
Using MITRE ATT&CK to Detect the Techniques Used by Adversaries (Wykorzystanie ATT&CK MITRE do wykrywania technik stosowanych)

BSides Warsaw · 2018 · 45:19 · 1.1K views · Published 2018-10 · Watch on YouTube ↗

Transcript [en]

Thank you for the nice introduction. I would like to welcome everyone to my presentation about the MITRE ATT&CK framework, which is a knowledge base for learning about the techniques used by adversaries. My name is Jacek Rymudza and I have been working in security for 10 years, mainly on the defensive side. This presentation was already given at the Security BSides conference. Has anyone been there? OK, there are a few people. However, this version will be extended, so I hope those people will not get bored. OK, what will I talk about? At the very beginning I will briefly introduce how to build an organization's threat intelligence. This is something I mentioned two years ago. To get back to the

topic of the framework, we need to talk about the MITRE ATT&CK framework. Next, I will talk about MITRE ATT&CK, present example use cases and tell you how to monitor the security of our organizations. A few words about threat hunting and about the organization ISC2 Chapter Poland, which I represent. I will invite you all to join our community, both as participants and as speakers. I will tell you about it at the end. As I said, 10 years in security. I would like to start the presentation with a quote by a Chinese thinker who once said that in order to win a battle you need to know yourself, but not only yourself,

but also your opponent. This is the MITRE ATT&CK framework, which is focused on the behavior of cyber criminals, to find the traces of their presence in our organizations, in our networks. Threat Intelligence. I'm sure you all know what Threat Intelligence is. A brief summary: it is knowledge about the motives, methods of action and procedures used by adversaries. Very often threat intelligence is equated with IOCs. However, this is not true. IOCs are part of threat intelligence, but when it comes to the process of building threat knowledge, they are only one section. In short, how can we approach the development of threat intelligence in an organization? First, we need to determine the criticality of resources. Which resources are critical

for us? If it is a financial company, then of course the loss of money matters. If we design aircraft, then there is intellectual property. Each sector, each company has its own risks. They should be defined not only at the level of cybersecurity and risk analysis, but also confirmed by the company's strategy, i.e. by the CEO. Then you have to think about how to identify the adversaries. Is the adversary a cybercriminal who wants to get money? Does he want to get intellectual property? Does he want to deface us, change the page, make fun of us? IOC management. This is an element that every person who works in security is collecting feeds

for. The most important thing in this case is to collect these feeds in a reasonable way, so that they are updated properly. Because IOC parameters change frequently, a reliable source of IOCs is very important for proper security incident detection. We are trying to automate the use of intelligence in security systems. To avoid doing it manually, we automate it; many security boxes have this built in at the moment. Another stage of threat intelligence is the community. Of course, we also need to gain knowledge about cybercrime activities from the security community. We are talking about various analyses and research. The MITRE ATT&CK platform, the framework I will talk about, uses the knowledge that was presented

and published by researchers. Updating the knowledge base. Incidents that seem to be false positives at this point may, in a few months, turn out to be just small parts of an APT attack that is in our organization. So it is worth having a platform to manage your knowledge in one place. It may be a platform like MISP, which was mentioned yesterday. It may be another platform, but it is worth documenting our incidents and our analyses so that it is easier to find various types of artifacts. In the future we will do our own research, here we are talking about threat hunting, the various advanced analyses we perform apart from standard security monitoring,

underground monitoring, or other discussion forums. It may not be often, but it happens that an announcement of the purchase of a database appears on the Internet. So, by following the Internet properly, you can find out that someone wants to buy a database from your company. And then the problem begins. Which one? How? Do we monitor this company at all? I don't wish it on anyone, but it's worth checking. I'm not saying that there are only new things on the Internet; you can find news about malware. Cooperation with companies specializing in this field. Of course, if you are a large organization and your own threat intel is not enough for you, you should cooperate with various CERTs,

institutions that specialize in this field, which provide additional feeds, additional information. This is how threat intel looks in an organization. The goal of threat intel is to learn about the groups of adversaries, their tactics, techniques and procedures, in order to detect a security threat quickly. Does anyone know Bianco's pyramid, the Pyramid of Pain? No one? Okay, Tomek knows it. The Pyramid of Pain is a pyramid that tells us how easy it is for an intruder to hide, or in other words, how much effort an attacker must put in to remain unrecognized by our security systems. Yes, that too. You can also say that. You are right, Tom, you are right. Of course, let's go from the very bottom. The hash value is trivial to evade.

Adding some insignificant payload code, a zero byte, to the file... Yes, adding a single bit or byte produces a completely new hash. So relying on hash-based IOCs makes monitoring trivial to bypass for cyber security teams. IP addresses are changed regularly by attackers: VPNs, Tor, etc. A weak idea. Domain names are similar. User agents, various artifacts related to the network, such as user agents, are also easy to change. However, if we know which tools are used by attackers, and we see their traces, we are able to recognize them through our systems, our systems can detect them, our response team sees the use of the relevant tools, then we are

very good. However, if we know the techniques, tactics and procedures, then we are great. And this is what we are striving for; this is the goal that MITRE set itself when it created the ATT&CK framework. Let's move on to the defensive side. What is the MITRE ATT&CK framework methodology? It is a collection of information about threats and the actions of cyber criminals. They use different tools and methods, and they have defined mechanisms of action for breaking the security of our organizations. This knowledge was built on public documents, and it is a great knowledge base for every person who is engaged in defense. Of course, this framework also helps in the analysis and assessment of the security of our organizations, our security

systems, SOCs, etc. What else does it allow? Of course, it reduces the time to detection. The average time to detect an APT attack is about 150 days. Imagine that someone is sitting in a company for 150 days and how much information they can extract. The goal of this framework is to shorten that time by applying control points, monitoring the infrastructure for things that can indicate that something suspicious is happening in our environment. As I mentioned, the goal is to protect against advanced targeted attacks. The idea of MITRE ATT&CK is based on behavior and focuses on what happened after the attack, so on what actually changed on the target station, and it concentrates around endpoints. MITRE has prepared frameworks for operating systems: Linux, Windows, Mac. I

will also mention that they have prepared a framework for hardware, where we can model threats from the OT area. Okay, let's go a bit further. On the left side we have a version of the kill chain. MITRE ATT&CK operates on the last three points, and these three points are divided into groups. These are the so-called tactics: persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, execution, collection, exfiltration, command and control. Such steps are performed by the attacker to get into our organization and get data. And around these there is a list of techniques, which are later used to test the security of our endpoints. I will briefly say a few words about each of these tactics.

Initial access, of course, covers phishing. There are several types of phishing. Yesterday I presented a few phishing topics, so I won't go into details here. This is the first stage: to phish and get into the structure of the organization. A false email with a malicious link, etc. Execution is a set of techniques used to perform local or remote operations on the machine. Another part is persistence. It is related to maintaining access to this environment. The next stage is privilege escalation. Once we are inside, we want to take as much access as possible. We inject something, we try to turn off defenses (defense evasion), we try to turn off antiviruses, all kinds of antiviruses,

firewalls and other devices that we have. We also have credential access, so various kinds of manipulation of accounts: creating a new account, adding an account to highly privileged groups, etc. These are all the operations we do. We also search for (discovery) the accounts and hosts that can be useful for further escalation of the attack. We move (lateral movement) to the next hosts, to the next infrastructure elements that we broke into, for example to the domain controller to get more information. The next step is to collect this data. Exfiltration: we send this data outside the company. And then there is command and control, taking care to keep access to the environment. Of course, only a fragment is visible here, because these lists of

techniques are cut off here. There are over 200 techniques, so only a part of them are here. This is a very atomic approach to monitoring security. So, okay, a few words. What does it look like? How is it described by MITRE? An example of a technique. What does it look like? There is a description of the technique, what it does, what its attributes are, what the requirements are. A very important thing: what data sources should be monitored in order to be able to recognize it. Whether we have an EDR, Sysmon, Windows log monitoring, or an appropriate audit. We have to determine all this at the level of whether we will be able to see that something is happening. MITRE also developed examples

of attacks. So, there are references to which crime groups used this technique and how. How can we protect ourselves: mitigation. There is a literal description of detection. These are a few words that can be found there. For each detection, you can build several or even dozens of use cases to detect such a situation, such a threat in the organization. This is a field for everyone who deals with security to design such systems, such threat detection analytics, to effectively detect the techniques used by adversaries. Of course, the next step is mitigation, i.e. providing automatic blocking of threats in the form of new security systems that can counteract such threats, in fact the techniques used, a

specific technique. In MITRE ATT&CK the adversaries are written down. It is a very large body of knowledge. If someone doesn't know what APT32 is, etc., they can read it all in one place. Here I've put a comparison slide of two crime groups: APT28 and Deep Panda. Do you know who is connected to the 28th? Yes, it's the party of the Democrats. It's a group that is connected to the Russian government. It's about the US elections. Deep Panda is a criminal group from China that attacks various kinds of telecommunications companies, financial companies, healthcare companies. Based on this chart, we can see what techniques were used by one criminal group. The blue line is the APT28 group.

The yellow color is Deep Panda, while where the two groups use the same technique it is green. You can see that a lot of these techniques are repeated. If we added other crime groups here, it would turn out that covering certain points causes almost... we can see traces of their activity. Of course, we need to remember that these are atomic operations being monitored here, so the execution of PowerShell or some other administrative tool does not mean that it is something malicious. Here you have to correlate in time, correlate these individual techniques to get the context. Of course, a few words about it. In order for us to be able to detect it, we have to

monitor, we have to have logs, we have to have the sources that will be used to do this, to have data sources that will allow us to monitor these techniques. Of course, it is ideal to have an EDR system, some kind of endpoint detection and response, which is able to detect some things behaviorally. However, as we know, attackers are able to bypass every system, and besides, it can be turned off. So what data sources are needed for monitoring? Windows logs. I focused on Windows here, but of course the same applies to other systems, such as Linux. Various sensors, such as File Integrity Monitoring, which can detect changes on the PCs, are very useful when

analyzing incidents. Various tools that monitor autoruns. Flows, antivirus systems, EDR, all that is installed on the endpoint. Or some internal HIPS, firewalls on the endpoint. We need all of these things. Of course, here, at each technique, it is written what the recommendations are to find a specific adversary. Let's move on to some use cases. I have prepared a few simple ones, but it's about visualizing the approach. This one concerns domain generation algorithms and the first phase before the attack, but it can also be command and control. A friend of mine has just sent me research by a company that made a set of regexes to detect DGA. Based on the regex set, we can detect a significant percentage

of real randomly generated domains, which are used by attackers. An interesting approach, so I wanted to mention it here. Maybe this information will be useful to someone. Another use case is service execution, for example monitoring of the PsExec tool. This is one of the techniques in ATT&CK, from the execution tactic. Generally, monitoring of PsExec... Does anyone monitor PsExec? Generally speaking, these are atomic things, but you can try to approach it. However, the very execution of PsExec without any other context can generate a lot of false positives. You can try to do some kind of whitelisting for computers, etc. However, you have to be aware that there can

be a lot of false positives. When verifying our organization at the threat hunting level, we should know more or less who is doing what and when such processes are being executed, etc. Another case is privilege escalation. Such information is available in ATT&CK, i.e. the description of the tactics, because one technique can be used in many tactics. So it can be available for many tactics. Which platforms are the most vulnerable to this threat? What are the required permissions? What use cases can be detected? Of course, the sharing of accounts, one user logging into multiple machines and vice versa. Such standard use cases that are monitored in every SIEM: logging in after working hours, logging in after a worker has left the company, someone who is

in the company but has not logged in, yet someone logs in to his domain account and does not connect through VPN. So there are various correlations on accounts, strange situations, anomalies. This is what each of you who is engaged in defense is probably detecting now. As you can see, there is only one technique, and there are many possibilities of discovery. Using service or administrative accounts can be suspicious. Another case of privilege escalation: if someone works in a SOC, people from the SOC know these events by heart. It is worth monitoring event 4672, which indicates a logon with special, elevated privileges. What can indicate that something bad is happening? If we correlate it

with the start of a process, we can detect some actions. Of course, we can also use the hash from Sysmon, so we can correlate with VirusTotal or some other source of knowledge. In short, this is another example of disabling defenses, security tools. You can turn off the firewall in Windows. You can detect it with event 5025. You can also monitor the registry for the firewall being switched off. But you have to remember that there are many security systems. We get this information from Windows logs, but we also have the shutdown of various types of third-party applications, where you have to think about the processes, how to scale them, whether to link it to

some known hashes of the given application and monitor it at the endpoint level, to detect, for example, the shutdown of a specific process. Manipulating logs, clearing logs, is a standard case. Attackers also use different tricks, such as filling the log buffer. The buffer is filled so that the log is no longer written on the Windows system, even at the endpoint. If these logs are sent to a SIEM, then the information will be there. However, it is easier to generate an error that will overwrite the Windows log so that the next information is not added to it. At this point we can detect various kinds of events, for example 1104, the Windows security log being full. Several such

cases are detected using systems of the SIEM class or log management class. How to detect temporary privileges: adding a user to a highly privileged group and then removing him? With Splunk you can do it with a nested search. In the specified time range, you monitor the occurrence of two events: adding a user to the Domain Admins group, and removing this user. It's a simple case, but it can already indicate a threat, or a control point that should light up when such a situation is detected. Another thing is brute force attacks. These attacks are detected by every company in every possible way. But this is also one of the techniques. As we can see, some techniques are

easy to detect with MITRE ATT&CK. However, some of them are very complicated. And the appearance of a single artifact, a single event, a single alert does not mean that it is an incident. You need to be able to correlate them in time, according to the relevant attributes, to have the situational context of what happened. For example, the administrative tools used by administrators for daily work are used by almost all criminal groups. If we monitor, if we create traps or various rules that detect individual occurrences of such a situation, we will have a lot of false positives. Correlation with other elements will result in a higher risk score in the context of a given activity, a given IP, user, etc. One of

the research groups, I don't know if it's a research group, but one of the firms prepared a paper assigning appropriate Windows events and information about systems that should be monitored in the context of detecting specific techniques. The list is quite long, because there are many techniques, but at the bottom there is a link and at the very end there is a reference to this document, so that if someone is interested, they can use this knowledge while building their own use cases. Let's move on to tools, because there are many tools that help in security testing. One of them is Atomic Red Team, another is APT Simulator, Caldera and many others. I will show you the results of

the first two open source tools. Of course, Atomic Red Team is open source; MITRE ATT&CK is not. There is documentation for each technique; it describes exactly what the technique does, so to speak, a copy of the ATT&CK technique description. Additionally, there is information on how to test it in the environment: for example, to emulate a certain technique, you should run such a command in the command line, and it generates the appropriate event. The SOC team should detect that something has happened, or the security system should block it. Here you can see that the log has been deleted, so we can do it manually. There are also tools like APT Simulator, which does it automatically. You

can choose categories, that is, the tactic used by the attacker, and run such an automated tool on a sample endpoint from our organization to see what happened, whether the team saw that something was happening, whether there were any alerts. You can also select zero and start all tactics at once. But with this mode it is 100% sure that the security team will detect anomalies. During this test we can see that Windows Defender or the firewall noticed something suspicious. One of the security systems even blocked something. The goal of MITRE ATT&CK here is to check the effectiveness of our security systems and also to check the possibility of detecting individual threats. And so, in the context of the tests, we can

check whether our antivirus blocked the given activity, whether our EDR or the log monitoring system was able to detect a certain technique that was prepared by MITRE. OK, now, finally, the maturity level. To measure the level of maturity, we need to have a reference point. Of course, MITRE ATT&CK is a hardcore version of monitoring the level of maturity and organization security, because it is a very detailed approach, an atomic approach to individual control points. There are a lot of control points, so it takes a lot of effort to do it right. So, as in life, it always starts with the critical things. It always starts with the most painful things in the company. And those should be addressed first. It's hard to see, I'm sorry,

I'll tell you what I mean. The MITRE organization has also prepared a way to measure the level of organization maturity. Of course, we can mark it ourselves. In short, we mark in green the techniques covered by our security team. So, the ones we know, we know that we can detect them, the SOC team knows how to react, and so on. In yellow we indicate the ones that are partially detected. Some cases are detected, some techniques are detected, some are not. We have something done in this area. The red ones are all the ones that have not been addressed at all. We have no idea how to detect them, we do nothing with them. Of course, depending on the risk analysis and approach of each organization, we

should concentrate on which strategy to adopt, what tools we need to cover these techniques, or how to improve the defensive monitoring of the systems we use to monitor security. This is a very useful tool. Of course, as I mentioned before, there are many of these levels, so it takes a lot of work to get to the point. There are also other frameworks for monitoring cybersecurity, such as CIS Controls. At the end of the presentation I added a link to the mapping of techniques in the ATT&CK framework to CIS Controls, in case someone uses CIS Controls. In short, it is 20 control points that are used by an organization to measure security in particular areas. This is to measure the level of

maturity, at what level the company is.

OK, a few words about threat hunting. We monitor various anomalies. If MITRE ATT&CK is too difficult at the beginning, we can use it as an element of threat hunting. We should search for things that we monitor, i.e. all anomalies, various non-typical things, and then build use cases from them to automatically detect threats. This is the essence of threat hunting. And very often the approach to ATT&CK is related to threat hunting. I mentioned at the beginning that there is a framework for industrial systems. And that is also the case. In one presentation it is shown which techniques were used by Stuxnet. They are colored in red. However, how do you build

a threat model in industrial systems? I encourage anyone interested in this topic to read the presentation. There is also a link to the presentation in the references. It is very eye-opening, especially now that more and more people are talking about monitoring SCADA systems, and there is good material for simulating and modeling the threats to these systems. I think the useful links can help you get to know this topic. Now I will move on to the end of my presentation. I would like to say a few words about the Association of Information Security Experts and ISC2 Chapter Poland. What are we doing? Does anyone have a CISSP? Is there anyone

with a CISSP in the room? There are quite a few people. Do you know how many CISSPs there are? How many? At this moment there are 509. It is not that many, so this certificate should be very respected in our country. In the US it is over 80,000, but there are not many CISSPs in our country. However, to come to our meetings... we have monthly meetings. But we are a chapter. We are a chapter. Ah, okay. The last two meetings were about anti-fraud, right. So, in short, we invite everyone to participate in our meetings, whether as a listener or as a presenter. We will definitely find some time. We have meetings on Thursdays at 6 p.m. once a month. What projects are we working on? We

talked a lot about awareness during yesterday's panel. We have an awareness training course. We have it translated into Polish, because we received the materials from the company that cooperates with ISC2. They said that if you translate it into Polish, you can benefit from it. We did it for seniors, because that's what we were recommended, because everyone is now doing education for children. We were advised to start with seniors, but we will also have workshops for older and younger children. If anyone would like to participate in such projects, we invite you. We also have a project called Meduza, a platform for Red Team and Blue Team. It is a coordinated project. If we get a suitable university in Italy, we

will get a grant for it. This is a big topic, so we are waiting for the decision of the European Commission. If someone wants to join this project, we invite them. We also participate in various debates, various opinions, documents. If you have any other ideas related to security, please contact us. As I said, 135 chapters in 405 countries, one chapter in Poland. I think that the meetings are very interesting and the discussions are lively. Information about the chapter can be found here on the website. Here is the page for our chapter, ISC2 Chapter Poland, here is LinkedIn, etc. And the next meeting is about machine learning, the one that the guys discussed yesterday, that it can be a threat, so we can

talk about it. As far as I know, an expert from Israel will come who will show us how cool it is, so I invite you to come. So, here, October 25th at 6 p.m. If someone is not a member of our association, we ask for registration by EWN. And then the forensics workshops on an open source platform, which Kacper Kulczycki will present. He will have them in November, November 22nd, I think. So, we invite you here. We invite you to join us. That's all from me. I don't know if there are any questions about the MITRE ATT&CK methodology or about the association. If there are any questions, please. There are no questions, it was a boring presentation. Thank you

very much.
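The detection use cases the speaker walks through (a user added to Domain Admins and removed again within a time window, event 4672 correlated with a following process start of an admin tool such as PsExec, log clearing, and stacking those atomic hits into a risk score instead of alerting on each one) as one worked example in Python. This is added code, not from the talk, from MITRE or from Splunk; the event IDs are the standard Windows Security log IDs, while the field names, the sample events, the tool list and the score weights are assumptions constructed for this example.

```python
"""Correlating Windows Security events into ATT&CK-style detections.

Added example, not code from the talk or from MITRE. Event IDs are the
standard Windows Security log IDs: 4728/4729 member added to / removed
from a security-enabled global group, 4672 special privileges assigned to
a new logon, 4688 new process created, 1102 audit log cleared, 1104
security log full. The field names, sample events, tool list and score
weights are assumptions constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs), times as ISO-8601 text.
SAMPLE_EVENTS = [
    {"time": "2018-10-10T21:02:00", "id": 4728, "host": "DC01", "subject": "jsmith",
     "member": "svc-backup", "group": "Domain Admins"},
    {"time": "2018-10-10T21:05:00", "id": 4672, "host": "WS17", "subject": "svc-backup"},
    {"time": "2018-10-10T21:05:30", "id": 4688, "host": "WS17", "subject": "svc-backup",
     "process": "C:\\Tools\\PsExec.exe"},
    {"time": "2018-10-10T21:06:00", "id": 4688, "host": "WS17", "subject": "svc-backup",
     "process": "C:\\Windows\\System32\\notepad.exe"},
    {"time": "2018-10-10T21:20:00", "id": 4729, "host": "DC01", "subject": "jsmith",
     "member": "svc-backup", "group": "Domain Admins"},
    {"time": "2018-10-10T21:21:00", "id": 1102, "host": "WS17", "subject": "svc-backup"},
    {"time": "2018-10-11T09:00:00", "id": 4728, "host": "DC01", "subject": "admin1",
     "member": "newadmin", "group": "Domain Admins"},
    {"time": "2018-10-11T09:30:00", "id": 4672, "host": "WS03", "subject": "admin1"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def temporary_group_membership(events, group="Domain Admins", window_minutes=60):
    """Account manipulation: a member added to `group` (4728) and removed
    again (4729) within the window. Returns (member, subject, added, removed)."""
    window = timedelta(minutes=window_minutes)
    pending = {}  # member -> the 4728 event still waiting for its 4729
    findings = []
    for e in sorted(events, key=_ts):
        if e.get("group") != group:
            continue
        if e["id"] == 4728:
            pending[e["member"]] = e
        elif e["id"] == 4729 and e["member"] in pending:
            added = pending.pop(e["member"])
            if _ts(e) - _ts(added) <= window:
                findings.append((e["member"], e["subject"], added["time"], e["time"]))
    return findings


def privileged_logon_then_tool(events, tools=("psexec.exe",), window_minutes=10):
    """A 4672 privileged logon followed within the window by a 4688 on the same
    host and subject whose image is an admin tool attackers reuse. Each half
    alone is routine admin noise; the pair in sequence is the signal."""
    window = timedelta(minutes=window_minutes)
    logons = []  # (host, subject, time) of every 4672 seen so far
    findings = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4672:
            logons.append((e["host"], e["subject"], _ts(e)))
        elif e["id"] == 4688:
            image = e["process"].rsplit("\\", 1)[-1].lower()
            if image not in tools:
                continue
            for host, subject, logon_time in logons:
                if ((host, subject) == (e["host"], e["subject"])
                        and timedelta(0) <= _ts(e) - logon_time <= window):
                    findings.append((host, subject, image, e["time"]))
                    break
    return findings


def log_tampering(events):
    """Defense evasion against the log itself: audit log cleared (1102) or
    the security log filled up (1104). Returns (host, subject or None, id, time)."""
    return [(e["host"], e.get("subject"), e["id"], e["time"])
            for e in sorted(events, key=_ts) if e["id"] in (1102, 1104)]


def risk_scores(events):
    """Stack the atomic findings per account into one risk score instead of
    alerting on each hit. The weights are arbitrary assumptions for the example."""
    scores = {}
    for member, _subject, _added, _removed in temporary_group_membership(events):
        scores[member] = scores.get(member, 0) + 3
    for _host, subject, _image, _time in privileged_logon_then_tool(events):
        scores[subject] = scores.get(subject, 0) + 2
    for _host, subject, _eid, _time in log_tampering(events):
        if subject is not None:  # 1104 carries no subject, only the host
            scores[subject] = scores.get(subject, 0) + 2
    return scores


if __name__ == "__main__":
    for account, score in sorted(risk_scores(SAMPLE_EVENTS).items()):
        print(f"{account}: risk {score}")
```

On the constructed sample only `svc-backup` scores, because it is the one account where the three atomic hits line up in time; `newadmin` is added to Domain Admins but never removed, and `admin1`'s 4672 has no tool start behind it, so neither generates a finding on its own, which is the point the talk makes about correlating single events rather than alerting on them.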