Detecting The Adversary Post-compromise With Threat Models And Behavioral Analytics (PDF)

Pages: 33
Release year: 2016
File size: 7.98 MB
Language: English

Preview: Detecting The Adversary Post-compromise With Threat Models And Behavioral Analytics

Slide 1: Detecting The Adversary Post-compromise With Threat Models And Behavioral Analytics
Michael Kemmerer, MITRE
Copyright © 2016 Splunk Inc.
Portions of this technical data were produced for the U.S. Government under Contract No. W15P7T-13-C-A802, and are subject to the Rights in Technical Data-Noncommercial Items clause at DFARS 252.227-7013 (FEB 2012). © 2015 The MITRE Corporation. All rights reserved. For Public Release.

Slide 2: Two Projects, One Goal
- Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™)
- The Fort Meade eXperiment (FMX)
"146 days: the median time an adversary is in a network before being detected." (Mandiant, M-Trends 2016)

Slide 3: Cyber Attack Lifecycle
Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain.
Traditional CND covers the phases left of exploit; ATT&CK / FMX covers the phases right of exploit.

Slide 4: Threat Based Modeling
ATT&CK: cyber threat analysis, adversary model, prioritization, post-compromise techniques.
FMX: data sources, analytics, research, industry reports.
Both are centered on adversary behavior.

Slide 5: ATT&CK: Deconstructing the Lifecycle
Tactics: Persistence, Privilege Escalation, Credential Access, Host Enumeration, Defense Evasion, Lateral Movement, Execution, Command and Control, Exfiltration. Additional tactics coming soon.
- Threat data informed adversary model
- Higher fidelity on right-of-exploit, post-access phases
- Describes behavior sans adversary tools

Slide 6: The ATT&CK Model
Consists of:
1. Tactic phases derived from the Cyber Attack Lifecycle
2. List of techniques available to adversaries for each phase
3. Possible methods of detection and mitigation
4. Documented adversary use of techniques
Publicly available adversary information is a problem:
- Not granular enough
- Insufficient volume
(Image source: www.mrpotatohead.net. Mr. Potato Head is a registered trademark of Hasbro Inc.)

Slide 7: Example of Technique Details: Persistence, New Windows Service
- Description: When Windows starts, it also starts programs called services. A service's configuration information, including the service's executable, is stored in the registry. Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
- Platform: Windows
- Permissions required: Administrator, SYSTEM
- Effective permissions: SYSTEM
- Use: Part of initial infection vector or used during operation to locally or remotely execute persistent malware. May be used for privilege escalation.
- Detection: Monitor new service creation. Look for out of the ordinary service names and activity that does not correlate with known-good software, patches, etc. New services may show up as outlier processes that have not been seen before when compared against historical data.
- Data Sources: Windows Registry, process monitoring
Information on threat actors and tools coming soon.

Slide 8: ATT&CK Matrix™ Tactics and Techniques (updated figure coming soon)
Persistence: Legitimate Credentials; Accessibility Features; AddMonitor; DLL Search Order Hijack; Edit Default File Handlers; New Service; Path Interception; Scheduled Task; Service File Permission Weakness; Shortcut Modification; Web shell; BIOS; Hypervisor Rootkit; Logon Scripts; Master Boot Record; Mod. Exist'g Service; Registry Run Keys; Service Reg. Perm. Weakness; Windows Mgmt Instr. Event Subsc.; Winlogon Helper DLL
Privilege Escalation: Legitimate Credentials; Accessibility Features; AddMonitor; DLL Search Order Hijack; Edit Default File Handlers; New Service; Path Interception; Scheduled Task; Service File Permission Weakness; Web shell; Bypass UAC; DLL Injection; Exploitation of Vulnerability; Service Reg. Perm. Weakness
Defense Evasion: Binary Padding; DLL Side-Loading; Disabling Security Tools; File System Logical Offsets; Process Hollowing; Rootkit; Indicator blocking on host; Indicator removal from tools; Indicator removal from host; Masquerading; NTFS Extended Attributes; Obfuscated Payload; Rundll32; Scripting; Software Packing; Timestomp
Credential Access: Credential Dumping; Credentials in Files; Network Sniffing; User Interaction; Credential manipulation
Host Enumeration: Account enumeration; File system enumeration; Group permission enumeration; Local network connection enumeration; Local networking enumeration; Operating system enumeration; Owner/User enumeration; Process enumeration; Security software enumeration; Service enumeration; Window enumeration
Lateral Movement: Application deployment software; Exploitation of Vulnerability; Logon scripts; Pass the hash; Pass the ticket; Peer connections; Remote Desktop Protocol; Remote Services; Replication through removable media; Shared webroot; Taint shared content; Windows admin shares; Windows remote management
Execution: Command Line; File Access; PowerShell; Process Hollowing; Registry; Rundll32; Scheduled Task; Service Manipulation; Third Party Software; Windows management instrumentation; Windows remote management
C2: Commonly used port; Comm through removable media; Custom application layer protocol; Custom encryption cipher; Data obfuscation; Fallback channels; Multiband comm; Multilayer encryption; Peer connections; Standard app layer protocol; Standard non-app layer protocol; Standard encryption cipher; Uncommonly used port
Exfiltration: Automated or scripted exfiltration; Data compressed; Data encrypted; Data size limits; Data staged; Exfil over C2 channel; Exfil over alternate channel to C2 network; Exfil over other network medium; Exfil over physical medium; From local system; From network resource; From removable media; Scheduled transfer

Slide 9: Use Cases
- Gap analysis with current defenses
- Prioritize detection/mitigation of heavily used techniques
- Information sharing
- Track a specific adversary's set of techniques
- Simulations, exercises
- New technologies, research
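The "New Windows Service" detection guidance above (monitor service creation, compare against historical data, flag out-of-the-ordinary names) as a small baseline-versus-new analytic. This is an added example, not code from the deck, Splunk or MITRE; the key=value record layout, host names and paths are constructed, modelled loosely on Windows System log Event ID 7045.

```python
import re

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"); the key=value layout is our own.
HISTORY = """\
host=ws01 event=7045 name=Spooler path="C:\\Windows\\System32\\spoolsv.exe"
host=ws01 event=7045 name=WinDefend path="C:\\Program Files\\Windows Defender\\MsMpEng.exe"
host=ws02 event=7045 name=Spooler path="C:\\Windows\\System32\\spoolsv.exe"
"""
NEW = """\
host=ws03 event=7045 name=Spooler path="C:\\Windows\\System32\\spoolsv.exe"
host=ws03 event=7045 name=xkq3wZ path="C:\\Users\\Public\\update.exe"
host=ws03 event=7045 name=WinDefend path="C:\\Users\\alice\\AppData\\Local\\Temp\\msmpeng.exe"
"""
LINE_RE = re.compile(r'host=(\S+) event=(\d+) name=(\S+) path="([^"]+)"')
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse(log):
    """Yield (host, service name, lowercased binary path) for each 7045 record."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "7045":
            yield m.group(1), m.group(3), m.group(4).lower()

def build_baseline(log):
    """Map each historically seen service name to the binary paths it ran from."""
    baseline = {}
    for _host, name, path in parse(log):
        baseline.setdefault(name, set()).add(path)
    return baseline

def looks_random(name):
    """Crude outlier heuristic for names: contains digits and has at most one vowel."""
    return bool(re.search(r"\d", name)) and len(re.findall(r"[aeiou]", name.lower())) <= 1

def detect(log, baseline):
    """Return (host, name, path, reason) for installs that deviate from the baseline."""
    alerts = []
    for host, name, path in parse(log):
        reasons = []
        if name not in baseline:
            reasons.append("service name never seen before")
            if looks_random(name):
                reasons.append("name looks machine-generated")
        elif path not in baseline[name]:
            reasons.append("known service name but new binary path")
        if reasons and not path.startswith(TRUSTED_DIRS):
            reasons.append("binary outside standard program directories")
        if reasons:
            alerts.append((host, name, path, "; ".join(reasons)))
    return alerts
```

Running `detect(NEW, build_baseline(HISTORY))` leaves the familiar Spooler install alone and raises two alerts: the unseen, random-looking name under C:\Users\Public, and a known name (WinDefend) now pointing at a binary in a user's Temp directory.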
