
BSidesCharm 2022 - Three Bridges & a Compass: Navigating Risk Landscapes with Intelligence

BSides Charm · 31:36 · Published 2022-07
About this talk
A wealth of operational security resources – detections & red team tests – are now publicly available, enabling control validation cycles. Intelligence becomes near-essential to navigate which myriad controls to validate next. We will illustrate how intelligence informs prioritized control validation & risk reduction and review a new open-source tool to quickly identify addressable defensive gaps.

Scott Small (@IntelScott)

Scott Small is an expert in open source research, investigations, and analysis. Scott is a proud member of the Intelligence Services division at Recorded Future, where he advises clients on technical implementation and strategic applications of intelligence for enterprise security programs. Scott's prior roles focused on using technology to help organizations identify and mitigate supply chain and cyber risk. His favorite ATT&CK technique is T1027.
Transcript (en)

All right, I think we're going to go for it. Thanks everyone for showing up this morning, thanks BSides Charm for inviting me and for a great past few days. I'm going to jump right into it. So welcome to my talk; this is titled Three Bridges and a Compass. My goal for today is to give you all some very practical workflows for applying intelligence to security efforts, and along the way we'll have a chance to walk through a new open source data set and tool that I recently had a chance to publish. It's live right now, and it's all geared around what I mentioned: trying to help organizations of pretty much any size at least think about how better to start applying intelligence to security.

Real quick background: my name is Scott Small, I'm a senior threat intelligence consultant at Recorded Future. I'm part of our customer success team, which means I'm out there having conversations with our clients, government agencies, large and medium enterprises, every single day about intelligence and how it relates to security. So I promise that everything I'm going to touch on today is derived from these conversations that I'm having with folks out there in the field, seeing some of the challenges that they're facing in applying intelligence to security and hopefully finding a few workarounds for making that a little bit more streamlined.

A lot of what I'm going to touch on today involves the MITRE ATT&CK knowledge base, so I do really want to quickly level set with everyone in terms of what MITRE ATT&CK is, and I really want to bring it down to earth a little bit. I'll be the first to admit it's a bit of a scary and seemingly technical framework or knowledge base, but if we had to most simply boil it down, the MITRE ATT&CK framework is simply a catalog of adversary behavior. Just to provide a little bit more detail, oftentimes you're going to see this knowledge base, this catalog, displayed in one of these matrix views. This is just a snippet of the overall matrix, but I was thinking last night, having a lot of conversations around the challenges and all the jargon that we use in the security field, so I just wanted to simplify a little bit what the MITRE ATT&CK knowledge base is trying to look at. Quite simply, when you look at this matrix view, the row at the very top is the end goals or objectives that an adversary would be trying to accomplish, and then the ways or means that they go about trying to accomplish those goals are organized vertically underneath it. I know this is really small text; that's intentional. We'll get into the

details of a few specific techniques, as they're called, the columns arranged vertically here. But again, trying to simplify things, this is what this big, seemingly complicated knowledge base or matrix is trying to do. So let's look at one specific example and talk about the application of MITRE ATT&CK, at least how I see it. I'm not going to get into the history and some of the original uses of the ATT&CK framework; it is used in a lot of different ways. Quite simply, the best use of MITRE ATT&CK in my view is for intelligence purposes, and we'll talk through what exactly I mean by that with a specific example.

So the technique that I've highlighted here on the matrix is called Impair Defenses. It's got a unique identifier associated with it. It's quite simply describing ways that adversaries try to get around all these defensive measures that we put into place. There are a number of specific ways that they can go and do that: they can try to disable security tools that we put in place, or maybe mess with some of our logging functions. I'm going to highlight as we go along some of my favorite resources too, in wrapping my head around MITRE ATT&CK for intelligence. But to dig a little bit deeper, one of the benefits of having this referenceable catalog of adversary behaviors is we can point back and look at some of the specific ways, command line processes, programs, that adversaries use to carry out this technique of impairing defenses. So what you're seeing listed out right now is a specific technique for turning off an open source ransomware, they call it like a vaccine, or an antivirus program for ransomware. What I'm highlighting here is a search that you can run in a security tool, it's a SIEM, Splunk, to try to detect that behavior of turning off the ransomware-specific antivirus.

In reality, we as defenders are not dealing with just a single behavior that we're looking at at any given time. There are very many that we're potentially seeing scrolling across our feeds and throughout our SIEMs, so this is a little bit more of the reality. The good news is that, just like I highlighted, there are pre-configured, often publicly available searches that you can run across your data sets to try to detect these techniques. That same concept in fact applies for a large portion of the overall ATT&CK matrix. So this is also intentionally jumbled, because this is the reality: we have all of these detection rules that we could start to put in place to try to recognize all these behaviors within our environment. So to wrap our heads around starting to put this in place in reality,

you're going to have to tune a lot of these searches to your own environment; it's really not typically a plug-and-play exercise. So to go about doing that in reality, ultimately what we need to do is prioritize which techniques or adversary behaviors we want to drill into a little bit further, which we want to investigate and put new detections in place for, and at the end of the day we're going to use intelligence to do that. I'll talk about how that works in just a moment. But when we start to do this prioritization, we can identify some good rules that we can put in place, oftentimes there are multiple of them, and we can start to tune those according to all the noise that we're seeing in our own specific environment. And then ultimately, in the best case scenario, and I do want to emphasize this, if we put in some new detection rules, we're going to go about trying to test to make sure that they actually work as we intended. Quite truly, it can take something as simple as typing one of those commands or searches in wrong into your SIEM, for example, and you may not be able to actually detect the technique in place even though the underlying logic was all correct.

So what you're seeing now, these are also publicly available resources. This comes from Atomic Red Team, produced by Red Canary, and what we're seeing here are some specific quick ways that you can go about testing attacker behavior within your own environment. The nice thing about everything you're seeing displayed here on the screen is all of this code contains tags that line up with the MITRE ATT&CK techniques that I'm highlighting, like in those blue cells there. So it's really easy to perform this alignment: we can look at defensive controls and even testing measures we can put in place, all hinging on or revolving around MITRE ATT&CK.

All right, just to elaborate: within the matrix right now there are nearly 600 discrete adversary behaviors or techniques and what are known as sub-techniques. What I've been highlighting all along is also this fact that there are countless very specific ways that those techniques can be put into play. So you're seeing now this big list of what are known as sub-techniques; even within those there's tons of different specific ways attackers can carry out these behaviors. So again, it really is emphasizing that some sort of prioritization needs to be done. Just to give some metrics around the scale of this problem, a lot of this was we took a step back and did a review of all of these publicly available data sets with detection rules

and tests that you can run. The ones that I've highlighted are just a small sampling of what's out there publicly available for everyone: over 9,000 specific detection rules that exist. I think the actual number is probably quite higher; these are just the things that you can find in the open source and are publicly available. And then using resources like Red Canary and organizations like SCYTHE, the Cyber Analytics Repository, there are a number of different data sets that include tests that you can run within your own environment. We've got well over 2,000 of those that are again just available in the open source.

So this brings me to the three bridges of the presentation, and we're not going to be talking about these folks. I'd love to see someone give a talk with these three gentlemen on the screen, but what I'm going to instead be talking about are the three ways that intelligence can be used as a bridge to better improve security within an organization. So, three quick ways. Number one, and this is again coming from the intelligence teams that I am specifically working with. I'm fortunate to be able to work with a lot of larger organizations that do have those resources to have entire teams dedicated to this. I realize that's not always the case, so I really want to be emphasizing thought processes here. Even if you're a single individual for whom a small part of your job is keeping track of the trends, I do think these thought processes and concepts can absolutely apply to your day-to-day.

So the first way that intelligence serves as a bridge is between the external and the internal environments. Most of the teams that I work with very much of course are keeping track of all the various actor groups and malwares that exist in the world today, but what they're oftentimes also being tasked with is being aware of the internal operating environment within their own organization. So is there some new big technology rollout or digital transformation being planned within their organization? They ideally at least should be aware of those factors, because they very much can have an impact on the overall risk picture that the organization is faced with.

The second way that intelligence serves as a bridge is between the strategic and the tactical levels of the threat space, and this really actually is another key way that MITRE ATT&CK comes into play, because they have that higher level structure, that first row of what attackers are trying to do, but then also all those granular details about how they are doing it, down to the level of specific command lines and processes, all contained within this single framework. We can go between those very high level concepts all the

way down to how could I detect this on an endpoint within my environment, how could I go about unit testing that technique. And then the last way is a blending of the two, but what I'm very much seeing right now, and seeing a ton of growing interest in, is using MITRE ATT&CK for intelligence purposes. These intelligence teams really are perfectly situated to serve as a bridge between the offensive and defensive realms of security, so oftentimes being looked at as a go-to, as an in-between between the red team operators and those defenders. And increasingly I really am seeing intelligence analysts being tasked with, or at least maybe a hope or expectation that they would be able to surface some of these detection rules and testing mechanisms that you could go about putting in place within your own environment. So I am seeing increased focus on that, and again, I think by their nature of keeping track of everything that's happening external and internal, these teams really potentially are in a good position to be able to meet this need.

And then just a couple of specific tools that support all these concepts. So we've talked a lot about MITRE ATT&CK; the other component of this is truly just our analytical brains as intelligence analysts. It really is necessary to, we can do all this automation and we should be doing automation around this, but to really sit down, take that step back and think about how these threats actually impact our organization. I really do believe there has to be a human analysis component to it.

All right, so I'm going to start to shift gears to this tool that we hope can aid organizations in applying intelligence, and where this is all coming from. I do want to build up to what led to the production of this. A lot of this is coming from support that our customer success team is doing around threat or risk profiling, organizational risk or threat profiling exercises for organizations. All I'm doing here is just highlighting some of the various factors that ideally should be included in a risk profile. Oftentimes organizations will, in a good way, start small and focus in on one area of this, and what we've traditionally done, being a cyber security intelligence company, is focus more on the upper left-hand side, with building out a threat profile: what actors and malware exist out there and which ones would be most likely to target our specific organization. But what we would often see from there, we would end up, we would do all this work, we would run searches in our platform, come up with

a pretty cool looking picture like this. This is highlighting potentially the top actor groups that would target us, and then it kind of stops there. It's a nice picture to look at, but what exactly do you do with that information? Well, we started to take the next step and say we've identified maybe top priority actors, let's shorten it down to a short list of the top five: what behaviors are associated with them? You can look at all the various behaviors they're using, see where maybe there's overlapping techniques that they're all using, and you come up with another nice graphic, which is highlighting, this is the MITRE ATT&CK matrix again, highlighting top TTPs or behaviors associated with your top priority threats. What next? I've absolutely received that question in conversations with our clients. We're moving further along, we're saying that we have identified maybe top priority techniques; what do we actually do with that intelligence? That's where this data set that we've produced has started to come into play.

So I'm going to walk through a couple of final examples, then start to dig into the tool itself. One of the literally next questions that I received after highlighting this heat map for a client was: what can we start to do with that? My next question back to them was: well, what tools do you have in place, what capabilities do you have to search within your own network and endpoint data to detect these behaviors? Fortunately they were using a tool, a SIEM solution like Splunk, and all this is publicly available. I've highlighted the link back to this repository. Splunk produces these searches or queries that you can run within the SIEM to be able to detect adversary behaviors. I know there's a lot on the screen right now; I'm not trying to overwhelm folks. Essentially what we're seeing here with the highlighted portion is code or logic that you can run within the SIEM to be able to detect a specific instance of an attacker technique, and ultimately what we can do with this is highlighted down here at the bottom: these are the MITRE ATT&CK codes or identifiers associated with the behavior that we are ultimately trying to detect. So in this case we're saying let's look for instances of PowerShell being run, let's look for specific event IDs, and over maybe a certain rapid time frame. That's what this specific search is designed to do, but ultimately we can line that back up with specific MITRE ATT&CK codes. This brings us to, if we zoom way out, Splunk provides, again publicly available, well over a few hundred of these specific searches that you can go and run, so it starts to turn into a little bit of just a math game, so

highlighting the MITRE ATT&CK codes on the left-hand side and highlighting just a roll-up count of all of the searches that they provide that are associated with those same adversary behaviors. So that's good to know. We've started to look at some operational ways that we can take this overall original intelligence that we've provided and start to put that into use within our environment. One of the other things, though, in speaking with this client is they let me know that they are also utilizing an open source framework known as Sigma. This is basically a standard for writing detection rules, and so it can actually translate into a number of different specific tools, like Splunk, Elasticsearch, etc. You write the detection in a standard format and you can literally quickly convert it into other tools, and so my client was also using this on top of those baseline detections provided by Splunk. So what we've done now is taken that original spreadsheet that I had and added in another column here with the roll-up of all the detections that are provided by the Sigma standard, also lined up with the MITRE ATT&CK techniques, and it continued to expand and expand from there, and it started to turn into something like this. So you can see on the left-hand side it started with Splunk, we add in Sigma, and we just keep going and going. Everything that's included in this spreadsheet right now is publicly available open source data. We've got a range of specific network and endpoint related tools; there are lots of others out there that, no fault, choose not to publicize this information, so you could start to plug in even your own data, and it just keeps expanding from there. So at a certain point I realized that I had basically recreated the Matrix, and I almost stopped there, because that's what we're all trying to do in cyber security, is basically create the Matrix. So I almost stopped, but I decided to keep going, so I did the next most logical thing, which was to put it into an HTML and JavaScript web app, and that is what's included in this data set and tool that we've recently had the chance to produce.

So here's the site. This takes you to the web app version of this. Everything again is publicly available, so the underlying data, that big spreadsheet that I just highlighted, is there for you to utilize as well. The ideal scenario is for folks to go out and grab that data and fine-tune it for your own needs. You're likely not using both Splunk and Elastic and a third SIEM; some organizations may have multiple, but you're going to want to fine-tune that data to your own

environment. So in that scenario you're actually cutting out some of the columns, but I want to give just a moment to walk through what this actually looks like. We do have a few features in here that hopefully make it a little bit easier to start putting that intelligence into place. So taking a high-level view at what's included here: again, we've got over 9,000 publicly accessible technical controls, these detection rules that I've been mentioning; also policy controls as well, these are more just written-format guidance in terms of what higher level countermeasures or steps you can take, mostly from a policy and process perspective, to better prepare and guard your organization for these attacks. And then again, the part that I get really excited about is the fact that increasingly we're seeing more and more of these offensive security measures, literally like unit tests to go out and replicate adversary behavior, usually in a pretty safe way, within your own environment. You're definitely going to want to do this in virtual environments, hopefully ones that mimic what's actually in production, but a lot of this data is publicly available and increasingly actually being automated as well. The key part of this again is every single thing, every resource that's included in the Control Validation Compass, is lined up or tagged essentially with a MITRE ATT&CK technique or sub-technique, those most granular layers of it.

So I'm going to do the worst thing that I should do and try to do some of this live. So does anyone have a favorite MITRE ATT&CK technique that they'd like to dig into a little bit? Don't worry. Obfuscated files? Awesome, thank you very much. All right, so we can do the search for the actual T-code if you happen to know it, or let's just use a little bit more plain text, so we can talk about Obfuscated Files or Information. Sounds pretty complicated; it's a fancy way of saying another way that attackers try to evade the defenses that we put into place, by messing with the file contents that would be available within your network. So when we search for this specific behavior or technique, we can see a number of different data points that all are lined up with this MITRE ATT&CK T-code. So sticking at the high level, we've got this policy and process related guidance. For every single one of these sources we've got tons of supporting resources around; I don't expect everyone to be familiar with probably even a fraction of the resources available here, but you can click in and learn a little bit more about what all these various data sets are trying to do.

Scroll down a little bit further, we're talking now along the lines of the things that we were discussing earlier, so these SIEM detection logics or rules that you could implement, and then some of the offensive security tests. What you can do from here, and this is actually brand new as of last week, is, it used to stop here, we would get a sense of which of these specific behaviors maybe have a higher concentration of out-of-the-box rules available. What we can do now is pivot into just an additional resource that's all included in the same GitHub repository, and this is taking us now directly to the specific, in this case, Sigma rules that we would be able to run, all lined up with Obfuscated Files, that attacker technique. And so what you can see here is there is a very large number of them. This is highlighting all these specific, what are known as implementations or procedures, of that specific technique that could possibly exist. So again, the takeaway here, this is good news: we have access to a lot of these. I can pivot directly into, this is the rule as it's hosted on the Sigma repository, scroll down and find the exact logic to run this test. But ultimately we're seeing that again, even for this one technique, there are 74 detection rules that are available to detect all these different implementations of it, so we're probably ideally going to want to drill in a little bit further beyond that.

So the way that you do that is to start using further intelligence, and I'm going to walk through really one of my most common workflows for just starting to surface more relevant intelligence and drill down to things that would be most interesting, most notable for a given organization, for example. And the way that I like to do that a lot is, I'm not going to walk through all the background steps in here, there's a ton of good resources I've linked; I'm going to share the slides, I've linked a ton of good walkthroughs on how to get to the point that I'm showing on the screen. This is a tool published by the MITRE ATT&CK team that allows you to quickly surface these heat maps of most notable techniques associated with specific adversaries, threat actor groups or malware. This is called the ATT&CK Navigator. What I'm highlighting here is you can search in plain text for a particular threat actor or malware group that you might find interesting. I'm taking a little bit of a jump ahead. One of the quickest ways, you're going to be reading a lot in the news about these various actor groups; another big way of surfacing something that would be relevant to you is to look at

what actors have targeted other organizations within your industry. This industry basis is really one of the most common ways that clients I interact with are going about this. But when we get to that point of identifying a specific adversary we want to dig into, that's where this tool comes in really handy. So what I've highlighted here is a very prominent, very popular malware known as TrickBot. Within the Navigator tool you can pivot through and highlight all the techniques that are known, based on public observations, to be associated with a given adversary group. So I've already highlighted all this within the ATT&CK Navigator, highlighting specific techniques associated with TrickBot. What we can do from there is also utilize the tool: come over to this other page, we can export the data from ATT&CK Navigator into just a pretty quick and easy JSON file, a very structured way of transporting this threat intelligence. That's what this really is, what we're looking at here: known observations of techniques associated with a threat. You can drop that into the tool here. I have the TrickBot example preloaded into the system; click run, and now what we're seeing is the list of specific behaviors associated with that input file, and then all of the various testing or detection rules, countermeasures, associated with these specific techniques. So now we've gone from a standpoint of looking at relevant intelligence for our organization to these very operational measures that we can take, again meaning detection rules you can run and test to make sure that they're actually working properly.

So actually, by default this is sorted from low to high, meaning these are techniques for which there is not a lot of existing out-of-the-box logic or detection rules that exist right now. So these are something that probably manually you're going to want to task some of your security engineers or threat hunters, if you have them, to try to find some customized ways of detecting these techniques. It's not always going to be possible, the way that certain techniques are defined, or it may not be very easy at least, but you can go that route. Or if you don't have very much stuff in place right now, countermeasures, you can start with the things that have a ton of out-of-the-box mechanisms available right now, and that's sorted here, so you can sort high to low with all of that, and again pivoting in more and more into the data here.

All right, I've got just a couple of minutes left, so I will try to wrap things up. I definitely want to open it up to some questions. I think at a high

level, some of the things that I've started to do with the tool is I've had the chance to publish some of my first Atomic Red Team scripts. So this is again a publicly available project; they highly encourage the community to contribute tests and examples to the project. What I did is I just came in and looked at one of these examples where we didn't have very many tests that were available right now; however, there are actually detection rules that existed for that technique, meaning it's telling you how you would be able to see this behavior within your own environment. All it came down to is simply putting it in the format for Atomic Red Team to be able to run that test in a more programmatic way. I also had the chance to dip my toes into actually producing Sigma rules recently. I wrote my first one on the basis of some of this intelligence, so looking at something on the inverse of what I just described: an example where lots of tests existed, so you could go out and actually run this in your environment, and then just figuring out basically how could I actually go about detecting that within a security tool.

So at a much higher level, I think this is the thing that I'll close out with here. At a much higher level, I know the text is a little bit small,

what we're seeing now is taking a huge step back and looking at these thousands of rules and tests that exist within the overall data set: where are we seeing concentrations or clustering on a MITRE ATT&CK technique basis? So the outside wheel is showing that top row of the end goals of attackers, and now we're seeing where we're seeing clusters of detection rules versus these offensive security tests. So what this is basically highlighting is, in this case let's look at Discovery, I know the colors are a little bit hard to see, but what we're saying here is that there is a relatively large amount of tests that you can go out and run to perform these discovery techniques; however, there's not an equivalent proportion of detection rules. So maybe more for the community's sake, this is something that we would maybe want to increase; we would want to beef up the amount of detections that we have in place, maybe they get publicized in something like the Sigma repository, or at least for your own knowledge, your awareness within your own environment, you would maybe want to focus in on the discovery techniques. This is not going to be easy; there's likely a reason why we see the distributions that we do. I think in this case it's pretty easy to run one of these discovery techniques; it could be something as simple as just trying to search through your data in your system to see if files exist that you could go pull down. On the flip side of that, trying to detect that behavior and finding just the malicious instances of it is going to be pretty difficult to do, because these are all behaviors that everyday users are going to utilize as well. So I think there's reasons why we see the distributions we do, but I do also think it's really interesting; I've never quite seen a breakdown at this scale on these lines, so I figured we had the data available, why not run this. And I'm going to try to get a visualization like this into the tool itself pretty soon, so you could toggle different tools and how they shake out, but that's a goal for this summer. So I came right up on time, I apologize for that, but I'm all set. Definitely open to answering any questions, and thanks everyone for the time and attention. [Applause]

Any questions? No? All right, no worries. Oh yeah, sorry.

For sure, so let me quickly highlight the MITRE D3FEND tool.

So this is an example of something that we have pretty detailed, pretty granular data in here for. I'll pivot out directly to the tool itself. So this is produced in conjunction with MITRE and the NSA. This is more, I like to call them higher level countermeasures or steps that you could take; it's a little bit more policy and process based, but it actually does divide that line: you have some very technical, operational countermeasures that you could try to put in place here. What they've done, this is purely from a defensive perspective, what they've done though is mapped a lot of these, as they define them, countermeasures within the D3FEND framework to attacker techniques, and so you could try to line that up as well. So I'm not extremely well-versed actually in operationalizing this data, but you can look at, for example, file content rules. This is actually probably pretty similar to some of the examples that we walked through before, and it's telling you a process and policy that you could put into place, and then which specific attacker techniques this would line up with, going back to the MITRE ATT&CK framework now.

All right, thanks everyone.
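The workflow the talk demonstrates (export an ATT&CK Navigator layer for a threat, join it against a catalogue of ATT&CK-tagged detections, tests and countermeasures, then sort techniques low-to-high by available coverage, and compare tests against detections per tactic) can be reproduced in a few dozen lines. The script below is an added example written for this transcript; it is not code from the talk or from the Control Validation Compass project. It assumes the Navigator v4 layer format (`techniques[].techniqueID`, `tactic`, `score`), treats `score > 0` as "highlighted", and uses a small constructed control catalogue in place of the thousands of public rules the talk describes. The technique IDs are real ATT&CK identifiers (T1027 is named on the page; the others are standard ATT&CK IDs), but the layer itself is constructed and is not the TrickBot export shown in the talk. The rule that a sub-technique's controls also count toward the parent technique is an assumption, not the tool's documented behaviour.

```python
"""Coverage triage over an ATT&CK Navigator layer (added example, not the
talk's or the Control Validation Compass project's code)."""
import json
from collections import Counter, defaultdict

# Constructed Navigator layer in the v4.x layer format (NOT a real TrickBot
# export).  Only `techniqueID`, `tactic` and `score` are used below.
LAYER_JSON = json.dumps({
    "name": "constructed example layer",
    "versions": {"attack": "11", "navigator": "4.6.4", "layer": "4.3"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1027", "tactic": "defense-evasion", "score": 1},
        {"techniqueID": "T1027.002", "tactic": "defense-evasion", "score": 1},
        {"techniqueID": "T1562.001", "tactic": "defense-evasion", "score": 1},
        {"techniqueID": "T1083", "tactic": "discovery", "score": 1},
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 1},
        {"techniqueID": "T1566", "tactic": "initial-access", "score": 0},
    ],
})

# Constructed (hypothetical) control catalogue: one row per rule, test or
# countermeasure, tagged with the ATT&CK technique(s) it is mapped to.  This
# mirrors the spreadsheet columns described in the talk (source per column,
# counts rolled up per technique).
CONTROLS = [
    {"source": "splunk", "kind": "detection", "name": "ps-encoded-cmd", "techniques": ["T1059.001", "T1027"]},
    {"source": "sigma", "kind": "detection", "name": "ps-b64-cmdline", "techniques": ["T1059.001"]},
    {"source": "sigma", "kind": "detection", "name": "upx-packed-binary", "techniques": ["T1027.002"]},
    {"source": "sigma", "kind": "detection", "name": "defender-disabled", "techniques": ["T1562.001"]},
    {"source": "atomic_red_team", "kind": "test", "name": "atomic-T1083-1", "techniques": ["T1083"]},
    {"source": "atomic_red_team", "kind": "test", "name": "atomic-T1083-2", "techniques": ["T1083"]},
    {"source": "atomic_red_team", "kind": "test", "name": "atomic-T1027-1", "techniques": ["T1027"]},
    {"source": "d3fend", "kind": "policy", "name": "file-content-rules", "techniques": ["T1027"]},
]


def load_layer_techniques(layer_json):
    """Return the technique IDs a Navigator layer highlights (score > 0)."""
    layer = json.loads(layer_json)
    return sorted({t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) > 0})


def parent_of(technique_id):
    """'T1027.002' -> 'T1027'; a parent technique maps to itself."""
    return technique_id.split(".")[0]


def coverage_by_technique(technique_ids, controls):
    """Count controls per technique, split by kind (detection/test/policy).

    Assumption: a control tagged with a sub-technique also counts toward its
    parent, so a parent-level entry in the layer is not reported as uncovered
    when only its sub-techniques have rules.
    """
    by_kind = {tid: Counter() for tid in technique_ids}
    for control in controls:
        for tag in control["techniques"]:
            for target in {tag, parent_of(tag)}:
                if target in by_kind:
                    by_kind[target][control["kind"]] += 1
    return by_kind


def prioritize(technique_ids, controls):
    """Order techniques low-to-high by available detections (then tests), the
    default sort the talk describes, so the least-covered behaviours surface
    first for manual detection engineering."""
    cov = coverage_by_technique(technique_ids, controls)
    return sorted(technique_ids, key=lambda tid: (cov[tid]["detection"], cov[tid]["test"], tid))


def tactic_balance(layer_json, controls):
    """Per tactic, total tests vs detections, the comparison behind the talk's
    wheel view (discovery: test-heavy, detection-light)."""
    layer = json.loads(layer_json)
    tactic_of = {t["techniqueID"]: t["tactic"] for t in layer["techniques"] if t.get("score", 0) > 0}
    cov = coverage_by_technique(sorted(tactic_of), controls)
    balance = defaultdict(Counter)
    for tid, tactic in tactic_of.items():
        balance[tactic]["detection"] += cov[tid]["detection"]
        balance[tactic]["test"] += cov[tid]["test"]
    return {tactic: dict(c) for tactic, c in balance.items()}


if __name__ == "__main__":
    ids = load_layer_techniques(LAYER_JSON)
    cov = coverage_by_technique(ids, CONTROLS)
    print(f"{'technique':<12}{'detections':>11}{'tests':>7}{'policy':>8}")
    for tid in prioritize(ids, CONTROLS):
        print(f"{tid:<12}{cov[tid]['detection']:>11}{cov[tid]['test']:>7}{cov[tid]['policy']:>8}")
    for tactic, counts in tactic_balance(LAYER_JSON, CONTROLS).items():
        print(f"{tactic}: {counts}")
```

With the constructed inputs, T1083 (File and Directory Discovery) comes out first: two tests exist and no detection, the same imbalance the talk points out for the discovery tactic as a whole. Swapping `CONTROLS` for rows generated from the public Splunk, Sigma, Atomic Red Team and D3FEND data, and `LAYER_JSON` for a real Navigator export, gives the triage list the tool renders.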
