
Who remembers this game? All right, so in it you've got to get four checkers in a row to win. Does anybody have an idea of how many different possible combinations of all the checkers there are in the game? Anybody want to wager a guess? You got it right: it's a lot. It's just short of four trillion different combinations. Now, for winning combinations, so to get four in a row, there are just short of two trillion, and I hope that's accurate; I looked that up on the internet, and if it's not accurate then I'm being trolled really hard. So, yeah, the other thing about it that's interesting is that there is a way that you can win every time: if you play first, you play in the middle, and at most it will take you 41 moves to win.

All right, so why are we talking about Connect Four? Why am I telling you this? We thought that when we think about defending our networks from an adversary, it's a little bit like a game of Connect Four, and here's how I like to compare it to penetration testing. In a penetration test, usually we're trying to meet some objective, and it's very similar: we're trying to get the four checkers in a row so that we can get domain admin and own all the things, right? But what about all these other combinations of things that are out there? How can we take those and enumerate all the different combinations of factors that could lead to a compromise? So instead of asking the question that we ask for pen testing, how can an attacker do bad things to your system, which is interesting, and look, I don't want to rag on pen tests, they have their place and we appreciate that; I come from a world where I had a consulting team that I was managing, we had 25 people, we've made a living doing this stuff, so I don't want to take too much away from it, but what if we could take it to the next level and say, instead of just what bad things can the attacker do, what if we could say: of all the ways an attacker can do bad things, how can we observe, detect and prevent them? Think about that; think about the checkers in our Connect Four game.

So with that I want to set out the objectives I have for our talk here. One, I want to introduce MITRE's ATT&CK framework, to figure out how we enumerate some of these things that an attacker could do, all the checker combinations in the Connect Four game. Then, to look at how we can break down that framework into some objective test cases, something that's out of the realm of things on spreadsheets and into the realm of figuring out what kinds of things we can do, and then also take all that and figure out how we learn from it to do better defense. So that's the primary objective. Our second objective would be to just use as many memes as possible to keep you guys awake. All right, no meme yet, but we're getting there.

Who knows what this is? Somebody say it. Guilty. All right, so probably no surprise, I come from Lockheed Martin; we have to pitch this, but this kind of starts a foundation, right? When you ask the question, how do we understand the way that an attacker moves through an environment, it's kind of hard not to have that conversation without talking about some version of this, right? Is there anyone in the room who has not seen this before? It's okay if you haven't. So I'll give you the one-minute version here. This describes the steps that an attacker takes, and there are so many cool things that we can do with this from a defender perspective. One simple example: from the Security Operations Center security analyst perspective, I want to look at this and understand where did I detect this event happening? How far down into the kill chain did we go before we were able to detect it? And then once we do that, let's say we caught an outbound C2 channel because it was going to a DNS name that we know is bad from threat intelligence; we blocked it, we saved the day. But do we just stop there? No, we take that and figure out, from a root cause analysis perspective, how did all this happen, to the extent that we can. Sometimes it's hard to get much past delivery, but usually for delivery we can try to figure out how they got into our environment: was it portable media, was it spear phishing, what was it? That's what we call a late-phase detection. But what if we had an early detection, way up here at delivery, and our email security suite caught it and blocked it? Again, do we just stop there? Depending on the size of the shop you have and the capabilities you have, maybe, but for some of the larger shops we don't stop there, because we want to blow out what would have happened if that campaign had been successful. So that's the cyber kill chain in a nutshell, one use case; there are a lot of other use cases for it, but one of the things that it didn't do, when we started looking at creating some sort of threat emulation, or really understanding it at that level, is it didn't get it defined down to that level.

So we looked around out there; there's got to be something else, right? There's got to be more beyond just describing it conceptually, and that's where we introduce MITRE's ATT&CK framework. So who's heard of the ATT&CK framework prior to this? A few. So let's put it this way: more people have heard of the cyber kill chain than ATT&CK, so I'm happy that I can share this with you here today, because it's really cool. So what is it? I'm going to read the definition as it goes for this: ATT&CK for Enterprise, and we'll learn what that distinction is here in a little bit, is a threat model and framework for describing the actions an adversary may take while operating within an enterprise network. Yeah, that's a little bit of a mouthful, but that sounds kind of like trying to understand all those different ways that we can win the Connect Four game, right? So this framework, they have it broken out for major operating systems: a Windows version, an OS X version, a Linux version. This should look familiar: this is a slight adaptation of the cyber kill chain graphic that they use to serve as a reference. So the ATT&CK platform, ATT&CK for Enterprise particularly, focuses on three steps, and there's a good reason for that: these are the ones that technically are the easiest to get down and really understand at a granular level. We'll see in a later part of our discussion how it's a little bit different for some of these early stages. So ATT&CK focuses here, and here are the kinds of things that it breaks down: control, execute and maintain. Again, thinking about this as steps that an attacker takes, you see here in the list certain tactics that they might use: they want to establish persistence, right; they want to escalate privileges. So if you're a pen tester these sound like things that you would typically do in your pen test engagement, right? All the different things, lateral movement, these are all tactics that an attacker can use, and the ATT&CK framework kind of models that for us.

But I should have put the "but wait, there's more" graphic here, because it doesn't stop there. It goes down another level; it says, within that category of tactics, really what are they doing, right? So one of the things they're doing is a technique. So I chose lateral movement, it's always a fun one, and you can see the list here, and I'm going to pick on Remote Desktop Protocol, and this should give you a feel for how this is broken out. So MITRE has a wiki where all of this is linked and connected and you can just click through. I've taken some liberties to display it this way, but if you go to the MITRE site, ultimately you click on Remote Desktop Protocol and you're going to get this page here that says, here's Remote Desktop Protocol, why do we care about it from a lateral movement perspective. Beyond that it's probably very hard to read from the back, but down here you see examples of threat actors that have actually used it, threat actor campaigns that have used Remote Desktop Protocol for lateral movement. You also see some other sort of metadata that goes along with this in the framework, so this includes things like what operating systems it applies to, what permissions are required, and what are the log data sources where we can observe this; that becomes very important.

I want to give one more example just to round it out here. So if we go down to command and control, you'll see this is abbreviated because there's a very long list; I should have grabbed the exact number, I don't know how many different techniques they have enumerated, it's continually changing. So we'll pick on this one, Standard Application Layer Protocol. So if I am late in that cyber kill chain, my malware has done its thing and now it's making a callback out to my domain; maybe I'm using a standard application layer protocol as a technique to accomplish that. Here's the description of how that works, here are the threat actors that have used that, and as you can imagine with C2 channels there are all kinds of different C2 channels that you can get into that are more or less obfuscated on the network. This is just for the purpose of an example, everyone grasping how we're breaking this down from the stage of the attack to the tactic to the technique level. At this point I'm hoping that your wheels are spinning a little bit, that you think about how I could use this as a defender. So this doesn't just speak to a pen tester or someone who wants to go design an attack; as a defender, there might be some value that we can see there.

All right, so I promised that we would talk about the early stages of the attack, and this is something that MITRE likes to refer to as left of exploit. So the left-of-exploit things have the same kind of breakdown, a sort of matrix of tactics and techniques, and they call it, cleverly, PRE-ATT&CK, right? So this is Adversarial Tactics, Techniques and Common Knowledge for left of exploit. So if you start thinking about, okay, I could put these together, I can do different things with them. What you'll find, though, is that for the left-of-exploit stuff, for PRE-ATT&CK, there are a lot more sort of policy-oriented things, a little bit more at the strategic level than the tactical level; not in every case, but generally speaking that's true. And why is that? There are a few reasons. One is that it's hard, especially back at the recon and weaponize stage of the attack, it's a little bit harder to get the ability to observe what's happening at that phase; not always impossible, but certainly we know a lot more about how an adversary could operate in our network, where we have the opportunity to observe that.

All right, let's break it down, though. So we've talked about tactics and techniques, but if I'm an attacker, or someone who wants to use this as an offensive framework, how do I actually get down to a level where I can make some objective test cases based on the framework? Here's our dream, and I want to show just a few examples of the things that we're looking at in terms of getting this broken down into procedures, a procedure-level test case, right? So, create a new service named in CSS RV, some very granular-level things, and these are threat intelligence kinds of things that we can put back into this framework, and we can turn those into test cases to see, are we doing something about this if it's in the environment. And it really enables us to ask three questions. All right, hopefully the memes get heavier.

Question one: did we observe it? So think about this: this is your own network, and you're taking some test cases out of here, you execute those and ask yourself the first question: did we observe it? Okay, and that's worth recording in itself; it's a measure of visibility, right? If it's something on the endpoint, a privilege escalation that happens on the endpoint, do you have an endpoint security tool that can see that, or is it just going to be completely invisible in the first place? The second important question is, did we detect it? So the first is more about a capability to even see it; the second one is, did we have something automated in place that was able to detect that activity, whether it was network-based intrusion detection, host-based intrusion detection, or some other security control that we had that detected it. The third question is, did we prevent it? So were we actually able to execute the test case successfully, were we able to escalate privileges, were we able to create that service, or was it blocked? And so those are the three questions, right?

From that we can start populating a sort of heat map view, if you will, of what capabilities we have specific to an adversary technique, and the reason why I love this is because this is a really objective view. Now, for those of you in the front row who can see this well, don't overanalyze this too much, because I made this with random data. But I actually looked at it, and it's like, really, are we, or was there something; are we really going to be able to observe, detect and prevent that one, firmware with custom ... maybe; if you can, that's fantastic, especially in the world that I come from. I think I mentioned I spend a lot of time on the industrial control system side of things, so visibility there is really tough sometimes. But you start seeing how this could come together in a test to really understand at a pretty granular level what is possible here. And I was talking a little bit earlier about this: the number of possible test cases is huge, so you've got to prioritize, right? So we're not going to test every single possible one of the four trillion or two trillion Connect Four possibilities, but we can prioritize those based on what we know to be active, or if there are some things that we know we need to highlight in our environment, because we know that we're just not detecting or watching anything, our security operations center doesn't know what they're doing, and we want to find out where they don't have visibility. So there are some specific things that you can do and ways to use this to help bring some of those issues to light, and I'm going to go through this really quickly.

So in terms of benefit, we've seen some of the examples; I want to talk a little bit about the concept of using this in purple teaming, right? So we're used to the traditional red team, attacker, or blue team, defender; you hear a lot now about purple teaming. Using this framework and this concept in purple team engagements is really kind of perfect, right, because you have the ability to see, if you're working in conjunction with your defenders, you can run a test case and then really be able to go back and populate this based on what they were able to see and detect. And while it's adversarial in the sense that we're modeling adversarial techniques, it takes some of the adversarial feel away from it, and it's like we're all trying to get better here together, right? So we're going to run this and then we're going to check all of our instrumentation and see, do we even have the ability to observe it, and then detection. So that's one aspect of this.

The next aspect of it is really a capabilities baseline. So once you have developed that prioritized list of the test cases, we can come in and say, here's where we're at today; we can run those again six months from now and see how our capabilities have changed. And at that point maybe you picked a hundred test cases to begin with, the most common things that you want to be able to observe, detect and prevent, and maybe you dive a little bit deeper. And then think about some of the metrics that you could pull back out of this, right, because you could then bring it back up to the sort of top-level cyber kill chain and say, we're really good at detecting C2, but maybe we just have a complete lack of visibility on our email system, and our ability to detect something back at the delivery stage is really poor. And so we can use that to start thinking about how do we prioritize our cyber security investments, so that we're not just following whatever the latest marketing material says, but we're tailoring something and building a custom set of capabilities in our environment to meet the needs that we have, or the gaps that we have, based on real objective input. I think that's really where this offers value.

And again, back to the comparison with pen testing: a lot of times when briefing a pen test to a group of executives, or even the board sometimes, we tell the story at the right level, based on Ben's guidance, right; you're not going to basically tell them how we were able to compromise their domain, but what that means in terms of business impact to them. But typically it's: we were given an objective and we demonstrated that we could meet that objective. That's not to say that if you close the gaps that allowed us to meet that objective, everything is fixed, because it's not. Our thinking, my thinking on this kind of objective testing, is that we're taking a step toward a more comprehensive approach. And again, it's probably not a fit for every enterprise, for every organization, but for many organizations I think this kind of concept will really help you in the purple-team-style engagement, improve the capability of your defense, and ultimately make your networks and systems more effective. And that's it. So I blew through that really quickly, so I have time for questions, I think, and I'd be happy to take them.

Question: Where can I get the ATT&CK framework? Is that something I can play with personally, or ...?

Yeah, you can get that, and I appreciate the question. So if you go to attack.mitre.org, you'll see the wiki page that I highlighted before that will allow you to dive into it. Also, if you are used to, or have ... we just asked, Louis asked a question: who has the capability to do something with STIX, the STIX protocol? A couple, I mean. So there is a STIX representation of the entire, at least on the enterprise framework side of it. Do you know if there's a STIX ... okay, there may be one for PRE-ATT&CK as well; I know ATT&CK for Enterprise has a STIX representation. Also, another part of ATT&CK that I didn't mention is, it's a little bit newer, but they also have a mobile application framework as well, a Mobile ATT&CK framework, and I think it's also really promising and interesting. I think it still needs some more industry participation to expand out the matrix of techniques. Who else has a question? Yes, sir.

Question: [inaudible]

Let me make sure I heard you: you're talking about classifying data to make ... Yeah, so I think the question is, is there anything that I would recommend for doing prioritization based on classification of the data? And the answer is yes, and I'll tell you where, at a very tactical level, this has come into play. When we've done similar things to this in the past, one of our test cases has been to exfiltrate some data, and we'll exfiltrate it in 15, 20, 50 different ways, right, in terms of size, type of data. So we'll mock up PII, mock up credit card numbers, social security information, zip it up and exfil it out of your network and see if you notice. And it's amazing how it gets lost in the noise. But I'm not answering your question quite yet; I'm just using that as an example. So we do take kind of a data-centric approach, especially when we're looking at organizations that have PII or have some high-value intellectual property that they're trying to protect; we will mock up test case scenarios that go right at the heart of what is important to their business. So it comes into play from that perspective. I think the other place, just in terms of this notion of potential test cases out here, where it would come into play in terms of prioritization could be the systems; if you've done data classification, you know where the highest classification level of data exists in your environment, and you might do some targeting of those environments with specific test cases. Does that answer your question? But the most fun example of the data classification stuff is doing exfiltration. I didn't mention this, and we didn't see an example, but if I go back to this version of the kill chain, this actions on objectives right here is where we find things like data exfiltration. If the intent of the attackers is to ultimately steal data from your organization, we'll see that here, and again, really fun test cases to be made with mocking up that data, or, if you have permission, and let me just preface all of this, of course it's all with permission, but if you have permission to do so and you have some of the real data, sometimes what we'll do is look for, if an organization has a good data classification program, they usually have a document marking that goes with that, so the other thing we'll do is exfil documents that have their markings on them to determine their capability.

Question: [partly inaudible] ... you need resources for 3 and 4, like, getting back to the left-of-exploit capabilities and ...

Well, the ATT&CK framework itself does that with PRE-ATT&CK, and I didn't show you all of the examples here, but in terms of additional resources to really figure out how we get better at detecting at that level, nothing else pops into my head. But does anybody else have anything at these early stages that they have seen that might help answer the question?

Audience: [partly inaudible] ... that's a tactic ... there was a lot of stuff ... it was more than two ... do you mean at the PRE-ATT&CK ... there were some nice things in that.

Yeah, I would highly encourage you to go dig into it. So each one of these, I didn't show any that well, but each one of these, just like we saw here, each one of these tactics is broken out into techniques, and so you have that there; that may answer a bunch of your question when you see the breakout of priority definition, build capabilities. Great questions. Any other questions?

Question: [inaudible]

Yeah. So I think the question, and correct me if I'm not getting it right, but I think the question is, in terms of the way that this is done by other organizations in industry, what are the common faults, how are they not getting it right, kind of; is that where you're going? Yeah, how do we do things better. I think so. So yes, I see a lot of things not done well, but the flip side of that is I see a lot of firms that are raising their capabilities and doing things well. That's a really generic answer, but to make it a little more real, I think a lot of the things that I've hit on in this presentation are challenges that our industry has, especially consulting firms, right? Let me just put it this way: it's not that special to go into an environment and compromise it; it's the way that you explain its impact, and if you can find a good way to explain it to the business, to cause them to take action to do something to fix the challenges that are there, then you've won. But if you just want to go in and celebrate and be like, hey, I got domain admin and we own your environment, your blue team guys ..., that's not my perspective, and I don't want to castigate anyone out there; there are certainly firms that do that, but there is, I would say, increasing understanding that it's not just that. I think the days of, we're going to drop in, show you how awesome we are, we hacked your stuff, and see you later, no one is getting value out of that. I think that's why the purple team concept is becoming so big, and not just for external consultants; for large organizations that have an internal business, it's the same kind of thing. There are some big companies that have internal red and blue organizations that historically, I mean, they're separate groups, and it's like, guys, we're all here to do this, we have the same mission. So I think that, as well as really being able to take these technical concepts and put them in language that the business can understand and make decisions about.

If I had to boil down everything, I mean, I've been doing cyber security consulting in one way or another, in a full-time consultant role, for over ten years now, and almost every time the question that organizations want to answer is, how do I evaluate and prioritize cyber security investments? I think there's a little awareness now that it's part of the cost of doing business, but how do I take that and understand really where to spend my money? Who's seen all of the vendors that are out there? I mean, there are countless vendors. Even just in my world, I spend a lot of time, I mentioned, focused on ICS, and in ICS the hotness is network anomaly detection; it's a big deal, there are like 20-some companies out there doing it, and it's great that we have the focus, but not all 20 of those companies are going to make it. But organizations have all these messages coming in from those 20 companies and thousands of others saying, buy our stuff and we will help you be more secure, and without really something objective to hold that up against, a really effective way to prioritize, that will likely be disappointing for its own sake. Any other questions? Very good. I appreciate the interaction; thank you guys for having me here, and thank you, Beth, for setting up this event. Really excited.

[Applause]