Learning Security by ATT&CK'ing Yourself

[Applause] so for this thing working do I need to get closer this close so I might just as yell instead my name is Travis I work at tripwire right across the river here in Portland I do a lot of research around the defense defensive side of security so today I'm going to talk about how the attack framework can actually be used as a teaching tool to teach younger people some of you my men Gallus might recognize me from previous years where i've talked about how we've brought on interns in the past and tried to teach them security sometimes it's been successful sometimes it hasn't and using the attack framework this year with the one of our interns worked out really

well so I'm going to talk about how we use that and how you might be able to use it yourselves so a couple days ago Tuesday I was in DC giving a similar presentation I had to send my slides ahead of time to to mitre and they said yeah everything looks good but your second slide is terrifying which is this one here everybody agrees have a really good-looking Sun right so the purpose is really the goal of teaching is to pass on our knowledge to the younger generation or maybe they're older who knows to really make better versions of ourselves to TAS on the best parts of ourselves the best knowledge so they can be better in their lives as

well so wrong way I have used this clicker yet so what we did starting out in 2015 we brought on some interns and I said all right we're gonna turn it up to 11 we're gonna load up some Kali Linux we use the damn vulnerable web app we're gonna snus in full and scanning we're gonna use nmap we're gonna use Metasploit and we're gonna dispose to exploit all summer long there's gonna be a lot of fun everybody's gonna love it and they just kind of looked around like this didn't really know what was going on so what we did the the next year is we try to engage them a little bit more try to pique their interest so we bought

a internet controlled robot off of Amazon it's about 80 bucks plus you need the Raspberry Pi and things like that so about a hundred dollars wheel to get this robot that they were to build themselves build the hardware built install the software see how the software worked and what we did is we taught them how to then attack that and break into that they went through and then they fixed the vulnerabilities that they saw patch it as much as they would harden as much as they could and then we open it up to our security team so then they could try to hack it themselves the first year really good they actually were able to protect it

the second year they were very close we gave I think that I could to our time limit and we were very close to breaking into it then the intern walked away and had all the passwords on his desktop so that's how we were able to break into it so a really good teaching moment to never leave your passwords on your desktop he was very sad about that but it was still not quite as successful as we had wanted it to be and then I came across the the Bloom's taxonomy for for learning and I realized we were really skipping to step three in the the learning objectives the application of how you actually apply this knowledge

and we were skipping over the building blocks of you know the learning where we need that knowledge first you need to understand what that is and then comprehend it before you can actually apply it and then move on to other things that's why everybody remembers from their their college days it's like read the book three times the same kind of thing where you need to understand it you need to comprehend it and then go across it and then when it came across this is when I was actually deep into the attack framework and I said okay well there's a lot of knowledge in that attack framework how can we use it anybody that's not familiar with attack

it stands for adversaries Tech tactics techniques and common knowledge so that knowledge is a key aspect of the attack framework so describing what the attack framework is if anybody's not familiar at this is the Lockheed Martin cyber kill chain which really describes an overall attack strategy of attackers where they're gonna start with reconnaissance they're gonna weaponize things deliver it to you exploits and then eventually get down to their whatever their actions on objectives are on the right it was a great way to describe the the security lifecycle of an attacker and where the attack framework really fits in is in the the later portion of that actual attack kill chain it's one they've already gained a

foothold into your environment so we talked to two organizations and say you need to adopt the attack framework and it's really focused on when they've already gained a foothold that can be scary but we know that attackers are gonna get in and we need to do something about that so what it is it's a collection of 10 that's weird so it's actually 11 tactics that the header is really cut off here which is unfortunate don't know why that's doing that it looks really cool but anyways what should be at the top up here is just the headers are the different tactics so these are the things like persistence these the objectives that an attacker is gonna try

to get to persistence to vent defensive evasion if I go back it's these ones here credential access discovery lateral movement commanding control and they really describe what the attacker is going to try to do and then the individual cells which we would see in here I'm really sad way that's not working great is the actual what we call techniques and that's how they're gonna gain that objective so if they want persistence they do something like registry run keys or if they want command and control they're gonna exfiltrated Atta over the network so on and so forth so what I did is I took that framework and then I start splitting out all those different techniques and I split them up into five

different objectives and I'm a big fan of the attack acronym and I tried to make one myself and then by the time I got down to the bottom like this is just way too hard we're just gonna put hard it's what I did so the blue is really techniques that are going to be leveraged by other techniques so things like you're gonna run and executable or you're going to query the registry those aren't actual exploits themselves you're gonna be able to do but they're gonna be leveraged later so there's not really something that you can actually dig into on on that green are like a really easy ones so easy my grandma could probably do

them so things like replacing a registry key for registry run keys or the set HD keys to replace you know set HD with with CMD so you can get a command prompt really easy things to do yellow are things that are still pretty easy but you need some type of framework around it that really enables it to be really easy to use so if you had something like Metasploit or cobalt strike or some of the proof of concept code that you seen on github that's where those would really come into play orange is really split between what's easy and what's kind of not so easy and what's really hard but requires some level of infrastructure to set up so you might

need a web server that you can pop a web shell onto or to place a shared content onto or you need a command and control infrastructure set up you know some of these things are pretty easy to do they're not you know pretty actually pretty simple to do but they actually require some level investment to get that up and running and then the final one is just things that are just hard right so things that you need custom DLL for or you need to have very in-depth knowledge of the operating system or the actual hardware to implant root kits or boot kits things like that so what it looks like here's a better understanding this is kind of what that that previous

one was trying to show can i zoom in up top so these are the different tactics across the top so this is a export from a tool that they have it's called a TAC navigator really nice tool you can get it from their website so these are the ones that are the blue ones the graphical user interface user execution in query registry that we'd want to go through the green ones these are the things that are very simple to do so if you have the junior level person that's gonna want to go through and research attack or you want to have a somebody to teach somebody to attack these are the green ones that you'd want to actually

go through and do yellow you know like I said the harder ones things that are you need some type of level exploitation of anything where you need Metasploit or installing root certificates pass the hash input capture write simple things to do but usually enabled a little bit better when you have some type of tool to be able to do it so I like to not do these ones even first maybe and skip over these ones until 2nd or 3rd that we're gonna go true so they have an understanding of what's going on so they don't just you know load up Metasploit and say you know i pushed a button now i have root that's really cool alright

they want to have that level of understanding orange so again like I said the the ones that need some level of you know infrastructure to be able to set up red ones these and ones that are really really hard you need so you know some type of custom DLL or you know understanding of the firmware being able to understand how the memory structure works of the operating system so these the ones like your senior level people are gonna be doing or like the you know people and their if they're in college they're their master thesis kind of kind of thing that's these are the ones that they're gonna be actually investigating so we put it all together we get the

attack rainbow as I call it so these the ones that are put all together on a single pane of glass so down here on my github page I've actually provided JSON output for the attack navigator we can actually go through and see him and then start digging around it and what I like about going through this strategy that I went through is if you look at something like persistence or defensive evasion and nearly pretty much every one of these tactics these columns - of course discovery you have a split between things that are very easy to do a little bit harder to do and very hard to do so as you know from our team and

tripwire we have you know security researchers and we have multiple people wanting to look at this we can have our you know we want to focus on persistence you know this month or sprint if you guys are fans of agile so let's you know split these up you know the junior level people we can start looking at these green ones senior level people you work on the red one so we can start meeting in the middle somewhere so something like persistence has red yellow green blue orange they have all of them so you can really start spreading this across your entire team so the actual attack Navigator it's on their website it's that's not the link there they recently

put a new feature in where you can load in these JSON formats of these different tabs directly from a URL so you can just take the you know the raw github user content for any one of these ones that we have here and just load it directly into the attack navigator which they host on their website so you actually don't need to do anything to be able start digging into these ones and you just put it in there and it loads it in split up by you know different tabs for whatever you know a specific color if you want all of them for the full rainbow for full effect it's a really neat little feature that you can go

check out immediately if you want to have fun this weekend just looking at attack so how we actually used it in practice so here's how we actually went under this workflow with our Thor intern this year first we chose a specific tactic with persistence because that one's a little bit easier to use especially for people that aren't familiar with security our intern this year had some level of understanding of computer science in general but was brand new to security so we said ok you know while you're here we're gonna start working on persistence so let's choose one of the individual tactics or sorry one of the individual techniques which are inside the persistence column so

let's start with the registry gun keys so once we choose this there's some things that we want to start looking at how would you actually exploit this specific technique or test it depending on if you need to have you know choose your words wisely you know if you once you exploit it there's mitigation steps that are provided by the attack framework reached one of these individual techniques so you can use still bypass those mitigations because they're not always complete and if you can what artifacts are left behind if you've mitigated it or if you've tried to mitigate it or try to exploit it when it's mitigated or you just exporting it without mitigation so what artifacts are left behind so if we

don't have a complete coverage of preventative measures in our infrastructure what can we see that's left behind that we can use that as detection techniques and then finally are there anything is there anything on you know the that you found in your research that is not actually in the technique itself so that we can then provide that feedback back to the attack community the attack framework itself is very community driven they're relying a lot on researchers to actually give feedback back to the framework itself so we started digging into the actual attack framework there's a description on the top this is a screenshot of their older website where cuz the description what it is so like this one for example

is saying if you want to you know you know abuse this specific technique place registry key in the registry run key location but actually doesn't tell you you know what those locations are sometimes it's just you know you can do registry run keys or you know whatever you could do technique X and it doesn't really provide that level of information which is where you'd actually have to start digging into a little bit more as what's in the attack framework each one of the different techniques that we have on the attack framework itself provides examples so these are actual real world examples of this technique being abused in the wild by different threat actors or pieces of malware we're going to see

okay apt 29 use registry keys or things like that and this is a really good way for security organizations to provide a justification for investing in attack where we can say you know we want to invest in this because we've actually seen this in the wild and this is actually happening to people around the world that we need to look at so being able to dig into different ones of these we can see on some of them if I you know some of them actually have you know this registry key here and things like that so we can start taking note of what you know these artifacts are for the specific the specific technique and this is very Wikipedia ish so you

can kind of see on each the end of each one they have links to the actual referenced articles these are links to could be you know for this example links to Microsoft or it could be links to security vendors doing there you know published research so thing you know tripwire could be one could be semantic or McAfee or red canary or whoever would be they'd be all out there and then you start clicking on them and the perfect example I always start I try to start with this one when I'm teaching attack is if you go to the the first link you can see actually clicked on its different color is a documentation from Microsoft that says here's the registry

run keys and there are four of them on there does anybody know how many registry run Keys there are a lot more than four so this it's not very well documented and even the attack framework doesn't document them because there's so many of them they just say use the sysinternals what are the auto runs use that to be able to detect all of them and even sysinternals doesn't document what they have and it's very difficult to find so being able to click through all of these you're gonna be able to see a lot of different you know artifacts that are left behind and more information about what the specific technique is and get a more in-depth

level of understanding than you're actually gonna get from the attack frameworks the attack framework is great but this is way too much information to put on us individual webpage so it's great references to go look back and go through and no matter what you're gonna have to probably load up your friend google and do some original research yourself there's a ton of information about security on the web the great thing about security researchers and the security at you know world itself is we like to talk about what we're doing and show our research so there's a ton of information out there so load up the you know the google friend and and see what you can find there every single

technique is gonna have something out there in the wild and then finally is actually go through and exploit this technique and there's a lot of talk about you know automating workflows and and and orchestrating things together this is a exercise that needs to be done very manual that's its kind of feels weird to say that but you need to do this a very manual very step-by-step process so you're not just loading up something and pushing a button saying hey look I got results now you need to load up the registry you need to you know right click and say I want to create a new key and type it in and then actually you know

Sarge the system and see what it's doing and you get a much better understanding of what's going on and then you're gonna get something like this when they login or if you're like you know a security researcher you're just gonna load up calculator so here's the the objectives that I try to get out of the you know what I'm trying to teach them and say okay well what did you learn so was it in the actual attack framework that you pulled it out of or was it from your original research that you you clicked on a link and things like that and you know for me personally that's just so I can then provide that feedback

back to the attack community there are entering this year he'd working on something and he actually is now listed as a contributor to the attack framework even though he had no you know history in the security world because he went through these steps and he found things that you know were on the internet and were talked about tested him himself went through the manual process and now he's you know listed as an attack contributor and then looking at the the mitigations versus the detection because every technique lists out here's the mitigation factors here's the detection factors you know did they work to the mitigation factors work almost every single one of the windows techniques says use application whitelisting such

as AppLocker to stop this and if we go back to you know this one here we would have application whitelisting and our users need to load up you know chrome and an explorer or whatever would be so application whitelisting isn't gonna solve this technique right it's not gonna stop that so did it work and how would you i should go about bypassing it so you can then feed into then how would you detect it it's okay well we're not going to be able to prevent this specific attack but we can detect it because now we're monitoring the registry run keys and so on and so forth and then being able to see okay what worked what didn't what can be added so

then we can then provide that back to the feet the community because it's a very community driven project and that's the very you know good power about the attack framework and then once they get into actually how you know they're getting into how they can exploit it so a lot of times it's very difficult to actually go through and understand what you're doing when you're attacking things so here's three resources which I use heavily when I'm going through and testing any attack framework first one is the adversary emulation plans from mitre themselves so they are going through and doing EDR evaluations endpoint detection response so testing tools like tripwires see how they you know actually you know they say we do

attack but then they're actually at party that says yeah they actually do it correctly or there maybe they don't but it goes through and they have emulation plans for example like a PT three or Gothic panda or some fancy but I don't know one of the Bears or pandas and it says okay here are for this specific apt group we know that they did these 24 different techniques and they list them out and it says for this specific technique here's how you would run something like a PowerShell commander a Windows internal command or if you have Metasploit here's the Metasploit module that you would use to load up once you've gained access to that machine if

you use cobalt strike here's the cobalt strike module you would use so very broken down so it makes people that are not very red team familiar or don't know the offensive side of security makes it very easy to go through and actually understand how they can actually exploit or test individual techniques the next one is a apt simulator that's on github it's really good about just testing the defenses or detection measures overall not map to attack whatsoever and it does things like change host keys and sorry read entries in the host file so don't run this probably don't run any of them on production systems but really good it's really good tool and then the last

one is a really really really good tool from red Canary called atomic red team wave talk to that guy if you want to know more about it but it's a really good tool it has all these different measures that are mapped directly into the attack framework and allows you to automate the the red team aspects of some of these very easily so you can say I want to test the registry run keys or you can actually go through and I think they can automate it so it'll just pull a random one at general right so very very very very good tool to use so I'm running low on time so I'm just gonna cut it short there because I can take

any questions if you have but go through and the teaching the younger kids about security is a critical to our environment in our industry in general and the attack framework is a really really good tool because there's a ton of knowledge in there I mean I've been in the security industry for a long time and when I first started going through it I've learned so much about it so you know everybody that guarantee everybody in this room is gonna learn something from this framework so for that I'll open up to questions and go from there yes sir

which product of the tack framework the attack framework itself can go to attack my torgue and it's all listed on there they do have that they do have a github page as well that has a lot of the attacks stuff on there but if you go just go to attack that matter that org that's where you gonna find all the information on that cool if there's no questions and thank you and I'll be up here if you want to talk in person in private

you