MITRE ATT&CK Cyber Threat Intelligence Certification

Resources

https://www.mitre.org/sites/default/files/publications/mitre-getting-started-with-attack-october-2019.pdf

What is Cyber Threat Intelligence

Threat intelligence is actionable knowledge and insight on adversaries and their malicious activities enabling defenders and their organizations to reduce harm through better security decision-making.

How ATT&CK can help

  • Use knowledge of adversary behaviors to inform defenders

  • Structuring threat intelligence with ATT&CK allows us to

    • Compare behaviors

      • Groups to each other

      • Groups over time

      • Groups to defenses

    • Communicate in a common language

Mapping to ATT&CK from Narrative Reports

  • Recognize the prerequisites to ATT&CK mapping

  • Understand the challenges and advantages of mapping to ATT&CK

  • Learn the ATT&CK process for mapping to narrative reporting

Challenges, Advantages, and the ATT&CK Mapping Process

Mapping to ATT&CK: Challenges and Advantages

  • Challenges

    • Mapping to ATT&CK requires a shift in thinking

    • The volume of ATT&CK techniques and sub-techniques can seem overwhelming

    • The "technical" detail of some ATT&CK techniques can seem complex

  • Advantages

    • Forces a shift in thinking about behaviors: from indicators

    • Allows opportunities to discover new adversary techniques

    • Facilitates enhanced learning of the "technical" side

ATT&CK Mapping Process

  1. Find the Behavior

  2. Research the Behavior

  3. Translate into a Tactic

  4. Identify Techniques or Sub-techniques

  5. Compare your Results to Other Analysts

1. Finding the Behavior

  1. Look for what the adversary or software does during the steps of the compromise

  2. Focus on pre-compromise, initial compromise and post-compromise details

    • Identify how the adversary gained initial access and how they moved through the compromise of the victim network / system

  3. Look for the "verbs" in the narrative reporting to identify adversary behavior, such as:

    • 'used e-mail attachments'

    • 'create scheduled task'

    • 'installed tools'

  4. Information that may not be useful for ATT&CK mapping are those that don't provide details about adversary behavior, such as:

    • Static malware analysis (hashes)

    • Infrastructure registration info (IP addr, etc.)

    • Stand-alone industry / victim targeting info

-- Example Report (Operation Doubletap) --

https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html

  • FireEye APT39 - Original Report

  • FireEye APT39 - Exercise

  • FireEye APT39 - Exercise Answers

The most interesting PDB string is the "4113.pdb," which appears to reference CVE-2014-4113. This CVE is a local kernel vulnerability that, with successful exploitation, would give any user SYSTEM access on the machine.

The malware component, test.exe, uses the Windows command "cmd.exe /C whoami" to verify it is running with the elevated privileges of "System" and creates persistence by creating the following scheduled task:

schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"

When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. The malware sends the SOCKS5 connection request "05 01 00" and verifies the server response starts with "05 00".
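The "05 01 00" / "05 00" bytes in the report are the SOCKS5 method negotiation from RFC 1928 (version 5, one offered method, method 0 = no authentication; server answers version 5, method 0). The following added example, which is not code from the Doubletap report or from MITRE, decodes that exchange so a defender can recognize a SOCKS5 handshake by its bytes rather than by the port it happens to use. The quoted greeting and reply are reproduced verbatim; the remaining sample inputs are constructed to exercise the error paths.

```python
"""Decode the SOCKS5 method negotiation (RFC 1928, section 3).

Added example, not code from the Doubletap report. The client greeting
05 01 00 and server reply 05 00 are the bytes quoted in the report; the
other inputs in the tests are constructed.
"""
SOCKS_VERSION = 0x05
AUTH_METHODS = {
    0x00: "NO AUTHENTICATION REQUIRED",
    0x01: "GSSAPI",
    0x02: "USERNAME/PASSWORD",
    0xFF: "NO ACCEPTABLE METHODS",
}


def parse_client_greeting(data: bytes) -> dict:
    """VER | NMETHODS | METHODS[NMETHODS] -> {'version', 'methods'}."""
    if len(data) < 2:
        raise ValueError("greeting too short")
    version, nmethods = data[0], data[1]
    if version != SOCKS_VERSION:
        raise ValueError(f"not SOCKS5 (version byte {version:#04x})")
    methods = data[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("method list truncated")
    return {
        "version": version,
        "methods": [AUTH_METHODS.get(m, f"unknown {m:#04x}") for m in methods],
    }


def parse_server_choice(data: bytes) -> dict:
    """VER | METHOD -> {'version', 'method'}."""
    if len(data) < 2:
        raise ValueError("server reply too short")
    version, method = data[0], data[1]
    if version != SOCKS_VERSION:
        raise ValueError(f"not SOCKS5 (version byte {version:#04x})")
    return {"version": version,
            "method": AUTH_METHODS.get(method, f"unknown {method:#04x}")}


def classify_handshake(client: bytes, server: bytes) -> str:
    """Short verdict a detection rule could act on, given the first bytes
    of each direction of a TCP stream."""
    try:
        greeting = parse_client_greeting(client)
        choice = parse_server_choice(server)
    except ValueError as exc:
        return f"not a SOCKS5 handshake: {exc}"
    if choice["method"] == "NO ACCEPTABLE METHODS":
        return "SOCKS5 negotiation refused by server"
    if choice["method"] not in greeting["methods"]:
        # RFC 1928: the server must pick one of the offered methods.
        return f"protocol violation: server chose {choice['method']} which client did not offer"
    if choice["method"] == "NO AUTHENTICATION REQUIRED":
        return "unauthenticated SOCKS5 proxy session established"
    return f"SOCKS5 session established using {choice['method']}"


if __name__ == "__main__":
    # The exchange quoted in the report.
    print(classify_handshake(bytes.fromhex("050100"), bytes.fromhex("0500")))
```

Because the check keys on the handshake bytes, it fires on a SOCKS5 session over TCP 1913 just as it would on 1080; the port only tells you what to research, the protocol bytes tell you what the behavior is.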

2. Research the Behavior

  • Perform additional research on unfamiliar adversary / software behaviors

    • Examine details about network protocols that were used including their OSI layer / capabilities, assigned port number, associated service, and any potential vulnerabilities that can be leveraged by adversaries, such as SMB

    • Collaborate with your own org (defenders / red teamers)

    • Leverage external resources

  • Understanding core behaviors helps with next steps and enhances analytic skills

Taking the example above: if you don't understand SOCKS, look into it using Google, Wikipedia, etc. Likewise, look up / research TCP port 1913 (armadp).

3. Translating the Behavior into a Tactic

  1. Understand the 14 Tactics and why they matter

  2. Practice identifying a behavior in narrative reporting

  3. Learn how to translate behaviors into Tactics

Tactics

  1. Reconnaissance: The adversary is trying to gather information they can use to plan future operations.

  2. Resource Development: The adversary is trying to establish resources they can use to support operations. (VPNs, domains, tools, etc.)

  3. Initial Access: Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network.

  4. Execution: Execution consists of techniques that result in adversary-controlled code running on a local or remote system. (buffer overflows, etc.)

  5. Persistence: Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed creds, and other interruptions that could cut off their access.

  6. Privilege Escalation: Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

  7. Defense Evasion: Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.

  8. Credential Access: Credential Access consists of techniques for stealing creds like account names and passwords.

  9. Discovery: Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.

  10. Lateral Movement: Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

  11. Collection: Collection consists of techniques adversaries may use to gather information and the sources info is collected from that are relevant to following through on the adversary's objectives.

  12. Command and Control: C2 consists of techniques that adversaries may use to communicate with systems under their control within a victim network.

  13. Exfiltration: Exfil consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption.

  14. Impact: Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

4. Identify What Technique & Sub Techniques Apply

  • Identifying the technique or sub-technique is often the most challenging step

    • Techniques and subs are not always easy to identify

    • Some techniques help facilitate more than one tactic, and this is reflected throughout ATT&CK

      • For example, Hijack Execution Flow: DLL Side-Loading [T1574.002] falls under Persistence, Privilege Escalation, Defense Evasion

  • Not every behavior is necessarily a technique or sub-technique

    • Not all adversary behaviors can or should be used as a basis for alerting or providing data to an analyst - not every behavior that can be mapped is malicious

      • Context is key: assessing the circumstances around the behavior can help identify whether it's malicious in nature (e.g., tools used by attackers that are not explicitly malicious, but their hostile usage is)

    • Not all possible techniques are documented, nor will they ever be.

Key Strategies

Strategy 1. Review the list of Techniques and Sub-techniques for the Tactic you previously identified

  • When figuring out what sub-techniques to apply to behaviors, leverage the same key strategies used for finding Techniques

  • Review the behavior for associated Tactic, assess the corresponding list of Techniques and Sub-techniques, or work through keyword searches/procedure level details

  • Level of Report Detail:

    • Sometimes it makes more sense to map the Technique first before moving to the Sub-techniques

    • Other times, based on the level of detail in the report, it might be simpler to identify the sub-technique immediately

Strategy 2. Search attack.mitre.org

  • Try keyword searches in the search bar

  • Use "Ctrl+F" keyword searches across the list of techniques

  • Details and Commands Strings

    • Try "procedure"-level detail

    • Try specific command strings

Example

  • Take adversary behaviors such as:

    • (1) 'used email attachments'

    • (2) 'create scheduled tasks'

    • (3) 'installed tools'

  • Use the ATT&CK search bar:

    • (1) Phishing: Spearphishing Attachment, Sub-technique T1566.001

    • (2) Scheduled Task/Job, T1053 (potential Sub-technique T1053.005)

    • (3) Ingress Tool Transfer, T1105

Strategy 3. Assess a few Group and Software pages to understand how ATT&CK performs technique analysis

Mapping to a Narrative Report

Exercise 1

  • Analyze a threat report using the ATT&CK mapping process to find the techniques and sub-techniques

    • 21 highlighted techniques and sub-techniques in the Cybereason Cobalt Kitty report

  • Use the PDF or a text document / piece of paper to record your results

  • Write down the ATT&CK tactic and technique or sub-technique you think applies to each behavior

  • Remember:

    • Do search bar and keyword searches of the ATT&CK website

    • You don't have to be perfect!

    • Use this as a chance to dive into ATT&CK

Cybereason Operation Cobalt Kitty - Exercise Hints

Exercise 1: Review

  1. What were the easiest and hardest techniques or sub-techniques to identify?

  2. How did you identify each technique or sub?

  3. What challenges did you have? How did you address them?

Exercise 1: Solution

Cybereason Operation Cobalt Kitty - Exercise Answers

Additional Exercise

  • FireEye APT39 - Original Report

  • FireEye APT39 - Exercise

  • FireEye APT39 - Exercise Answers

Hedging your Biases

  • Comparing your results to other analysts helps hedge against analyst biases

  • Be consistent in how you map and apply techniques: If other analysts can't review your mappings, ensure you're consistent in how you think of and apply a technique.

  • Skipping steps increases your bias, and it won't work every time.

Biases in ATT&CK Mapped Data

  • It is critical to recognize our biases in CTI

  • Two key types of bias in technique examples in ATT&CK

    • Bias introduced by us as consumers

    • Bias inherent in the sources we use

  • Understanding these biases is the crucial first step in effectively leveraging this data

Source Biases

Most behaviors in ATT&CK are drawn from Security Vendors:

  • 92% of the data comes from security vendors (IR)

  • 5% from Press Reports

  • 3% from Publicly available Govt Reports

Availability Bias:

  • Reporting and Attribution skewed towards the incident response data / specific behaviors each vendor sees regularly

  • Familiar behaviors vs ALL possible behaviors

Visibility Bias:

  • Data aligned with sensors vs ALL activity

Victim Bias:

  • Report development impacted by the interest the victim / target engenders, and how open they are to reporting

Novelty Bias:

  • Marketing and Level of Impact can motivate what type of reports are produced

  • APT10 - no reporting while they were operating on smaller fish, but got attention when they attacked Service Providers

Consumer Biases

  • Novelty Bias: Repetitive behaviors vs Exciting Emerging Threats

  • Availability Bias: Techniques we remember vs techniques we're not as familiar with

Strategies for Hedging Biases

  1. Collaborate and identify ways to mitigate biases. Diversity of thought makes for stronger teams

  2. Adjust & Calibrate your data sources. Understand how your data is possibly skewed

  3. Diverse Sources: Add different data sources (including your own). Best data is that you collected on your own

  4. Prioritize the Known over the unknown, as opposed to absolute comparison

Mapping to ATT&CK from Raw Data

Focuses on analyzing behaviors directly from source data. Uses the same ATT&CK Mapping Process as described earlier.

Challenges and Advantages from Raw Data

Challenges:

  • A more advanced level of knowledge may be required

  • You may need to review a lot more data that require different levels of expertise

  • Adversary intent and tactics may be more difficult to identify, and require additional sources

Advantages:

  • Likely more information available at the procedure level / more detail in the data

  • Not reinterpreting another analyst's prose / more insight into the behaviors

  • Facilitates enhanced learning of the "technical" side

Comparison of Raw Data and Narrative Reporting process

  1. Find the behavior

    • Raw Data: Nearly everything may be a behavior (not all are ATT&CK techniques)

    • Narrative Reporting: May be buried amongst prose, IOCs, etc.

  2. Research the behavior

    • Raw Data: May need to review multiple sources and data types. May also be a known procedure leading to simple technique identification

    • Narrative Reporting: May have more info / context, may also have lost detail that wasn't included in the report

  3. Translate the behavior into a tactic

    • Raw Data: In order to map to adversary intent, significant domain knowledge / expertise may be required

    • Narrative Reporting: Often intent has been postulated by the report author

  4. Figure out what technique or sub-technique applies to the behavior

    • Raw Data: May have a procedure that maps straight to the technique or sub, or may require deep understanding of the data type to understand how they're accomplished

    • Narrative Reporting: May be as simple as a text match to description / procedure, or too much detail is absent from the report, and it may be too vague to identify the technique or sub

  5. Compare your results to other analysts

    • Raw Data: May need multiple analysts to cover all data sources

    • Narrative Reporting: More likely in a form where other analysts are needed for coverage / hedge against bias

Identify and Research Behaviors

Step 1. Identify the behavior

Look through the commands and activities performed by an adversary and note them down.

Step 2. Research the behavior

The analysis process for raw data can leverage some of the same concepts as analysis for narrative reporting

Key Differences:

  • Assessing raw data may require expertise in the specific data type

    • Network, forensics, malware, Windows cmd line, etc

  • Additional data sources may also be required to gain enough context about what the behavior is

    • Additional questions to responders / analysts

Research may be required: for example, if the command-line parameters are complex or unclear, use a search engine or other resources. It might also require using a sandbox to observe the behavior.

Translate Behaviors to Tactics, Techniques and Sub-Techniques

Step 3. Translate the Behavior to Tactic

ipconfig /all

  • Specific procedure only mapped to System Network Configuration Discovery

  • System Network Configuration Discovery -> Discovery

  • Seen being run via Sysmon -> Execution

.\recycler.exe -a hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockware_network.vsdx

  • We figured out researching this that vsdx is Visio data

  • Moderate confidence Exfiltration, commands around this could make clearer

  • Seen being run via Sysmon -> Execution

Step 4. Figure out what Technique or Sub Applies

  • Similar to working with finished reporting we may jump straight here

    • Procedure may map directly to Tactic/Technique/Sub

    • May have enough experience to compress steps (remember, this may increase your bias, and won't always work)

ipconfig /all

  • Specific procedure in System Network Configuration Discovery (T1016)

  • Also Command and Scripting Interpreter (T1059)

.\recycler.exe -a hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockware_network.vsdx

  • We figured out researching this that a -hp compresses / encrypts

  • Appears to be Archive Collected Data (T1560)

  • Also Command and Scripting Interpreter (T1059)

Concurrent Techniques

  • Assess what's happening - and how it's happening

  • Certain tactics commonly have concurrent techniques

    • Some techniques are describing how things are happening, while other techniques are describing what's happening

  • Examples:

    • Phishing: Spearphishing Attachment + User Execution (Initial Access + Execution)

    • Data from Local System + Email Collection (2x Collection)

    • Process Discovery + Command and Scripting Interpreter (Discovery + Execution)

Step 5. Compare your results to other Analysts

  • Hedging biases by leveraging diverse skillsets

  • Mapping from raw data may need a broader set of skills / experience to work with different types of data

  • Analyst 1 Experience

    • Packets

    • Malware / Reversing

    • Windows command line

  • Analyst 2 Experience

    • Windows Events

    • Disk Forensics

    • MacOS / Linux

Raw Data to Narrative Reporting

Exercise 2: Working with raw data

  • You're going to be examining two tickets from a simulated incident

  • Ticket 473822

    • Series of commands interactively executed via cmd.exe on an end system

  • Ticket-473845

    • Pieces of a malware analysis of the primary RAT used in the incident

  • Use whatever you like to record your results, or download and edit the tickets

  • Identify as many behaviors as possible

  • Annotate the behaviors that are ATT&CK techniques or sub-techniques

Exercise 2: Review

  • What questions would you have asked of your incident responders?

  • What was easier/harder than working with narrative reporting?

  • What other types of data do you commonly encounter with behaviors?

  • Did you notice any behaviors that you couldn't find a technique or sub-technique for?

Exercise 2: Solution

  • Ticket-473822 answers

  • Ticket-473845 answers

Ticket 473822

ipconfig /all                             # System Network Configuration Discovery (T1016)            
arp -a                                    # System Network Configuration Discovery (T1016)            
echo %USERDOMAIN%\%USERNAME%              # System Owner / User Discovery (T1013)
tasklist /v                               # Process Discovery (T1057)
sc query                                  # System Service Discovery (T1007)
systeminfo                                # System Information Discovery (T1082)
net group "Domain Admins" /domain         # Permission Groups Discovery: Domain Groups (T1069.002)      
net user /domain                          # Account Discovery: Domain Account (T1087.002)
net group "Domain Controllers" /domain    # Remote System Discovery (T1018)
netsh advfirewall show allprofiles        # System Network Configuration Discovery (T1016)
netstat -ano                              # System Network Connections Discovery (T1049)

As can be seen, all of the above techniques are the Discovery tactic.
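Raw-data mapping like the ticket above is exactly what a detection analytic over process-creation logs does, and a burst of distinct Discovery techniques on one host in a few minutes is the pattern worth alerting on. The following added example (my code, not MITRE's and not part of the exercise answers) encodes the command-to-technique table from the answer key above, with the echo %USERDOMAIN% line left out, runs it over constructed log lines, and flags any host where several distinct Discovery techniques occur within a ten-minute window. The log line layout (timestamp, host=, user=, cmd='...') is a constructed format, not Sysmon's or Event 4688's real schema.

```python
"""Map process command lines to the ATT&CK techniques from the ticket 473822
answer key, then look for a burst of distinct Discovery techniques on one host.

Added example, not MITRE's code. The mapping rows mirror the answer key above
(echo %USERDOMAIN% omitted). Log lines are constructed; their layout
(ts host= user= cmd='...') is an assumption, not a real sensor schema.
"""
import re
from datetime import datetime, timedelta

DISCOVERY_TACTIC = "Discovery"

# (regex, technique ID, technique name) -- every row is a Discovery technique
COMMAND_TECHNIQUES = [
    (r"^ipconfig\s+/all",                    "T1016",     "System Network Configuration Discovery"),
    (r"^arp\s+-a",                           "T1016",     "System Network Configuration Discovery"),
    (r"^tasklist\b",                         "T1057",     "Process Discovery"),
    (r"^sc\s+query",                         "T1007",     "System Service Discovery"),
    (r"^systeminfo\b",                       "T1082",     "System Information Discovery"),
    (r'^net\s+group\s+"Domain Admins"',      "T1069.002", "Permission Groups Discovery: Domain Groups"),
    (r"^net\s+user\s+/domain",               "T1087.002", "Account Discovery: Domain Account"),
    (r'^net\s+group\s+"Domain Controllers"', "T1018",     "Remote System Discovery"),
    (r"^netsh\s+advfirewall\s+show",         "T1016",     "System Network Configuration Discovery"),
    (r"^netstat\b",                          "T1049",     "System Network Connections Discovery"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tid, name) for p, tid, name in COMMAND_TECHNIQUES]

LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd='(?P<cmd>[^']*)'$")

# Constructed sample: the ticket's command sequence on WS01 plus benign noise.
SAMPLE_LOG = r"""
2019-02-16T10:14:44Z host=WS01 user=CORP\jdoe cmd='ipconfig /all'
2019-02-16T10:14:51Z host=WS01 user=CORP\jdoe cmd='arp -a'
2019-02-16T10:15:02Z host=WS02 user=CORP\asmith cmd='notepad.exe C:\notes.txt'
2019-02-16T10:15:10Z host=WS01 user=CORP\jdoe cmd='tasklist /v'
2019-02-16T10:15:33Z host=WS01 user=CORP\jdoe cmd='sc query'
2019-02-16T10:16:05Z host=WS01 user=CORP\jdoe cmd='systeminfo'
2019-02-16T10:16:40Z host=WS01 user=CORP\jdoe cmd='net group "Domain Admins" /domain'
2019-02-16T10:17:12Z host=WS01 user=CORP\jdoe cmd='netstat -ano'
2019-02-16T10:20:00Z host=WS02 user=CORP\asmith cmd='arp -a'
2019-02-16T10:21:30Z host=WS01 user=CORP\jdoe cmd='outlook.exe'
""".strip().splitlines()


def map_command(cmd: str):
    """Return (technique_id, technique_name) for a known procedure, else None."""
    for pattern, tid, name in COMPILED:
        if pattern.search(cmd.strip()):
            return tid, name
    return None


def parse_line(line: str) -> dict:
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines, window=timedelta(minutes=10), threshold=4) -> dict:
    """Annotate events with technique/tactic and flag hosts where at least
    `threshold` distinct Discovery techniques occur within `window`."""
    events = []
    for line in lines:
        ev = parse_line(line)
        hit = map_command(ev["cmd"])
        ev["technique"] = hit[0] if hit else None
        ev["technique_name"] = hit[1] if hit else None
        ev["tactic"] = DISCOVERY_TACTIC if hit else None
        events.append(ev)
    mapped = [e for e in events if e["technique"]]
    bursts = []
    for host in sorted({e["host"] for e in mapped}):
        host_events = sorted((e for e in mapped if e["host"] == host), key=lambda e: e["ts"])
        for i, start in enumerate(host_events):
            in_window = {e["technique"] for e in host_events[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= threshold:
                bursts.append({"host": host, "start": start["ts"], "techniques": sorted(in_window)})
                break  # one finding per host is enough for an alert
    return {"events": events, "mapped": mapped, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result["mapped"]:
        print(f"{e['host']} {e['cmd']!r:45} -> {e['tactic']} / {e['technique']} {e['technique_name']}")
    for b in result["bursts"]:
        print(f"ALERT {b['host']}: {len(b['techniques'])} distinct Discovery techniques from {b['start']}")
```

The single `arp -a` on WS02 maps to T1016 but does not trigger the burst rule, which is the "context is key" point from earlier: one mapped behavior is not by itself malicious, a sequence of them from one interactive session is what the ticket shows.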

Ticket 473845

Ticket: 473845
Incident: Tangerine Yellow
Date: 2/16/2019 10:14:44
Description: Pineapple RAT analysis
Status: Assigned

MD5 = dcf574b977e291e159b3efeddc9e5075
SHA1 = bc50bfce0ad9753a6be7448e350a15c1b7f719cc
SHA256 = 18548a48f2c30070dc3982bb04ab004a9491aa5c1933ad73a84c0de1d816cd13
Filename = winspoo1.exe --> Defense Evasion - Masquerading (T1036)

Analysis notes:

C2 protocol is base64 encoded commands over https.

  • base64 encoded commands --> Command and Control - Data Encoding: Standard Encoding (T1132.001)

  • over https --> Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

The RAT beacons every 30 seconds requesting a command.

So far the following commands have been discovered and analyzed:

  • UPLOAD file (upload a file server->client)

  • DOWNLOAD file (download a file client->server)

    • Command and Control - Ingress Tool Transfer (T1105)

  • SHELL command (runs a command via cmd.exe)

    • Execution - Command and Scripting Interpreter (T1059)

  • PSHELL command (runs a command via powershell.exe)

    • Execution - Command and Scripting Interpreter: PowerShell (T1059.001)

  • EXEC path (executes a program at the path given via CreateProcess)

    • Execution - Native API (T1106)

  • SLEEP n (skips n beacons)

Sandbox execution artifacts for winspoo1.exe

Network traffic:

10.1.1.1:12442 -> 8.8.8.8:53 (query A www.m1tre.org)
8.8.8.8:53 -> 10.1.1.1:12442 (response A www.m1tre.org A 129.83.44.12)
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123

File activity:

Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe --> Defense Evasion - Masquerading (T1036)

Registry keys added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool REG_SZ "C:\Windows\System32\winspool.exe" --> Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
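The Masquerading mapping in this ticket rests on a filename that differs from a legitimate-looking one by a single confusable character (winspoo1 vs winspool). The following added example (my code, not MITRE's and not part of the exercise answers) turns that observation into a check a defender can run over autostart entries: it normalizes digit-for-letter swaps, compares the result against an allowlist of expected binary names and directories, and flags look-alike names and known names living outside their expected directory. The allowlist is constructed and seeded from the ticket, not a real Windows inventory, and the Run-key entries are constructed test data.

```python
"""Flag autostart entries whose executable is a look-alike of a known binary
(winspoo1.exe standing in for winspool.exe, as in the ticket above) or a
known name sitting in an unexpected directory.

Added example, not MITRE's code. KNOWN_BINARIES is a constructed allowlist
seeded from the ticket, not a real Windows inventory; SAMPLE_RUN_KEYS are
constructed test data except for the entry copied from the ticket.
"""
import ntpath

# Digit-for-letter substitutions commonly used to build look-alike names.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# name -> directory where the genuine binary is expected (constructed allowlist)
KNOWN_BINARIES = {
    "winspool.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SAMPLE_RUN_KEYS = [
    ("winspool", r'"C:\Windows\System32\winspool.exe"'),        # entry from the ticket
    ("updater", r'"C:\Users\Public\winspoo1.exe"'),             # constructed look-alike name
    ("helper", r"C:\Users\Public\svchost.exe /k netsvcs"),      # constructed known name, wrong dir
    ("OneDrive", r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def normalize_name(name: str) -> str:
    """Lower-case and undo confusable substitutions: winspoo1.exe -> winspool.exe."""
    return name.lower().translate(CONFUSABLES)


def executable_from_command(command: str) -> str:
    """Pull the executable path out of a Run-key command string."""
    command = command.strip()
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split()[0]


def assess_path(path: str) -> str:
    """Return 'ok', 'lookalike-name', 'known-name-wrong-dir' or 'unknown'."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    if name in KNOWN_BINARIES:
        return "ok" if directory == KNOWN_BINARIES[name] else "known-name-wrong-dir"
    if normalize_name(name) in KNOWN_BINARIES:
        return "lookalike-name"
    return "unknown"


def audit_run_keys(entries):
    """entries: (value_name, command) pairs; returns (value_name, exe, verdict)
    for every entry that looks like masquerading."""
    findings = []
    for value_name, command in entries:
        exe = executable_from_command(command)
        verdict = assess_path(exe)
        if verdict in ("lookalike-name", "known-name-wrong-dir"):
            findings.append((value_name, exe, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_run_keys(SAMPLE_RUN_KEYS):
        print("Masquerading (T1036) candidate:", finding)
```

Note the caveat the ticket itself illustrates: after the copy to C:\Windows\System32\winspool.exe the Run-key entry carries an expected name in an expected directory and this name check returns "ok". Catching that stage needs the file-activity record (a copy from C:\ into System32) or a hash / signature comparison against the genuine binary, not a name check.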

  • If you are creating reporting with ATT&CK, we recommend keeping the techniques and sub-techniques with the related procedures for context

    • Allows other analysts to examine the mapping for themselves

    • Ensures the team is on the same page with the mapping

    • Allows much easier capture of how a technique was done

    • Contributes to simpler process for crafting defenses against specific adversaries

Effective Reporting Methods

  1. During operation Tangerine Yellow, the actors used Pineapple RAT to execute ipconfig /all via the Windows command shell.

    1. Discovery - System Network Configuration Discovery (T1016)

    2. Execution - Command and Scripting Interpreter (T1059)

  2. System Network Configuration Discovery (T1016) and Command and Scripting Interpreter (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ipconfig /all via the Windows command shell.

Storing and Analyzing ATT&CK Mapped Data

  • Consider who (or what) will be consuming the mapped CTI

  • Identify the most effective storage platform for your environment and requirements

Considerations for storage and analysis

  • Who's consuming it?

    • Human or machine?

  • What are the intelligence requirements? How will you provide context?

    • Include full text?

  • How will it be detailed?

    • Just a Technique / sub-technique or Procedure?

  • How will you capture that detail?

    • (Free text?) How will you link it to other CTI?

    • Incident, group, campaign, indicator?

  • How will you import and export data?

    • What format will you use?

MISP is great for storing, sharing, and displaying ATT&CK-mapped CTI data.

Expressing and Storing ATT&CK mapped data

Depending on the vendor, one may see the following:

  • Techniques shown at the bottom of the report

  • Techniques shown at the beginning of the report

  • Sub-techniques may not be shown

  • Techniques with some description of how an attacker used that specific technique / sub

  • The best example is CISA's reporting, which has the techniques / subs inline

  • Digital Shadows not only shows the tactic and technique, but also advice on mitigation.

Also see Unit 42's Playbook Viewer

Analyzing ATT&CK mapped data

This is done using the ATT&CK Navigator. If looking at two APT groups, they can be separated into two separate layers, then combined using the combine feature. Each layer with its selected techniques / subs can be given a score. So layer a gets a score of 1, and layer b a score of 2. The expression for the combined layer is a + b. The coloring can then have a low value of 1 and a high of 3 (score of 1 + score of 2 = total score of 3), which shows you the overlaps between the two APT groups in a color-coded display.
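The same a + b scoring can be done outside the Navigator UI, which is useful when the technique lists come from a database or a MISP export rather than from clicking. The following added example (my code, not MITRE's Navigator) builds two layers with scores 1 and 2, sums them per technique, sets the gradient to 1..3 as described above, and lists the techniques that score 3, i.e. the overlap. The two technique sets are constructed illustrations, not the real APT39 / APT32 profiles; the layer-file fields (name, versions, domain, techniques[].techniqueID / score, gradient) follow the Navigator layer format as I know it and should be checked against the Navigator's own layer documentation before importing the output.

```python
"""Combine two ATT&CK Navigator-style layers with the a + b score expression.

Added example, not MITRE's code. GROUP_A / GROUP_B are constructed technique
sets, not real group profiles. The layer-file field names are an assumption
about the Navigator layer format; verify against the Navigator docs.
"""
import json

GROUP_A = {"T1566.001", "T1204.002", "T1059.001", "T1053.005", "T1105"}
GROUP_B = {"T1566.001", "T1204.002", "T1059.003", "T1547.001", "T1105", "T1016"}


def make_layer(name: str, technique_ids, score: int) -> dict:
    """One layer in which every listed technique carries the same score."""
    return {
        "name": name,
        "versions": {"layer": "4.4"},          # assumed layer-format version
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": score} for t in sorted(technique_ids)],
    }


def combine_layers(layer_a: dict, layer_b: dict, name: str = "a + b") -> dict:
    """Sum per-technique scores (the Navigator 'a + b' expression) and set the
    gradient from the lowest single-layer score to the sum of the two maxima."""
    scores = {}
    for layer in (layer_a, layer_b):
        for entry in layer["techniques"]:
            scores[entry["techniqueID"]] = scores.get(entry["techniqueID"], 0) + entry["score"]
    per_layer = [[e["score"] for e in layer["techniques"]] for layer in (layer_a, layer_b)]
    low = min(min(s) for s in per_layer if s)
    high = sum(max(s) for s in per_layer if s)
    return {
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(scores.items())],
        # white for "only in a", red for "in both"; colors are an arbitrary choice
        "gradient": {"colors": ["#ffffff", "#ff0000"], "minValue": low, "maxValue": high},
    }


def score_of(layer: dict, technique_id: str):
    for entry in layer["techniques"]:
        if entry["techniqueID"] == technique_id:
            return entry["score"]
    return None


def overlapping_techniques(combined: dict) -> list:
    """Techniques scored at the gradient maximum, i.e. present in both layers."""
    top = combined["gradient"]["maxValue"]
    return [e["techniqueID"] for e in combined["techniques"] if e["score"] == top]


def to_layer_json(layer: dict) -> str:
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    a = make_layer("Group A (constructed)", GROUP_A, 1)
    b = make_layer("Group B (constructed)", GROUP_B, 2)
    combined = combine_layers(a, b)
    print("overlap:", overlapping_techniques(combined))
    print(to_layer_json(combined))
```

The overlap list is the direct input to the defensive-recommendations step later on: techniques both groups of interest use are the natural candidates for the priority list.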

Exercise 3

Use the report for Cobalt Kitty:

  • Cybereason Operation Cobalt Kitty - Original Report

  • Cybereason Operation Cobalt Kitty - Exercise

  • Cybereason Operation Cobalt Kitty - Exercise Hints

  • Cybereason Operation Cobalt Kitty - Exercise Answers

  • Combine techniques of APT39 and APT32 (Cobalt Kitty / OceanLotus) into separate layers with a unique score for each layer

  • Combine the layers to create a third layer

  • Color score your third layer

  • Make a list of the techniques / subs that overlap between the two groups

Making Defensive Recommendations from ATT&CK-mapped Data

  • Learn the process for making defensive recommendations based on ATT&CK mapped data

  • Identify the priority techniques and sub-techniques for your enterprise

  • Understand your enterprise capabilities and constraints

  • Practice making customized defensive recommendations

The Defensive Recommendations Process

How do we make the intelligence actionable?

  1. Determine priority techniques and sub-techniques

  2. Research how techniques and subs are being used

  3. Research defensive options related to technique and sub-technique

  4. Research organizational capability / constraints

  5. Determine what trade-offs are for org on specific options

  6. Make defensive recommendations

Step 0. Determine Priority Techniques

There are multiple ways to prioritize - leveraging CTI

  1. Data sources: what data do you have already?

  2. Threat intelligence: what are your adversaries doing?

  3. Tools: what can your current tools cover?

  4. Red team: what can you see red teamers doing?

Step 1. Research how techniques and subs are used

  • What specific procedures are being used for a given technique or sub-technique

    • Important that the defensive response corresponds with activity

APT39 leverages spearphishing emails with malicious attachments and/or hyperlinks, typically resulting in a POWBAT infection

  • Execution - User Execution (T1204)

    • User Execution: Malicious Link (T1204.001)

    • User Execution: Malicious Attachment (T1204.002)

Another report, on Operation Cobalt Kitty, also describes spearphishing with links to malicious sites or weaponized Word docs. Same techniques / subs.

Step 2. Research Defensive Options

  • Some sources providing defensive information indexed to ATT&CK

ATT&CK -> Cyber Analytics Repo (CAR) -> Roberto Rodriguez's ThreatHunter Playbook -> Atomic Threat Coverage

  • Supplement with your own research

  • Look at the Data Sources per technique, along with Mitigations

  • Go through Detections to understand how to pick up the specific techniques

  • User training

  • Application control

  • Block unknown files in transit

  • NIPS

  • File detonation systems

  • Monitor command-line arguments

    • Windows Event Log 4688

    • Sysmon

  • Anti-virus

  • Endpoint sensing

Step 3. Research Organizational Capabilities / Constraints

  • What data sources, defenses, mitigations are already collected / in place?

    • Some options may be inexpensive / simple

    • Possibly new analytics on existing sources

  • What products are already deployed that may have additional capabilities?

    • E.g. able to gather new data sources / implement new mitigations

  • Is there anything about the organizations that may preclude responses?

    • E.g. user constraints / usage patterns

Example

  • Notional Capabilities

    • Windows Events already collected to SIEM (but not process info)

    • Evaluating application control tools

    • Highly technical workforce

    • Already have an email file detonation appliance

    • Already have anti-virus on all endpoints

  • Notional Constraints

    • SIEM at close to license limit, increase would be prohibitive

    • Large portion of user population developers, run arbitrary binaries

    • Files in transit usually encrypted passing by NIPS

Positives

  • Leveraging existing strengths / tools / data sources

  • Close fit with specific threat

Negatives

  • Cost not commensurate with risk averted

  • Poor cultural fit with organization

Each option is highly dependent on your specific org

Step 4. Determine what trade-offs are for org on specific options

  • Increase user training around clicking on attachments

    • Example Pros: Covers most common use cases; technical workforce likely will make good sensors

    • Example Cons: Time investment by all users, training fatigue

  • Enforcement of application control

    • Example Pros: Already examining a control solution; most binaries of concern never seen before

    • Example Cons: Developer population heavily impacted if prevented from running arbitrary binaries. High support cost

  • Monitor command-line arguments / create analytic

    • Example Pros: Collecting events already, already feeding into a SIEM

    • Example Cons: Volume of logs from processes likely an unacceptable license cost

  • Anti-virus

    • Example Pros: Already in place

    • Example Cons: Limited signature coverage

  • Install EDR product

    • Example Pros: Possibly best visibility without greatly increasing log volumes

    • Example Cons: No existing tool, prohibitively expensive

  • Email Detonation Appliance

    • Example Pros: Already in place

    • Example Cons: May not have full visibility into inbound email

Step 5. Make Defensive Recommendations

  • Recommendations can be strategic, policy-related, operational, tactical or focused on risk acceptance

  • Recommendations can be for management, SOC, IT, or all of the above

  • Some potential recommendation types:

    • Technical

      • Collect new data sources

      • Write a detection / analytic from existing data

      • Change a config / engineering change

      • New tool

    • Policy changes

      • Technical / human

    • Accept risk

      • Some things are undetectable / unmitigatable or not worth the tradeoff

  • We'll tackle User Execution: Malicious File and Malicious Link via user training

  • Supply Chain Compromise and Pre-OS Boot: Component Firmware are beyond our capability and resources to stop or detect, so we'll accept the risk

Recommendations

  • New user training geared around not clicking on attachments and how to identify social engineering

    • Policy change aligns with a technical workforce

  • Continued use of AV

    • No additional resource requirement

  • Increase coverage of email detection

    • Taking advantage of existing tools

Exercise 4: Defensive Recommendations

Worksheets located here:

  • Making Defensive Recommendations Guided Exercise

  • Making Defensive Recommendations Unguided Exercise

Exercise 4: Review

  • What resources were helpful to you finding defensive options?

  • What kind of recommendations did you end up making?

  • Did you consider doing nothing or accepting risk?

  • Were there any options that were completely inappropriate for you?

Exercise 4: Solution

  • Priority Technique: Scheduled Tasks / Jobs

  • Org capabilities / constraints: Windows Event Log Collection going to a SIEM, but no ability to collect process execution logging

  • Monitor scheduled task creation from common utilities using command-line invocation

    • Pros: Would allow us to collect detailed info on how the task was added

    • Cons: Org has no ability to collect process execution logging

  • Configure event logging for scheduled task creation and changes

    • Pros: Fits well into the existing Windows Event Log collection system; would be simple to implement enterprise-wide

    • Cons: Increases collected log volumes

  • Sysinternals Autoruns may also be used

    • Pros: Would collect on other persistence techniques as well. Tool is free

    • Cons: Not currently installed; would need to be added to all systems along with data collection and analytics of results

  • Monitor processes and command-line arguments

    • Pros: Would allow us to collect detailed info on how the task was added

    • Cons: Org has no ability to collect process execution logging
