Presentation title slide - 42 pt Times New Roman, White · .govCAR began in April 2017 and...

1 CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY .govCAR .gov Cybersecurity Architecture Review March 26 2019


Page 1: Title slide

CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY

.govCAR: .gov Cybersecurity Architecture Review

March 26 2019

Page 2: About: Cyber Architectural Review

The CAR methodology provides:
• Threat-based assessment of cyber capabilities.
• A look at the problem of cyber security the way an adversary does.
• Directly identifies where mitigations can be applied for the best defense against all phases of a cyber-attack.
• Enhances cybersecurity by analyzing capabilities against the current cyber threats to highlight gaps, and identify and prioritize areas for future investments.

Page 3: DoDCAR

The Department of Defense Cybersecurity Analysis and Review (DoDCAR) was created by the DoD CIO, NSA, and DISA in June of 2015 to analyze the existing architecture and proposed changes and make recommendations.
• Developed a threat-based methodology that provided a single evaluation framework across the full scope (holistic) of the DoD Architecture, including the DoD boundary and individual services and agencies.
• Architectural recommendations used to drive budget (POM) and programmatic changes.

Page 4: .govCAR

.govCAR began in April 2017 and leverages the same methodology and is part of the DoDCAR community.

Goal: Inform DHS’s approach to assisting Departments and Agencies with insight and knowledge to make prioritized cybersecurity investment decisions across the .gov environment.
• Create a threat-based security architecture review that provides an end-to-end holistic assessment that is composed of capabilities provided by DHS or the individual Departments and Agencies.
• Create a common framework to discuss and assess cybersecurity architectural choices:
  • For a shared Federal IT Infrastructure
  • To inform DHS’s approach for its capabilities
  • To enable Departments and Agencies to make threat-based risk decisions
• Be transparent and traceable

Page 5: .govCAR: Move to Stronger Risk Management

Progression toward stronger risk management, as laid out on the slide:
• Compliance: risk determination based on checklist
• Cyber Hygiene: risk determination based on automated asset and account management
• Risk determination based on performance-based measures
• Threat-based Approach: .govCAR

Page 6: Utilizing .govCAR

• Determine if my current cyber security capabilities are protecting me against threats, by evaluating:
  • architectures of architectures (layered architecture)
  • enterprise architectures and capabilities (vendor-independent descriptions of building blocks, e.g., firewall)
  • security stack architectures and capabilities
• If not, where are the gaps / unwanted duplications?
• Support investment direction and decisions
• Can evaluate people, policy and process capabilities, but has been primarily used for technology (materiel) evaluation

Page 7: Impact of .govCAR

• Have provided actionable recommendations, backed by extensive data and analysis, for targeting cybersecurity investments on department and agency networks, and for DHS services.
• Provided input for decision-making and revectoring on CDM and TIC RA v3.
• Cybersecurity Threat Framework mentioned in OMB report: Federal Cybersecurity Risk Determination Report and Action Plan.
• Special tasking to determine if there is a clear security distinction for DHS between using a single or multi-tenant deployment model for MS Office 365.
• Director for Network Security Deployment at DHS signed out a memo directing the NCPS and CDM programs to incorporate the current .govCAR recommendations into the planning and delivery of evolving capabilities (August 2018).
• Newly formed CISA CTO using .govCAR results to drive technology investigations.

Page 8: .govCAR Methodology

[Figure: methodology overview diagram; its boxes are labelled Sections 2 & 3, Section 4, Section 5, Section 6 and Section 7.]

Page 9: SPINs to date

• SPIN 1: NCPS, TIC
• SPIN 2: D/A Endpoint
• SPIN 3: IaaS, SaaS
• SPIN 4: D/A Data Center
• SPIN 5: Mobile

Page 10: Spin 1-5 Architecture View

[Figure: architecture view diagram showing SPIN 1 (NCPS + TIC), SPIN 2 (D/A Endpoint), SPIN 3 (+ Cloud), SPIN 4 (+ Data Center) and SPIN 5 (+ Mobile).]

Page 11: Architectural Layers and Capabilities

Layers: Groupings of Capabilities at logical and/or physical locations in the Architecture that generally represent boundaries between segments of the Architecture.

Capabilities: Architecture capabilities have one or more features that are described in a generic nature (i.e., not a specific product, but generally included in products in that category) and in sufficient detail to allow scoring for P/D/R (Protect/Detect/Respond) against threat actions.

Page 12: Data Flows: Data Center example

[Figure: Data Center data-flow diagram drawn across the Architectural Layers.]

Flows represent avenues of approach or attack paths for the adversary.

Page 13: Cyber Threat Framework

[Figure: Threat Framework v2.0 chart (marked UNCLASSIFIED//FOR OFFICIAL USE ONLY). .govCAR 2.0 is based on NSA 2.0.]

Initial Sources: NSA Threat Operations Center’s (NTOC) Adversary Lifecycle Analysis (ALA); Lockheed Martin’s Cyber Kill Chain; and MITRE’s Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK).

Definitions:
• STAGES: The progression of cyber threats over time to achieve objectives.
• OBJECTIVES: The purpose of conducting an action or series of actions.
• ACTIONS: Actions and associated resources used by a threat actor to satisfy an objective. The set of threat actions requires counteraction by Protect / Detect / Respond.

Stages and phases: Pre-Event (Phase 0 - Administer, Phase 1 - Prepare) → Get In (Phase 2 - Engage) → Stay In (Phase 3 - Propagate) → Act (Phase 4 - Effect). Execution and Command & Control (C2) are shown as spanning Phases 1-4.

Objectives (chart columns, left to right), with the number of threat actions listed under each:
• Intent/Resource Development (1)
• Reconnaissance/Staging (5)
• Weaponization (1)
• Delivery (23)
• Initial Compromise/Exploitation (9)
• Installation (4)
• Persistence (18)
• Privilege Escalation (13)
• Defense Evasion (21)
• Credential Access (7)
• Host Enumeration/Internal Reconnaissance (11)
• Lateral Movement (11)
• Execution (12)
• Command & Control (C2) (15)
• Monitor (Observation)/Exfiltration (17)
• Alter/Deceive… (9)

Each column of the chart lists that objective's threat actions. The first row, one action per objective in the column order above, reads: Intent/Resource Development; Crawling Internet Websites; Add Exploits to Application Data Files; Spear-phishing Emails w/ Attachments; Targets Application Vulnerability; Writing to Disk; Legitimate Credentials; Legitimate Credentials; Legitimate Credentials; Credential Dumping; Account Enumeration; Application Deployment Software; Command Line; Commonly used port; Automated or Scripted Exfiltration; Distributed Denial of Service (DDOS).

Page 14: .govCAR Scoring Sheet

[Figure: govCAR Mitigation Draft Scoring Sheet, shown with callouts.]

Layout of the sheet (one row per capability, grouped by layer; one Protect / Detect / Respond score per threat action):

Layer    Capability                       Threat Action Y (P / D / R)   Threat Action Z (P / D / R)   Is Enhancement   % Scoring Complete
Layer1   A, Description, Rationale        M / M / S                     None / None / L
Layer2   B, Description, Rationale        N/A / N/A / N/A               L / L / L                                      0%
         B (Enhancement), Description,    N/A / N/A / N/A               M / M / M                                      0%
         Rationale

Above each threat action column the sheet gives its Stage, Objective, Threat Action name and Threat Action Description (e.g., "P/D has some allowed paths. All actions are logged" and "Threat action is permitted but logged. Logs only persist 1 week"). The Rationale cell records why a score was given (e.g., "only covers one possible vector"; "coverage include additional but not all vectors"). The sheet's own instruction text is cut off in the extraction: "To create new Capabilities, select the entire row of an".

Callouts on the slide:
• Threat ‘Actions’ from the Framework
• Security Capabilities for as-implemented, as-funded, and as-recommended architecture configurations
• Logical Groupings of Capabilities by Tier
• SME Scoring: Significant / Moderate / Limited
• NIST Cybersecurity Framework Mitigation Functions (Protect, Detect, Respond)

Page 15: Analysis: Understand the threat -- Make informed risk decisions

• Security Capability Coverage (Protect, Detect, Respond)
• Threat Action Heat Map (Observed Adversary Actions)
• Observed Actions + Lack of Coverage = Gaps to be Addressed

[Figure: two copies of the Threat Framework v2.0 chart with the same stages, phases and objectives as on Page 13. The first is the Threat Action Heat Map, shaded according to the legend High priority / Mid Priority / Low Priority; the second is the Security Capability Coverage chart, shaded according to the legend Full Coverage / Partial Coverage / No Coverage. Initial Sources as on Page 13: NSA Threat Operations Center’s (NTOC) Adversary Lifecycle Analysis (ALA); Lockheed Martin’s Cyber Kill Chain; and MITRE’s ATT&CK.]

Page 16: .govCAR Provides Ability to:

• Assess current cyber security capabilities for effectiveness against threats and gaps, and the efficacy of the current investment strategy
• Evaluate multi-layer complex security architectures:
  • architecture based on vendor-neutral capabilities
  • security stack (defense in depth) architectures
  • people, policy and process (non-materiel) capabilities
• Support investment direction and decisions, especially at the portfolio level

.govCAR does not:
• Evaluate vendor-specific implementations of a capability
• Provide mission-based / cyber key terrain-based analysis (no impact analysis)
• Delineate detailed implementation tradeoffs

Page 17: Threat Coverage, Prioritization, & Gap ID

PDR: Protect, Detect, Respond. SME: Subject Matter Expert.

Capability Mitigation Scoring (based on SME assessment). The slide shows an excerpt of the scoring sheet for the Enterprise Perimeter (IAP) layer, Stage: Get In (Engage; Access), Objective: Delivery, with three threat actions scored for the architecture as implemented. Scores: S = Significant, M = Moderate, L = Limited, N/A = not applicable.

Capability                                          | Spear-phishing Emails w/ attachments | Websites        | Removable Media (i.e. USB)
                                                    | P    D    R                          | P    D    R     | P    D    R
Strategic Sensor                                    | N/A  S    N/A                        | N/A  M    N/A   | N/A  N/A  N/A
ECOS (Trickler)                                     | L    N/A  M                          | N/A  L    N/A   | M    L    N/A
Web Content Filter                                  | L    N/A  N/A                        | N/A  M    N/A   | M    S    N/A
NGFW (url reputation)                               | L    N/A  N/A                        | N/A  L    N/A   | N/A  N/A  N/A
IPS                                                 | N/A  N/A  M                          | N/A  N/A  N/A   | N/A  S    N/A
ZND Web                                             | N/A  N/A  N/A                        | L    S    N/A   | N/A  L    N/A
ZND Mail                                            | S    N/A  L                          | S    N/A  N/A   | M    L    N/A
EEMSG                                               | N/A  N/A  N/A                        | N/A  N/A  N/A   | N/A  N/A  M
ECOS (NETFLOW)                                      | N/A  N/A  N/A                        | S    N/A  N/A   | N/A  N/A  N/A
ECOS (Packet Capture)                               | N/A  N/A  L                          | L    S    N/A   | M    L    S
SSL Proxy/Inspection                                | N/A  N/A  M                          | N/A  N/A  N/A   | N/A  S    N/A
ECOS (IDS)                                          | N/A  N/A  N/A                        | N/A  N/A  S     | L    M    N/A
DDoS Detection/Mitigation internal                  | S    N/A  N/A                        | N/A  L    N/A   | N/A  N/A  N/A
DDoS Detection/Mitigation external                  | M    N/A  N/A                        | N/A  N/A  N/A   | N/A  N/A  N/A
ACLs and Whitelist                                  | N/A  M    N/A                        | N/A  L    N/A   | N/A  M    N/A
SDN                                                 | N/A  N/A  M                          | N/A  N/A  N/A   | N/A  S    N/A
DNS Proxy and Recursive Services                    | N/A  M    N/A                        | L    L    M     | N/A  N/A  M
Enterprise Remote Access                            | N/A  N/A  N/A                        | N/A  N/A  N/A   | N/A  N/A  N/A
Cloud: IPS                                          | N/A  L    N/A                        | N/A  S    N/A   | L    N/A  N/A
Cloud: NGFW                                         | N/A  N/A  N/A                        | N/A  N/A  N/A   | N/A  N/A  N/A
Cloud: PCAP                                         | N/A  S    M                          | N/A  N/A  N/A   | N/A  N/A  N/A
Cloud: FWD Proxy                                    | N/A  S    L                          | L    N/A  N/A   | N/A  N/A  N/A
Cloud: Premise Router/ MeetMe                       | M    L    N/A                        | N/A  N/A  L     | N/A  L    M
Cyber SA: Security Event Management (as is)         | N/A  N/A  N/A                        | L    L    N/A   | N/A  N/A  L
Cyber SA: Security Event Management (as planned)    | N/A  N/A  L                          | S    N/A  N/A   | S    N/A  N/A
Cyber SA: Big Data Fusion Analytics (as is)         | N/A  L    N/A                        | M    N/A  N/A   | N/A  M    N/A
Cyber SA: Big Data Fusion Analytics (as planned)    | N/A  N/A  L                          | N/A  N/A  N/A   | N/A  N/A  N/A
Cyber SA: Continuous Security Monitoring            | N/A  N/A  M                          | N/A  M    S     | L    N/A  N/A
Cyber SA: DCO/Analyst Collaboration (as is)         | S    N/A  N/A                        | N/A  N/A  N/A   | N/A  M    M
Cyber SA: DCO/Analyst Collaboration (as planned)    | N/A  N/A  L                          | N/A  N/A  M     | M    N/A  N/A

[Figure: Threat Framework V1.1 chart (marked U//FOUO) with stages Administer, Stage 1 - Prepare, Stage 2 - Engage, Stage 3 - Propagate, Stage 4 - Effect and Stage 1-4, and the same objectives as on Page 13. This V1.1 chart carries additional platform-specific threat actions not present in the v2.0 chart, such as PowerShell, Pass the Hash, Pass the Ticket, Bypass UAC, DLL Injection, DLL Side Loading, Registry Run Keys (Startup Folder addition), Windows Management Instrumentation, Rundll32, AppInit DLLs, Winlogon Helper DLL and Windows Admin Shares (C$, ADMIN$). Initial Sources as on Page 13: NSA Threat Operations Center’s (NTOC) Adversary Lifecycle Analysis (ALA); Lockheed Martin’s Cyber Kill Chain; and MITRE’s ATT&CK.]

Annotations on the slide:
• Threat Action Heat Map – Structures Prioritization (based on actual intel threat data)
• Security Capability Coverage – effectiveness for PDR
• Priority Gap in PDR
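The analysis step that Page 15 states as "Observed Actions + Lack of Coverage = Gaps to be Addressed", worked over the Delivery rows of the draft scoring sheet on Page 17, as an added Python example that is not part of the CISA deck or of any .govCAR tool. It assumes an aggregation rule the slides do not spell out (a layer's coverage of a threat action is the strongest single capability score, ranked N/A < L < M < S), assumes the legend thresholds S = Full Coverage, M or L = Partial Coverage, N/A = No Coverage, and uses constructed High / Mid / Low heat-map priorities for the three threat actions. The capability rows are transcribed from the slide's sheet.

```python
"""Coverage roll-up and gap ranking over a .govCAR-style scoring sheet.

Added example, not CISA's or .govCAR's own code. Assumptions are marked below.
"""

# Ordinal ranking of SME scores: N/A < L (Limited) < M (Moderate) < S (Significant)
SCORE_RANK = {"N/A": 0, "L": 1, "M": 2, "S": 3}
FUNCTIONS = ("Protect", "Detect", "Respond")
PRIORITY_RANK = {"High": 3, "Mid": 2, "Low": 1}

# Threat actions under the Delivery objective, in the slide's column order.
THREAT_ACTIONS = (
    "Spear-phishing Emails w/ attachments",
    "Websites",
    "Removable Media (i.e. USB)",
)

# Rows transcribed from the slide's draft sheet (Enterprise Perimeter layer,
# as implemented): capability -> one (Protect, Detect, Respond) triple per threat action.
SCORING_SHEET = {
    "Strategic Sensor":      (("N/A", "S", "N/A"),   ("N/A", "M", "N/A"),   ("N/A", "N/A", "N/A")),
    "ECOS (Trickler)":       (("L", "N/A", "M"),     ("N/A", "L", "N/A"),   ("M", "L", "N/A")),
    "Web Content Filter":    (("L", "N/A", "N/A"),   ("N/A", "M", "N/A"),   ("M", "S", "N/A")),
    "IPS":                   (("N/A", "N/A", "M"),   ("N/A", "N/A", "N/A"), ("N/A", "S", "N/A")),
    "ZND Web":               (("N/A", "N/A", "N/A"), ("L", "S", "N/A"),     ("N/A", "L", "N/A")),
    "ZND Mail":              (("S", "N/A", "L"),     ("S", "N/A", "N/A"),   ("M", "L", "N/A")),
    "EEMSG":                 (("N/A", "N/A", "N/A"), ("N/A", "N/A", "N/A"), ("N/A", "N/A", "M")),
    "ECOS (Packet Capture)": (("N/A", "N/A", "L"),   ("L", "S", "N/A"),     ("M", "L", "S")),
}

# Constructed heat-map priorities (legend values High / Mid / Low); not taken from the deck.
HEAT_MAP = {
    "Spear-phishing Emails w/ attachments": "High",
    "Websites": "Mid",
    "Removable Media (i.e. USB)": "Low",
}


def best_score(scores):
    """Strongest SME score among several capabilities.

    Assumption: a layer's coverage of a threat action is its best single
    capability score (the slides do not state the roll-up rule).
    """
    return max(scores, key=lambda s: SCORE_RANK[s])


def layer_coverage(sheet, actions=THREAT_ACTIONS):
    """Return {threat action: {function: best score}} across every capability in the sheet."""
    coverage = {}
    for i, action in enumerate(actions):
        coverage[action] = {}
        for j, function in enumerate(FUNCTIONS):
            coverage[action][function] = best_score([row[i][j] for row in sheet.values()])
    return coverage


def coverage_class(score):
    """Map a rolled-up score onto the slide's legend (assumed thresholds)."""
    if score == "S":
        return "Full Coverage"
    if score in ("M", "L"):
        return "Partial Coverage"
    return "No Coverage"


def rank_gaps(coverage, heat_map):
    """Observed actions + lack of coverage = gaps.

    Every (action, function) that is not fully covered is a gap; gaps are
    ordered by heat-map priority first, then by weakest coverage.
    """
    gaps = []
    for action, per_function in coverage.items():
        for function, score in per_function.items():
            if coverage_class(score) == "Full Coverage":
                continue
            gaps.append((action, function, heat_map[action], score))
    gaps.sort(key=lambda g: (-PRIORITY_RANK[g[2]], SCORE_RANK[g[3]], g[0], g[1]))
    return gaps


if __name__ == "__main__":
    cov = layer_coverage(SCORING_SHEET)
    for action, fns in cov.items():
        print(action, {f: f"{s} ({coverage_class(s)})" for f, s in fns.items()})
    print("Ranked gaps:")
    for gap in rank_gaps(cov, HEAT_MAP):
        print(" | ".join(gap))
```

Running the module prints the rolled-up Protect / Detect / Respond coverage for each of the three Delivery threat actions and then the ranked gap list; in this excerpt the only gap at High priority is Respond for spear-phishing attachments, which is the kind of finding the deck labels a priority gap in PDR. A stricter roll-up (for example requiring two independent capabilities before calling coverage Full) is a change to best_score alone; the ranking is unaffected.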

Page 18: Top Recommendations from Spins 1-4

Page 19: