Transcript of SESSION ID: AIR-R02 MITRE ATT&CK - THE SEQUEL
#RSAC
SESSION ID: AIR-R02
MITRE ATT&CK - THE SEQUEL
Freddy Dezeure, CEO, [email protected]
Rich Struse, Director, Center for Threat-Informed Defense, MITRE, [email protected]
The Sequel
– Presentation builds on our RSA2019 MITRE ATT&CK presentation
– Our goal is to provide real hands-on guidance
– Everything was built in cooperation with Munich Airport
Agenda
Identify – Protect – Detect – Update – Share
Our Enterprise Is A Financial Service
We process money for our clients
Our main risks:
– Financial loss
– Business continuity
– Brand damage
– GDPR
Our infrastructure is well protected (we think)
We want to perform threat-informed defense
Our Infrastructure
Diagram: “Win10”, “Win11”
Our Infrastructure
Created in Detection Lab
– Installed from GitHub
– + One additional host
– + Squid proxy
– + Caldera
We populated the logfiles with normal user behavior
We executed our scenario and made screenshots
Identify
Our Assets, Our Infrastructure, Our Main Adversaries And Their TTPs
Identify Our Adversaries’ Objectives And Behavior
Identify our adversaries of interest
– Open source and commercial threat intelligence
– ISACs/ISAOs
– NCCIC/CERTs
Identify which tactics/techniques they use
– ATT&CK Navigator
Diagram: Our Adversaries – Our Systems – Our Assets (Motives, Targets)
Our Main Adversaries
Cross-sector: targeted ransomware – Emotet, followed by Trickbot, followed by Ryuk/LockerGoga…
Sectoral: Fin7, Cobalt Group
Diagram: Our Adversaries – Our Systems – Our Assets (TTPs)
#RSAC
We Built And Used A Realistic Exploit
17
Word lure document with PowerShell macro connecting to api.ipify.org to grab external ip of our infrastructure and vizualize it
Protect
Design And Validate Our Critical Controls
Design Our Controls
Diagram: Adversaries – Security Controls – Assets (Spear Phishing, PowerShell)
Mitigations For T1086 PowerShell
Mitigation Guidance From The Community
Implemented In Our Enterprise Environment
With FW policy: “Win11”
Without FW policy: “Win10”
Validate Our Controls In Our Lab
Diagram: Adversaries – Security Controls – Assets (Spear Phishing, PowerShell)
Screenshot of the lure document
Result Of The Execution Of The Macro
Visibility In Our Environment
Screenshot of Splunk logs (Sysmon and proxy) on “Win10” (without FW rule)
Test Our Controls
Diagram: Adversaries – Security Controls – Assets (Spear Phishing, PowerShell)
CALDERA – MITRE Open Source Research Project
Automated adversary emulation
– Safely replicate realistic adversary behavior
– Repeatable testing and verification of prevention/detection
Features
– Uses ATT&CK to create adversary profiles
– Uses AI and modeling to make decisions about actions
– Self-cleans after operation completes
– Low install overhead
– Does not require extensive red team knowledge to operate
Outcome Of Caldera With T1086 In Our Infrastructure
Outcome On “Win11” (Protected With FW Policy)
Detect
Design And Validate Our Analytics
Design Our Detection
Gain visibility
– Priorities in log collection
Design analytics
– Write them with knowledge of our adversaries
– Get them from the community
Deploy
– Detect / Hunt / Refine
SIGMA: A Language for Analytics
https://github.com/Neo23x0/sigma
SIGMA Community Rules Repository
Detecting Windows command line executable spawned from Microsoft Office
Detection With SIGMA Rules
Splunk alerts detecting PowerShell spawned from Word
Detection With SIGMA Rules (2)
Splunk alert detecting PowerShell communicating outside
Alert on “Win10” (without FW rule)
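The two alerts shown on these slides, as an added example that is not from the presentation or from the Sigma project: both Sigma-style detections are evaluated in Python over constructed Sysmon-style events (process creation, Event ID 1, and network connection, Event ID 3). Rule names, sample paths, host names and the TEST-NET destination address are assumptions made for the example.

```python
# Sigma-style detections run over constructed Sysmon-like events (added example).
# Rule A: command-line host spawned by a Microsoft Office process (Sysmon Event ID 1).
# Rule B: PowerShell connecting to an address outside the internal ranges (Event ID 3).
import ipaddress

OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe")
SHELL_CHILDREN = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe",
                  "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# Address space treated as "inside"; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def image_matches(path, suffixes):
    """Case-insensitive match on the image file name, like Sigma's |endswith."""
    return path.lower().endswith(suffixes)

def is_external(ip_text):
    """True for a valid IP address that falls outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def office_spawned_shell(ev):
    """Rule A: Event ID 1 with an Office parent and a command-line host child."""
    return (ev.get("EventID") == 1
            and image_matches(ev.get("ParentImage", ""), OFFICE_PARENTS)
            and image_matches(ev.get("Image", ""), SHELL_CHILDREN))

def powershell_external_connection(ev):
    """Rule B: Event ID 3 from a PowerShell image to an external destination."""
    return (ev.get("EventID") == 3
            and image_matches(ev.get("Image", ""), POWERSHELL_IMAGES)
            and is_external(ev.get("DestinationIp", "")))

RULES = {"office_spawned_shell": office_spawned_shell,
         "powershell_external_connection": powershell_external_connection}

def evaluate(events):
    """Return (rule_name, Computer) for every event that matches a rule."""
    return [(name, ev.get("Computer"))
            for ev in events for name, rule in RULES.items() if rule(ev)]

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; 203.0.113.10 (TEST-NET-3) stands in for a real
# external destination such as the deck's api.ipify.org.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "win10", "ParentImage": WORD, "Image": PS},
    {"EventID": 3, "Computer": "win10", "Image": PS, "DestinationIp": "203.0.113.10"},
    # Benign: user-launched shell, internal connection, Office print helper.
    {"EventID": 1, "Computer": "win11", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS},
    {"EventID": 3, "Computer": "win11", "Image": PS, "DestinationIp": "10.0.0.5"},
    {"EventID": 1, "Computer": "win10", "ParentImage": WORD, "Image": r"C:\Windows\splwow64.exe"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one hit per rule, both on “win10”, matching the deck's observation that only the host without the firewall rule produced the outbound-connection alert.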
Detection With SIGMA Rules – Building Alerts (3)
Splunk alerts built with identified SIGMA rules
Critical alert on “Win10” (without FW rule)
Alerts Triggered By Running Caldera With T1086
All alerts are on “Win10” (without FW rule)
Update
Update on ATT&CK Developments
ATT&CK for ICS, Cloud and more
Subtechniques
Threat Report ATT&CK Mapper (TRAM)
MITRE ENGENUITY
Share
Contribute To The Community
Share Insights And Contribute
The MITRE ATT&CK community is very active
Sharing TTPs/SIGMA rules is easier and more useful than IOCs
– Contribute to MITRE ATT&CK: [email protected]
– Contribute to SIGMA: https://github.com/Neo23x0/sigma/tree/master/rules
Participate in the community
– MITRE ATT&CKcon
– EU ATT&CK User Community
EU ATT&CK User Community
Mailing list: opt in? -> email to [email protected]
Workshop in Brussels 18-19 May 2020
The biggest ATT&CK event ever…
“Apply” Slide
Next week you should:
– Consider Windows Firewall policy to mitigate PowerShell techniques
In the first three months following this presentation you should:
– Identify your adversaries
– Identify and deploy at least three use cases in your organization
Within six months you should:
– Permeate your cyber defense using ATT&CK
– Share your insights in the SIGMA community
Resources And Acknowledgements
– ATT&CK repository and ATT&CK Navigator
– How to use the MITRE ATT&CK Navigator
– PREVENT Legitimate Windows Executables To Be Used To Gain Initial Foothold In Your Infrastructure (@dmargaritis)
– SIGMA and SIGMA rule collection (Thomas Patzke, Florian Roth)
– CALDERA
– EU ATT&CK Community Workshop 18-19 May 2020
– Munich Airport Information Security Hub
– Center for Threat-Informed Defense
– Detection Lab