
MITRE ATT&CK Framework For Threat Hunting - Seth Brunt and Abby Warnes

BSides Bristol · 2019 · 29:58 · 8.1K views · Published 2019-07 · Watch on YouTube
Speakers: Seth Brunt and Abby Warnes
Style: Talk

Transcript [en]

Cheers. Hi everyone, I'm Seth. A quick run-through of who we are, and all the busy stuff at the top. When I'm not doing the typical stuff: family, DIY, inventing my own board game, and watching rugby any chance I get.

Hi, I'm Abby. I'm a recent graduate from this university, where I did forensic computing and cybersecurity. My current role is cyber threat hunter, and this is my first job since coming out of uni, so between finishing uni and starting my job I managed to travel around Southeast Asia to make the most of my time off. You're welcome to catch me later if you want any more information about me. That's it for me as well.

OK, so to start off: how many people here know about the ATT&CK matrix and MITRE? One or two, excellent, because I didn't want to go into too much of it. At a really high level, MITRE is a not-for-profit organization, the first to have the .org TLD. They invented the CVE database for vulnerability and patch management and all of that, which became a common language for the vulnerability managers and IT teams out there to understand which vulnerabilities they had to look at. What they've done with ATT&CK is exactly the same, but for TTPs, so tools, techniques and processes, of the attack routes.

Why did I choose ATT&CK to set up a dedicated threat hunting service? I didn't want to reinvent the wheel. There are two hundred-plus techniques created by a load of really good analysts out there, all of the information is based on publicly available information, and all the references are on the ATT&CK framework. So I don't want to reinvent the wheel and create loads and loads of techniques myself; 278 or whatever it is, they're already there, use them. It's also about having that common language. As a technician I might be looking at hunting on a technique; I might be a Checkpoint or a Cisco technician and understand how to look for that in Cisco and Checkpoint, and somebody else within the team might be the Juniper or Palo Alto person; they can interpret the technique and then translate it to the language of their tools and technologies. Obviously different languages as well: English, Chinese, German.

It's also there to help me identify the gaps in our defences. If we're looking at as many of the techniques as possible, each of those techniques relies on a data source. Those data sources are fed by your security controls: your AV, your EDR (endpoint detection and response) tools, your proxies. All of those feed into the data sources, and those give you the detection capabilities against each of the techniques. If you find you haven't got a data source, you've got a gap in your detection capabilities, and possibly your prevention technologies as well, so you need to pass that on to your security engineering and security architecture teams. They can take those gaps, raise them to the business, tell them what the risk to the business is of having that gap in your defences, and hopefully either close it down or accept the risk. So that's why I chose the MITRE ATT&CK framework to set up the dedicated service.

And just quickly, the threat hunting service: as John already mentioned in his talk earlier, it's that continuous improvement cycle. It's not just standing still; it's ensuring your business is moving forward all the time and looking for new stuff. We have a dedicated SOC; they do the known knowns and the known unknowns, and we look for the unknown. It is unknown only to our business; it's not necessarily unknown across the internet. So that's the why.

Where do you start? The MITRE ATT&CK framework has two hundred-plus techniques in it. I naively thought (we actually recruited the team and started in July) that between July and Christmas I could get all two hundred-plus techniques done. Not a chance. There are a number of techniques in there that require things like physical forensics; if you're looking at firmware and BIOS and stuff like that, you can't automate that, you can't grab the logs back automatically, you actually have to sit down and do forensics. There are a number of techniques in there that you just can't do in an automated fashion, in a fast fashion, so it wasn't achievable.

Then obviously gaining access, the age-old problem for IT and security: getting access to the tools and the data to actually look for the detections, look to create actions, look for activity. Sorry, we still have that problem. We're a global business, so getting access to the data over in one of the international markets can be a challenge as well. If we're lucky, in the UK we can get hold of the data pretty quickly, but if we have to send off for it, it could take half a day, a day, a week or even a month to get that data back. So we write the detection, we contact the market, we give them the information, and eventually we get the data back so we can do some analysis.

Then eventually we get access to the tools, more data, and we've got a small bit of malicious activity in a whole load of normal activity: the needle in the haystack, or the needle in the needle stack, as was said earlier. It's trying to find that one piece of malicious activity amongst all of the other suspicious activity that your developers, your IT admins, your other security people are doing, things like PowerShell commands. If they're sending PowerShell up to Amazon, things like that, they're going to be using base64 to encode it, and that's going to flag on one of our obfuscation techniques. So yeah, eventually you get there. There are other hurdles, but I'm trying to stick to three things per slide.

So what tooling do we need? The most important thing is: record everything. Record what you do in your incident tracker. This has two benefits. One of them is helping the juniors within the team, or helping other analysts in the team: if you've recorded it once, somebody else can use what you've already done and build on that, so they're not doing the same thing again, not duplicating effort; you're only doing it once. Secondly, top tip, and I'll come back to this later: any time you have a true positive, an actual cyber incident of malicious activity within your environment, try and track the technique number in your incident tracker against that security incident. More on this later, but it helps you prioritize, it helps you start.

ATT&CK is very much endpoint-centric; it's all about the endpoint. So have a good EDR tool. This one was mentioned earlier: if you get the chance, search the Microsoft blogs, there's a really good one on using Power BI and Sysmon to do threat hunting. There's free stuff out there, and obviously there's all of the commercial stuff, Carbon Black, FireEye HX, Tanium and Cisco AMP and plenty of others out there that you can use as well. But most of the techniques are based around activity on your endpoints, your workstations, your laptops, your servers, so having a good EDR tool is key for threat hunting, in my opinion.

Lastly, a threat hunting SIEM. We've actually set up a separate SIEM for threat hunting. Our security operations centre has got the enterprise SIEM feeding them alerts, but that's been tuned for the known knowns and the known unknowns, so that's the stuff that we know about, that we know how to deal with. We don't want to be giving them all of the false positives, all of the suspicious but not necessarily bad activity, because otherwise they'd be wasting their cycles not actually fixing bad stuff; they'd be there trying to tune stuff out. That's our job in threat hunting: to tune it down to a state where they can just get straight into the incident and follow the playbook. As I said, we've done it separately. You can do it within your existing SIEM if you're able to segregate it out, or just keep the data to the side, but for us it was easier to set it up on a separate system.

Sorry, so I mentioned prioritization earlier: where do we start, how do I fix that problem? So, on the right, technique prevalence. What I said about recording the technique number or numbers within the incident tracker then gives me a prevalence of which techniques have been used against my environment. Now, if I haven't got an automated response to those techniques, I need to develop those automated responses, so I'm going to prioritize any techniques I'm actually seeing used against us; the more they're used, the higher I prioritize them. And then I'm going to deprioritize those techniques I've already looked at in the last 30 days, because I don't want to be looking at the same techniques again and again and again, unless I prioritize them for other reasons, obviously. So we've got a scoring mechanism to try and narrow it down.

On the left there, data sources. I've mentioned it already: you need to do the mapping of your data sources against your security tools to understand which ones you've got and where your gaps are. Now obviously you want to prioritize the ones that answer the most techniques. Process monitoring is in 149 of the techniques; if you've got process monitoring, probably through an EDR tool, you will be able to detect some of the activity of those techniques. But obviously there are others in there. From my previous experience, you've got PowerShell, which only answers one technique (I'll cover that a bit more in a bit), and you've got email, you've got proxies and DNS records. Although they only answer one technique, although they only give you the detection capabilities against one or two techniques, my experience is that I can get a lot of information out of those log sources, out of those data sources, so I would prioritize those above.

And finally, threat intelligence. Threat intelligence will pass us the various groups that might be likely to attack us, or attack the industry, so we'll collate those groups and we'll look at the techniques that those groups are known to have used. Any technique that's been used by multiple groups will get a higher priority than those techniques that are used by only one or two groups, because again I want to get as much bang for my buck as possible. I want to get as many techniques that are applicable to my business investigated, because I'm more likely to catch the bad guys and girls when they attack us, if they're aimed at us. So threat intel is really useful. Nope, sorry. Those are the core ways; there are some other prioritizations that we do as well, but that then gives us a top 20 that we really focus down on within the business. We look at all of the techniques, but those top 20 are the ones that are most applicable to us and are really important.

Moving on, I'll quickly run through a process, not that quickly, sorry, to speed up. Right, well, I'll start off. We've prioritized our technique, we've taken our technique from the ATT&CK framework, we've got all the information out of ATT&CK and how it's used by the different groups, and we'll

create a detection for it. We might start with a very wide detection for that technique, and we might then start narrowing it down based on the threat intel we've had and based on the data we have available, etc. Once we've written a detection, we then go and collect the data. As I said, that could be pretty much instantly if we've got it available, which I'd assume in the UK market, but it could take a lot longer if it's an international market. We get hold of the data eventually, we feed all of that information into our threat hunting SIEM and we perform analysis. Then we start the analysis and tuning cycle, and we go around that circle quite a few times to try and get rid of as many false positives as possible: to get rid of the developers sending encoded commands to AWS, because we know that team, we know that they do that on a daily basis, and we should have other techniques and detections in place if their accounts are compromised. What I'm trying to do is just find this particular technique, so I want to narrow it down so that I get just true positives alerting out of it.

Once we've done that tuning cycle, we tuck it into our dashboards on our SIEM and we monitor it for a while. We then pass it off to the red team and get them to run a test against it, and hopefully that should flag in our dashboard and we should see that it's actually working. If it doesn't, then we go back into the tuning cycle and try and fix where we broke it. And if we do find something, a true positive, we pass it on to our intel team, and they can share it with trusted partners, but they can also then give us additional information. I think it was Dan who was talking about the attack chain: if we find it at one point in the attack chain, we can find the most likely other techniques that those groups would use, or that multiple groups use, and we can go and try and look for activity there; we can try and find out how they got into the environment, what they were trying to get, and what they're going after. When we've done all of the tuning we can and we've got it to a really good stage where it only fires on a true positive, we pass it over to the SOC and we write the playbook so they can contain, eradicate and recover. So that's the process.

I mentioned the cyber attack chain, kill chain, Lockheed Martin, all that. This is actually the 12 tactics; these are the column headers in the framework. They loosely translate to the cyber kill chain. Down at this end you've got exfiltration and impact, the two tactics in the framework that actually have an impact on the business. There is some impact further up the chain, but it's more resource utilisation than actual cost to the business. When the bad guys and girls steal, copy your data, they're stealing your IP; when they're deleting or encrypting your data, they're impacting your productivity; when they're changing your data, changing our customers' accounts to their accounts so we pay them instead of our customer, they're costing us money and reputational damage. So we want to stop them, and we want to stop them much further up the kill chain, so we want to detect them much further up the kill chain. Our job in threat hunting is to keep pushing the attackers further up the kill chain. It's not just threat hunting; the whole of cyber operations needs to keep pushing them up. So that's our main goal.

As I said, I started the team in January 2018 and had actually recruited by July. I've got three juniors and three seniors, including myself. Now what the ATT&CK framework has, as I said, is all of that common knowledge built by senior analysts, really good analysts who know their stuff. By using the framework, the juniors are able to not just rely on the seniors in the team to share their experience, but to use all of the information on the ATT&CK matrix. So it's a force multiplier: it allows you to have more senior analysts in your team than you actually have.

And tunnel vision. I might be really good at finding PowerShell; I might stop the attackers every time they use PowerShell against me, no matter what PowerShell commands or how they've tried to hide it, I always find them when they're using PowerShell, and I'm really good at that, I really enjoy looking at when they're using PowerShell. They'll work out that they can't get past me if they use any PowerShell commands. Now if I just sit there and focus on it, they will

pivot past me. They will use another tactic, another technique, to escalate their privileges, to move laterally, and if I just look at PowerShell all the time I will miss them. So by using the framework, by looking at what other techniques they could be using against you, you stop tunnel vision. This is why I believe it gives benefit to use the ATT&CK framework, and on that note I will hand over to Abby. Thank you.

So the following slides are an example of how I have performed a threat hunt and investigation using the MITRE ATT&CK framework, and I must add that the tools, technologies and groups used throughout this run-through I made up to protect the identities of the innocent. It starts off with our threat intel team feeding me information with potential groups that could potentially harm our company. The MITRE ATT&CK framework features multiple attack groups; however, for this example I've used Lazarus Group and Gorgon Group. When looking at the two groups that threat intel provided in MITRE ATT&CK, it is seen that each group includes a list of techniques that they have potentially used to harm companies. My job as a threat hunter is to create detections for each of these techniques so that we have the ability to find and contain against them. For this example I tried to look at any common techniques situated across both groups, and it turns out there are ten common techniques.

The next stage is prioritization. Seth has already mentioned prioritizing techniques, so once I'd narrowed down the top 20 common techniques I noticed I personally hadn't visited Disabling Security Tools in the last 30 days, and in addition I did speak to a few members of the team and I found out there wasn't a global detection currently in place. Then, moving on to picking what attack group to focus on: as you can see, both groups have used the technique differently. Gorgon Group use the taskkill command to disable security tools, whereas Lazarus Group disable them through using SSH. So I decided to focus on Gorgon Group, as I thought I could probably create the detection and it looked quite easy, and in addition I did have a look around and we did already have detection in place for Lazarus Group, as we monitor SSH.

Then moving on to the data sources. When you click into the technique I'm able to see what data sources the technique requires, and as a team we've been able to map out each data source to our existing tools. This has been great as a new starter still getting to know the environment, because it has sped up my hunting process: I know which tool to go to. For this technique I knew that we had command-line monitoring in place, which would enable me to pick up the use of taskkill. However, it isn't always as easy as it sounds, as I am part of a global team and it is sometimes difficult to retrieve data due to access issues, and these problems I'm still having today, so I sometimes have to contact international markets or security engineers to help me gain access to certain data. It can be a very long process, but again it's been great for a new starter, as I'm able to get to know these people in different teams and even in different countries.

Then moving on to creating the detection. As you can see, I created a PowerShell script that allows me to collect command-line information from one endpoint detection and response tool. I can't lie, I did start with an old script written by one of the seniors in our team, but I managed to adapt it to alert for this particular technique, so this script will alert me when taskkill has been used to stop any of our security tools in our environment. I also wrote this detection in another detection and response tool; as you can see, in this tool I use the query in the console to create alerts. You may wonder why I've created two different detections in two different tools: this is just to guarantee wider coverage across different markets.

So then where does all the data go? All the detections feed into our hunting SIEM, where we can tune out any false positives. When I first wrote the detection there was a lot of noise, which you can see, and as a team we are constantly moving techniques in and out of the dashboard as prioritization changes, so the lower-priority ones sit in secondary dashboards where we still monitor them individually, but just not as regularly as the top 20. It should also be noted that these are just a random top 20 techniques I've picked, but even our own top 20 techniques can be very noisy at times.

Then moving on to tuning the detection. I was able to determine that the 1,500 alerts were all down to three privileged accounts used by our IT team; they have the responsibility of deploying and updating security tools, and as it turns out security tools can be a pain to install, therefore they use taskkill a lot. However, before excluding the three privileged accounts from my hunt, I checked that these accounts were monitored and controlled through other detections that we have in place, so if their accounts ever did become compromised we would know about it elsewhere. Then once this detection is tuned and the alerting is in place, I pass it to the red team, who kindly test if the detection works. In this case we just get our red team to run taskkill on their machine and kill off one of our security tools, and if the detection does work it would appear on the dashboard, which you can see there. This is a very helpful process, as we actually know whether our detection works or whether we need to go back and tune it again so it comes back with the right information.

Then, as Seth has already mentioned, it is important to record all of this in an incident tracker, even if it is a false positive, so other members of the team know what I've been up to and they can maybe use the existing tools or detection to develop it further. Within the security ticket I would start by referencing the MITRE ATT&CK technique I've been working on, and then along with the technique number our next step would be to write the potential impacts on our company, mention what detection is currently in place, and then any mitigation steps that we may need to take if our company was ever to be affected by this technique. When the detection gets to a stage where it is only firing true positives, I would create a playbook for our SOC analysts, so that again they will know how to contain, eradicate and recover against this technique.

To summarize my experience using the MITRE ATT&CK framework: I think it's been a great experience. It has sped up my hunting, it allowed me to plan out what I should be hunting for, and by us mapping data sources to our tools I know where I'm heading to. As I am relatively new to this cybersecurity industry, it has increased my knowledge and skills in common attack types and it showed me how I can detect and prevent against certain techniques. Whilst I could stand here and list many benefits of using MITRE ATT&CK, I think it's important for you to know how long it's taken me to get here. Our team did form about a year ago, and to gain an understanding of how each different detection works and how to detect them has probably taken me at least four to six months. I think it's important to try and find the baseline data of your company, so that you understand any false positives, and then adapt each technique to make sure that we have the best detection, monitoring and response available to these potential attacks. Thank you all for listening to my run-through, and now I'll pass you back to Seth, who will mention a few final tips.

OK, so three is the magic number still, and I've already said it: add the technique number to your incident tickets. It

helps you prioritize, it helps you understand which ones you need to look at more, automate, and get into a known-known true positive for the SOC to be able to respond to. And prioritize the twenty techniques. Katie Nickels from MITRE and Brian Beyer, I think it is, from Red Canary did a talk back in January where they did the top twenty MITRE techniques they're seeing used, at MITRE and at Red Canary. They were different, because they've got different customers, different infrastructure and different organizations; there are a few similarities, but they weren't necessarily at the same level within those top twenty. So I just took that as a starter for ten, well, starter for 20 even, and focused in on those 20. It will really help you. Do not try and eat the whole whale in one go; do not do all 217, do not try and do it. We failed, you will. Narrow down to the top 20 and then keep those 20 up to date as the business changes and the attacks change; reprioritize which techniques you're going to focus on.

Automate the detection of the techniques. I get bored very easily; I don't want to do the same thing again and again and again, I want to look at new stuff all the time. Automate it, get it into the SOC. If you can automate the protection, prevention, remediation, automate it, just get it out of your hair; don't redo stuff all the time. Those are kind of my three tips. Anything else? As Abby said, come and find us after the talk and we'll go through more if you want any information. It's free, go and have a look at attack.mitre.org. Thank you very much. [Applause]

Does anyone have any questions? Yes.

[Audience question] You said you've got a red team that you pass stuff off to, internally. How much are you worried that they just test your existing hypothesis? Do you ever bring in external red teamers, without giving them any information about what you've done, to do an attack path and see if you detect it, or do you rely just on your internal team?

Yes, so we use internal and external red teams. We also have some automated testing as well. So yes, we do.

[Audience question] Just really quickly, do you ever look into the detail of the unknown unknowns, so these sorts of abnormalities around things that are just a bit odd, a bit weird, something is not right? And if you do, can you actually apply that to MITRE?

Absolutely. MITRE isn't every technique that can be used. The point is, if we're looking at as wide a range as possible of the MITRE techniques: these are the most common techniques. The APT groups out there, a lot of them, almost all of them, have been mapped into those techniques. They might use zero days, they might use new techniques that haven't been documented anywhere before, but at some point they will have to fulfil that tactic. The chances are they might use a zero day to get into your business, but then they'll live off the land, so we'll be looking at their activity. That could be administrator activity, it could be malicious; we're always trying to find it. You might not find them at the first stage and we might not find them in the middle, but we should find something in there if we keep looking at as much of the ATT&CK framework, as many of the techniques, as possible. Any more? No. Thank you very much, cheers. [Applause]
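Editor's added example, not part of the talk: the prioritization scheme Seth describes (technique prevalence from the incident tracker, a penalty for techniques hunted in the last 30 days, data-source coverage from the data-source-to-tool mapping, and threat-intel group overlap) reduced to a scoring function. The catalogue, tool mapping, incidents, hunt log and intel groups are all constructed sample data; the weights are assumptions chosen to illustrate the ordering, and the fictitious groups are not the ones Abby hunted. Techniques with no covered data source at all (the firmware/BIOS case) are returned as gaps for security engineering instead of being ranked.

```python
"""Rank ATT&CK techniques for a hunting backlog from three inputs described in
the talk: prevalence in the incident tracker (penalised when hunted in the last
30 days), data-source coverage, and threat-intel group overlap. Techniques with
no covered data source are reported as gaps. All inputs are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    data_sources: frozenset


# Constructed catalogue: IDs, names and data-source labels follow the 2019-era
# ATT&CK matrix the talk refers to, but only six techniques are included.
CATALOG = {t.tid: t for t in (
    Technique("T1086", "PowerShell", frozenset({
        "PowerShell logs", "Process monitoring", "Process command-line parameters"})),
    Technique("T1089", "Disabling Security Tools", frozenset({
        "Process command-line parameters", "Process monitoring", "Anti-virus",
        "Windows Registry"})),
    Technique("T1027", "Obfuscated Files or Information", frozenset({
        "Process command-line parameters", "Process monitoring", "Binary file metadata"})),
    Technique("T1003", "Credential Dumping", frozenset({
        "API monitoring", "Process monitoring", "PowerShell logs",
        "Process command-line parameters"})),
    Technique("T1021", "Remote Services", frozenset({
        "Authentication logs", "Netflow/Enclave netflow"})),
    Technique("T1019", "System Firmware", frozenset({"BIOS", "EFI", "API monitoring"})),
)}
# Constructed data-source -> tool mapping. Anything absent here is a gap.
DATA_SOURCE_COVERAGE = {
    "Process monitoring": "EDR", "Process command-line parameters": "EDR",
    "PowerShell logs": "Sysmon/WEF", "Anti-virus": "AV console",
    "Authentication logs": "Domain controllers", "Netflow/Enclave netflow": "Proxy/firewall",
}
# Constructed incident-tracker tickets tagged with technique IDs.
INCIDENTS = {"INC-0001": ["T1086", "T1027"], "INC-0002": ["T1086"],
             "INC-0003": ["T1003"], "INC-0004": ["T1086", "T1021"]}
TODAY = date(2019, 7, 1)
# Constructed hunt log: when each technique was last hunted.
HUNT_LOG = {"T1086": TODAY - timedelta(days=10), "T1003": TODAY - timedelta(days=45)}
# Constructed threat-intel feed: fictitious groups -> techniques they use.
INTEL_GROUPS = {"group-a": ["T1086", "T1089", "T1027"],
                "group-b": ["T1089", "T1027", "T1021"],
                "group-c": ["T1089", "T1003"]}

PREVALENCE_WEIGHT = 3.0    # per incident the technique was tagged in (assumed weight)
INTEL_WEIGHT = 2.0         # per intel group known to use it (assumed weight)
MULTI_GROUP_BONUS = 2.0    # extra when two or more groups use it (assumed weight)
COVERAGE_WEIGHT = 2.0      # scaled by the fraction of its data sources we have
RECENT_HUNT_FACTOR = 0.25  # applied when hunted within recent_days, unless pinned


@dataclass(frozen=True)
class Ranked:
    tid: str
    name: str
    score: float
    prevalence: int
    groups: int
    coverage: float


def data_source_demand(catalog):
    """Techniques answered per data source (the 'process monitoring is in 149
    techniques' view), so the most valuable mappings get done first."""
    return Counter(ds for t in catalog.values() for ds in t.data_sources)


def prioritize(catalog, coverage_map, incidents, hunt_log, intel_groups, today,
               recent_days=30, pinned=frozenset()):
    """Return (ranked techniques, sorted gap technique IDs)."""
    prevalence = Counter(tid for tids in incidents.values() for tid in set(tids))
    group_count = Counter(tid for tids in intel_groups.values() for tid in set(tids))
    ranked, gaps = [], []
    for tech in catalog.values():
        covered = [ds for ds in tech.data_sources if ds in coverage_map]
        if not covered:  # no data source at all: an engineering gap, not a hunt
            gaps.append(tech.tid)
            continue
        cov = len(covered) / len(tech.data_sources)
        groups = group_count[tech.tid]
        score = (PREVALENCE_WEIGHT * prevalence[tech.tid]
                 + INTEL_WEIGHT * groups
                 + (MULTI_GROUP_BONUS if groups >= 2 else 0.0)
                 + COVERAGE_WEIGHT * cov)
        last = hunt_log.get(tech.tid)
        if last is not None and (today - last).days <= recent_days and tech.tid not in pinned:
            score *= RECENT_HUNT_FACTOR  # looked at recently: push it down the list
        ranked.append(Ranked(tech.tid, tech.name, round(score, 2),
                             prevalence[tech.tid], groups, round(cov, 2)))
    ranked.sort(key=lambda r: (-r.score, r.tid))
    return ranked, sorted(gaps)


if __name__ == "__main__":
    top, gaps = prioritize(CATALOG, DATA_SOURCE_COVERAGE, INCIDENTS, HUNT_LOG,
                           INTEL_GROUPS, TODAY)
    for r in top:
        print(f"{r.tid} {r.name:<34} score={r.score:>5} prev={r.prevalence} "
              f"groups={r.groups} coverage={r.coverage}")
    print("gaps for security engineering:", gaps)
    print("busiest data sources:", data_source_demand(CATALOG).most_common(3))
```

With this data Disabling Security Tools rises to second place despite never appearing in the tracker, because three intel groups use it and its data sources are mostly covered, while PowerShell drops to the bottom only because it was hunted ten days ago; passing `pinned={"T1086"}` removes that penalty, which is the "unless I prioritize them for other reasons" override. System Firmware is never scored because none of its data sources map to a tool, which is exactly the gap to hand to security engineering.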
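Editor's added example, not part of the talk: Abby's taskkill detection rebuilt over command-line telemetry, including the tuning step that excludes the deployment accounts. Her script was PowerShell against an EDR's API and is not shown on the page, so this is a stand-alone Python version over constructed events. It goes a little beyond the talk by also catching PowerShell `Stop-Process -Name`, and it deliberately does not alert on `taskkill /PID`, since resolving a PID to an image needs process-tree data the command line alone does not carry. Tool names, account names and hosts are all constructed.

```python
"""Detect security tools being killed via taskkill or Stop-Process from
command-line events, with an allowlist for tuned-out deployment accounts.
All tool names, accounts and events are constructed sample data."""
import re
from dataclasses import dataclass

# Constructed list of security-tool image names (without .exe); yours will differ.
SECURITY_TOOLS = frozenset({"msmpeng", "edrsensor", "sysmon", "sysmon64"})
# Constructed: the deployment accounts tuned out of this hunt. Only exclude
# accounts that other detections (e.g. anomalous logon monitoring) already cover.
DEPLOYMENT_ACCOUNTS = frozenset({"corp\\svc-deploy01", "corp\\svc-deploy02"})

# Constructed command-line events as an EDR might export them.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-1042", "user": "CORP\\jdoe",
     "cmd": "taskkill /F /IM msmpeng.exe"},
    {"id": 2, "host": "WS-0007", "user": "CORP\\svc-deploy01",
     "cmd": "taskkill.exe /im edrsensor.exe /f"},
    {"id": 3, "host": "WS-1042", "user": "CORP\\jdoe",
     "cmd": "taskkill /IM notepad.exe"},
    {"id": 4, "host": "SRV-DB01", "user": "CORP\\asmith",
     "cmd": 'powershell -c "Stop-Process -Name sysmon64 -Force"'},
    {"id": 5, "host": "WS-0008", "user": "CORP\\svc-deploy02",
     "cmd": "taskkill /F /IM sysmon.exe"},
    {"id": 6, "host": "WS-2201", "user": "CORP\\jdoe",
     "cmd": "taskkill /PID 4321 /F"},
    {"id": 7, "host": "WS-2202", "user": "CORP\\bwong",
     "cmd": 'C:\\Windows\\System32\\taskkill.exe /F /IM "MsMpEng.exe"'},
]

_TASKKILL_IM = re.compile(r'[/-]im\s+"?([^\s"]+)"?', re.I)
_STOP_PROCESS = re.compile(r"stop-process\b(?P<args>[^|;]*)", re.I)
_PS_NAME = re.compile(r"-name\s+(?P<names>[^\s]+(?:\s*,\s*[^\s]+)*)", re.I)


def _norm(name):
    """Lower-case, strip quotes and a trailing .exe so both tools compare alike."""
    name = name.strip().strip("\"'").lower()
    return name[:-4] if name.endswith(".exe") else name


def kill_targets(cmd):
    """Return (method, [image names], forced) for a process-kill command line,
    or None when the line does not name an image (e.g. taskkill /PID)."""
    tokens = cmd.lower().split()
    is_taskkill = any(t.strip('"').rsplit("\\", 1)[-1] in ("taskkill", "taskkill.exe")
                      for t in tokens)
    if is_taskkill:
        names = [_norm(n) for n in _TASKKILL_IM.findall(cmd)]
        forced = any(t in ("/f", "-f") for t in tokens)
        return ("taskkill", names, forced) if names else None
    m = _STOP_PROCESS.search(cmd)
    if m:
        nm = _PS_NAME.search(m.group("args"))
        names = [_norm(n) for n in nm.group("names").split(",")] if nm else []
        forced = "-force" in m.group("args").lower()
        return ("Stop-Process", names, forced) if names else None
    return None


@dataclass(frozen=True)
class Alert:
    event_id: int
    host: str
    user: str
    method: str
    tool: str
    forced: bool


@dataclass
class Result:
    alerts: list
    suppressed: int  # hits from allowlisted accounts, kept as a tuning metric


def detect(events, security_tools=SECURITY_TOOLS, allowlist=DEPLOYMENT_ACCOUNTS):
    """Alert on any security tool named in a kill command, except when run by an
    allowlisted account (counted, not silently dropped)."""
    alerts, suppressed = [], 0
    for ev in events:
        parsed = kill_targets(ev["cmd"])
        if parsed is None:
            continue
        method, names, forced = parsed
        hits = [n for n in names if n in security_tools]
        if not hits:
            continue
        if ev["user"].lower() in allowlist:
            suppressed += 1
            continue
        for tool in hits:
            alerts.append(Alert(ev["id"], ev["host"], ev["user"], method, tool, forced))
    return Result(alerts, suppressed)


if __name__ == "__main__":
    res = detect(SAMPLE_EVENTS)
    for a in res.alerts:
        print(f"event {a.event_id}: {a.user}@{a.host} used {a.method} on {a.tool}"
              f"{' (forced)' if a.forced else ''}")
    print(f"suppressed by account allowlist: {res.suppressed}")
```

Running it over the constructed events raises three alerts (the `/PID` kill and the notepad kill are ignored) and counts two suppressed hits from the deployment accounts; keeping that count visible is what lets you notice if an allowlisted account suddenly starts killing tools on hosts it never deploys to. The red-team check from the talk is simply event 7: a tester killing one tool from an ordinary account should appear on the dashboard, and the test below asserts it does.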