Increasing Enterprise Visibility: Integrated Defense with Mitre ATT&CK
by David Evenden
Since seeing Katie Nickels present at a DHS ATTE Conf and then again with Cody Thomas at @sansforensics Summit in New Orleans last year, I’ve been a firm believer of the @MITREattack framework. In fact I’ve started using it to track Foreign Intelligence activity in the US, to the extent we’ve started to be able to produce cautionary predictive analysis on anticipated sector based hacking activities 4–6 months out.
While this work is helping many more advanced organizations, some aren’t quite ready to use it. In fact many engineers ask me often…’but how do I use MITRE ATT&CK to help me today?’. Well this an article outlining what I have learned and what I would recommend.
The Exploitation Lifecycle
In my opinion the first step to defending against hackers is understanding what they’re doing and what their goals are. To do that, you must have a cursory knowledge of the exploitation lifecycle.
The below exploitation lifecycle outlines common and some uncommon steps and goals used by hackers and adversarial APT groups. It is included for educational purposes only and its use outside of this article is expressly forbidden.
use outside of this article is expressly forbidden without permission
Shown below is an example of Pentesting Methodologies developed using the exploitation lifecycle, and is broken up into 6 sections with countless potential subsections.
use outside of this article is expressly forbidden without permission
Often referred to as OSINT (Open Source Intelligence) or reconnaissance, this is simply using publicly available resources to learn as much as possible about your target.
This consists of researching the following non-exclusive list:
- Employees from the lowest level to the highest
- Externally accessible resources
- Programming or developer languages
- Internally used applications
Targeting or Vulnerability Discovery is essentially the act of pairing identified infrastructure with corresponding open source exploits.
This is the act of exploiting infrastructure to gain access to the target.
This is the act of installing a backdoor [malware|callbacks|etc] so that exploitation isn’t necessary over and over again to operate in the target network.
Often the machine of initial access isn’t the primary target. The art of migration is moving throughout the network to expand persistence and locate the primary target.
This is the act of moving data from the target to an external C2 or the attacker machine.
Actor to Sector Correlation
Now that you have a basic understanding of the exploitation lifecycle, you can use open source reporting similar to Crowdstrike Meet the Adversaries to identity the actor groups that are known to be targeting your sector within your country. Here I would create a DB and start adding columns . In this situation I would add the actor names known to be targeting your network. As this data gets updated or released in open source reporting, update your DB to track Actor Groups targeting your sector.
Actor to Sector correlation can be identified in many locations, similar to the Crowdstrike example below.
Exploring & Storing the ATT&CK API
This & More
Here I’ll show you how to programmatically store the MITRE ATT&CK API and keep it updated. Once you have the actor to sector relational analysis completed you can start collecting techniques associated with the attack methodologies of that actor. Furthermore, the columns in ATT&CK are great for threat intel and mitigation techniques, but I’ll show you how adding additional columns will allow you to “LevelUp” by correlating enterprise infrastructure to threat vector mitigation techniques.
The code for this project can be found here.
The first step here is to programmatically download the ATT&CK API. Here is how we stage the download.
Now we download and filter the content. Then we structure the content in a way that is usable for your use case; network defense.
It is important at this point to have a cursory knowledge of the MITRE ATT&CK platform itself. Knowing the data you’re downloading will help you understand how to use it. I recommend researching what data is offered that you’ll be downloading here.
As stated above, you’ll want to add additional columns that will give way for additional infrastructure data that will correlate TTPs to enterprise specific mitigation techniques.
Here is an example, pulled from here, that shows how to link a set of data sources to the techniques that they can be used to detect.
Programmatic Storage of ATT&CK Techniques by Actor Group
We can add a few simple lines of code that allow us to extract and display phases, techniques, and mitigation methods for all selected Actor Groups.
Please note the code has been altered with ‘/’ marks on the end of each line in order that the desired code can be displayed on this blog. The code in the program provided is on a single line.
In the provided code, simply set the array labeled mygroups to the groups names that have been identified as targeting your organization.
The printed results here can be stored in a CSV, Pandas Dataframe, or any other DB style location that allows for quick and easy reference.
Reversing the Exploitation Lifecycle for Defense
Now that we have a cursory knowledge of the Exploitation Lifecycle and a working knowledge of MITRE ATT&CK, we can begin the process of using the exploitation lifecycle in your defenses. This is often performed in reverse order. First identify the boundary of no return, what level of data breach can your organization not recover from? Identify that line, then start working backwards.
During each phase outlined below, refer back to the MITRE ATT&CK phase and identify attack techniques and methodologies used by the actor groups targeting your organization. Once the phases and techniques have been identified, locate the mitigation recommendations and create a checklist.
Once the checklist has been developed, start walking your way through the checklist until all items have been mitigated.
Then start again.
Developing an Asset List & Tagging Critical Data
I recommend you start by developing an enterprise level Asset List that consists of physical devices, software, and data. Then tag critical data on that list. The developed Asset List should consist not only of network devices, but software installed/used on devices throughout the network, and the owners of those devices.
Understanding asset ownership is an important aspect of the asset list when it comes time to perform enterprise level heuristic analytics on change point detection, anomalies, and vulnerability identification.
Intelligence Mitigation Technique: Once you identify your critical data, and have correlated which actor is targeting your sector, you can use the intel you’ve uncovered to research what data your actors might be targeting from your organization.
Side note (log aggregation): The following image outlines common concepts about methodologies associated with event log aggregation.
Close the Network Visibility Gap
Once Critical data has been identified, identifying the line of no return is very important. What can’t your company recover from? Identify that line, the work backwards on how to get there.
Once you identify that network segment, work on network visibility to and from that space. This can be performed using by increasing and sharpening SIEM network logging, etc.
ATT&CK Mitigation Technique: Making an attack vector determination of actor to sector targeting, you can use the MITRE ATT&CK framework to collect the TTPs (Techniques) associated network migration methodologiesassociated with that actor.
Increasing Host Visibility
Host visibility is where many enterprise level security engineers start at this step. Ensuring host visibility using the following methodologies are met is the next phase of this lifecycle:
- Locking down host firewall
- Proper configuration for host AV
- Remote connections to & from hosts
- Child processes and orphaned processes
- Utilization of legitimate process slack space
- DLL hallowing and process injection
ATT&CK Mitigation Technique: Once you start this process you’ll want to pull the techniques associated with host access, persistence, and migration methodologies of the actor group identified as targeting your sector.
Increasing Perimeter Visibility
Perimeter visibility is often viewed as what types of threats are being thrown at your enterprise network. That is for sure an important aspect of network defense. However, for this stage we are simply focusing on what is entering and exiting the network.
- Some common protocols and traffic to look for are:
- Anomalies or significant changes in bandwidth*
- Outbound DNS traffic not originating from your internal DNS servers
- Encrypted traffic on ephemeral (high numbered or uncommon) ports
- Inbound emails with known malicious or otherwise suspicious activity
- Traffic destined to known malicious domains
ATT&CK Mitigation Technique: Once you start this process you’ll want to pull the techniques associated with C2 heuristics of the agents/backdoors/malware used by the actor groups targeting your sector.
Increase OSINT Visibility
Open source intelligence research is nearly always the first step to the attack/targeting/exploitation lifecycle. Knowing what your organizational exposed footprint looks like, will increase your ability to combat attackers as they begin to target your organization.
Since the attack vector here is two fold (technological and social engineering) educating yourself on attack methodologies surrounding both attack surfaces will help develop a target scope for your organization.
HumanHacker, or Chris Hadnagy’s organization Social Engineer is great resource for learning about the methodologies around attacking people. They provide a detailed infographic (shown below) outlining common social engineering tactics used by attackers.
Research Mitigation Technique: Mitigation of this process simply consists of you doing your homework. You can either attempt to identify the exposed attributes of your organization, or hire a penetration testing team like TrustedSec, StandardUser, or SocialEngineer to perform OSINT research for your organization.
Making a Risk Determination
Once you have all this data aggregated, implemented applicable mitigation methodologies where possible, and know your enterprise security visibility gaps, you’ll be prepared to make enterprise & organizational level risk determinations.
This kind of risk determination will provide a vehicle to develop manpower management needs, budgetary and compliance roadmaps, and begin to close additional visibility gaps throughout your network allowing you to sleep a little better at night.
Images of pentesting methodologies and exploitation lifecycle are used by permission of StandardUser, LLC. Their use here does not permit for the reuse on any other platform. The reuse of these images is expressly forbidden.
While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, his passion is educating network administrators and security engineers on best practices when securing your network.
David currently holds Pentest+ and CySA certificates.
The article has been originally published at: https://medium.com/@jedimammoth/increasing-enterprise-visibility-integrated-defense-with-mitre-att-ck-73d9179a8a12