Automation: The Wonderful Wizard of CTI (or is it?)

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01159-17.
| 1 |
Automation :
(or is it?)

Who We Are
| 2 |
Sarah Yoder ( @sarah__yoder)
• Cyber Security Engineer
• Cyber threat intelligence + red teaming
• Disneyland enthusiast, Triathlete, Chai Tea Fanatic
Jackie Lasky
• Cyber Security Engineer
• Cyber threat intelligence + threat hunting
• Photographer, Traveler, Dog-lover

The Plan
| 3 |
How We Use CTI for ATT&CK
Our Automation Tool - TRAM
How This Can Help You
Challenges with Automation
The Future of TRAM https://www.kristv.com/news/local-news/follow-the-yellow-brick-road-to-the-wizard-of-oz-movie-party

What does Cyber Threat Intelligence mean for ATT&CK?
▪ CTI forms the basis of ATT&CK
▪ We help to organize CTI by keeping ATT&CK up-to-date
▪ We develop ways to share or organize CTI
▪ We show and provide ways to use CTI
| 4 |

Before We Got A “Brain"
| 5 |
Backlog of reports Analyst gets
assigned report to
read and review
Data is entered
into ATT&CK
http://www.loc.gov/exhibits/oz/images/uc55.jpg

The Yellow Brick Road: Reporting ⇒ ATT&CK
1. Find open source threat
reporting
• APT groups, software
2. Find behaviors in the report
• Think ATT&CK structure
| 6 |
https://www.hiclipart.com/search?clipart=goodbye+Yellow+Brick+Road

| 7 |
Defense Evasion
Defense Evasion
Discovery
Discovery
| Obfuscated Files or Information(T1027)
| Obfuscated Files or Information(T1027)
| File and Directory Discovery (T1083)
| Virtualization/Sandbox Evasion (T1497)
| Data Encrypted for Impact (T1486) | Process Discovery (T1057)
| System Service Discovery (T1007)
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
Defense Evasion
Impact
Defense Evasion | Execution Guardrails (T1480)
Finding Behaviors in Finished Reporting

Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
Command and Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Lateral Movement
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Credential Access Discovery
Network Sniffing
Account Manipulation Account Discovery
Bash History Application Window
Discovery
Brute Force
Credential Dumping Browser Bookmark
Discovery
Credentials in Files
Credentials in Registry Domain Trust Discovery
Exploitation for
Credential Access
File and Directory Discovery
Network Service Scanning
Forced Authentication Network Share Discovery
Hooking Password Policy Discovery
Input Capture Peripheral Device Discovery
Input Prompt Permission Groups Discovery
Kerberoasting Process Discovery
Keychain Query Registry
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery
Security Software Discovery
Password Filter DLL System Information
Discovery
Private Keys
Securityd Memory System Network
Configuration Discovery
Two-Factor Authentication
Interception
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Execution Persistence Privilege Escalation Defense Evasion
Scheduled Task Binary Padding
Launchctl Access Token Manipulation
Local Job Scheduling Bypass User Account Control
LSASS Driver Extra Window Memory Injection
Trap Process Injection
AppleScript DLL Search Order Hijacking
CMSTP Image File Execution Options Injection
Command-Line Interface Plist Modification
Compiled HTML File Valid Accounts
Control Panel Items Accessibility Features BITS Jobs
Dynamic Data Exchange AppCert DLLs Clear Command History
Execution through API AppInit DLLs CMSTP
Execution through
Module Load
Application Shimming Code Signing
Dylib Hijacking Compiled HTML File
Exploitation for
Client Execution
File System Permissions Weakness Component Firmware
Hooking Component Object Model
Hijacking
Graphical User Interface Launch Daemon
InstallUtil New Service Control Panel Items
Mshta Path Interception DCShadow
PowerShell Port Monitors Deobfuscate/Decode Files
or Information
Regsvcs/Regasm Service Registry Permissions Weakness
Regsvr32 Setuid and Setgid Disabling Security Tools
Rundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails
Service Execution .bash_profile and .bashrc Exploitation for
Privilege Escalation
Exploitation for
Defense Evasion
Signed Binary
Proxy Execution
Account Manipulation
Authentication Package SID-History Injection File Deletion
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
Modification
Bootkit Sudo Caching
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from Tools
XSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Initial Access
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Remembering ATT&CK (there’s a lot!)
Tactics: the adversary’s technical goals
Techniques:
how
the
goals
are
achieved
| 8 |
Procedures: Specific technique implementation

Trapped in a Time-Consuming Process
▪ Too many reports, not enough people!
▪ Human error
▪ Training new team members
| 9 |
https://www.pinterest.com/pin/165788830002744446/

Off to the Emerald Automation City
| 10 |
http://www.infosalonsgroup.com/2018/05/21/start-sold-journey-yellow-brick-road/

The “Magic” behind TRAM?
| 11 |
1
Get Data
2
Clean & Prepare
Data
3
Train
Model
▪ Get Data
– ATT&CK procedure examples
– STIX/TAXII data from ATT&CK
▪ Clean & Prepare Data
– Normalization
– Natural language processing
▪ Build & Train Models
– Python Logistic regression and
supervised learning
– Count Vectorizer, feature extraction,
cross validation, etc.

The “Magic” behind TRAM? (Continued)
▪ Test Data
– Submit a report via URL
– Models generate predictions on unseen
data
▪ Review Model Decision
– Accept or Reject the predictions
– Add in missing techniques
▪ Feedback Loop
– Annotations are recorded and sent back
to the database to build new models
– Reports can be exported
| 12 |
7
Feedback Loop
6
Review
Model Decisions

| 13 |
Threat Report ATT&CK Mapper (TRAM) Demo

| 14 |

Why Does This Matter?
▪ Easier to get started with ATT&CK
▪ Streamline the workflow
▪ Find techniques we forget about (or
have never heard of)
▪ Use reporting that is important to you
| 15 |
http://theconversation.com/wizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

Overcoming Challenges
| 16 |
▪ Prediction Accuracy
▪ How do we look for techniques not in ATT&CK yet?
▪ Building automations can take away time from other work
https://www.ranker.com/list/wicked-witch-margaret-hamilton-career

Is the Wizard of Automation real?
▪ Why is automating CTI hard to do?
▪ Augmenting CTI work to blend human
analysis with AI
| 17 |
https://media.giphy.com/media/AEMyf9Oj6MpS8/giphy.gif

Future of TRAM
▪ Despite full automation not being the answer to all our problems,
development on TRAM is still on track
▪ Finding the balance as we transition the workflow
▪ We encourage and appreciate contributions from the community!
| 18 |

| 19 |
attack.mitre.org
attack@mitre.org
@MITREattack
Sarah Yoder
@sarah__yoder
Jackie Lasky
https://github.com/mitre-attack/tram/

Automation: The Wonderful Wizard of CTI (or is it?)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Automation: The Wonderful Wizard of CTI (or is it?)

Semelhante a Automation: The Wonderful Wizard of CTI (or is it?) (20)

Mais de MITRE ATT&CK

Mais de MITRE ATT&CK (20)

Último

Último (20)

Automation: The Wonderful Wizard of CTI (or is it?)