Using ATT&CK for Cyber Threat Intelligence Training

(As of Mar 2022)

MITRE ATT&CK: CTI Training

The goal of this training is for students to understand the following:

  • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)

  • How to map to ATT&CK from both finished reporting and raw data

  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that

  • How to perform CTI analysis using ATT&CK-mapped data

  • How to make defensive recommendations based on CTI analysis

NOTES

Module 1: Introducing training and understanding ATT&CK

  • ATT&CK - knowledge base of adversary behavior based on real-world observations, serves as a common language

  • Pyramid of Pain - TTPs sit at the apex and are the hardest for an adversary to change; below them, in decreasing order of pain to the adversary, come tools, network/host artifacts, domain names, IP addresses and hash values (bottom of the pyramid)

  • Tactics - the adversary's technical goals (the column headers across the top of the MITRE ATT&CK matrix)

  • Techniques - how those goals are achieved (the entries listed under each tactic column; a technique can appear under more than one tactic)

  • Procedures - a specific implementation of a technique, e.g. the exact tool, command line or malware a group used to carry it out (spearphishing itself is a technique; the particular lure and attachment a group sent is the procedure)

  • Mitigations and detections, procedure examples

  • APT groups - group pages list associated group descriptions (alternative names for the same threat actor) plus the techniques and software the group has been observed using

  • Use cases of ATT&CK - behaviour-based detection; threat intelligence (e.g. compare APT groups); assessment and engineering (find gaps in defenses); adversary emulation (red team emulates a specific threat)

  • Focus on TI - use knowledge of adversary behaviors to inform defenders. Structuring TI with ATT&CK lets us compare the behaviors of groups to each other, a group's behavior over time, and group behaviors to our defenses, in a common language across the community.

Module 2: Mapping to ATT&CK from finished reporting

  • Mapping CTI to ATT&CK is difficult - it requires a shift in analyst thinking from indicators to behaviors, the volume of ATT&CK techniques is large, and some techniques are quite "technical". It is still worthwhile: analysts shift to thinking about behaviors, learn new adversary techniques and pick up the "technical" side

  • 2 key sources of info - finished reporting (module 2) & raw data (module 3)

  • Step 0 - Understand ATT&CK: read the tactic descriptions, skim the technique list

  • Step 1 - Find the behavior: look for what the adversary/software does, focusing on initial compromise and post-compromise details

  • Step 2 - Research behavior: research builds better analysts

  • Step 3 - Translate behavior to tactic: What is the adversary trying to accomplish? Often requires domain expertise; finished intel can give context. 12 options in the training (initial access, discovery, lateral movement etc.); Enterprise ATT&CK has had 14 tactics since Reconnaissance and Resource Development were added in v8 (Oct 2020)

  • Step 4 - Figure out what technique applies to the behavior: the toughest part. Not every behavior = technique. Strategy: (a) look at the list of techniques for the identified tactic, and (b) search attack.mitre.org, trying key words, "procedure"-level detail and specific command strings.

  • Step 5 - Compare your results to other analysts: hedges against analyst bias

  • Exercise - Identify the tactics and techniques in the Cobalt Kitty report provided. Good exercise to familiarise yourself with the MITRE ATT&CK techniques. Answers are provided too :) but different answers can also be right, since mapping is partly judgement.

Module 3: Mapping to ATT&CK from raw data

  • Analysis of techniques/behaviors directly from source data - more information, so greater ability to interpret intent/tactic. Possible data sources that can contain behavior: forensic disk images, shell commands, malware analysis, sandbox output, packets or data gathered during incident response.

  • Step 1 - Find the behavior: commands captured, flows from malware in a sandbox, new registry keys during an incident

  • Step 2 - Research the behavior: may need expertise in a specific data type (network, forensics, malware, Windows command line) or multiple data sources to gather context (ask the responders/analysts questions). File analysis gathers more info.

  • Step 3 - Translate behavior to tactic: a single command can map to more than 1 tactic; analyse commands in the context of their data sources

  • Step 4 - Figure out what technique applies to the behavior: a procedure may map directly to a technique/tactic, but be aware of bias. Think about concurrent techniques, i.e. how it's happening, not just what's happening. Execution, defense evasion and collection commonly have concurrent techniques. Some techniques are specific (Rundll32, Netsh Helper DLL), some broad (Scripting, Obfuscated Files or Information) and some capture "how" a behavior occurs (Masquerading, Data Transfer Size Limits, Automated Collection)

  • Step 5 - Compare your results to other analysts: hedging bias requires a broad set of skills/experience to work with different types of data

  • Pros/Cons of mapping from two different sources

  • Exercise A: cmd.exe commands below separated with semi-colon.

ipconfig /all; arp -a; echo %USERDOMAIN%\%USERNAME%; tasklist /v; sc query; systeminfo; net group "Domain Admins" /domain; net user /domain; net group "Domain Controllers" /domain; netsh advfirewall show allprofiles; netstat -ano

Analysis (all under the Discovery tactic; every command also counts as Execution via Windows Command Shell T1059.003, because it was typed into cmd.exe)

ipconfig /all (displays the full TCP/IP configuration of every adapter): Maps to System network configuration discovery T1016

arp -a (displays the ARP cache, i.e. the IP-to-MAC mappings the host has seen): Maps to System network configuration discovery T1016

echo %USERDOMAIN%\%USERNAME% (prints the domain and account name of the currently logged-in user): Maps to System owner/user discovery T1033

tasklist /v (displays the running processes with verbose detail): Maps to Process discovery T1057

sc query (displays the active Windows services): Maps to System service discovery T1007

systeminfo (displays details about OS, hardware and software components): Maps to System information discovery T1082

net group "Domain Admins" /domain (lists the members of the Domain Admins group, queried from a domain controller): Maps to Permission groups discovery: Domain groups T1069.002

net user /domain (lists all user accounts in the domain): Maps to Account discovery: Domain account T1087.002 (T1087.001 is local accounts)

net group "Domain Controllers" /domain (lists the domain controllers in the domain): Maps to Remote system discovery T1018

netsh advfirewall show allprofiles (shows the Windows Firewall state and settings for the domain, private and public profiles): Maps to System network configuration discovery T1016; because it reveals host firewall state, Security software discovery T1518.001 is also a defensible mapping

netstat -ano (lists all TCP/UDP connections and listening ports in numeric form, with the owning PID of each): Maps to System network connections discovery T1049
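The mapping above can be done mechanically for bulk command-line data. The following is an added example (not part of the MITRE training or its exercise answers): a small rule-based mapper that splits the exercise's semicolon-separated command string, applies the mappings from this analysis, adds the concurrent Execution technique to every command, and reports commands it cannot map instead of guessing. The rule table, the `map_command`/`technique_counts` helper names and the sample command string are assumptions for the demo.

```python
import re
from collections import Counter

# Added example, not part of the MITRE training. The rule table is an
# assumption drawn from the exercise answers above; extend it for your own data.
# Each rule: (regex over the normalised command, tactic, [(technique ID, name)]).
# Order matters: more specific patterns must come before generic ones.
RULES = [
    (r"^ipconfig\b", "Discovery", [("T1016", "System Network Configuration Discovery")]),
    (r"^arp\b", "Discovery", [("T1016", "System Network Configuration Discovery")]),
    (r"^echo\s+%userdomain%\\%username%", "Discovery", [("T1033", "System Owner/User Discovery")]),
    (r"^tasklist\b", "Discovery", [("T1057", "Process Discovery")]),
    (r"^sc\s+query\b", "Discovery", [("T1007", "System Service Discovery")]),
    (r"^systeminfo\b", "Discovery", [("T1082", "System Information Discovery")]),
    (r'^net\s+group\s+"domain controllers"\s+/domain', "Discovery", [("T1018", "Remote System Discovery")]),
    (r"^net\s+group\b.*\s/domain\b", "Discovery", [("T1069.002", "Permission Groups Discovery: Domain Groups")]),
    (r"^net\s+(group|localgroup)\b", "Discovery", [("T1069.001", "Permission Groups Discovery: Local Groups")]),
    (r"^net\s+user\b.*\s/domain\b", "Discovery", [("T1087.002", "Account Discovery: Domain Account")]),
    (r"^net\s+user\b", "Discovery", [("T1087.001", "Account Discovery: Local Account")]),
    # Firewall configuration is network configuration, but it is also security-software state.
    (r"^netsh\s+(advfirewall|firewall)\b", "Discovery",
     [("T1016", "System Network Configuration Discovery"),
      ("T1518.001", "Software Discovery: Security Software Discovery")]),
    (r"^netstat\b", "Discovery", [("T1049", "System Network Connections Discovery")]),
]

# Every command typed into cmd.exe is concurrently Execution via the Windows command shell.
SHELL = ("T1059.003", "Command and Scripting Interpreter: Windows Command Shell")


def split_commands(line):
    """Split the semicolon-separated command string used in the exercise."""
    return [c.strip() for c in line.split(";") if c.strip()]


def map_command(cmd):
    """Return {'command', 'tactics', 'techniques', 'mapped'} for one command line."""
    norm = " ".join(cmd.lower().split())  # lower-case, collapse whitespace
    tactics, techniques = {"Execution"}, [SHELL]
    mapped = False
    for pattern, tactic, techs in RULES:
        if re.search(pattern, norm):
            tactics.add(tactic)
            techniques.extend(techs)
            mapped = True
            break  # first (most specific) rule wins
    # "Not every behavior = technique": unmatched commands are reported, not guessed.
    return {"command": cmd, "tactics": sorted(tactics), "techniques": techniques, "mapped": mapped}


def map_session(line):
    return [map_command(c) for c in split_commands(line)]


def technique_counts(results):
    """Frequency of technique IDs across a session: the input for prioritisation later on."""
    return Counter(tid for r in results for tid, _ in r["techniques"])


# Constructed input: the exercise's command list.
EXERCISE_A = ('ipconfig /all; arp -a; echo %USERDOMAIN%\\%USERNAME%; tasklist /v; sc query; systeminfo; '
              'net group "Domain Admins" /domain; net user /domain; net group "Domain Controllers" /domain; '
              'netsh advfirewall show allprofiles; netstat -ano')

if __name__ == "__main__":
    results = map_session(EXERCISE_A)
    for r in results:
        ids = ", ".join(f"{tid} {name}" for tid, name in r["techniques"])
        flag = "" if r["mapped"] else "  [UNMAPPED - research this]"
        print(f"{r['command']:40} -> {'/'.join(r['tactics'])}: {ids}{flag}")
    print(technique_counts(results).most_common(3))
```

A command with no rule (e.g. `whoami /priv`) comes back with `mapped == False` and only the Execution technique, which is the signal to go and do Step 2 (research) rather than let the tool silently decide. The first-match-wins ordering is what makes `net group "Domain Controllers" /domain` land on T1018 instead of the generic domain-groups rule.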

  • Exercise B: Malware analysis

Analysis notes:

C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command.

So far the following commands have been discovered and analyzed:

UPLOAD file (upload a file server->client)

DOWNLOAD file (download a file client->server)

SHELL command (runs a command via cmd.exe)

PSHELL command (runs a command via powershell.exe)

EXEC path (executes a program at the path given via CreateProcess)

SLEEP n (skips n beacons)

Sandbox execution artifacts for winspoo1.exe

Network traffic:

10.1.1.1:12442 -> 8.8.8.8:53 (query A www.m1tre.org)

8.8.8.8:53 -> 10.1.1.1:12442 (response A www.m1tre.org A 129.83.44.12)

10.1.1.1:24123 -> 129.83.44.12:443

129.83.44.12:443 -> 10.1.1.1:24123

10.1.1.1:24123 -> 129.83.44.12:443

129.83.44.12:443 -> 10.1.1.1:24123

10.1.1.1:24123 -> 129.83.44.12:443

129.83.44.12:443 -> 10.1.1.1:24123

10.1.1.1:24123 -> 129.83.44.12:443

129.83.44.12:443 -> 10.1.1.1:24123

10.1.1.1:24123 -> 129.83.44.12:443

129.83.44.12:443 -> 10.1.1.1:24123

File activity:

Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe

Registry keys added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool REG_SZ "C:\Windows\System32\winspool.exe"

Analysis

C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. - Data encoding: Standard encoding T1132.001 and Application layer protocol: Web protocols T1071.001 (Command & Control). Because the channel is HTTPS, Encrypted channel: Asymmetric cryptography T1573.002 is arguably also in play. The 30-second beacon interval is procedure-level detail worth recording, not a technique on its own.

UPLOAD file (server->client) - Ingress tool transfer T1105 (Command & Control)

DOWNLOAD file (client->server) - Exfiltration over C2 channel T1041 (Exfiltration)

SHELL command - Command and Scripting Interpreter: Windows command shell T1059.003 (Execution)

PSHELL command - Command and Scripting Interpreter: PowerShell T1059.001 (Execution)

EXEC path - Native API T1106 (Execution), since it calls CreateProcess directly rather than going through a shell

SLEEP n - no technique on its own ("not every behavior = technique")

Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe - Masquerading: Match legitimate name or location T1036.005 (Defense evasion). Both halves matter: the dropped file's name uses a digit 1 for the letter l, and the copy lands in System32 under a name that resembles the legitimate print spooler component winspool.drv.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool REG_SZ "C:\Windows\System32\winspool.exe" - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 (Persistence)
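Sandbox artifacts like the ones above can be triaged the same way, but the checks differ from command-line mapping: the masquerading call depends on comparing the source and destination file names, and the flow list only supports the protocol-level C2 technique, not the encoding. The following is an added example (not part of the MITRE training): it parses the three artifact sections reproduced above, flags a copy into a system directory whose name differs from the original only by look-alike digits, maps Run-key additions, and counts outbound web flows. The confusable-character table, the section parser and the `map_artifacts` helper name are assumptions; the embedded report text is the exercise's own sandbox output, reproduced as constructed sample input.

```python
import re

# Constructed sample: the exercise's sandbox output reproduced as test input (not a real sandbox run).
SANDBOX_REPORT = r"""Network traffic:
10.1.1.1:12442 -> 8.8.8.8:53 (query A www.m1tre.org)
8.8.8.8:53 -> 10.1.1.1:12442 (response A www.m1tre.org A 129.83.44.12)
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
File activity:
Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe
Registry keys added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool REG_SZ "C:\Windows\System32\winspool.exe"
"""

# Digits attackers substitute for look-alike letters (assumed list; extend as needed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows(\\system32|\\syswow64)?\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\(run|runonce)\\", re.I)
FLOW = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)")
COPY = re.compile(r"^Copy (.+?) -> (.+)$")


def parse_report(text):
    """Split the report into {'Network traffic': [...], 'File activity': [...], ...}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def map_artifacts(text):
    """Return [(artifact, tactic, technique ID, technique name, note)] for the report."""
    s = parse_report(text)
    out = []
    for line in s.get("File activity", []):
        m = COPY.match(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        src_n, dst_n = basename(src).lower(), basename(dst).lower()
        notes = []
        if SYSTEM_DIR.match(dst):
            notes.append("copied into a system directory")
        # Same name once look-alike digits are normalised, but different as written.
        if src_n != dst_n and src_n.translate(CONFUSABLES) == dst_n.translate(CONFUSABLES):
            notes.append(f"look-alike rename {basename(src)} -> {basename(dst)}")
        if notes:
            out.append((line, "Defense Evasion", "T1036.005",
                        "Masquerading: Match Legitimate Name or Location", "; ".join(notes)))
    for line in s.get("Registry keys added", []):
        if RUN_KEY.search(line):
            out.append((line, "Persistence", "T1547.001",
                        "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
                        "Run key"))
    sandbox_ip, web_flows = None, 0
    for line in s.get("Network traffic", []):
        m = FLOW.match(line)
        if not m:
            continue
        src, dst_port = m.group(1), int(m.group(4))
        sandbox_ip = sandbox_ip or src  # first flow originates from the sandbox host
        if src == sandbox_ip and dst_port in (80, 443):
            web_flows += 1
    if web_flows:
        out.append((f"{web_flows} outbound flows to 80/443", "Command and Control", "T1071.001",
                    "Application Layer Protocol: Web Protocols",
                    "flow list alone cannot show the base64 encoding (T1132.001); that needs protocol analysis"))
    return out


if __name__ == "__main__":
    for artifact, tactic, tid, name, note in map_artifacts(SANDBOX_REPORT):
        print(f"{tactic}: {tid} {name}\n    {artifact}\n    {note}")
```

The note attached to the network mapping is the point of Step 2 for raw data: the sandbox flow list shows only that the sample talks HTTPS to a resolved host, so T1132.001 comes from the analyst's protocol work above, not from the traffic summary.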

Module 4: Storing and analyzing ATT&CK-mapped intel

  • Considerations when storing intel - (a) Who's consuming it? humans or machines; (b) Context; (c) How detailed? Technique or procedure, and how to capture that detail; (d) Links to other intel; and (e) Format for importing and exporting data

  • Ways to store and display - (a) Excel; (b) an internal wiki; (c) MISP - links techniques to indicators and files; (d) Techniques at the end of a report (e.g. Anomali/McAfee); (e) Techniques at the beginning of a report (e.g. CrowdStrike); (f) Add additional info to an ATT&CK technique, e.g. mitigation advice; (g) Timeline (e.g. Recorded Future); (h) Machine readable; (i) Link techniques to indicators

  • What to do with stored data? Compare groups by mapping threat actors' TTPs from open-source reports with ATT&CK Navigator (various visual representations). Prioritise the common techniques identified.

  • Exercise: Compare techniques used by APT39 and APT1 (changed from Cobalt Kitty as it wasn't available in the navigator).

Analysis

Overlaps from APT1 & APT39 (training-era names, with the current ATT&CK equivalents):

  1. Scripting (now a sub-technique of Command and Scripting Interpreter T1059)

  2. Credential Dumping (OS Credential Dumping T1003)

  3. System Network Configuration Discovery (T1016)

  4. Remote Desktop Protocol (Remote Services: Remote Desktop Protocol T1021.001)

  5. Data Compressed (now Archive Collected Data T1560)

Module 5: Making ATT&CK-mapped data actionable with defensive recommendations

  • Apply technique intelligence to defense

  • Make recommendations starting from the highest-priority techniques

  • Step 0: Determine priority techniques - what data do you have, what does threat intelligence say your adversaries are doing, what do your current tools cover, what do you see red teamers do

  • Step 1: Research how the techniques are being used - the specific procedures used for the technique; the defensive response should line up with the activity actually observed

  • Step 2: Research defensive options related to the technique - defensive info indexed to ATT&CK (data sources, detections, mitigations, research linked from technique pages), the MITRE Cyber Analytics Repository (CAR), Roberto Rodriguez's ThreatHunter-Playbook and Atomic Threat Coverage. Do your own research too.

  • Step 3: Research organizational capability/constraints - what data sources/defenses/mitigations are collected/in place?, what deployed products with additional capabilities e.g. gather new data source or implement new mitigations, anything about the organization that may preclude responses e.g. user constraints or usage patterns. Notional capabilities and notional constraints.

  • Step 4: Determine what tradeoffs are for organization on specific options - how each identified options fit into organization, pros and cons of each defensive option

  • Step 5: Make recommendations - technical (collect new data source, change config etc.)/policy changes/risk acceptance (vs tradeoff) for management, SOC, IT or all.

  • Exercise: Make defensive recommendations using T1053 Scheduled Task.

0. Determine priority techniques

Techniques identified from the previous exercise:

⁃ Spearphishing Attachment

⁃ Spearphishing Link

⁃ Scheduled Task

⁃ Scripting

⁃ User Execution

⁃ Registry Run Keys/Startup Folder

⁃ Network Service Scanning

For this exercise, we’re going to be working with T1053 - Scheduled Task

1. Research how techniques are being used

How was Scheduled Task used in the Cobalt Kitty report?

Analysis: The attackers abused the legitimate Google Update scheduled task: they placed a malicious goopdate.dll alongside the legitimate GoogleUpdate.exe so that the DLL is loaded each time the existing task runs. No new task had to be created; an existing one did the work.

2. Research defensive options related to technique

What data sources are there for Scheduled Task on the ATT&CK website? (Hint: https://attack.mitre.org/techniques/T1053/)

Analysis: File monitoring, Process command-line parameters, Process monitoring, Windows event logs (these are the pre-v9 data source names used in the training; the current T1053 page lists the Command, File, Process and Scheduled Job data sources instead)

Based on the Detection portion of the Scheduled Task page what kind of resources can be monitored to detect a new Scheduled Task being added?

Analysis: From the page, monitor process execution spawned from svchost.exe (the Task Scheduler service runs there). Configure event logging for scheduled task creation and changes: Security event IDs 4698 (task created), 4702 (task updated), 4699 (deleted) and 4700/4701 (enabled/disabled), which need the "Audit Other Object Access Events" subcategory turned on, and Microsoft-Windows-TaskScheduler/Operational event 106 (task registered) if that log is enabled. Use tools like Sysinternals Autoruns. The page also warns that remote access tools with built-in features may create tasks directly through the Windows API, so watching for schtasks.exe alone is not enough.

3. Research organizational capability/constraints

For this exercise, assume that you have Windows Event Log Collection going to a SIEM, but no ability to collect process execution logging.

4. Determine what tradeoffs are for org on specific options

Based on the organizational constraints that have been given in 3., what would the tradeoffs for the defenses in 2. look like?

Analysis: From the above,

i. Monitor process execution from svchost.exe - needs process execution logging (e.g. Sysmon event 1 or Security event 4688 with command line), which the organisation does not collect, so this option is out until that data source is added

ii. Configure event logging for scheduled task creation and changes - only an audit-policy change on the endpoints; the 4698/4702 events then ride the existing Windows Event Log collection into the SIEM, where they can be filtered and alerted on. Low cost and fits the constraint. Volume is modest because legitimate task creation is infrequent.

iii. Use tools like Sysinternals Autoruns - shows what is configured to run at boot or logon, including scheduled tasks and the Run, RunOnce and other registry keys; the Verify Code Signatures option helps spot unsigned binaries. It has to be deployed and run (the console version, autorunsc, can be scripted) and its output compared over time; it is a point-in-time snapshot, not continuous telemetry.

iv. Remote access tools with built-in features that interact with the Windows API - this is a caveat, not a detection option: a tool that registers a task through the API never runs schtasks.exe, so command-line monitoring alone misses it. The event-log route in ii. still catches it, because the Task Scheduler service records 4698 regardless of how the registration was requested.

5. Make recommendations

Based on the tradeoffs you analyzed in 4., what defensive options would you recommend?

Analysis: Enable auditing of scheduled task creation and changes (Security 4698/4702, plus 4699/4700/4701) and forward them through the existing Windows Event Log collection to the SIEM; alert on new tasks whose action points at a script interpreter or a user-writable path. Deploy Sysinternals Autoruns (autorunsc) on a schedule to snapshot persistence locations and diff the snapshots for changes. Record as an accepted gap that process execution logging is still missing: it would be needed for the Cobalt Kitty-style case, where an existing legitimate task (Google Update) is hijacked via a dropped DLL and no new task is ever created.
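What the recommended 4698 alerting looks like in practice, as an added example (not from the MITRE training or the ATT&CK page): the code below builds a few constructed Security 4698 records, pulls the task name, creating user and Exec actions out of the event's TaskContent XML, and flags tasks whose action runs a script interpreter, points into a user-writable directory, or launches encoded/hidden PowerShell. The trigger lists, the `make_4698`/`triage`/`scan` helper names and the sample events are assumptions for the demo; the event namespace, the 4698 field names and the task XML namespace are the real ones.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Assumed triage heuristics: script/LOLBin hosts and user-writable drop locations.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|enc|encodedcommand|w\s+hidden)\b", re.I)


def make_4698(task_name, user, command, arguments=""):
    """Constructed Security 4698 record with the fields this check needs (real events carry more)."""
    task_xml = (f'<Task xmlns="{TASK_NS}"><Actions Context="Author"><Exec>'
                f'<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>'
                f'</Exec></Actions></Task>')
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


def parse_4698(xml_text):
    """Extract task name, creating user and Exec actions from a 4698 event; None for other IDs."""
    ev = ET.fromstring(xml_text)
    if ev.findtext(f"{{{EVT_NS}}}System/{{{EVT_NS}}}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{{{EVT_NS}}}Data")}
    task = ET.fromstring(data["TaskContent"])  # TaskContent carries the task's own XML definition
    actions = [(ex.findtext(f"{{{TASK_NS}}}Command", default=""),
                ex.findtext(f"{{{TASK_NS}}}Arguments", default=""))
               for ex in task.iter(f"{{{TASK_NS}}}Exec")]
    return {"task": data.get("TaskName", ""), "user": data.get("SubjectUserName", ""), "actions": actions}


def triage(event):
    """Reasons a new task deserves a look; an empty list means nothing suspicious by these rules."""
    reasons = []
    for command, args in event["actions"]:
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in INTERPRETERS:
            reasons.append(f"runs via {exe}")
        if WRITABLE.search(command) or WRITABLE.search(args):
            reasons.append("executable or argument under a user-writable directory")
        if exe in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(args):
            reasons.append("encoded or hidden PowerShell")
    return reasons


def scan(events):
    """Return [(task name, user, reasons)] for every 4698 event that trips a rule."""
    hits = []
    for raw in events:
        ev = parse_4698(raw)
        if ev and (reasons := triage(ev)):
            hits.append((ev["task"], ev["user"], reasons))
    return hits


# Constructed sample events; task names, users and paths are invented for the demo.
SAMPLE_EVENTS = [
    make_4698(r"\GoogleUpdateTaskMachineUA", "SYSTEM",
              r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "/ua /installsource scheduler"),
    make_4698(r"\Updater", "bob", "powershell.exe", "-w hidden -enc SQBFAFgA"),
    make_4698(r"\OfficeSync", "alice", r"C:\Users\Public\sync.exe"),
]

if __name__ == "__main__":
    for task, user, reasons in scan(SAMPLE_EVENTS):
        print(f"{task} (created by {user}): {'; '.join(reasons)}")
```

The legitimate Google Update task passes cleanly, which is exactly the Cobalt Kitty lesson: 4698 only fires when a task is registered, so a pre-existing task whose binary gets a malicious DLL dropped beside it never shows up here. That gap is what file-creation monitoring next to scheduled-task binaries, or the Autoruns snapshot diff, has to cover. The 4698 event itself needs the "Audit Other Object Access Events" subcategory enabled before any of this arrives at the SIEM.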
