MITRE ATT&CK Enterprise Framework
Pete White – Senior Sales Engineer
October 2019

©LogRhythm 2019. All rights reserved. Company Confidential

What is the MITRE ATT&CK Enterprise Framework?

• ATT&CK = Adversarial Tactics, Techniques, and Common Knowledge
• MITRE started the project in 2013 to document the common tactics, techniques, and procedures (TTPs) that Advanced Persistent Threat (APT) actors use against Windows enterprise networks
• Network defence through a predominantly endpoint-focused lens
• Based on real-world threat intelligence and Red Team research
• Provides contextual understanding of malicious behaviour and focuses on how adversaries interact with systems during an operation
• Supports testing and analysis of defence options
• Has been expanded to include Linux and macOS coverage
• 11-stage framework of Tactics (the ATT&CK v4 release of April 2019 added a twelfth tactic, Impact, which is not shown on this slide):
• Tactics are further broken down into Techniques (223 as of April 2019)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control

What is the MITRE ATT&CK Enterprise Framework?

(Diagram slides: Tactics; Techniques)


What the MITRE ATT&CK Enterprise Framework Isn’t

• A silver bullet for security
• A replacement for Indicators of Compromise (IOC) or signature-based techniques
• A replacement for cyber security best practices, e.g.:
  - Staff education, adequate physical security, good password hygiene, least-privilege modelling, security policies and procedures
• A list of fully achievable objectives
• A static list
• A list of tactics that are followed in a linear order. An adversary can skip tactics and still achieve their goal
• A list of tactics that covers all technologies and/or attack vectors; remember it is network / endpoint focused. For application attack patterns check out CAPEC (Common Attack Pattern Enumeration and Classification) as a complement:
  - https://capec.mitre.org/about/attack_comparison.html
• Applicable to all; remember this is APT focused, i.e. state-sponsored actors (financially motivated groups are documented too, but the tactic and technique coverage grew out of APT behaviour against enterprise networks)


Where Do I Start?


Threat Perspective – What’s Important to your Business?

Sources:
• Deloitte Threat Intelligence & Analysis program
• CISO_Threat-Perspectives_Jacky-Fox_Gina-Dollard_AppSecEU2018.pptx

(Chart: each item was rated by LEVEL OF CONCERN, HIGH / MED / LOW; the individual ratings did not survive extraction.)

TOP THREAT SCENARIOS
• Ransomware takes applications hostage
• Malware targeting company devices or applications to reach clients
• Data breach
• GDPR compliance
• Legacy technology fails to provide adequate protection and stability in the face of new attacks
• Unaddressed software vulnerabilities
• Cyber espionage

TOP ATTACK VECTORS
• Phishing
• Web application attacks
• Spam
• Physical actions
• Exploit kits
• Data breaches
• Ransomware
• Botnets
• Social engineering
• Network devices misconfiguration
• Firewall misconfiguration
• Disruption of communications (DDoS)
• Malware

TOP ADVERSARY GROUPS
• Corporate espionage groups
• Organized crime groups
• Insider
• Nation state entity
• Lone-wolf cyber criminals
• Hacktivists
• Script kiddie
• Researcher/journalist


Where Do I Start?

Top 10 ATT&CK Techniques by Prevalence
• PowerShell was a component of 1,774 confirmed threats

Source: Red Canary Threat Detection Report - 2019


Where Do I Start?

Top 10 ATT&CK Techniques by Industry

Source: Red Canary Threat Detection Report - 2019


Log Sources

• Windows Event Logs (Security, PowerShell)
• Linux Event Logs
• macOS Event Logs (if applicable)
• Windows Sysmon and/or EDR (e.g. Carbon Black / Cylance)
• Firewalls & Routers
• IDS/IPS
• Web Proxy
• VPN
• DNS
• DHCP
• Mail Logs
• DLP
• Identity/Authentication (AD/LDAP/RADIUS)
• Anti-Virus
• LogRhythm Network Monitor/NetFlow or 3rd-party product
• LogRhythm File Integrity Monitor and/or 3rd-party product
• LogRhythm Process Monitor and/or EDR (e.g. Carbon Black / Cylance)
• LogRhythm Registry Monitor (Windows) and/or EDR (e.g. Carbon Black / Cylance)
• Database Logs
• Cloud Infrastructure Audit logs (AWS CloudTrail, Azure Event Hubs, Google Cloud)
• Office 365

Minimum requirements for LogRhythm MITRE ATT&CK Module functionality: the original slide highlights a subset of the sources above; the highlighting did not survive extraction, so treat the "Log Sources Recommended" column of the module rule table later in the deck as the per-rule minimum.


Going Beyond the Module Content


Useful Resources For Windows

From: https://www.malwarearchaeology.com/cheat-sheets

Windows Cheat Sheets
• The Windows Logging Cheat Sheet
• The Windows Advanced Logging Cheat Sheet
• The Windows File Auditing Logging Cheat Sheet
• The Windows Registry Auditing Logging Cheat Sheet
• The Windows PowerShell Logging Cheat Sheet
• The Windows Sysmon Logging Cheat Sheet (coming soon)

MITRE ATT&CK Cheat Sheets
• The Windows ATT&CK Logging Cheat Sheet


Useful Resources For Linux

• A Linux auditd rule set mapped to MITRE's ATT&CK framework:
  - https://github.com/bfuzzy/auditd-attack
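Rule sets of that kind put the technique into the audit rule key (the -k value), so the mapping travels with every record. As an added example, not part of the deck and not code from the auditd-attack repository, the Python below consumes that output: auditd writes several records per event (SYSCALL, EXECVE, PATH) that share the serial in msg=audit(<ts>:<serial>), so records are correlated by serial before the technique is read from the key. The rule lines, the log records and the "T<id>_description" key convention are constructed assumptions; the auditctl syntax and record layout are real.

```python
"""Correlate auditd records into ATT&CK-tagged events.

Added example, not LogRhythm or auditd-attack code. Rules, log lines and the
key naming convention are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed rules in auditctl syntax (assumed key convention: technique ID
# prefix, 2019 ATT&CK numbering). The read watch on /etc/shadow also fires
# for legitimate PAM lookups, so real deployments filter on exe/auid.
RULES = """
-w /etc/shadow -p rwa -k T1003_credential_dumping
-w /etc/passwd -p wa -k T1136_create_account
-a always,exit -F arch=b64 -S execve -F euid=0 -k T1059_command_line
"""

# Constructed log records in the format auditd writes: records belonging to
# one event share the serial after the timestamp in msg=audit(<ts>:<serial>).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1570000000.101:301): arch=c000003e syscall=257 success=yes exit=3 ppid=2100 pid=2101 auid=1000 uid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="T1003_credential_dumping"
type=PATH msg=audit(1570000000.101:301): item=0 name="/etc/shadow" inode=1311 mode=0100640
type=SYSCALL msg=audit(1570000000.205:302): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2150 auid=1000 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="T1059_command_line"
type=EXECVE msg=audit(1570000000.205:302): argc=3 a0="useradd" a1="-m" a2="svc_backup"
type=SYSCALL msg=audit(1570000000.301:303): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2160 auid=1000 uid=0 euid=0 comm="ls" exe="/usr/bin/ls" key="T1059_command_line"
type=EXECVE msg=audit(1570000000.301:303): argc=2 a0="ls" a1="/tmp"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one auditd record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, serial = MSG_RE.search(line).groups()
    fields["serial"] = int(serial)
    fields["ts"] = float(ts)
    return fields


def correlate(log_text):
    """Group records by serial into events: {serial: {record type: record}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def argv(event):
    """Rebuild the command line from the EXECVE record, if the event has one."""
    exe = event.get("EXECVE")
    return [exe[f"a{i}"] for i in range(int(exe["argc"]))] if exe else []


def technique_of(event):
    """Technique ID is the prefix of the rule key: T1003_... -> T1003."""
    key = event["SYSCALL"].get("key", "")
    return key.split("_", 1)[0] if key.startswith("T") else None


def tag_events(log_text):
    """Return [(serial, technique, summary)] for events that matched a rule.

    The generic execve key is re-tagged when argv shows a more specific
    technique (useradd/adduser -> T1136 Create Account).
    """
    tagged = []
    for serial, ev in sorted(correlate(log_text).items()):
        sc = ev.get("SYSCALL")
        if not sc or not sc.get("key"):
            continue
        tech = technique_of(ev)
        args = argv(ev)
        if tech == "T1059" and args and args[0] in ("useradd", "adduser"):
            tech = "T1136"
        path = ev.get("PATH", {}).get("name", "")
        summary = " ".join(args) if args else f'{sc["comm"]} {path}'.strip()
        tagged.append((serial, tech, summary))
    return tagged


if __name__ == "__main__":
    for serial, tech, summary in tag_events(AUDIT_LOG):
        print(f"{serial} {tech} {summary}")
```

Reading the key from the SYSCALL record rather than matching on comm or exe is what keeps the SIEM rule stable when the watch list changes: only the auditd rules need editing, the parser stays the same. The `ls /tmp` event is deliberately kept in the output; with a catch-all execve rule the technique tag says only that a command ran, and a separate rule in the SIEM has to decide whether that is worth an alarm.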


Testing & Validation


Testing & Validation - Overview

• The ATT&CK framework is built on the notion of validation: organisations run regular assessments against ATT&CK tactics and techniques to measure how their threat hunting, breach detection and incident response procedures perform against current attack techniques.

• A scenario-based assessment exercise aligned to the MITRE ATT&CK framework will typically follow the process below:

Red Team
1. Identify TTPs to test
2. Gather information about technologies and processes in place at the target organisation
3. Devise an attack scenario using the selected TTPs
4. Launch the attack to simulate the threat

Blue Team
5. Detect and respond to the TTPs

Red & Blue Team Validation Review
6. Evaluate the performance of both teams and improve processes / detection capabilities
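Step 6 is where the exercise turns into a work list. As an added example, not LogRhythm or MITRE code, the Python below scores one constructed round of Red/Blue results and emits an ATT&CK Navigator layer that colours each executed technique by whether the Blue Team detected it, so the gaps can be viewed on the matrix and compared round over round. The assessment data and the scoring scheme are assumptions; technique IDs use the 2019 pre-sub-technique numbering; the layer fields follow the 2019-era Navigator layer format (version 2.2, domain mitre-enterprise), so check them against the Navigator build you load the file into.

```python
"""Red/Blue validation scorecard rendered as an ATT&CK Navigator layer.

Added example, not LogRhythm or MITRE code. Results below are constructed.
"""
import json

# Constructed results of one round: which TTPs the Red Team ran (steps 1-4)
# and what the Blue Team produced for each (step 5). "detection" names the
# MITRE detection category the Blue Team's evidence corresponded to.
ASSESSMENT = [
    {"technique": "T1086", "tactic": "execution", "name": "PowerShell",
     "executed": True, "detected": True, "detection": "Specific Behavior"},
    {"technique": "T1003", "tactic": "credential-access", "name": "Credential Dumping",
     "executed": True, "detected": True, "detection": "Telemetry"},
    {"technique": "T1047", "tactic": "execution", "name": "Windows Management Instrumentation",
     "executed": True, "detected": False, "detection": None},
    {"technique": "T1099", "tactic": "defense-evasion", "name": "Timestomp",
     "executed": False, "detected": False, "detection": None},  # planned, not run
]


def score(result):
    """Heat-map score: detected = 2, executed but missed = 0, not run = None."""
    if not result["executed"]:
        return None
    return 2 if result["detected"] else 0


def coverage(results):
    """Return (executed, detected, detection_rate) for the round."""
    executed = [r for r in results if r["executed"]]
    detected = [r for r in executed if r["detected"]]
    rate = len(detected) / len(executed) if executed else 0.0
    return len(executed), len(detected), rate


def gaps(results):
    """Techniques the Red Team executed and the Blue Team missed: step 6 work list."""
    return sorted(r["technique"] for r in results if r["executed"] and not r["detected"])


def navigator_layer(results, name="Validation round"):
    """Build a Navigator layer (assumed 2019-era layer schema, version 2.2).

    Techniques that were not executed are left out so they render unscored
    rather than being counted as either covered or missed.
    """
    techniques = []
    for r in results:
        s = score(r)
        if s is None:
            continue
        techniques.append({
            "techniqueID": r["technique"],
            "tactic": r["tactic"],
            "score": s,
            "comment": r["detection"] or "executed, not detected",
            "enabled": True,
        })
    return {
        "name": name,
        "version": "2.2",
        "domain": "mitre-enterprise",
        "description": "Red/Blue validation results: 2 = detected, 0 = missed",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(ASSESSMENT), indent=2))
    executed, detected, rate = coverage(ASSESSMENT)
    print(f"executed={executed} detected={detected} rate={rate:.0%} gaps={gaps(ASSESSMENT)}")
```

Keeping "not executed" distinct from "missed" matters when the numbers are reported upward: a round that tests three techniques and detects two is 67% of what was tested, not 67% of ATT&CK, and the unscored cells on the matrix make that visible.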


Testing & Validation – (Open Source) Tools

Threat Hunter Playbook:• https://github.com/Cyb3rWard0g/ThreatHunter-Playbook

Atomic Red Team:• https://redcanary.com/atomic-red-team/

Mitre Caldera:• https://github.com/mitre/caldera

Endgame Red Team Automation:• https://github.com/endgameinc/RTA

Uber Metta:• https://github.com/uber-common/metta

Disclaimer: LogRhythm does not provide any recommendation as to the suitability of the tools listed above. They are listed here for educational purposes only. Please validate any selected tools according to your own business application security practices.


Links & Resources


Links & Resources

MITRE ATT&CK Website:

https://attack.mitre.org/

MITRE ATT&CK Navigator:

https://mitre-attack.github.io/attack-navigator/enterprise/

Building MITRE ATT&CK Technique Detection into Your Security Monitoring Environment:

• https://logrhythm.com/webcasts/uws-building-mitre-attack-technique-detection/

Prioritizing the Remediation of MITRE ATT&CK Framework Gaps:

• https://blog.netspi.com/prioritizing-the-remediation-of-mitre-attck-framework-gaps/

Red Canary – Threat Detection Report 2019:

• https://redcanary.com/resources/guides/threat-detection-report/

ATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework:

• https://cj.msu.edu/assets/ICC-2018-PPT-Kopacsi.pdf

Verizon Data Breach Investigations Report 2018:

• https://enterprise.verizon.com/verizon-insights-lab/dbir/tool/

ATT&CK Tools:

• https://github.com/nshalabi/ATTACK-Tools

ATT&CK Framework Board:

• https://attack.mitre.org/docs/ATTACK_Framework_Board_4x3.pdf


Utilizing the Framework in LogRhythm


LogRhythm Threat Lifecycle -> ATT&CK Tactics Mapping


Current Capabilities

• LogRhythm is capable of detecting a high percentage of the ATT&CK techniques*
  - Dependent on the applicable log sources being available
  - Existing content may detect an ATT&CK technique being executed, but most likely the detection will not be specific to that technique
  - MITRE defines detection in five different ways (the detection categories used in the ATT&CK Evaluations):
    > Telemetry
    > Indicator of Compromise
    > Enrichment
    > General Behavior
    > Specific Behavior

• Today, we can detect ATT&CK techniques through General Behavior (i.e. Cyberattack Lifecycle aligned), Enrichment, Indicator of Compromise and Telemetry

* Some techniques are not log based, e.g. System Firmware


LogRhythm MITRE ATT&CK Module


The LogRhythm MITRE ATT&CK Module

• Released in April 2019. Contains 18 new AI Engine rules (AI Rule ID, AI Rule Name, Log Sources Recommended):

1449  Credential Access : Credential Dumping
      LogRhythm File Monitor (Windows); LogRhythm Process Monitor (Windows); LogRhythm Registry Integrity Monitor; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1452  Discovery : System Service Discovery
      MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9
1453  Discovery : Query Registry
      MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9
1454  Discovery : System Network Configuration Discovery
      MS Windows Event Logging XML - Security
1455  Discovery : System Owner-User Discovery
      MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1456  Exfiltration : Exfiltration Over Alt Protocol
      Network Devices
1457  Discovery : Remote System Discovery
      LogRhythm File Monitor (Windows); LogRhythm Process Monitor (Windows); MS Windows Event Logging XML - Sysmon 8/9
1459  Multiple : New Service
      LogRhythm Registry Integrity Monitor; MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1460  Persistence : Registry Run Keys/Startup Folder
      MS Windows Event Logging XML - Sysmon 8/9
1461  Multiple : Scripting
      MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1462  Lateral Movement : Windows Admin Shares
      MS Windows Event Logging - PowerShell
1463  Discovery : System Information Discovery
      MS Windows Event Logging - PowerShell
1464  Execution : PowerShell
      MS Windows Event Logging - PowerShell; MS Windows Event Logging XML - Sysmon 8/9
1465  Execution : Execution through API
      Antivirus, IDS, EDR solutions
1466  Initial Access : Drive-By Compromise
      LogRhythm File Integrity Monitor
1467  Discovery : Process Discovery
      MS Windows Event Logging XML - Security
1468  Execution : Windows Mgmt Instrumentation
      MS Windows Event Logging XML - Security; MS Windows Event Logging XML - Sysmon 8/9; MS Windows Event Logging - PowerShell
1469  Defense Evasion : Timestomp
      MS Windows Event Logging XML - Sysmon 8/9

Note: Rule names and content may be subject to change prior to release
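Most rows of the table lean on the same two sources, Sysmon XML and PowerShell script block logging, which is why the Log Sources slide lists them. As an added example, not the module's AI Engine rules, the Python below parses constructed Windows XML records of the kind those two sources carry (Sysmon event IDs 1, 2, 10 and 13; PowerShell 4104) and runs six rules named after entries in the table: PowerShell, Windows Mgmt Instrumentation, Credential Dumping, Registry Run Keys, Timestomp and System Service Discovery. The event contents and the rule predicates are assumptions about how such rules could be written; the XML layout, event IDs and field names are Sysmon's and the Event Log's own; technique IDs use the 2019 numbering.

```python
"""Technique-mapped detections over Sysmon and PowerShell XML events.

Added example, not LogRhythm AI Engine content. Events are constructed; the
rule predicates are one way such rules could be written.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SYSMON, PS = "Microsoft-Windows-Sysmon", "Microsoft-Windows-PowerShell"


def make_event(provider, event_id, **data):
    """Render a Windows XML event in the shape the Event Log emits (constructed)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{fields}</EventData></Event>')


# Constructed telemetry: one benign process start, then one record per rule.
EVENTS = [
    make_event(SYSMON, 1, Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe /c dir"),
    make_event(SYSMON, 1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"),
    make_event(SYSMON, 1, Image=r"C:\Windows\System32\wbem\WMIC.exe",
               CommandLine='wmic /node:fileserver process call create "cmd.exe /c whoami"'),
    make_event(SYSMON, 10, SourceImage=r"C:\Temp\procdump64.exe",
               TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1FFFFF"),
    make_event(SYSMON, 13, EventType="SetValue", Image=r"C:\Users\alice\dropper.exe",
               TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
               Details=r"C:\Users\alice\AppData\Roaming\updater.exe"),
    make_event(SYSMON, 2, Image=r"C:\Users\alice\dropper.exe", TargetFilename=r"C:\Windows\Temp\svc.dll",
               CreationUtcTime="2015-01-01 00:00:00.000", PreviousCreationUtcTime="2019-10-02 09:14:11.100"),
    make_event(PS, 4104, ScriptBlockText="Get-Service | Where-Object {$_.Status -eq 'Running'}"),
]


def parse(xml_text):
    """Flatten one event: provider, event ID and every EventData field by name."""
    root = ET.fromstring(xml_text)
    ev = {"Provider": root.find(f"{NS}System/{NS}Provider").get("Name"),
          "EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for d in root.iter(f"{NS}Data"):
        ev[d.get("Name")] = d.text or ""
    return ev


def lower(ev, key):
    return ev.get(key, "").lower()


# (technique ID, module-style rule name, predicate over a parsed event)
RULES = [
    ("T1086", "Execution : PowerShell",
     lambda e: e["EventID"] == 1 and lower(e, "Image").endswith("powershell.exe")
     and any(f in lower(e, "CommandLine") for f in (" -enc", " -encodedcommand", " -w hidden"))),
    ("T1047", "Execution : Windows Mgmt Instrumentation",
     lambda e: e["EventID"] == 1 and lower(e, "Image").endswith("wmic.exe")
     and "process call create" in lower(e, "CommandLine")),
    # Sysmon 10 must be configured to log ProcessAccess on lsass for this to exist.
    ("T1003", "Credential Access : Credential Dumping",
     lambda e: e["EventID"] == 10 and lower(e, "TargetImage").endswith(r"\lsass.exe")
     and int(e.get("GrantedAccess", "0"), 16) & 0x0010),  # PROCESS_VM_READ
    ("T1060", "Persistence : Registry Run Keys/Startup Folder",
     lambda e: e["EventID"] == 13 and r"\currentversion\run" in lower(e, "TargetObject")),
    # Backdated creation time; installers also rewrite timestamps, so tune by Image.
    ("T1099", "Defense Evasion : Timestomp",
     lambda e: e["EventID"] == 2 and e.get("CreationUtcTime", "") < e.get("PreviousCreationUtcTime", "")),
    ("T1007", "Discovery : System Service Discovery",
     lambda e: e["EventID"] == 4104 and "get-service" in lower(e, "ScriptBlockText")),
]


def detect(xml_events):
    """Return [(technique, rule_name)] for every rule that fires on every event."""
    hits = []
    for ev in map(parse, xml_events):
        if ev["Provider"] not in (SYSMON, PS):
            continue
        hits.extend((tid, name) for tid, name, pred in RULES if pred(ev))
    return hits


if __name__ == "__main__":
    for tid, name in detect(EVENTS):
        print(tid, name)
```

In MITRE's vocabulary these are Specific Behavior detections: each predicate names the technique rather than surfacing raw telemetry. The dependency the table's "Log Sources Recommended" column expresses is concrete here: without a Sysmon config that records ProcessAccess to lsass.exe and registry SetValue on the Run keys, the T1003 and T1060 rows never see an event to match.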
