Collection       Automated Exfiltration     Multi-Stage Channels
                         Exploit Public-Facing                                                                                                                                             LLMNR/NBT-NS              File and Directory      Replication Through
                             Application             User Execution                                                              Valid Accounts                                              Poisoning                   Discovery            Removable Media           Screen Capture                                        Web Service
                                                                                                                                                                                                                                                                                               Exfiltration Over Other
                                                                                                                        DLL Search Order Hijacking                                           Private Keys                                   Windows Admin Shares          Data Staged            Network Medium
                         Replication Through         Exploitation for                                                                                                                                               Permission Groups                                                                                          Standard
                          Removable Media            Client Execution                                         AppCert DLLs                                                                    Keychain                  Discovery               Pass the Hash            Input Capture                                      Non-Application
                                                                                                                                                                       Signed Script                                                                                                              Exfiltration Over
                                                                                                                                                                      Proxy Execution                                                                                                           Alternative Protocol         Layer Protocol
                           Spearphishing via             CMSTP                                                   Hooking                                                                    Input Prompt             Process Discovery       Third-party Software      Data from Network
                               Service           Dynamic Data Exchange                                        Startup Items                                             DCShadow             Bash History                                      Shared Webroot             Shared Drive                                     Connection Proxy
                                                                                                                                                                                                                     System Network                                                                Data Transfer
                          Spearphishing Link             Mshta                                             Launch Daemon                                              Port Knocking                               Connections Discovery         Logon Scripts        Data from Local System         Size Limits          Multilayer Encryption
                                                                                                                                                                                             Two-Factor
                        Drive-by Compromise            AppleScript                                            Dylib Hijacking                                     Indirect Command         Authentication           System Owner/User         Windows Remote          Man in the Browser         Data Compressed          Standard Application
                                                                                                                                                                      Execution             Interception                 Discovery             Management                                                                    Layer Protocol
                            Valid Accounts               Source                                         Application Shimming                                                                                                                                         Data from Removable        Scheduled Transfer
                                                  Space after Filename                                         AppInit DLLs                                              BITS Jobs                                                                                           Media                                        Commonly Used Port
                                                                                                                                                                                         Replication Through         System Network              Application
                                                                                                                Web Shell                                        Control Panel Items      Removable Media         Configuration Discovery   Deployment Software
                                                   Execution through                                                                                                                                                                                                                                                     Standard Cryptographic
                                                     Module Load                                                                                                                                                                                SSH Hijacking                                                                   Protocol
                                                                                                Service Registry Permissions Weakness                                     CMSTP             Input Capture           Application Window
                                                                                                                                                                  Procedures – Specific technique implementation
achieved

                                                                                                                                                                                                                         Discovery               AppleScript
                                                    Regsvcs/Regasm                                             New Service                                     Process Doppelgänging      Network Sniffing                                                                                                               Custom Cryptographic
                                                                                                                                                                                                                                                                                                                               Protocol
                                                        InstallUtil                               File System Permissions Weakness                                        Mshta          Credential Dumping           Password Policy        Taint Shared Content
                                                        Regsvr32                                           Path Interception                                                                Kerberoasting                Discovery                                                                                         Data Obfuscation
                                                                                                                                                                       Hidden Files                                                            Remote Desktop
                                                  Execution through API                                 Accessibility Features                                        and Directories     Securityd Memory        System Time Discovery           Protocol
                                                                                                                                                                                                                                                                                                                           Custom Command
                                                       PowerShell                                             Port Monitors                                     Space after Filename         Brute Force            Account Discovery          Remote Services                                                            and Control Protocol

                                                        Rundll32                          Kernel Modules                          Sudo Caching                   LC_MAIN Hijacking      Account Manipulation        System Information                                                                                      Communication
                                                  Third-party Software                    and Extensions                      SID-History Injection                   HISTCONTROL        Credentials in Files            Discovery                                                                                             Through
                                                                                                                                                                                                                                                                                                                           Removable Media
                                                        Scripting                          Port Knocking                              Sudo                             Hidden Users                                  Security Software
                                                 Graphical User Interface                                                       Setuid and Setgid              Clear Command History                                    Discovery
                                                                                            SIP and Trust                                                                                                                                                                                                                     Multiband
                                                                                         Provider Hijacking                                                      Gatekeeper Bypass                                                                                                                                          Communication
                                                     Command-Line                                                               Exploitation for                                                                     Network Service
                                                       Interface                             Screensaver                      Privilege Escalation                    Hidden Window                                     Scanning                                                                                           Fallback Channels

         ©2019 The MITRE Corporation. ALL
                                      ServiceRIGHTS
                                             Execution RESERVED
                                                             BrowserApproved
                                                                     Extensions for public release. Distribution Deobfuscate/Decode
                                                                                                                 unlimited 18-1528-33.                                                                                Remote System                                                                                      Uncommonly Used Port
                                                                                       Re-opened Applications                                                    Files or Information                                   Discovery
                                                    Windows Remote
|9|

 MITRE ATT&CK
 ▪ When is it useful?
        – To track adversary behavior at a detailed level
        – To communicate with defenders and with other organizations about specific
          behaviors in a common language
 ▪      Limitations
        – Doesn’t cover all aspects of CTI or all techniques
        – Tactical focus
        – Complex – can have a steep learning curve

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
| 10 |

 APT28 Techniques*
          Initial                                                                                                     Privilege                                Defense                                Credential                                                         Lateral                                                                                 Command
                                      Execution Persistence                                                          Escalation                                Evasion                                 Access
                                                                                                                                                                                                                                           Discovery
                                                                                                                                                                                                                                                                        Movement
                                                                                                                                                                                                                                                                                                         Collection                 Exfiltration
                                                                                                                                                                                                                                                                                                                                                                and Control
         Access
 Initial Access                   E ecution                              ersistence                               rivilege Escalation                       efense Evasion                         Credential Access                     iscovery                      ateral Movement                Collection                 E filtration                  Command And Control
 Drive by Compromise               pple cript                           bash profile and bashrc                   ccess To en            anipulation     ccess To en              anipulation        ccount     anipulation              ccount Discovery            pple cript                        udio Capture                utomated     filtration     Commonly sed ort
    ploit ublic acin              C      T                               ccessibility            eatures          ccessibility          eatures          inary          addin                        ash     istory                      pplication   indow          pplication Deployment             utomated Collection       Data Compressed               Communication Throu h
  pplication                                                                                                                                                                                                                            Discovery                    oftware                                                                                    emovable edia
  ardware dditions                Command         ine Interface          ppCert D          s                      ppCert D         s                     IT         obs                              rute    orce                        rowser oo mar DiscoveryDistributed
                                                                                                                                                                                                                                                                     b ect odel
                                                                                                                                                                                                                                                                                Component             Clipboard Data            Data ncrypted                  Connection ro y
  eplication Throu h              Control     anel Items                 ppInit D         s                       ppInit D        s                      ypass           ser    ccount ControlCredential Dumpin                          ile and Directory Discovery  ploitation of emote             Data from Information     Data Transfer i e imits        Custom Command and
  emovable edia                                                                                                                                                                                                                                                      ervices                           epositories                                             Control rotocol
  pearphishin    ttachment        Dynamic Data         chan e            pplication           himmin              pplication          himmin            Clear Command              istory          Credentials in        iles            etwor     ervice   cannin     o on    cripts                 Data from ocal ystem         filtration ver lternative   Custom Crypto raphic
                                                                                                                                                                                                                                                                                                                                 rotocol                        rotocol
  pearphishin       in              ecution throu h       I              uthentication               ac a e       ypass       ser       ccount ControlC        T                                   Credentials in e istry                etwor     hare Discovery      ass the    ash                 Data from etwor     hared    filtration ver Command      Data ncodin
                                                                                                                                                                                                                                                                                                      Drive                     and Control Channel
  pearphishin      via   ervice     ecution throu h odule                IT         obs                          D        earch        rder   i ac in   Code        i nin                            ploitation for Credential           assword     olicy Discovery   ass the Tic et                 Data from emovable edia etworfiltration ver ther         Data    bfuscation
                                   oad                                                                                                                                                              ccess                                                                                                                                    edium
  upply Chain Compromise            ploitation for Client                oot it                                  Dylib i ac in                  Component irmware                                   orced uthentication                  eripheral Device Discovery    emote Des top        rotocol   Data ta ed                   filtration ver hysical      Domain      rontin
                                    ecution                                                                                                                                                                                                                                                                                       edium
 Trusted   elationship             raphical ser Interface                rowser    tensions                          ploitation for rivile e    Component b ect odel        oo in                                                        ermission    roups Discovery emote      ile Copy              mail Collection           cheduled Transfer              allbac     Channels
                                                                                                                   scalation                      i ac in
  alid   ccounts                  Install til                           Chan e Default ile                           tra   indow emory          Control anel Items        Input Capture                                                  rocess Discovery              emote ervices                  Input Capture                                             ulti hop     ro y
                                                                         ssociation                              In ection
                                   aunchctl                             Component irmware                          ile ystem ermissions         DC hadow                  Input rompt                                                    uery    e istry               eplication Throu h              an in the   rowser                                       ulti   ta e Channels
                                                                                                                     ea ness                                                                                                                                           emovable edia
                                   ocal      ob   chedulin              Component b ect odel                        oo in                       Deobfuscate Decode iles or erberoastin                                                   emote     ystem Discovery     hared    ebroot                 creen Capture                                            ultiband Communication
                                                                         i ac in                                                                Information
                                             Driver                     Create ccount                            Ima e ile        ecution ptionsDisablin    ecurity Tools   eychain                                                      ecurity   oftware Discovery          i ac in                  ideo Capture                                             ultilayer    ncryption
                                                                                                                 In ection
                                      shta                              D        earch         rder    i ac in     aunch Daemon                 D      earch rder i ac in            T                                        oisonin    ystem Information DiscoveryTaint hared Content                                                                         ort    noc in
                                   ower hell                            Dylib       i ac in                       ew      ervice                        D       ide oadin                            etwor      niffin                   ystem etwor                Third party oftware                                                                         emote      ccess Tools
                                                                                                                                                                                                                                        Confi uration Discovery
                                   e svcs         e asm                    ternal emote ervices                   ath Interception                          ploitation for Defense                   assword        ilter D              ystem etwor Connections indows dmin hares                                                                              emote ile Copy
                                                                                                                                                          vasion                                                                        Discovery
                                   e svr                                 ile ystem ermissions                     list     odification                      tra   indow emory                        rivate eys                          ystem wner ser               indows emote                                                                              tandard pplication ayer
                                                                           ea ness                                                                      In ection                                                                       Discovery                     ana ement                                                                                 rotocol
                                   undll                                  idden iles and Directories              ort     onitors                         ile Deletion                               eplication Throu h                  ystem ervice Discovery                                                                                                 tandard Crypto raphic
                                                                                                                                                                                                     emovable edia                                                                                                                                              rotocol
                                   cheduled Tas                          oo in                                    rocess In ection                       ile    ystem          o ical     ffsets     ecurityd emory                      ystem Time Discovery                                                                                                   tandard on pplication
                                                                                                                                                                                                                                                                                                                                                                ayer rotocol
                                   criptin                                ypervisor                               cheduled Tas              ate eeper ypass                                        Two actor uthentication                                                                                                                                      ncommonly sed ort
                                                                                                                                                                                                   Interception
                                   ervice    ecution                    Ima e ile      ecution             ptions ervice e istry ermissions idden iles and Directories                                                                                                                                                                                          eb     ervice
                                                                        In ection                                  ea ness
                                   i ned inary ro y                       ernel odules and                        etuid and et id           idden sers
                                     ecution                               tensions
                                   i ned cript ro y                       aunch    ent                            ID      istory In ection               idden           indow
                                     ecution
                                   ource                                 aunch Daemon                             tartup Items                            I TC    T
                                   pace after ilename                    aunchctl                                 udo                                   Ima e ile    ecution                ptions
                                                                                                                                                        In ection
                                  Third party      oftware               C           D D         I     ddition    udo Cachin                            Indicator loc in
                                  Trap                                   ocal       ob     chedulin               alid     ccounts                      Indicator         emoval from Tools
                                  Trusted Developer          tilities    o in Item                                   eb   hell                          Indicator         emoval on         ost
                                    ser   ecution                        o on        cripts                                                             Indirect Command                ecution
                                     indows ana ement

                                                                                                                                                                                                                                                *from open source
                                  Instrumentation                                    Driver                                                             Install         oot Certificate
                                     indows emote                           odify        istin        ervice                                            Install til
                                    ana ement
                                                                         etsh        elper D                                                             aunchctl
                                                                         ew      ervice                                                                  C          I      i ac in

                                                                                                                                                                                                                                                reporting we’ve mapped
                                                                         ffice       pplication         tartup                                              asqueradin
                                                                         ath Interception                                                                   odify       e istry
                                                                         list       odification                                                            shta
                                                                         ort     noc in                                                                   etwor    hare Connection
                                                                                                                                                          emoval
                                                                         ort     onitors                                                                  T     ile ttributes
                                                                         c common                                                                         bfuscated iles or
                                                                                                                                                        Information
                                                                         e opened             pplications                                                 list odification
                                                                         edundant ccess                                                                  ort      noc in
                                                                         e istry un eys                   tart                                           rocess Doppel               n in
                                                                         older
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution
                                                                         cheduled Tas      unlimited 18-1528-33.
                                                                                  rocess ollowin
                                                                         creensaver                                                                      rocess In ection
| 11 |

 APT29 Techniques
          Initial                                                                                                     Privilege                                Defense                                Credential                                                         Lateral                                                                                 Command
                                      Execution Persistence                                                          Escalation                                Evasion                                 Access
                                                                                                                                                                                                                                           Discovery
                                                                                                                                                                                                                                                                        Movement
                                                                                                                                                                                                                                                                                                         Collection                 Exfiltration
                                                                                                                                                                                                                                                                                                                                                                and Control
         Access
 Initial Access                   E ecution                              ersistence                               rivilege Escalation                       efense Evasion                         Credential Access                     iscovery                      ateral Movement                Collection                 E filtration                  Command And Control
 Drive by Compromise               pple cript                           bash profile and bashrc                   ccess To en            anipulation     ccess To en              anipulation        ccount     anipulation              ccount Discovery            pple cript                        udio Capture                utomated     filtration     Commonly sed ort
    ploit ublic acin              C      T                               ccessibility            eatures          ccessibility          eatures          inary          addin                        ash     istory                      pplication   indow          pplication Deployment             utomated Collection       Data Compressed               Communication Throu h
  pplication                                                                                                                                                                                                                            Discovery                    oftware                                                                                    emovable edia
  ardware dditions                Command         ine Interface          ppCert D          s                      ppCert D         s                     IT         obs                              rute    orce                        rowser oo mar DiscoveryDistributed
                                                                                                                                                                                                                                                                     b ect odel
                                                                                                                                                                                                                                                                                Component             Clipboard Data            Data ncrypted                  Connection ro y
  eplication Throu h              Control     anel Items                 ppInit D         s                       ppInit D        s                      ypass           ser    ccount ControlCredential Dumpin                          ile and Directory Discovery  ploitation of emote             Data from Information     Data Transfer i e imits        Custom Command and
  emovable edia                                                                                                                                                                                                                                                      ervices                           epositories                                             Control rotocol
  pearphishin    ttachment        Dynamic Data         chan e            pplication           himmin              pplication          himmin            Clear Command              istory          Credentials in        iles            etwor     ervice   cannin     o on    cripts                 Data from ocal ystem         filtration ver lternative   Custom Crypto raphic
                                                                                                                                                                                                                                                                                                                                 rotocol                        rotocol
  pearphishin       in              ecution throu h       I              uthentication               ac a e       ypass       ser       ccount ControlC        T                                   Credentials in e istry                etwor     hare Discovery      ass the    ash                 Data from etwor     hared    filtration ver Command      Data ncodin
                                                                                                                                                                                                                                                                                                      Drive                     and Control Channel
  pearphishin      via   ervice     ecution throu h odule                IT         obs                          D        earch        rder   i ac in   Code        i nin                            ploitation for Credential           assword     olicy Discovery   ass the Tic et                 Data from emovable edia etworfiltration ver ther         Data    bfuscation
                                   oad                                                                                                                                                              ccess                                                                                                                                    edium
  upply Chain Compromise            ploitation for Client                oot it                                  Dylib i ac in                  Component irmware                                   orced uthentication                  eripheral Device Discovery    emote Des top        rotocol   Data ta ed                   filtration ver hysical      Domain      rontin
                                    ecution                                                                                                                                                                                                                                                                                       edium
 Trusted   elationship             raphical ser Interface                rowser    tensions                          ploitation for rivile e    Component b ect odel        oo in                                                        ermission    roups Discovery emote      ile Copy              mail Collection           cheduled Transfer              allbac     Channels
                                                                                                                   scalation                      i ac in
  alid   ccounts                  Install til                           Chan e Default ile                           tra   indow emory          Control anel Items        Input Capture                                                  rocess Discovery              emote ervices                  Input Capture                                             ulti hop     ro y
                                                                         ssociation                              In ection
                                   aunchctl                             Component irmware                          ile ystem ermissions         DC hadow                  Input rompt                                                    uery    e istry               eplication Throu h              an in the   rowser                                       ulti   ta e Channels
                                                                                                                     ea ness                                                                                                                                           emovable edia
                                   ocal      ob   chedulin              Component b ect odel                        oo in                       Deobfuscate Decode iles or erberoastin                                                   emote     ystem Discovery     hared    ebroot                 creen Capture                                            ultiband Communication
                                                                         i ac in                                                                Information
                                             Driver                     Create ccount                            Ima e ile        ecution ptionsDisablin    ecurity Tools   eychain                                                      ecurity   oftware Discovery          i ac in                  ideo Capture                                             ultilayer    ncryption
                                                                                                                 In ection
                                      shta                              D        earch         rder    i ac in     aunch Daemon                 D      earch rder i ac in            T                                        oisonin    ystem Information DiscoveryTaint hared Content                                                                         ort    noc in
                                   ower hell                            Dylib       i ac in                       ew      ervice                        D       ide oadin                            etwor      niffin                   ystem etwor                Third party oftware                                                                         emote      ccess Tools
                                                                                                                                                                                                                                        Confi uration Discovery
                                   e svcs         e asm                    ternal emote ervices                   ath Interception                          ploitation for Defense                   assword        ilter D              ystem etwor Connections indows dmin hares                                                                              emote ile Copy
                                                                                                                                                          vasion                                                                        Discovery
                                   e svr                                 ile ystem ermissions                     list     odification                      tra   indow emory                        rivate eys                          ystem wner ser               indows emote                                                                              tandard pplication ayer
                                                                           ea ness                                                                      In ection                                                                       Discovery                     ana ement                                                                                 rotocol
                                   undll                                  idden iles and Directories              ort     onitors                         ile Deletion                               eplication Throu h                  ystem ervice Discovery                                                                                                 tandard Crypto raphic
                                                                                                                                                                                                     emovable edia                                                                                                                                              rotocol
                                   cheduled Tas                          oo in                                    rocess In ection                       ile    ystem          o ical     ffsets     ecurityd emory                      ystem Time Discovery                                                                                                   tandard on pplication
                                                                                                                                                                                                                                                                                                                                                                ayer rotocol
                                   criptin                                ypervisor                               cheduled Tas              ate eeper ypass                                        Two actor uthentication                                                                                                                                      ncommonly sed ort
                                                                                                                                                                                                   Interception
                                   ervice    ecution                    Ima e ile      ecution             ptions ervice e istry ermissions idden iles and Directories                                                                                                                                                                                          eb     ervice
                                                                        In ection                                  ea ness
                                   i ned inary ro y                       ernel odules and                        etuid and et id           idden sers
                                     ecution                               tensions
                                   i ned cript ro y                       aunch    ent                            ID      istory In ection               idden           indow
                                     ecution
                                   ource                                 aunch Daemon                             tartup Items                            I TC    T
                                   pace after ilename                    aunchctl                                 udo                                   Ima e ile    ecution                ptions
                                                                                                                                                        In ection
                                  Third party      oftware               C           D D         I     ddition    udo Cachin                            Indicator loc in
                                  Trap                                   ocal       ob     chedulin               alid     ccounts                      Indicator         emoval from Tools
                                  Trusted Developer          tilities    o in Item                                   eb   hell                          Indicator         emoval on         ost
                                    ser   ecution                        o on        cripts                                                             Indirect Command                ecution
                                     indows ana ement                                Driver                                                             Install         oot Certificate
                                  Instrumentation
                                     indows emote                           odify        istin        ervice                                            Install til
                                    ana ement
                                                                         etsh        elper D                                                             aunchctl
                                                                         ew      ervice                                                                  C          I      i ac in
                                                                         ffice       pplication         tartup                                              asqueradin
                                                                         ath Interception                                                                   odify       e istry
                                                                         list       odification                                                            shta
                                                                         ort     noc in                                                                   etwor    hare Connection
                                                                                                                                                          emoval
                                                                         ort     onitors                                                                  T     ile ttributes
                                                                         c common                                                                         bfuscated iles or
                                                                                                                                                        Information
                                                                         e opened             pplications                                                 list odification
                                                                         edundant ccess                                                                  ort      noc in
                                                                         e istry un eys                   tart                                           rocess Doppel               n in
                                                                         older
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution
                                                                         cheduled Tas      unlimited 18-1528-33.
                                                                                  rocess ollowin
                                                                         creensaver                                                                      rocess In ection
| 12 |

 Comparing APT28 and APT29
          Initial                                                                                                     Privilege                                Defense                                Credential                                                         Lateral                                                                                 Command
                                      Execution Persistence                                                          Escalation                                Evasion                                 Access
                                                                                                                                                                                                                                           Discovery
                                                                                                                                                                                                                                                                        Movement
                                                                                                                                                                                                                                                                                                         Collection                 Exfiltration
                                                                                                                                                                                                                                                                                                                                                                and Control
         Access
 Initial Access                   E ecution                              ersistence                               rivilege Escalation                       efense Evasion                         Credential Access                     iscovery                      ateral Movement                Collection                 E filtration                  Command And Control
 Drive by Compromise               pple cript                           bash profile and bashrc                   ccess To en            anipulation     ccess To en              anipulation        ccount     anipulation              ccount Discovery            pple cript                        udio Capture                utomated     filtration     Commonly sed ort
    ploit ublic acin              C      T                               ccessibility            eatures          ccessibility          eatures          inary          addin                        ash     istory                      pplication   indow          pplication Deployment             utomated Collection       Data Compressed               Communication Throu h
  pplication                                                                                                                                                                                                                            Discovery                    oftware                                                                                    emovable edia
  ardware dditions                Command         ine Interface          ppCert D          s                      ppCert D         s                     IT         obs                              rute    orce                        rowser oo mar DiscoveryDistributed
                                                                                                                                                                                                                                                                     b ect odel
                                                                                                                                                                                                                                                                                Component             Clipboard Data            Data ncrypted                  Connection ro y
  eplication Throu h              Control     anel Items                 ppInit D         s                       ppInit D        s                      ypass           ser    ccount ControlCredential Dumpin                          ile and Directory Discovery  ploitation of emote             Data from Information     Data Transfer i e imits        Custom Command and
  emovable edia                                                                                                                                                                                                                                                      ervices                           epositories                                             Control rotocol
  pearphishin    ttachment        Dynamic Data         chan e            pplication           himmin              pplication          himmin            Clear Command              istory          Credentials in        iles            etwor     ervice   cannin     o on    cripts                 Data from ocal ystem         filtration ver lternative   Custom Crypto raphic
                                                                                                                                                                                                                                                                                                                                 rotocol                        rotocol
  pearphishin       in              ecution throu h       I              uthentication               ac a e       ypass       ser       ccount ControlC        T                                   Credentials in e istry                etwor     hare Discovery      ass the    ash                 Data from etwor     hared    filtration ver Command      Data ncodin
                                                                                                                                                                                                                                                                                                      Drive                     and Control Channel
  pearphishin      via   ervice     ecution throu h odule                IT         obs                          D        earch        rder   i ac in   Code        i nin                            ploitation for Credential           assword     olicy Discovery   ass the Tic et                 Data from emovable edia etworfiltration ver ther         Data    bfuscation
                                   oad                                                                                                                                                              ccess                                                                                                                                    edium
  upply Chain Compromise            ploitation for Client                oot it                                  Dylib i ac in                  Component irmware                                   orced uthentication                  eripheral Device Discovery    emote Des top        rotocol   Data ta ed                   filtration ver hysical      Domain      rontin
                                    ecution                                                                                                                                                                                                                                                                                       edium
 Trusted   elationship             raphical ser Interface                rowser    tensions                          ploitation for rivile e    Component b ect odel        oo in                                                        ermission    roups Discovery emote      ile Copy              mail Collection           cheduled Transfer              allbac     Channels
                                                                                                                   scalation                      i ac in
  alid   ccounts                  Install til                           Chan e Default ile                           tra   indow emory          Control anel Items        Input Capture                                                  rocess Discovery              emote ervices                  Input Capture                                             ulti hop     ro y
                                                                         ssociation                              In ection
                                   aunchctl                             Component irmware                          ile ystem ermissions         DC hadow                  Input rompt                                                    uery    e istry               eplication Throu h              an in the   rowser                                       ulti   ta e Channels
                                                                                                                     ea ness                                                                                                                                           emovable edia
                                   ocal      ob   chedulin              Component b ect odel                        oo in                       Deobfuscate Decode iles or erberoastin                                                   emote     ystem Discovery     hared    ebroot                 creen Capture                                            ultiband Communication
                                                                         i ac in                                                                Information
                                             Driver                     Create ccount                            Ima e ile        ecution ptionsDisablin    ecurity Tools   eychain                                                      ecurity   oftware Discovery          i ac in                  ideo Capture                                             ultilayer    ncryption
                                                                                                                 In ection
                                      shta                              D        earch         rder    i ac in     aunch Daemon                 D      earch rder i ac in            T                                        oisonin    ystem Information DiscoveryTaint hared Content                                                                         ort    noc in
                                   ower hell                            Dylib       i ac in                       ew      ervice                        D       ide oadin                            etwor      niffin                   ystem etwor                Third party oftware                                                                         emote      ccess Tools
                                                                                                                                                                                                                                        Confi uration Discovery
                                   e svcs         e asm                    ternal emote ervices                   ath Interception                          ploitation for Defense                   assword        ilter D              ystem etwor Connections indows dmin hares                                                                              emote ile Copy
                                                                                                                                                          vasion                                                                        Discovery
                                   e svr                                 ile ystem ermissions                     list     odification                      tra   indow emory                        rivate eys                          ystem wner ser               indows emote                                                                              tandard pplication ayer
                                                                           ea ness                                                                      In ection                                                                       Discovery                     ana ement                                                                                 rotocol
                                   undll                                  idden iles and Directories              ort     onitors                         ile Deletion                               eplication Throu h                  ystem ervice Discovery                                                                                                 tandard Crypto raphic
                                                                                                                                                                                                     emovable edia                                                                                                                                              rotocol
                                   cheduled Tas                          oo in                                    rocess In ection                       ile    ystem          o ical     ffsets     ecurityd emory                      ystem Time Discovery                                                                                                   tandard on pplication
                                                                                                                                                                                                                                                                                                                                                                ayer rotocol
                                   criptin                                ypervisor                               cheduled Tas              ate eeper ypass                                        Two actor uthentication                                                                                                                                      ncommonly sed ort
                                                                                                                                                                                                   Interception
                                   ervice    ecution                    Ima e ile      ecution             ptions ervice e istry ermissions idden iles and Directories                                                                                                                                                                                          eb     ervice
                                                                        In ection                                  ea ness
                                   i ned inary ro y                       ernel odules and                        etuid and et id           idden sers
                                     ecution                               tensions

                                                                                                                                                                                                                    Overlay known gaps
                                   i ned cript ro y                       aunch    ent                            ID      istory In ection               idden           indow
                                     ecution
                                   ource                                 aunch Daemon                             tartup Items                            I TC    T
                                   pace after ilename                    aunchctl                                 udo                                   Ima e ile    ecution                ptions
                                                                                                                                                        In ection
                                  Third party      oftware               C           D D         I     ddition    udo Cachin                            Indicator loc in
                                  Trap                                   ocal       ob     chedulin               alid     ccounts                      Indicator         emoval from Tools
                                  Trusted Developer          tilities    o in Item                                   eb   hell                          Indicator         emoval on         ost
                                    ser   ecution
                                     indows ana ement
                                  Instrumentation
                                     indows emote
                                    ana ement
                                                                         o on

                                                                            odify
                                                                                     cripts
                                                                                     Driver
                                                                                         istin        ervice
                                                                                                                                                        Indirect Command
                                                                                                                                                        Install
                                                                                                                                                        Install til
                                                                                                                                                                        oot Certificate
                                                                                                                                                                                        ecution

                                                                                                                                                                                                                                                                     APT28
                                                                         etsh        elper D                                                             aunchctl
                                                                         ew      ervice                                                                  C          I      i ac in
                                                                         ffice       pplication
                                                                         ath Interception
                                                                         list       odification
                                                                                                        tartup                                              asqueradin
                                                                                                                                                            odify
                                                                                                                                                           shta
                                                                                                                                                                        e istry                                                                                      APT29
                                                                         ort     noc in                                                                   etwor    hare Connection
                                                                                                                                                          emoval
                                                                         ort
                                                                         c common
                                                                         e opened
                                                                                 onitors

                                                                                              pplications
                                                                                                                                                          T     ile ttributes
                                                                                                                                                          bfuscated iles or
                                                                                                                                                        Information
                                                                                                                                                          list odification
                                                                                                                                                                                                                                                                     Both groups
                                                                         edundant ccess                                                                  ort      noc in
                                                                         e istry un eys                   tart                                           rocess Doppel               n in
                                                                         older
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution
                                                                         cheduled Tas      unlimited 18-1528-33.
                                                                                  rocess ollowin
                                                                         creensaver                                                                      rocess In ection
| 13 |

 VERIS
 ▪ Vocabulary for Event Recording and Incident Sharing (VERIS)
        – Actors: Whose actions affected the asset?
        – Actions: What actions affected the asset?
        – Assets: Which assets were affected?
        – Attributes: How the asset was affected?
 ▪      When is it useful?
        – Organizing incident data - example: Verizon Data Breach Investigations
          Reports (DBIR) (https://enterprise.verizon.com/resources/reports/DBIR_2019_Report.pdf)
        – To track trends and patterns in incidents
 ▪      Limitations
        – Flexible – need to decide amon your team how you “bin” information
 http://veriscommunity.net/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
| 14 |

 Combining Frameworks: Diamond Model + Kill Chain

                                          http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
| 15 |

 Combining Frameworks: Kill Chain + ATT&CK

                                                               https://pan-unit42.github.io/playbook_viewer/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
| 16 |

 Other Structured Tools: Processes
 ▪ Processes
         – Intelligence Cycle
               ▪ https://en.wikipedia.org/wiki/Intelligence_cycle
         – F3EAD - Find, Fix, Finish, Exploit, Analyze
               ▪ https://medium.com/@sroberts/intelligence-concepts-f3ead-964a0653be13
         – SANS Incident Response Cycle
               ▪ https://medium.com/@sroberts/intelligence-concepts-the-sans-incident-response-
                     process-45e3fa451777

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
| 17 |

 Other Structured Tools: Standards and Models

                                                                                                                   https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

                                                                                                                                     avid Bianco’s
                                                                                                                                    Pyramid of Pain
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
| 18 |

                                                 likethecoins@gmail.com
                                                       @likethecoins

                                                        Slides available at
                                                     https://goo.gl/KNumpw

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-33.
You can also read
NEXT SLIDES ... Cancel